Policy, Regulation, and Ethics

Chapter Thirteen

Prepared by: Raval, Fichadia

John Wiley & Sons, Inc. 2007

Page 2

[Chapter concept map (diagram). Nodes: Security administration; Leadership of the organization; Organization and accountability; Security policy; Regulation; Ethical behavior; Social engineering. Edge labels: begins with; implementation of; compliance with; nurtures; and concerns; strengthens; reinforces; helps prevent/limit.]

Page 3

Chapter Thirteen Objectives

1. Understand basic concepts of security administration.

2. Comprehend the nature, role, and characteristics of security policies.

3. Explain the general nature of legislation on computer security.

4. Comprehend fundamental concepts of business ethics.

5. Understand the nature and characteristics of social engineering attacks and how to limit or prevent such attacks.

Page 4

Policy, Regulation, and Ethics

Policy: Systems and procedures must meet policy requirements.

Regulation: Organizations must comply with the requirements of the laws to which they are subject.

Ethics: Organizations may choose to cultivate desired ethical behavior.

Page 5

How Are Security, Regulation, and Ethics Related?

All three complement each other. Regulatory requirements define a minimum. Policies help ensure that these requirements are met and, in fact, that more is done where it is deemed appropriate and cost effective.

Promotion of ethical behavior is likely to generate the desired behavior, aligned with meeting regulatory requirements and honoring policies.

An environment where ethical behavior is stressed can foster a sense of duty: people may tend to do the right thing, beyond what the law and policies require.

Page 6

Organization and Accountability

Organizational structure should ideally reflect accountability consistent with the roles of personnel.

Accountability for information security is typically assigned to an information security director, who may report to the CEO, the CIO, or another top-level executive.

This role must be managed in a multidisciplinary context because issues of information security are multidisciplinary.

Page 7

Security Policies

Policy: A high-level document independent of all functions, roles, powers, and personalities.

Security policy: A formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.

Standards: Tend to enforce tried and tested practices.

Procedures: Describe, where necessary, specific ways of securing information assets.

Guidelines: Provide examples and interpretation of the policy and related standards to facilitate policy implementation.

Page 8

Purposes of a Security Policy

Informs users, staff, and managers of their obligations concerning protection of information technology and assets.

Provides a baseline against which compliance with the policy can be assessed.

Provides a basis for determining what security tools to use to adequately protect information assets.

Page 9

Characteristics of a Policy

Tenure: Generally, a policy should have a long tenure, during which it may not change much.

Requisite variety: Each policy must have requisite variety: all anticipated requirements to provide control must be addressed in the policy.

Feasibility: Policies must pass the test of feasibility.

Understandability: A policy must be written so that it is easy to understand.

Balance: A policy must balance the need for security with the functionality and usability of information systems.

Page 10

Content Areas of an Information Security Policy

Purpose
Scope
Policy
Definitions
Responsibilities
Administration and interpretations
Amendments/termination of the policy
References to applicable policies and standards
Exceptions
Violations/enforcement

Page 11

Area: Description of content within the area

Purpose: Narrates why this policy is written and how it will benefit the organization.

Scope: Clarifies to whom the policy applies.

Policy: The core of the policy, the statement(s) that describe the policy.

Definitions: If the policy uses certain terms, these are defined here. This allows for a very specific interpretation of the policy, irrespective of how these terms are used in the profession.

Responsibilities: Identifies who is responsible for enforcement of the policy. If more than one party is responsible, the responsibility of each party with respect to policy enforcement should be clearly identified.

Administration and interpretations: Identifies who is responsible for answering questions regarding the policy, for maintaining records of policy issues and how they were resolved, and for documenting violations of the policy and their resolution.

Amendments/termination of the policy: States that (1) the organization reserves the right to modify, amend, or terminate the policy at any time, and (2) the policy does not constitute a contract between the organization and its employees.

References to applicable policies and standards: Lists the policies and standards related to this policy.

Exceptions: Identifies how to request an exception to the policy, what information the request should provide, and to whom it should be addressed. Typically, all exception requests are handled in accordance with an information security exception policy.

Violations/enforcement: Specifies where to report any known violations of the policy and what consequences could result from such violations; for example, immediate suspension of user privileges, disciplinary action, or reporting the case to the appropriate law enforcement agencies.

Page 12

Classification of Policies

Various alternative classifications are possible.

Information security policies may be categorized:

Using components of an information system.

In terms of physical security and logical security.

As system specific or issue specific.

Page 13

Policy Development Process

The process must mirror risk management processes:

1. Identify critical information system processes and assets.

2. Understand what risks each information asset faces.

3. Identify the asset's vulnerabilities and anticipate the types of threat to which the asset might be subject.

4. Identify control and security measures to protect the information asset.

5. Develop a policy that provides cost-effective protection measures.

6. Periodically review the policy in light of changes in the organization and its environment.

Page 14

Regulatory Requirements

Regulations exist in the area of information assets protection, and they must be met.

Such regulations typically define the threshold, or minimum, level of protection required for information assets.

Compliance with such requirements provides assurance that the entity is meeting the needs for protection of information assets at the levels required by law.

At the same time, compliance helps the entity protect its information assets and prosecute those who compromise their security.

Page 15

Regulatory Requirements and Security Objectives

Information assets protection
Authentication
Integrity of logic
Integrity of communication
Confidentiality and privacy
System availability
Computer crimes

Page 16

Table 13.3. Objectives, vulnerabilities, and regulation

Security objective | Selected vulnerabilities | Illustrative regulatory requirements

Information assets protection | Theft; software piracy | Computer Software Copyright Act of 1980; Digital Millennium Copyright Act (1998)

Authentication | Impersonation; spoofing; session hijacking; man-in-the-middle attack | Electronic signature legislation; digital signature laws

Integrity of logic (programs) | Malicious code; buffer overflow | Uniform Commercial Code

Integrity of communication | Website defacement; active wiretap; falsification of message | The Electronic Communications Privacy Act of 1986

Confidentiality and privacy | Eavesdropping; passive wiretap | Right to Financial Privacy Act of 1978; The Gramm-Leach-Bliley Act (1999); Children's Online Privacy Protection Act [COPPA] (1998); Health Insurance Portability and Accountability Act [HIPAA] (1996)

System availability | Connection flooding; denial of service (DoS) attack; distributed denial of service (DDoS) | Computer Fraud and Abuse Act (1984, 1986, 1996)

Page 17

Ethical Behavior in Organizations

Ethics: The principles of conduct individuals and groups use in making and implementing choices.

Principles of moral conduct are the foundation for ethical behavior.

Ethical behavior may have implications for information security.

Page 18

Frameworks for Ethical Behavior

A framework is used to determine and evaluate the ethical dimension of a choice. Several frameworks have been proposed.

Ethical relativism suggests that ethics is something a person decides; what is right or wrong is relative to one's society.

Utilitarianism argues that what makes an action right or wrong is outside the action itself; it is determined by the consequences of the action.

Deontological theories emphasize the internal character of the act itself. If an action is done from a sense of duty, then the action is right.

Page 19

Individuals play many roles in their lives:

The commitments of private life.

The commitments of an employee.

The commitments of a (business) leader.

Responsibilities beyond the employer's boundaries.

Differentiating between roles allows one to define duty more responsibly and in alignment with what one can do.

There may exist conflicts within each role and between roles.

Page 20

Business Ethics

An organization is a group of individuals with shared values and goals.

A business, as an organization, must earn its place within society. Organizational legitimacy results from the degree of congruence between the social values associated with or implied by the firm's activities and the norms of acceptable behavior in the larger social system to which the firm belongs.

Individuals as employees should ask questions concerning consequences of an action, serving others’ rights, consistency of decisions with basic values, and feasibility of their actions in the world as it is.

Page 21

Ethics and Information Technology

Old wine in a new bottle? The argument supporting this notion: no new issues have surfaced due to the presence of computers. The argument opposing this notion: information technology has created an environment that is quite different, and hence the dilemmas are different.

An examination of the roles of computers makes it easier to understand ethics in the context of information technology.

Four possible roles of computers in a man-machine system:

Page 22

Four Roles of Information Technology

Nonuse.

Discretionary role: Since the computer is used at the discretion of the user, the user controls the ethical dimension of use (or nonuse), if any.

Facilitation role: In this role, the computer makes the compromise of ethics much easier, but the fundamental ethical dilemma is the same.

Intrinsic role: The computer is at the core of the situation; no comparable situation would exist without the presence of the computer. These are new dilemmas that need to be addressed using existing frameworks.

Page 23

Social Engineering

Definition: The art and science of getting people to cooperate in the process of achieving your own goals; "people hacking".

Threats: To build and maintain sound security systems, the social dimension, the human side, must also be considered. Attacks on people are easier, require very little technology, and can be planned and carried out quickly.

Countermeasures

Page 24

Signs of a Social Engineering Attack

The attacker refuses to give contact information.

The attacker shows signs of urgency and rushes through the communication after establishing an initial rapport.

To suggest familiarity and influence, the attacker resorts to name-dropping.

If necessary, the attacker is likely to resort to intimidating the prospective informant.

Minor errors in the attacker's communication are common, for example, inserting an odd question into the conversation.

Typically, the attack includes a request for forbidden information.
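The signs above can be turned into a first-pass triage filter for help-desk tickets or chat transcripts, so that a message showing several of them is escalated to a human before anything is disclosed. The following Python is an added example, not code from the textbook; its indicator patterns, the escalation threshold, and the two sample messages are constructed for illustration. The "odd question" sign is left to human judgment, since it does not reduce to a pattern.

```python
"""Heuristic screen for the social-engineering warning signs listed above.

Added example (not from the textbook). The regular expressions, the
threshold, and the sample messages below are constructed for illustration;
a real deployment would tune them against its own help-desk traffic.
A match is evidence to escalate to a person, not proof of an attack.
"""
import re
from dataclasses import dataclass, field

# One indicator per sign from the slide (the "odd question" sign is omitted:
# it needs a human to judge). Each pattern looks for the wording an attacker
# typically uses when applying that tactic.
INDICATORS = {
    # Sign 1: the caller will not give a way to verify them.
    "refuses_contact_info": re.compile(
        r"\b(can'?t|cannot|won'?t|don'?t)\b[^.?!]{0,40}"
        r"\b(call(ed)? back|reach(ed)? me|extension|callback|number)\b", re.I),
    # Sign 2: urgency used to short-circuit verification.
    "urgency": re.compile(
        r"\b(right now|immediately|asap|urgent(ly)?|in the next \d+ minutes|"
        r"before (the )?(deadline|audit|end of (the )?day))\b", re.I),
    # Sign 3: name-dropping to borrow authority.
    "name_dropping": re.compile(
        r"\b(the )?(ceo|cfo|cio|ciso|vp|director|head of \w+)\b[^.?!]{0,40}"
        r"\b(told|asked|sent|authori[sz]ed|said|wants)\b", re.I),
    # Sign 4: intimidation if rapport fails.
    "intimidation": re.compile(
        r"\b(your (job|manager|boss)|get you fired|report you|in trouble|"
        r"escalate this|you'?ll be responsible)\b", re.I),
    # Sign 6: a request for information the caller should not receive.
    "forbidden_request": re.compile(
        r"\b(password|passcode|one[- ]time code|mfa code|verification code|"
        r"vpn credentials|badge number|server (name|ip)|admin account)\b", re.I),
}


@dataclass
class Screening:
    matched: list[str] = field(default_factory=list)  # indicator names that fired
    score: int = 0                                     # number of distinct indicators
    escalate: bool = False                             # hand to a human before acting


def screen_message(text: str, threshold: int = 2) -> Screening:
    """Report which indicators fire on one message and whether to escalate.

    A single indicator is common in legitimate traffic (a genuine password
    reset mentions passwords), so escalation requires at least `threshold`
    distinct signs, mirroring the slide's point that attacks combine tactics.
    """
    result = Screening()
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            result.matched.append(name)
    result.score = len(result.matched)
    result.escalate = result.score >= threshold
    return result


# Constructed sample transcripts (not real calls).
ATTACK_CALL = (
    "Hi, this is Dave from IT in the London office. The CIO asked me to push "
    "the audit fix before end of day, so I need your VPN credentials right now. "
    "I can't be called back on this line, just read me the password."
)
BENIGN_CALL = (
    "Hi, this is Priya from accounts. Ticket 4421 is about a printer that keeps "
    "jamming on the third floor. You can reach me on extension 2207 whenever "
    "you have a moment."
)

if __name__ == "__main__":
    for label, msg in (("attack", ATTACK_CALL), ("benign", BENIGN_CALL)):
        r = screen_message(msg)
        print(f"{label}: escalate={r.escalate} score={r.score} matched={r.matched}")
```

On the constructed attack transcript four indicators fire (refusal of contact information, urgency, name-dropping, and a request for forbidden information), so it is escalated; the benign ticket fires none. A lone "password" in an ordinary reset request stays below the threshold, which is the point of counting distinct signs rather than keywords.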

Page 25

Social Engineering: Countermeasures

1. Develop a comprehensive security policy, and revise when necessary. The security policy should be effectively communicated to employees, and enforced throughout the organization.

2. Create awareness of exposures to and methods of social engineering attacks.

3. Train and educate employees to be on the defensive. Ongoing training programs serve as a constant reminder of social engineering threats and of how to identify and respond to them.

4. An attack becomes feasible because the attacker already has some data about the organization (people, systems, procedures) on hand. Every measure that would help keep such data out of unauthorized hands should be considered: for example, shredding reports and dated systems documentation, encrypting data, and degaussing portable storage media.

Page 26

Assurance Considerations

Policy development, implementation, and enforcement: Is the policy current? Is it enforced? Are violations of and exceptions to the policy tracked and reported? Who acts on such violations? Are such actions proper? Overall, is the policy effective?

Compliance with regulations: Is an integrated approach used, where legal, technological, and operational aspects are considered together, or is compliance a patchwork? Who is responsible for compliance? Are the compliance solutions documented? Are changes in the regulatory requirements monitored? Is the whistle-blower system effective?

Ethical behavior: Does the organization have a code of conduct? What structure is in place to nurture ethical behavior in the organization? Who is accountable for promoting organization-wide ethical conduct? What programs are in place to achieve the objective? Are they effective?

Page 27

[Closing slide: the chapter concept map from Page 2 is repeated.]