Laws are rules that mandate or prohibit certain behavior. They are drawn from ethics, which define socially acceptable behavior. The key difference between laws and ethics is that laws carry the authority of a governing body and ethics do not; ethics are instead based on cultural mores. Information security professionals and the managers involved in information security must possess at least a rudimentary grasp of the legal framework within which their organizations operate (Kizza, 2007). This legal environment influences the organization to a greater or lesser extent depending on the nature of the organization and the scale on which it operates. To minimize the organization's liabilities, the information security practitioner must understand the current legal environment and keep apprised of new laws, regulations, and ethical issues as they emerge.
Types of Laws
Civil law embodies a wide variety of laws pertaining to relationships between and among individuals and organizations. Criminal law addresses violations harmful to society and is actively enforced and prosecuted by the state. Tort law is a subset of civil law that allows individuals to seek recourse against others in the event of personal, physical, or financial injury.
Private law regulates the relationships among individuals, and between individuals and organizations; it encompasses family law, commercial law, and labor law. Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law (Whitman & Mattord, 2012). In the United States, the Computer Fraud and Abuse Act of 1986 (CFA Act, more commonly abbreviated CFAA) is the cornerstone of many computer-related federal laws and enforcement efforts (Nemati, 2008).
Regulations and Professional Organizations
It is the responsibility of information security professionals to understand the laws and regulations that apply to their organization and to ensure that the organization's security policies and procedures comply with them. It is the responsibility of every organization to exercise due care and due diligence in this regard (Whitman & Mattord, 2012). Security professionals are expected to be leaders in ethical workplace behavior and should follow a professional code of ethics, even though such codes are not legally binding. Some professional organizations publish codes of conduct, but, unlike the licensing bodies of professions such as law or medicine, they do not have the authority to bar violators from professional practice. Codes of ethics can nonetheless have a positive effect on an individual's judgment regarding computer use. Examples of such professional organizations include the SANS Institute (System Administration, Networking and Security Institute), the Information Systems Security Association (ISSA), and the International Information Systems Security Certification Consortium ((ISC)²) (Nemati, 2008).
International Laws and Legal Bodies
Many domestic laws and customs do not apply to international trade, which is governed by international treaties and trade agreements. Because of the political complexities of the relationships among nations and the cultural differences between them, there are currently few international laws relating to privacy and information security. The Council of Europe drafted the Convention on Cybercrime (often called the Budapest Convention, and referred to by Whitman & Mattord as the European Council Cyber-Crime Convention), which empowers an international task force to oversee a range of Internet security functions and seeks to harmonize technology laws across international borders. It also attempts to improve the effectiveness of international investigations into breaches of technology law.
References
Kizza, J. M. (2007). Computer network security and cyber ethics. Jefferson, NC: McFarland & Company, Inc.
Nemati, H. (2008). Information security and ethics: Concepts, methodologies, tools, and applications. Hershey, PA: Information Science Reference.
Whitman, M. E., & Mattord, H. J. (2012). Principles of information security (4th ed.). Boston, MA: Course Technology.