Law Assignment 2


Introduction

As a future information security professional, you must understand the scope of an organization's legal and ethical responsibilities. The information security professional plays an important role in an organization's approach to managing liability for privacy and security risks. In the modern litigious societies of the world, laws are sometimes enforced in civil courts, where large damages can be awarded to plaintiffs who bring suits against organizations. Sometimes these damages are punitive, assessed as a deterrent. To minimize liability and reduce risks from electronic and physical threats, and to reduce all losses from legal action, information security practitioners must thoroughly understand the current legal environment, stay current with laws and regulations, and watch for new and emerging issues. By educating the management and employees of an organization on their legal and ethical obligations and on the proper use of information technology and information security, security professionals can help keep an organization focused on its primary objectives. In the first part of this chapter, you learn about the legislation and regulations that affect the management of information in an organization. In the second part, you learn about the ethical issues related to information security, and about several professional organizations with established codes of ethics. Use this chapter both as a reference to the legal aspects of information security and as an aid in planning your professional career.

Abstract

Organizations rely heavily on the use of information technology (IT) products and services to run
their day-to-day activities. Ensuring the security of these products and services is of the utmost
importance for the success of the organization. This publication introduces the information
security principles that organizations may leverage to understand the information security needs
of their respective systems.
Keywords: assurance; computer security; information security; introduction; risk management; security controls; security requirements.

Importance of information security law:

Securing information is about securing value. In the same way that we secure physical stores of
value such as cash, gold, or jewelry against theft, loss, or destruction, we must do the same with
digital stores of value – particularly information. We live in an information society, after all,
where the creation, use, and distribution of information is a significant economic, political, and
cultural activity. We are moving from the service economy into the information economy, which
emphasizes informational activities that rely on information technologies such as computers,
mobile devices, and the Internet.

Applying Information Security Law to the Case Study:


We suggest a pragmatic approach to information security law. You should be proactive in how
you deal with information security law. You should base your approach on practical
considerations, not just lofty theories or ideas about what you must do to comply. How should
you do this?

In this case, you should take the following steps:

● Identify risks – identify all risks to the information, e.g. the very real risk of hackers stealing the account numbers.
● Identify safeguards – identify physical, digital, operational and administrative safeguards that reasonably address those risks, taking into account any inherent characteristics of the personal information that make it riskier, e.g. encryption is a digital safeguard that is especially useful in preventing hackers from making use of personal information as sensitive as account numbers.
● Create safeguards – actually put the safeguards in place, e.g. deploy an encryption solution on the equipment where you store account numbers.
● Verify safeguards – check that those safeguards are working, e.g. confirm that the encryption is always in force, either by checking it manually or by monitoring it automatically.
● Update safeguards – update those safeguards as new risks appear, e.g. add operational safeguards such as staff training if you find that the digital safeguards are not sufficient on their own.
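As an added example (not part of the original assignment), here is what the "verify safeguards" step looks like when it is automated for the account-number case: a Python check that scans stored records for account numbers sitting in plaintext even though policy says they must be encrypted or tokenised. The record layout, the `enc:`/`tok_` storage conventions and the sample records are assumptions made for this illustration; the Luhn check is used to tell real account numbers apart from other long digit runs so that the check does not raise needless alarms.

```python
"""Added example: automated 'verify safeguards' check for stored
account numbers. Illustration only; not code from the original page.
Assumptions: records are dicts; a protected account number must be
stored as ciphertext ('enc:' prefix) or a token ('tok_' prefix), never
as the raw number; the sample records below are constructed."""
import re
from dataclasses import dataclass

# Runs of 12-19 digits not adjacent to other digits (typical account /
# card number lengths).
DIGIT_RUN = re.compile(r"(?<!\d)\d{12,19}(?!\d)")

# Constructed sample store. Records 1 and 2 are stored correctly.
# Record 3 holds a plaintext number: the failure this check must catch.
# Record 4 has a digit run in a free-text field that is NOT Luhn-valid
# (a reference number), so it must not be reported.
SAMPLE_RECORDS = [
    {"id": 1, "account_number": "enc:v1:Zm9vYmFyYmF6cXV4", "note": "ok"},
    {"id": 2, "account_number": "tok_8f1c2a", "note": "ok"},
    {"id": 3, "account_number": "4539578763621486", "note": "migrated"},
    {"id": 4, "account_number": "tok_77", "note": "ref 1234567890123456"},
]


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(number: str) -> str:
    """Keep only the last four digits so the report itself does not leak."""
    return "*" * (len(number) - 4) + number[-4:]


@dataclass
class Finding:
    record_id: int
    field: str
    masked: str


def scan_records(records) -> list:
    """Return a Finding for every field that contains a plaintext account
    number. Every string field is scanned, not only 'account_number',
    because numbers leak into notes and descriptions too."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            for m in DIGIT_RUN.finditer(value):
                if luhn_valid(m.group()):
                    findings.append(Finding(rec["id"], field, mask(m.group())))
    return findings


def safeguard_verified(records) -> bool:
    """The check a monitoring job would run: True only if nothing is in plaintext."""
    return not scan_records(records)


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"record {f.record_id} field {f.field!r}: plaintext account number {f.masked}")
    print("safeguard verified:", safeguard_verified(SAMPLE_RECORDS))
```

Run as a scheduled job, `safeguard_verified` returning False is the signal that the encryption safeguard has stopped working (for example, a migration script bypassed it), which is exactly the condition the "verify" step is meant to catch before an attacker does.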

What should she do?

● Taken together, these two sections support the privacy and confidentiality owed to Ms. Lim's client. They are integrally related, but the privacy principle is the most explicit here. The Guidelines of the Code say that computer professionals are obligated to preserve the integrity of data about individuals "from unauthorized access or accidental disclosure to inappropriate individuals."
● As stated, the Code also specifies that organizational leaders have obligations to verify that systems are "designed and implemented to protect personal privacy and enhance personal dignity", and to assess the needs of all those affected by a system.

● The company officials have an obligation to protect the privacy of their employees, and therefore should not accept inadequate security. Ms. Lim's first obligation is to attempt to educate the company officials, which is implied by the imperative to promote "public understanding of computing and its consequences." If that fails, Ms. Lim needs to consider her contractual obligations, as noted under the imperative on honoring assigned responsibilities. She may have to choose between her contract and her obligation to honor privacy and confidentiality, depending on the terms of the contract in the business she dealt with.

Ethical issues

1. Computer Waste and Mistakes


a) Computer Waste - Inappropriate use of computer technology and resources.
● Mismanagement of Information Systems and resources.
● Computer games on company time.
● Internet overuse (from Solitaire to surfing the net).
● Unimportant email (spam).

b) Computer Mistakes – refers to errors, failures and other computer problems that make
computer outputs incorrect or not useful.
● Data-entry or capture errors.
● Errors in computer programs.
● Errors in handling files.
● Mishandling of computer output.
● Inadequate planning for, and control of, equipment malfunctions.
● Inadequate planning for control of environmental difficulties (electrical problems, humidity problems, etc.).
● Installing computing capacity inadequate for the level of activity.
● Failure to provide access to the most current information.

2. Computer Crime
a. The computer as a tool to commit crime
● Gaining access to information
b. The computer as the object of crime
● Illegal access and use
● Data alteration and destruction
● Information and equipment theft
● Software and Internet piracy
● Computer scams
● International computer crime
c. Hacker
● A person who enjoys computer technology and spends (often a great deal of) their own time learning, using and playing with computer systems.
● Also used for a person who uses a computer to break into systems and access data without authorization.
d. Cracker (criminal hacker) – always criminal
● A computer-savvy person who attempts to gain unauthorized or illegal access to computer systems.
e. Data Alteration
● The intentional use of illegal and destructive programs to alter or destroy data.

f. Virus
● A program that attaches itself to other programs. A virus cannot run by itself, but infects other programs. The simplest virus only reproduces itself. Anything more is called the payload, which can be anything from a cute message ("Hi, you are infected (:-o)") to erasing your hard drive. Really destructive payloads are rare, because a virus that destroys its host tends to kill itself off before it can spread widely.
g. Worm
● An independent program that replicates itself from system to system, consuming resources until it damages other systems and programs or disrupts the operation of networks and computers.
h. Trojan
● A program which appears to do one thing but has a destructive payload hidden
inside
▪ Example: an old Trojan started to draw a photo of a woman, head and
legs first; before it reached the middle, it had erased the hard drive
▪ Example: a program that appears to be the usual network logon, but is
actually emailing usernames and passwords to a cracker
i. Application Viruses
● Infects executable application files such as word processing.
j. System Virus
● Typically infects operating systems programs or other system files.
k. Logic Bomb
● An application or system virus designed to “explode” or execute at a specified
time and date.
l. Macro Virus
● Uses an application's own macro programming language to distribute itself. Very easy to write, so it is the most common kind of virus. A recent payload mails copies of the infected document from the recipient's machine to everyone the recipient has recently sent email to, so the message appears to come from the recipient.
m. Password Sniffer
● A small program hidden in a network or a computer system that records identification numbers and passwords.

Recommendations on Solving the Ethical Issues:

● Preventing Computer Related Waste and Mistakes


● Policies to minimize waste and mistakes:
● Changes to critical tables should be tightly controlled, with all changes authorized by responsible owners and documented.
● A user manual should be available that covers operating procedures and documents the management and control of the application.
● Each system report should indicate its general content in its title and specify the time period it covers.
● The system should have controls to prevent invalid and unreasonable data entry.
● Controls should exist to ensure that data input is valid, applicable and posted in the right time period.
● Users should implement proper procedures to ensure correct input data.
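The last three policies above are input controls, and the point of them is that a bad entry is rejected with a named reason rather than silently accepted or silently "fixed". As an added example (not part of the original assignment), the Python below applies such controls to a transaction entry. The field names, the 10-digit account format, the amount limit and the open posting period are hypothetical values chosen for the illustration, and the sample entries are constructed.

```python
"""Added example: input controls at a data-entry step. Illustration
only; not code from the original page. It assumes a transaction entry
with the four fields below, a 10-digit account identifier, a
hypothetical amount limit and an open posting period; the sample
entries are constructed."""
from datetime import date
from decimal import Decimal, InvalidOperation

# Hypothetical policy values.
MAX_AMOUNT = Decimal("1000000.00")
OPEN_PERIOD = (date(2024, 3, 1), date(2024, 3, 31))
TODAY = date(2024, 3, 20)   # fixed so the example is reproducible
REQUIRED = ("account", "amount", "posted_on", "description")


def validate_entry(entry: dict, period=OPEN_PERIOD, today=TODAY) -> list:
    """Return the list of control violations; an empty list means accept.
    Every check names the field and the rule so the rejection is
    explicit and can be written to the audit trail."""
    errors = []

    # 1. Required fields: missing values are rejected, never defaulted.
    for field in REQUIRED:
        if not str(entry.get(field, "")).strip():
            errors.append(f"{field}: required")

    # 2. Account identifier: digits only, exact length, no normalisation.
    account = str(entry.get("account", ""))
    if account and not (account.isdigit() and len(account) == 10):
        errors.append("account: must be exactly 10 digits")

    # 3. Amount: parsed as Decimal (never float), positive, within the
    #    limit, and with at most two decimal places.
    raw_amount = str(entry.get("amount", "")).strip()
    if raw_amount:
        try:
            amount = Decimal(raw_amount)
            if amount.is_nan():
                raise InvalidOperation
            if amount <= 0:
                errors.append("amount: must be positive")
            elif amount > MAX_AMOUNT:
                errors.append("amount: exceeds limit")
            elif amount != amount.quantize(Decimal("0.01")):
                errors.append("amount: more than two decimal places")
        except InvalidOperation:
            errors.append("amount: not a number")

    # 4. Posting date: must parse, fall inside the open period and not
    #    be in the future.
    raw_date = str(entry.get("posted_on", "")).strip()
    if raw_date:
        try:
            posted = date.fromisoformat(raw_date)
        except ValueError:
            errors.append("posted_on: not an ISO date")
        else:
            if not (period[0] <= posted <= period[1]):
                errors.append("posted_on: outside open posting period")
            if posted > today:
                errors.append("posted_on: in the future")

    return errors


# Constructed sample entries: one clean, one with several defects.
GOOD_ENTRY = {"account": "1234567890", "amount": "250.00",
              "posted_on": "2024-03-15", "description": "Invoice 42"}
BAD_ENTRY = {"account": "12AB", "amount": "-5",
             "posted_on": "2024-05-01", "description": ""}


def check_samples() -> tuple:
    """Run both constructed entries through the controls."""
    return validate_entry(GOOD_ENTRY), validate_entry(BAD_ENTRY)


if __name__ == "__main__":
    good, bad = check_samples()
    print("good entry:", good or "accepted")
    print("bad entry:", bad)
```

Two design choices matter here: amounts are parsed as `Decimal`, because a float would quietly alter values such as 0.1, and every rejection is a specific string rather than a bare "invalid", so the operator can correct the right field and the audit log records which control fired.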

● Preventing Computer-Related Crimes


○ Crime Prevention by Corporations
● Guidelines to protect your computers from criminal hackers:
● Install strong user authentication and encryption capabilities on your firewall
● Install the latest security patches
● Disable guest accounts and null user accounts
● Turn audit trails on
● Consider installing caller ID
● Install a corporate firewall between your corporate network and the Internet
■ Using Intrusion Detection Software:
● Intrusion detection system (IDS):
● Monitors system and network resources
● Notifies network security personnel when it senses a possible intrusion
● Can produce false alarms
■ Security Dashboard
● Provides comprehensive display on a single computer screen
of:
● All the vital data related to an organization’s security defenses,
including threats, exposures, policy compliance, and incident
alerts
■ Using managed security service providers (MSSPs):
● Many organizations are outsourcing their network security operations to managed security service providers (MSSPs) such as Counterpane, Guardent, IBM, Riptech, and Symantec
■ Guarding against theft of equipment and data:
● Organizations need to take strong measures to guard against
the theft of computer hardware and the data stored on it
○ Crime Prevention for Individuals and Employees
■ Identity theft:
● To protect yourself, regularly check credit reports with major
credit bureaus
■ Malware attacks:
● Antivirus programs run in the background to protect your computer
● Many e-mail services and ISPs offer free antivirus protection
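The IDS bullets above (monitor, notify, false alarms) are easier to judge with the detection logic in front of you. As an added example (not part of the original assignment), the Python below runs a brute-force login rule over constructed sshd log lines: a source address that accumulates a threshold of failed logins inside a sliding window raises an alert. The log lines, the year assumed for the timestamps and the threshold and window values are all assumptions made for this illustration; the last function shows why an IDS "can produce false alarms" and why the threshold has to be tuned.

```python
"""Added example: the detection core of a simple intrusion detection
rule, run over constructed sshd log lines. Illustration only; not code
from the original page. Assumptions: syslog-style sshd 'Failed password'
lines, year 2024 for timestamps, and the threshold/window values below."""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5   # failed logins from one source address ...
WINDOW = 60     # ... within this many seconds raise an alert

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log. 10.0.0.7 is a user mistyping a password twice
# and then succeeding; 203.0.113.9 is a username-guessing run.
SAMPLE_LOG = """\
Mar 10 09:00:01 bastion sshd[1201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar 10 09:00:05 bastion sshd[1202]: Failed password for bob from 10.0.0.7 port 51030 ssh2
Mar 10 09:00:09 bastion sshd[1203]: Failed password for bob from 10.0.0.7 port 51031 ssh2
Mar 10 09:00:12 bastion sshd[1204]: Accepted password for bob from 10.0.0.7 port 51032 ssh2
Mar 10 09:01:00 bastion sshd[1210]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Mar 10 09:01:03 bastion sshd[1211]: Failed password for invalid user root from 203.0.113.9 port 40002 ssh2
Mar 10 09:01:06 bastion sshd[1212]: Failed password for invalid user test from 203.0.113.9 port 40003 ssh2
Mar 10 09:01:09 bastion sshd[1213]: Failed password for invalid user oracle from 203.0.113.9 port 40004 ssh2
Mar 10 09:01:12 bastion sshd[1214]: Failed password for invalid user guest from 203.0.113.9 port 40005 ssh2
"""


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year, so one is assumed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text: str, threshold=THRESHOLD, window=WINDOW) -> list:
    """Return one (src, distinct_users, first_ts, last_ts) tuple per source
    that reaches `threshold` failures inside a sliding `window`. Lines that
    are not failed logins are ignored; each source alerts at most once."""
    recent = defaultdict(deque)      # src -> deque of (timestamp, user)
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, user = parse_ts(m["ts"]), m["src"], m["user"]
        q = recent[src]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window:   # drop stale failures
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, len({u for _, u in q}), q[0][0], ts))
    return alerts


def sources_by_threshold(log_text: str, thresholds=(2, 3, 5)) -> dict:
    """Tuning view: which sources trip the rule at each threshold. At a
    threshold of 2 the mistyping user (10.0.0.7) is a false alarm."""
    return {t: [a[0] for a in detect_bruteforce(log_text, threshold=t)]
            for t in thresholds}


if __name__ == "__main__":
    for src, users, first, last in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {src}: {users} usernames tried, {first:%H:%M:%S}-{last:%H:%M:%S}")
    print(sources_by_threshold(SAMPLE_LOG))
```

The sliding window is what keeps a slow trickle of failures over a whole day from accumulating into an alert, and the per-source "alert once" set is what keeps one attacker from flooding the analyst with a notification per attempt; both are the kind of tuning the "false alarms" bullet is pointing at.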

Legislative implications (e.g. the Personal Data Protection Act of Malaysia)

● Privacy Rights

The right to privacy as a fundamental human right is recognized by the laws of most countries as an underlying value to be safeguarded. Where countries' laws differ is in the manner in which this right is upheld. In the countries that follow the English common law (Malaysia being one), the courts are unwilling to formulate a general principle of "invasion of privacy"; instead they rely on various case law and statutes to uphold the privacy right of a person.

● Is Privacy Law recognized in Malaysia?

In Malaysia, the courts are generally unwilling to accept that there is a general principle of invasion of privacy. However, there have been occasions where the courts did find that a person's privacy had been intruded upon, especially where there is a case for breach of confidence (e.g., the doctor-patient relationship).

● How are Privacy Rights protected?

There are various laws that a person can rely on to protect his or her privacy. For example, if there is a pre-existing relationship (contractual or professional) between the victim and the perpetrator, the perpetrator, by divulging certain private information about the victim, may be liable for breach of confidence. If another person is making baseless accusations against you to a third party, you may also have an action in defamation. Misuse of another person's personal details may also be a criminal offence in Malaysia under a newer piece of legislation, the Personal Data Protection Act 2010 (PDPA).

● What does the Personal Data Protection Act 2010 protect?

The PDPA protects personal data from being misused. Personal data is defined as any information collected or processed in connection with a commercial transaction by equipment operating automatically (e.g., ATMs, computers) that is capable of identifying a person (the data subject). This definition includes information such as names, addresses, identification card and passport numbers, email addresses, telephone numbers, and banking details.

● What duty does the PDPA impose on data users?

The PDPA prohibits data users from collecting and processing a data subject's personal data without his or her consent. The Act also prohibits data users from disclosing the data, or making it available, to any third party without the consent of the data subjects. It requires data users to inform data subjects of the purpose of the data collection, the class of third parties who may have access to the data, and the choices that data subjects have over how the data is to be used.

The Act also imposes a duty on data users to put in place adequate security and integrity measures to prevent the theft, misuse, unauthorized access, accidental disclosure, alteration or destruction of data under their care. The Act also provides for the rights of data subjects to access, modify and update their personal data.

● Are there any exceptions to the PDPA?

Yes. The PDPA does not apply to credit reporting businesses, or to data collected or processed for the prevention or detection of crime, for the purpose of preparing statistics or research, in accordance with a court order, or for the purpose of discharging regulatory functions. The Act also does not apply to personal data that is processed outside of Malaysia.

Conclusion

Information security is a complex subject, whose understanding requires knowledge and expertise from multiple disciplines, including but not limited to computer science and information technology, psychology, economics, organizational behavior, political science, engineering, sociology, decision sciences, international relations, and law. In practice, although technical measures are an important element, information security is not primarily a technical matter, even though it is easy for policy analysts and others to get lost in the technical details. Furthermore, what is known about information security is often compartmented along disciplinary lines, reducing the insights available from cross-fertilization.

Information security is crucial to an organization. All information stored by the organization should be kept secure. Information security can be defined as the protection of data from threats such as malicious software and unauthorized access. Information security is important to an organization because it protects confidential information, enables the organization to function, enables the safe operation of applications implemented on the organization's information technology systems, and protects information as an organizational asset. Even though information is important to an organization, there are several challenges in protecting and managing it. One challenge faced by organizations is a lack of understanding of the importance of information security. When employees lack information security knowledge about keeping their information safe, the organization becomes an easy target for hackers and other threats that try to steal the organization's confidential information. So it is crucial that all staff in an organization have knowledge and understanding of the importance of information security practice in order to protect confidential data.
