7639 Laws and Ethics in Information Security

Name: Javeria Mumtaz

Roll no: 7639

Assignment Topic: Laws and Ethics of InfoSec

Semester: 7th

Subject: Information Security

Submitted to: Mam Qudsia

Date: 18 December 2021

Laws
Rules that mandate or prohibit certain societal behavior.

Ethics
Define socially acceptable behavior.

Information Security Law

Information is an important tool for a successful organization, and information security law forms a key part of that equation. Information security law is the body of legal rules, codes and standards that requires you to protect that information, and the information systems that process it, from unauthorized access. The legal risks are potentially significant if you don't take a pragmatic approach.

Why is Information Security Law Important?

Securing information is about securing value. In the same way that we secure physical stores of value such as cash, gold or jewellery against theft, loss or destruction, we must do the same with digital stores of value, particularly information. We live in an information society, after all, where the creation, use and distribution of information is a significant economic, political and cultural activity. We are moving from the service economy into the information economy, which emphasizes informational activities that rely on information technologies such as computers, mobile devices and the internet. You wouldn't leave your house without locking the door or buy an expensive car without insuring it against theft, so why would you process information without securing it?

How should you apply Information Security Law?

We suggest a pragmatic approach to information security law. You should be proactive in how you deal
with information security law. You should base your approach on practical considerations, not just lofty
theories or ideas about what you must do to comply. How should you do this? Consider the following
example:

Should you encrypt your data? You have an on-premises server where you store transaction data related to your clients or customers, including their account numbers.

In this scenario, you should take the following steps:

- identify risks – identify all risks to the information, e.g. there is the very real risk of hackers stealing the account numbers
- identify safeguards – identify physical, digital, operational and administrative safeguards that reasonably address those risks, also considering any inherent characteristics of the personal information that make it riskier, e.g. encryption is a digital safeguard that is especially useful in preventing hackers from stealing personal information as important as account numbers
- create safeguards – actually create the safeguards for those risks, e.g. buy an encryption software solution and install it on the equipment where you store account numbers
- verify safeguards – check that those safeguards are working, e.g. ensure your software solution is always running by checking it manually or monitoring it automatically
- update safeguards – update those safeguards for any new risks, e.g. consider implementing operational safeguards such as training your staff if you find that the digital safeguards are not sufficient

What is reasonable depends on the following factors:

- risks – the existing and prospective risks to the information, e.g. there are great risks when the information involved includes account numbers
- technology – the most recent level of development of technology at a particular time, e.g. software encryption solutions are readily available, but will evolve and improve as time goes on, so you have to keep updating them
- costs – the costs of creating, checking and updating safeguards for those risks in terms of money, time and labour, e.g. software encryption solutions are cheap, quick and easy to implement

The moral of the story for this example is: encrypt your data! In the event of a data breach, regulatory authorities will not look upon you kindly if you failed to do so.

Ethics in Information Security

Ethics can be defined as a moral code by which a person lives. For corporations, ethics can
also include the framework you develop for what is or isn’t acceptable behavior within your
organization.

In computer security, cyber-ethics is what separates security personnel from the hackers.
It’s the knowledge of right and wrong, and the ability to adhere to ethical principles while on
the job.

Simply put, actions that are technically compliant may not be in the best interest of the
customer or the company, and security professionals need to be able to judge these
matters accordingly.

Why is ethics significant to information security?

The data targeted in cyber attacks is often personal and sensitive. Loss of that sensitive
data can be potentially devastating for your customers, and it’s crucial that you have the full
trust of the individuals you’ve hired to protect it. Cybersecurity professionals have access to
the sensitive personal data they were hired to protect. So it’s imperative that employees in
these fields have a strong sense of ethics and respect for the privacy of your customers.

The field of information technology also expands and shifts so frequently that a strong
ethical core is necessary to navigate it. It’s important that your staff can determine what’s in
the best interest of your customers and the company as a whole. Specific scenarios that
your employees might confront can sometimes be impossible to foresee, so a strong ethical
core can be the foundation that lets employees act in those best interests even in difficult,
unpredictable circumstances.

What are the ethical issues in cybersecurity?

Cybersecurity professionals need to know the same tricks used by their black hat
counterparts. This means that a programmer should know how to—and therefore, be able
to—copy credit card data, violate intellectual property agreements, steal trade secrets, and
infiltrate medical records. The safety of your customers’ data is in their hands, and it’s your
responsibility to recruit infosec staff who will not take advantage of their unique position
within your company.

How can I imbue my organization's culture with ethics?

- Company ethics begin at the top. C-suite employees and board members need to model ethical behavior. By setting this example, your high-level employees can ensure that staff members in all departments know what is expected of them.

- The penalties for moral breaches should be made known throughout your company, and enforced when ethical issues arise.

- A policy of openness and honesty with your investors and customers is also important. If something goes wrong—and sooner or later, something will—your organization should let affected parties know immediately, along with a detailed plan for mitigating the effects and ensuring it does not happen again.
