Chapter 11
Law and Ethics
Chapter Overview
Chapter 11 covers the topics of law and ethics. In this chapter readers will learn to identify major national and international laws that relate to the practice of information security as well as come to understand the role of culture as it applies to ethics in information security.
Chapter Objectives
When you complete this chapter, you will be able to:
Differentiate between law and ethics
Identify major national and international laws that relate to the practice of information security
Understand the role of culture as it applies to ethics in information security
Access current information on laws, regulations, and relevant professional organizations
Set-up Notes
This chapter could be completed in a single class session, if there is sufficient time to cover the material. Unless the students have not had the opportunity to read the material in advance (in some settings, the textbooks are not made available until the first class meeting), it may be prudent to have a general discussion of the topic, with detailed lecture to follow at the next class meeting. The subject matter can be covered in 1.25 to 2.5 hours.
Lecture Notes and Teaching Tips with Quick Quizzes
Introduction
As a future information security professional, it is vital that you understand the scope of an organization’s legal and ethical responsibilities.
To minimize the organization’s liabilities the information security practitioner must understand the current legal environment and keep apprised of new laws, regulations, and ethical issues as they emerge.
By educating employees and management about their legal and ethical obligations and the proper use of information technology and information security, security professionals can keep an organization focused on its primary objectives.
Law and Ethics in Information Security
Laws are rules adopted and enforced by governments to codify expected behavior in modern society.
The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not.
Ethics are based on cultural mores: relatively fixed moral attitudes or customs of a societal group.

Quick Quiz
1. What should an information security practitioner do that can minimize the organization’s legal liabilities? ANSWER: To minimize the organization’s liabilities the information security practitioner must understand the current legal environment and keep apprised of new laws, regulations, and ethical issues as they emerge.
2. What are the major differences between law and ethics? ANSWER: The law carries the sanction of a governing authority and ethics do not. Ethics are also based on cultural mores: relatively fixed moral attitudes or customs of a societal group.

The Legal Environment
The information security professional and managers involved in information security must possess a rudimentary grasp of the legal framework within which their organizations operate.
This legal environment can influence the organization to a greater or lesser extent depending on the nature of the organization and the scale on which it operates.
Types of Law
Civil law embodies a wide variety of laws pertaining to relationships between and among individuals and organizations.
Criminal law addresses violations harmful to society and is actively enforced and prosecuted by the state.
Tort law is a subset of civil law which allows individuals to seek recourse against others in the event of personal, physical, or financial injury.
Private law regulates the relationships among individuals and among individuals and organizations, and encompasses family law, commercial law, and labor law.
Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
Public law includes criminal, administrative, and constitutional law.
Relevant U.S. Laws
Table 11-1 summarizes the U.S.