What are some things you can do to prevent identity theft? What actions would you take if you suspect that you are a victim of identity theft? Your journal entry must be at least 200 words in length. No references or citations are necessary.
Course Textbook(s) Whitman, M. E., & Mattord, H. J. (2022). Principles of information security (7th ed.). Cengage Learning. https://online.vitalsource.com/#/books/9780357506561
SEC 3301, Security Application Development 1
Course Learning Outcomes for Unit IV

Upon completion of this unit, students should be able to:

5. Analyze the information technology (IT) physical security considerations for an organization.
5.1 Explain legal considerations and regulations regarding information security positions.
5.2 Describe the common information security roles and job availability in the global market.
5.3 Summarize one certification for information security professionals.
Required Unit Resources

Module 6: Legal, Ethical, and Professional Issues in Information Security
Module 7: Security and Personnel

Unit Lesson

Today, we have a plethora of information system components consisting of hardware, software applications, and mobile devices. These information system components are found in every home, school, business, and corporation in the global environment. The use of information system components by end users is governed differently from one country to another. This governance is encapsulated through strict laws, regulations, and ethics that are controlled by each country.

Within the United States, there are many laws and regulations to which the end user, as well as the organization as a whole, must adhere. Additionally, each regulatory law is written to be specific to a particular kind of organization. For example, the Health Insurance Portability and Accountability Act (HIPAA) was developed for health care facilities only, whereas the Family Educational Rights and Privacy Act (FERPA) was created for academic colleges and universities. HIPAA will not work in an academic college environment, and FERPA will not work within a health care facility. It is important for all security professionals to know which regulatory law applies to a given organization in order to successfully protect the information assets of that organization.

As a security professional, you are responsible for all aspects of the security of the information system components. This also means each of you needs to know the laws, regulations, and policies that affect not just those information system components but also the personnel inside and outside the organization. Therefore, we need to distinguish between policies and laws. Simply put, policies are guidelines or outlines that help determine what organizations or governments are going to do or not do. Policies can, in effect, lead to new laws.

On the other hand, laws are standards, procedures, and principles that must be followed in our culture. Laws equate to the implementation of justice. According to Whitman and Mattord (2022), policies fall within five areas, which are listed below.

• Dissemination: The policy is available for review by all employees.
• Review: The policy is readable by all employees, including those with disabilities and non-native English speakers.
• Comprehension: Employees understand what is stated in the policy and its content. This can be verified through simple quizzes or similar tests.
• Compliance: All employees must affirm that they agree to comply with the policy. This can be done through several means such as log-on banners or signed documents.
• Uniform enforcement: The policy applies to all employees, no matter what their status or job position.
UNIT IV STUDY GUIDE Laws, Ethics, Professional and Personnel in Information Security

For the policy criteria to be enforceable and for the organization to be able to reprimand employees, all of the criteria above must be met. For example, if the policy is not readable by an individual who has a reading impairment and that individual violated the policy, then the policy cannot be enforced to penalize the individual.

There are many types of laws; however, two broad categories of law are binding on states, organizations, and especially individuals. These two categories are distinguished by the elements listed below (Whitman & Mattord, 2022).
• Civil law: This law is the association between individuals and organizations. This law includes family, employment, contract, and tort law. Damages within this law are heard in civil court and are not brought by the state.
• Criminal law: Violations against society are punishable and prosecuted by the state. This law includes personal and property damage, traffic law, as well as public order. It is the obligation of the state to seek retribution for the plaintiff or injured party.
Note that private law concentrates on individual relations and public law focuses on the governance of regulatory agencies. Within the paradigm of information security, there are certain laws that are specific to those who work and live within the United States, which provide the protection of sensitive information and the privacy of information. Examples of these laws are mentioned below (Whitman & Mattord, 2022).
• Computer Fraud and Abuse Act (CFAA): This federal act is an anti-hacking statute that prevents unauthorized access to computers and networks.
• Computer Security Act (CSA): This act provides for the improvement of the security and privacy of sensitive information in federal computer systems.
• Federal Information Security Management Act (FISMA): The act provides a compliance mechanism that requires annual reviews and/or audits of information security programs so that risks are reduced or eliminated to specified levels in a cost-effective, timely, and efficient manner.
• Federal Privacy Act (FPA): The FPA provides a code in reference to the fair information practices that govern the maintenance, collection, and use to include the dissemination of individuals’ information, which is maintained in records by the federal agencies.
• Electronic Communications Privacy Act (ECPA): This act is a statute that prohibits any third party from the interception and/or disclosing of communications without proper authorization. This act was formerly the Wiretap Act of 1968.
• HIPAA: This important act provides regulations for the use and disclosure of an individual’s health information.
There are many laws, acts, and regulations that cover the security of information. Table 3-1 within Module 3 of the course textbook provides a summary of information security laws that are too numerous to be mentioned here in this lesson. Within the past decade, there is one important privacy law topic that has received a lot of media attention: laws involving identity theft. Identity theft laws in most states make it a serious crime to misuse another individual’s identity information for monetary gain or personal use. The theft of the victim’s personally identifiable information (PII) is essentially purchasing goods and/or services using the identity of the victim (Whitman & Mattord, 2022).

The security professional is a unique class in their own right because of the highly sensitive information and data with which the individual has been entrusted. Not only must the security professional embrace the security aspects of safeguarding sensitive information, but they must engrain ethics as a part of their security culture. There are several professional associations that provide codes of conduct regarding ethics. Some of these organizations include the Association for Computing Machinery (ACM), Information Systems Security Association (ISSA), Information Systems Audit and Control Association (ISACA), and International Information System Security Certification Consortium (ISC). The last two associations are also certification agencies and work with ethics for their members (Whitman & Mattord, 2022).

Ethics vary from country to country, and a variety of social classes within cultures have dissimilar attitudes toward the ethics paradigm. This is because ethics is the socially acceptable behavior for a given country and social class. Therefore, education is a must for all cultures and different social classes to ensure that information security is protected. Without education, there will be a stigma of unethical behavior by the end users. Whitman and Mattord (2022) provide three general reasons for unethical and illegal behavior, as noted below.
• Ignorance: One does not follow policy and procedures in reference to the protection of information security. Education, training, and awareness programs must be put in place to avoid ignorance by end users.
• Accident: End users of certain sensitive privileges to computer systems could accidentally harm sensitive data. Only those end users who absolutely have the need-to-know basis should be granted access to sensitive information or data.
• Intent: This is an intentional criminal act or the unethical result of penetrating the information system to access sensitive information. There must be protection controls that help prevent and monitor threats to the systems and a means of punishment or litigation for violators.
There are several federal agencies that assist in the protection of our nation’s sensitive information, data, and resources. These agencies also conduct investigations from threats or attacks on our information, data, and resources. A few of these agencies are mentioned below (Whitman & Mattord, 2022).
• Department of Homeland Security (DHS): The agency was formed in the wake of September 11, 2001, and its sole mission is to protect the people who live within the United States from physical and information harm.
• U.S. Computer Emergency Readiness Team (US-CERT): This is a part of DHS’s National Cybersecurity and Communications Integration Center (NCCIC) and provides incident reporting on attacks on the information security systems.
• U.S. Secret Service: Now a part of DHS, the Secret Service's general mission is protective services for high-ranking U.S. government officials. In addition, the Secret Service has the added mission of protecting the monetary assets, stocks, and other important financial transactions that have a direct effect on infrastructure networks and data.
• Federal Bureau of Investigation (FBI): This agency investigates cybercrimes as well as many other crimes to help assist in the prosecution of criminals under federal law.
• National Security Agency (NSA): The primary mission is to monitor signal intelligence and information assurance. The Information Assurance Directorate provides solutions and strategic guidance in reference to information systems infrastructure. NSA also sponsors the National Information Assurance (IA) Education and Training Program (NIETP).
If you recall from the last unit lesson on physical security, people are a part of this paradigm of physical security access. This is also true with project planning for staffing needs. Employees must be categorized by position and function within the organization. One important position is the chief information security officer (CISO), who reports to the chief information officer (CIO). The main function of the CISO is to monitor the information technology (IT) security requirements. In other words, the CISO is the auditor of the organization and ensures that all security assets are in place and that vulnerabilities and weaknesses are identified. In some organizations, the CIO and CISO are one and the same in order to avoid conflicts of interest as well as conflicts that stem from one having to report to the other. Recent changes have moved the reporting of the CIO and CISO to the chief operating officer (COO) or even to the chief financial officer (CFO) to eliminate contradictions between the CIO and CISO (Whitman & Mattord, 2022).

Today, there is still a shortage of skilled information security professionals. The biggest shortage will be those seeking jobs as security analysts, which is shown in the Bureau of Labor Statistics image in Module 7 of the textbook. As mentioned by Whitman and Mattord (2022), the majority of information security professionals enter the security field either from military service or law enforcement; however, there are also college graduates who enter information or cybersecurity positions. Private industry often sponsors and supports employees who show an interest in the security profession. Information security positions include not only C-level positions but also information security managers, information security administrators, information analysts, information security engineers, physical security managers, and physical security officers, among others. These positions are the standard ones and do not represent the whole security profession.

Many organizations seek security professionals with certifications that are recognized by industry standards. Such certifications include the Certified Information Systems Security Professional (CISSP) for upper-management supervisors. The Systems Security Certified Practitioner (SSCP) and Certified Secure Software Lifecycle Professional (CSSLP) are less stringent than the CISSP but also require experience in the security field as well as testing for the certification. There are many security certifications, such as Security+ and many others, that security professionals may pursue depending on their area of expertise or area of interest. On-the-job training (OJT) is a part of the organization’s policy when new security employees are hired to work in the company’s security department. All levels of security professionals will receive OJT, as this is important to the security culture of the organization. Remember, no two organizations are the same (Whitman & Mattord, 2022).

Today, however, there are universities that offer security and cybersecurity certificates and degrees in information security. Although some organizations are looking for experienced security professionals, it is a welcome sight to see an individual who holds a degree in security, and the organization can mold such an individual into the organization’s security culture much more easily than an experienced security professional. For example, currently, the Department of Defense (DoD) seeks security professionals who hold degrees in information security and will provide additional training to supervise the different security departments. Security internships are also offered to selected security individuals as well as those who are commissioning as officers in the U.S. military. Be aware that most government and DoD contracts require that an individual who wants to work for these agencies must first pass a background investigation. The level, from secret to top-secret, will depend on your background investigation, position and/or title, and the need-to-know basis to work in certain projects or areas within information security.
Reference

Whitman, M. E., & Mattord, H. J. (2022). Principles of information security (7th ed.). Cengage Learning.

Suggested Unit Resources

In order to access the following resources, click the links below.

The following presentations will summarize and reinforce the information from Modules 6 and 7 in your textbook.

Module 6 PowerPoint presentation (PDF version of the Module 6 PowerPoint presentation)
Module 7 PowerPoint presentation (PDF version of the Module 7 PowerPoint presentation)

Your CSU Online Library has a wealth of media videos in the Films on Demand section concerning the topics in this unit. The following video will present evidence suggesting why businesses that behave in an ethical way are more successful. Organizations that have a code of ethics are often more efficient.

ClickView Pty Limited (Producer). (2015, September 10). Will a code of ethics make a difference? (Segment 1 of 6) [Video]. In Q&A: Ethical behavior. Films on Demand. https://libraryresources.columbiasouthern.edu/login?auth=CAS&url=https://fod.infobase.com/PortalPlaylists.aspx?wID=273866&xtid=94134&loid=373954

To view a transcript of this video, click on the “Transcript” tab near the top right corner of the page.
Learning Activities (Nongraded)

Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit them. If you have questions, contact your instructor for further guidance and information.

Research Online

Conducting your own research to further your learning and understanding can help you become a stronger student and can help you to see what areas interest you. Additionally, you may find resources that can help you complete your assignments. Consider searching the Academic OneFile database of the CSU Online Library using a combination of the following keywords and phrases: “security laws, HIPAA, FISMA, Patriot Act, ISSA, ISACA, and privacy laws,” “US-CERT,” “IT ethics and code of ethics,” and “security roles, IT jobs, and security jobs.”

Please note: When searching, remove the commas and capitalization, and use the top search box with "Subject" selected from the dropdown. Once the results generate, use these search options to refine the results: “Peer Reviewed Journals” and "Custom Date Range" between 2022 and the present to ensure that articles are scholarly and less than 5 years old. Then, select and read two articles.

Access the Academic OneFile database.

Check Your Knowledge

Answer the review questions for the Module 6 and Module 7 Review Questions and Exercises. These questions will help you assess whether or not you have mastered the unit content. Can you answer them without looking back in the textbook? After you have answered the questions and exercises, you can find out how well you did by checking the answers.

Answers for Module 6 Review Questions and Exercises
Answers for Module 7 Review Questions and Exercises