Chapter 5 – Compliance, Ethical and Professional Issues in Cybersecurity
Technologies are not ethically ‘neutral’, for they reflect the values that we ‘bake in’ to them with our design choices, as well as the values which guide our distribution and use of them. Technologies both reveal and shape what humans value, what we think is ‘good’ in life and worth seeking. Cybersecurity practices have as their aim the securing—that is, the keeping safe—of data, computer systems and networks (software and hardware). While those data, systems, and networks might have some economic or other value in and of themselves, what cybersecurity practices primarily protect are the integrity, functionality, and reliability of human institutions/practices that rely upon such data, systems, and networks.
No single, detailed code of cybersecurity ethics can be fitted to all contexts and practitioners; organizations and professions should, therefore, be encouraged to develop explicit internal policies, procedures, guidelines and best practices for cybersecurity ethics that are specifically adapted to their own activities and challenges.
A cybersecurity regulation comprises directives that safeguard information technology and computer systems by requiring companies and organizations to protect their systems and information from cyberattacks such as viruses, worms, Trojan horses, phishing, denial of service (DoS) attacks, unauthorized access (theft of intellectual property or confidential information) and control system attacks. There are numerous measures available to prevent cyberattacks.
There have been attempts to improve cybersecurity through regulation, and through collaborative efforts between government and the private sector to encourage voluntary improvements. Industry regulators, including banking regulators, have taken notice of cybersecurity risk and have either begun, or plan to begin, including cybersecurity as an aspect of regulatory examinations.
By the end of this module, you will learn:
- Overview of Cyber Security Regulations and Compliances needed globally and in the EU.
- Overview of Ethical Issues in Cyber Security
- Some Suggested Best Practices
Overview of Cyber Security Regulations and Compliances needed globally and in the EU
In general, compliance is defined as following rules and meeting requirements. In cybersecurity, compliance means creating a program that establishes risk-based controls to protect the integrity, confidentiality, and availability of information that is stored, processed, or transferred. However, cybersecurity compliance is not based on a single stand-alone standard or regulation. Depending on the industry, different standards may overlap, which can create confusion and excess work for organizations using a checklist-based approach. For example, the healthcare industry needs to meet Health Insurance Portability and Accountability Act (HIPAA) compliance requirements, but if a provider also accepts payments through a point-of-sale (POS) device, then it also needs to meet Payment Card Industry Data Security Standard (PCI DSS) requirements. It is not unusual for companies to have to comply with multiple regulations at once, which makes staying compliant even more of a struggle. These include, but are not limited to:
- NIST (National Institute of Standards and Technology)
- CIS Controls (Center for Internet Security Controls)
- ISO (International Organization for Standardization)
- HIPAA (Health Insurance Portability and Accountability Act) / HITECH Omnibus Rule
- PCI-DSS (The Payment Card Industry Data Security Standard)
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- AICPA (American Institute of Certified Public Accountants)
- SOX (Sarbanes-Oxley Act)
- COBIT (Control Objectives for Information and Related Technologies)
- GLBA (Gramm-Leach-Bliley Act)
- FISMA (Federal Information Security Modernization Act of 2014)
- FedRAMP (The Federal Risk and Authorization Management Program)
- FERPA (The Family Educational Rights and Privacy Act of 1974)
- ITAR (International Traffic in Arms Regulations)
- COPPA (Children’s Online Privacy Protection Rule)
- NERC CIP Standards (NERC Critical Infrastructure Protection Standards)
Of course, it’s critically important to comply with regulatory requirements. Businesses need to follow the state, federal, and international laws and regulations that are relevant to their operations. Failure to comply opens you up to potential lawsuits and financial liability, not to mention broken trust with clients, partners and others. However, it’s expensive, complex and requires the right expertise just to stay on top of existing standards, let alone embrace new ones. The result is that companies often focus on meeting the minimum requirements instead of implementing proper cybersecurity policies; in today’s environment, where attackers are always one step ahead of defenses, that is a dangerous trade-off.
To observe best practices, and to meet with technical and other requirements, organizations often use frameworks for cybersecurity compliance and regulatory compliance. These frameworks provide best practices and guidelines to assist in improving security, optimizing business processes, meeting regulatory requirements, and performing other tasks necessary to achieve specific business objectives such as breaking into a market niche or selling to government agencies.
Regulatory compliance regimes usually set out highly specific and often stringent requirements for organizations and industry sectors to follow, to meet established standards, and to comply with existing laws. These requirements may be numerous and complex – so frameworks designed to assist in meeting compliance demands are a welcome addition to the resource and knowledge base of most enterprises. Some typical examples include the following:
The Act | What it Regulates | Company Affected |
NIST | This framework was created to provide a customizable guide on how to manage and reduce cybersecurity-related risk by combining existing standards, guidelines, and best practices. It also helps foster communication between internal and external stakeholders by creating a common risk language between different industries. | This is a voluntary framework that can be implemented by any organization that wants to reduce its overall risk. |
CIS Controls | Protect your organization’s assets and data from known cyber attack vectors. | Companies that are looking to strengthen security in the internet of things (IoT). |
ISO 27000 Family | This family of standards provides security requirements around the maintenance of information security management systems (ISMS) through the implementation of security controls. | These standards are broad and can fit a wide range of businesses. All businesses can use this family of standards to assess their cybersecurity practices. |
ISO 31000 Family | This set of standards governs principles of implementation and risk management. | These standards are broad and can fit a wide range of businesses. All businesses can use this family of standards to assess their cybersecurity practices. |
HIPAA / HITECH | This act is a two-part bill. Title I protects the healthcare of people who are transitioning between jobs or are laid off. Title II is meant to simplify the healthcare process by shifting to electronic data. It also protects the privacy of individual patients. This was further expanded through the HITECH / Omnibus Rule. | Any organization that handles healthcare data. That includes, but is not limited to, doctors’ offices, hospitals, insurance companies, business associates, and employers. |
PCI-DSS | A set of 12 requirements designed to reduce fraud and protect customer credit card information. | Companies handling credit card information. |
GDPR | This regulates the data protection and privacy of citizens of the European Union. | Any company doing business in the European Union or handling the data of a citizen of the European Union. |
CCPA | Privacy rights and consumer protection for the residents of California. | Any business, including any for-profit entity, that does business in California and collects consumers’ personal data. |
AICPA SOC 2 | The security, availability, processing integrity, and privacy of systems processing user data and the confidentiality of these systems. | Service organizations that process user data. |
SOX | This act requires companies to maintain financial records for up to seven years. It was implemented to prevent another Enron scandal. | U.S. public company boards, management, and public accounting firms. |
COBIT | This framework was developed to help organizations manage information and technology governance by linking business and IT goals. | Organizations that are responsible for business processes related to technology and quality control of information. This includes, but is not limited to, areas such as audit and assurance, compliance, IT operations, governance, and security and risk management. |
GLBA | This act allowed insurance companies, commercial banks, and investment banks to be within the same company. As for security, it mandates that companies secure the private information of clients and customers. | This act defines “financial institutions” as: “…companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance.” |
FISMA | This act recognizes information security as a matter of national security. Thus, it mandates that all federal agencies develop a method of protecting their information systems. | All federal agencies fall under the scope of this bill. |
FedRAMP | Cloud services across the Federal Government. | Executive departments and agencies. |
FERPA | Section 3.1 of the act is concerned with protecting student educational records. | Any post-secondary institution including, but not limited to, academies, colleges, seminaries, technical schools, and vocational schools. |
ITAR | Controls the sale of defense articles and defense services (providing critical military or intelligence capability). | Anyone who produces or sells defense items and defense services. |
COPPA | The online collection of personal information about children under 13 years of age. | Any person or entity under U.S. jurisdiction. |
NERC CIP Standards | Improve the security of North America’s power system. | All bulk power system owners and operators. |
Overview of Ethical Issues in Cyber Security
The foundation of all security systems is formed by the moral principles and practices of the people involved and by the standards of the profession. That is, while people are part of the solution, they are also most of the problem. Security problems an organization may have to deal with include responsible decision-making, confidentiality, privacy, piracy, fraud and misuse, liability, copyright, trade secrets, and sabotage. This arms race between attackers and defenders shows no signs of stopping as interconnected technologies become further ingrained in the fabric of professional life.
IT security personnel often have access to confidential data and knowledge about individuals’ and companies’ networks and systems that give them a great deal of power. That power can be abused, either deliberately or inadvertently. But there are no mandatory standards for cyberethics issues that cybersecurity professionals are obligated to follow. In fact, many IT pros don’t even realize that their jobs involve ethical issues. Yet they make decisions daily that raise ethical questions. Many of the ethical issues involve privacy. For example:
- Should you read the private e-mail of your network users just because you can? Is it OK to read employees’ e-mail as a security measure to ensure that sensitive company information isn’t being disclosed? Is it OK to read employees’ e-mail to ensure that company rules (for instance, against personal use of the e-mail system) aren’t being violated? If you do read employees’ e-mail, should you disclose that policy to them? Before or after the fact?
- Is it OK to monitor the Web sites visited by your network users? Should you routinely keep logs of visited sites? Is it negligent to not monitor such internet usage, to prevent the possibility of pornography in the workplace that could create a hostile work environment?
- Is it OK to place key loggers on machines on the network to capture everything the user types? What about screen capture programs so you can see everything that’s displayed? Should users be informed that they’re being watched in this way?
- Is it OK to read the documents and look at the graphics files that are stored on users’ computers or in their directories on the file server?
Remember, the question here is not a legal one. A company may very well have the legal right to monitor everything an employee does with its computer equipment. The question is about the ethical aspects of having the ability to do so.
A common concept in any ethics discussion is the “slippery slope.” This pertains to the ease with which a person can go from doing something that doesn’t really seem unethical, such as scanning employees’ e-mail “just for fun,” to doing increasingly unethical things, such as making little changes in their mail messages or diverting messages to the wrong recipient. The slippery slope concept can also go beyond using your IT skills. If it’s OK to read other employees’ e-mail, is it also OK to go through their desk drawers when they aren’t there? To open their briefcases or purses?
Then there are money issues. The proliferation of network attacks, hacks, viruses and other threats to their IT infrastructures has caused many companies to “be afraid, be very afraid.” As a security consultant, it may be very easy to play on that fear to convince companies to spend far more money than they really need to. Is it wrong for you to charge hundreds or even thousands of dollars per hour for your services, or is it a case of “whatever the market will bear?”
Another ethical issue involves promising more than you can deliver or manipulating data to obtain higher fees. You can install technologies and configure settings to make a client’s network more secure, but you can never make it completely secure.
Suggested Best Practices
No single, detailed code of cybersecurity ethics can be fitted to all contexts and practitioners; organizations and professions should, therefore, be encouraged to develop explicit internal policies, procedures, guidelines and best practices for cybersecurity ethics that are specifically adapted to their own activities and challenges. Some widely recommended guidance is summarised below:
- Keep Cybersecurity Ethics in the Spotlight: Ethics is a pervasive aspect of cybersecurity practice. Because of the immense social power of information technology, ethical issues are virtually always in play when we strive to keep that technology and its functioning secure.
- Consider the Human Lives and Interests Behind the Systems: In technical contexts, it’s easy to lose sight of what most of the systems we work with are: namely, ways of improving human lives and protecting human interests.
- Establish Chains of Ethical Responsibility and Accountability: In organizational settings, the ‘problem of many hands’ is a constant challenge to responsible practice and accountability.
- Practice Cybersecurity Disaster Planning and Crisis Response: Most people don’t want to anticipate failure or crisis; they want to focus on the positive potential of a project or system.
- Promote Values of Transparency, Autonomy, and Trustworthiness: Preserving a healthy relationship between security practitioners and the public requires understanding the importance of transparency, autonomy, and trustworthiness in that relationship.
- Make Ethical Reflection & Practice Standard, Pervasive, Iterative, and Rewarding: Ethical reflection and practice, as we have already said, is an essential and central part of professional excellence in cybersecurity.
Some popular best practices for personal ethics in cybersecurity:
- Practice Self-Reflection/Examination: This involves spending time regularly thinking about the person you want to become, in relation to the person you are today.
- Look for Moral Exemplars: Many of us spend a great deal of our time, often more than we realize, judging the shortcomings of others.
- Exercise Moral Imagination: It can be hard to notice our ethical obligations, or their importance because we have difficulty imagining how what we do might affect others.
- Acknowledge Our Own Moral Strength: For the most part, living well in the ethical sense makes life easier, not harder.
- Seek the Company of Other Moral Persons: Many have noted the importance of friendship in moral development; in the 4th century B.C. the Greek philosopher Aristotle argued that a virtuous friend can be a ‘second self,’ one who represents the very qualities of character that we value and aspire to preserve in ourselves.