Task 2 - Addressing Ethical Issues in Cybersecurity
School: Western Governors University
Course: C841
Subject: Information Systems
Date: Apr 3, 2024
Task 2 – Ethical Issues for Cybersecurity – Susan Crowe
Legal Issues in Information Security - C841
TASK 2: ETHICS AND CYBERSECURITY
Susan Crowe
#011374378

IHP3 TASK 2: ETHICS AND CYBERSECURITY
Edward Loredo
#001155270
A1. Discuss the ethical guidelines or standards relating to information security that should apply to the case study.

A standard code of ethics for cybersecurity personnel is the (ISC)2 Code of Ethics. This standard is designed to structure ethical behavior and states: "The safety and welfare of society and the common good, duty to our principals, and to each other requires that we adhere, and be seen to adhere to, the highest ethical standards of behavior." ((ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, Sybex Study Guide, 9th Edition)

The employees within TechFite failed to follow any code of ethics. They did not act with integrity, honesty, or responsibility, or even legally. Their practices violated multiple laws, and they knowingly penetrated other companies' networks to obtain proprietary data. The (ISC)2 Code of Ethics is broken down into four canons, which further incriminate the behavior of TechFite team members. These canons are as follows ((ISC)2 CISSP Official Study Guide, 9th Edition; Chapple, Stewart, & Gibson, 2018):

1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.

TechFite did not implement segmentation to ensure that customer data was properly segregated and protected from unauthorized access. Employees purposely leveraged elevated privileges and invalid accounts to gain access to sensitive documentation internally. This violated the basic principles of confidentiality and integrity, two of the three pillars of information security. The Business Intelligence Unit also violated the second canon of the (ISC)2 Code of Ethics: it used Metasploit to conduct penetration testing and scanning against multiple outside companies.

A1A. Justify your reasoning.

It is the duty of employees to act responsibly and to protect their organization's data as well as the data they are entrusted with. TechFite violated this by knowingly allowing unauthorized penetration testing and scanning of outside companies without the approval of the victim companies. Additionally, because of the lack of segregation within the TechFite network, the organization failed to uphold two of the core principles of cybersecurity, confidentiality and integrity. Access controls were purposely circumvented by using two unauthorized accounts, created for employees who did not exist, to access data.
A2. Identify the behaviors, or omission of behaviors, of the people who fostered the unethical practices.

Carl Jaspers, Sarah Miller, Megan Rogers, and Jack Hudson were the prime culprits of the unethical practices. Sarah Miller and her team, including Megan Rogers and Jack Hudson, purposely violated the Computer Fraud and Abuse Act as well as the Electronic Communications Privacy Act. Carl Jaspers encouraged unethical behavior and likely implemented practices himself for fraudulent activity and financial gain. He violated multiple laws, including breaching the signed NDA between TechFite and Orange Leaf, and he conducted inappropriate business with three fake companies for financial gain.

A3. Discuss what factors at TechFite led to lax ethical behavior.

The first and easiest example of lax ethical behavior is the lack of policies and procedures either in place or enforced within TechFite. Existing practices were not enforced, and there appear to have been no consequences for the behavior. In fact, it was the opposite: the IT security analyst was praised for fraudulent reporting of internal audit findings. There was no enforcement of least privilege and no enforcement of processes to ensure that data loss prevention (DLP) was in place and properly managed.

B1. Describe two information security policies that may have prevented or reduced the criminal activity, deterred the negligent acts, and decreased the threats to intellectual property.
The principle of least privilege for accounts would be the first step. Identity and access management is a critical function that requires adherence to proper policy and procedure. By removing administrative rights from all standard user accounts and enforcing least privilege, the organization would be able to control access to data by people without a need to know. Another valuable policy would be an audit policy, or a governance program, to conduct proper audits on a schedule and to develop remediation plans for findings. Conducting internal audits on a scheduled basis would bring more consistency to the environment and build adherence to compliance requirements and standards. The critical aspect, however, would be procedures to validate that the appropriate actions are actually taken on the findings. It would also be valuable to implement procedures that adhere to the Stored Communications Act within the Electronic Communications Privacy Act. This would ensure that stored communications and data are protected against intentional unauthorized access while in a storage state.
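The least-privilege and scheduled-audit policies described in B1 above only work if someone actually checks the directory against an authoritative source. The following Python script is an added example written for this page; it is not part of the original assignment or the TechFite case study. It cross-checks a directory export against the HR roster and flags three conditions: accounts that map to no real employee (the kind of accounts for non-existent employees described in Part A), administrative group membership outside an approved list, and data access beyond a department's need to know. Every account name, employee ID, group name and data scope below is constructed for the example.

```python
"""
Account audit: cross-check a directory export against the HR roster.

All data here is constructed for illustration. The case study mentions
ghost accounts and over-privileged users but provides no real account data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    """One row of a (constructed) directory export."""
    username: str
    employee_id: Optional[str]      # None when the account is linked to nobody in HR
    groups: frozenset[str]
    data_scopes: frozenset[str]     # shares/databases the account can read


@dataclass(frozen=True)
class Finding:
    username: str
    rule: str
    detail: str


# Constructed HR roster: employee ID -> department. In a real audit this comes
# from the HR system of record, never from the directory being audited.
HR_ROSTER = {"E1001": "Finance", "E1002": "Business Intelligence", "E1003": "IT"}

# Change-controlled list of people allowed to hold administrative group membership.
APPROVED_ADMINS = frozenset({"carol"})

# Data each department has a need to know for (need-to-know segmentation).
DEPARTMENT_SCOPES = {
    "Finance": frozenset({"finance-share"}),
    "Business Intelligence": frozenset({"bi-warehouse"}),
    "IT": frozenset({"it-tools"}),
}

ADMIN_GROUPS = frozenset({"Domain Admins", "Local Admins"})

# Constructed directory export. "jsmith" is tied to an employee ID HR has no
# record of, and "svc_report" is an administrative account linked to nobody.
DIRECTORY_EXPORT = [
    Account("alice", "E1001", frozenset({"Finance Users"}), frozenset({"finance-share"})),
    Account("bob", "E1002", frozenset({"BI Users", "Local Admins"}),
            frozenset({"bi-warehouse", "finance-share"})),
    Account("carol", "E1003", frozenset({"Domain Admins"}), frozenset({"it-tools"})),
    Account("jsmith", "E9999", frozenset({"BI Users"}), frozenset({"bi-warehouse"})),
    Account("svc_report", None, frozenset({"Domain Admins"}), frozenset({"finance-share"})),
]


def audit_accounts(accounts, roster, approved_admins, dept_scopes, admin_groups) -> list[Finding]:
    """Apply the three audit rules to every account and return all findings."""
    findings: list[Finding] = []
    for acct in accounts:
        department = roster.get(acct.employee_id) if acct.employee_id else None

        # Rule 1: every account must map to a real person in the HR roster.
        if department is None:
            findings.append(Finding(acct.username, "ghost-account",
                                    f"employee_id={acct.employee_id!r} not found in HR roster"))

        # Rule 2: administrative group membership only for approved admins.
        admin_membership = acct.groups & admin_groups
        if admin_membership and acct.username not in approved_admins:
            findings.append(Finding(acct.username, "unapproved-admin",
                                    "member of " + ", ".join(sorted(admin_membership))))

        # Rule 3: data access limited to the department's need to know.
        if department is not None:
            excess = acct.data_scopes - dept_scopes.get(department, frozenset())
            if excess:
                findings.append(Finding(acct.username, "excess-data-scope",
                                        f"{department} has no need to know for "
                                        + ", ".join(sorted(excess))))
    return findings


def summarize(findings) -> dict[str, list[str]]:
    """Group findings by rule so each rule becomes a line item in the remediation plan."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.rule, []).append(f.username)
    return {rule: sorted(set(users)) for rule, users in grouped.items()}


def run_audit() -> dict[str, list[str]]:
    """Run the audit over the constructed export and return the per-rule summary."""
    return summarize(audit_accounts(DIRECTORY_EXPORT, HR_ROSTER, APPROVED_ADMINS,
                                    DEPARTMENT_SCOPES, ADMIN_GROUPS))


if __name__ == "__main__":
    for rule, users in run_audit().items():
        print(f"{rule}: {', '.join(users)}")
```

Run on the constructed export, the audit reports bob and svc_report as unapproved admins, jsmith and svc_report as ghost accounts, and bob for reading the finance share outside his department's scope. Each rule corresponds to one of the B1 controls: rule 1 is the audit against the system of record, rule 2 is least privilege for administrative rights, and rule 3 is the need-to-know segmentation that TechFite lacked. The remediation step the text calls critical, verifying that findings are actually acted on, can be implemented by re-running the same audit after changes and diffing the summaries.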
B2. Describe the key components of a Security Awareness Training and Education (SATE) program that could be implemented at TechFite.

User education and awareness is a critical component of employees' understanding and proactive behavior. Employees must be taught and tested to ensure they are aware of the risks created both by their own actions and by the attempts of threat actors. One component I would recommend implementing is a model of consequences: a policy that states behavior expectations, requires the user's acknowledgement, and then lists the potential consequences of violations could make people take extra caution. As part of the SATE process, it would help ensure that all departments take responsibility for adhering to the policies. A second component I would recommend for SATE would be specialized awareness courses for different types of employees. Specialized employee types can be targeted separately
and given unique training aligned with their position, including consequences and required actions. This would apply to positions such as executives, HR, and Finance. Additionally, all employees would be required to take ethics training, general cybersecurity awareness training, and phishing awareness training at least annually. In the case of TechFite, my suggestion would be to require this training twice a year until behaviors have improved and the legal cases have been completed or dismissed.

B2B. Justify the SATE program's relevance to mitigating the undesirable behaviors at TechFite.
Cybersecurity awareness training helps personnel recognize threatening behavior from internal and external users, and makes them more aware of their own behaviors and the potential consequences. Awareness training reinforces a habit of critical thinking, helping users stop and think before they act. The training should teach users to recognize the behavior in others (internally and externally) and also to reconsider their own actions and behavior. A further benefit of awareness training is educating users on the consequences of their actions.

The execution of this training would need to happen in multiple places. First, training would need to be developed for new hires: required onboarding training to be completed within the first 30 days of employment. A second element would be a required training program delivered annually, at a minimum. This could be done as part of the regular annual training delivered by the organization, focused on cybersecurity topics, and completion would have to be documented in the employee's training record. A third element would be remedial training in response to failed awareness campaigns, such as simulated email phishing campaigns. This would reiterate the appropriate actions and knowledge and allow the issues to be highlighted, documented, and corrected. Eventually a fourth training layer would be beneficial: increasing the complexity of the material over time for employees who have been with the organization longer and can handle more advanced topics, so that the first line of defense at the user level keeps getting stronger.
C. Prepare a summary directed to senior management (suggested length of 1–2 paragraphs) that states TechFite's ethical issues from Part A and the related mitigation strategies from Part B.

To summarize the assessment conducted by the investigator, multiple violations were identified. The diligence of the investigator provided key insight into the actions necessary to mitigate the situation as well as possible. The violations included access to confidential and proprietary information, the release of that information, accessing and scanning networks without permission, bank fraud, and other criminal behavior. To address these issues, TechFite should first adopt the (ISC)2 Code of Ethics, implement a security awareness training program, conduct a thorough internal assessment, and develop a remediation plan to correct the multiple discrepancies. The entire network infrastructure and its access controls need to be enhanced to segregate data properly and to implement least privilege for user access.

D. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.
Chapple, M., Stewart, J. M., & Gibson, D. (2018). (ISC)² CISSP: Certified Information Systems Security Professional Official Study Guide (8th ed.). Sybex, a Wiley brand.

(ISC)² CISSP Certified Information Systems Security Professional Official Study Guide (Sybex Study Guide), 9th Edition.

GIAC Certifications. (n.d.). Code of Ethics. Retrieved January 4, 2022, from https://www.giac.org/policies/ethics/