Learning Materials for Information Technology Professionals (EUCIP-Mat)
A7. LEGAL AND ETHICAL ISSUES
Number of study hours: the study time required of the student is estimated at 15 hours.
Short description of the course: the course “Legal and Ethical Issues” is organized in five units. The first unit introduces the issues of intellectual property rights, including those concerning patents, and includes some examples.
The second unit is dedicated to IT law: the laws regulating the use of personal data and its collection into databases, and the laws related to new technologies such as the digital signature. Employment regulations are also described. Contracts are key elements in business; therefore the basics of IT contracts and supply contracts are touched upon. The third unit is about the code of conduct, whose content should be one of the rules of professional behaviour of the specialist. Nowadays cyber security becomes more and more important at every level of computer use. The fourth unit describes the general principles of security measures in society and in an organisation. The last unit describes the main tasks and regulations for health and safety in the workplace.
Target groups
The employers of IT core level professionals are the target sector.
The first target group consists of IT students (vocational school IT basic-level training and the first courses of colleges and universities) in the technology area, and IT practitioners who do not yet hold vocational certificates.
Prerequisites: there are no prerequisites for this course.
Aim of the course - learning outcomes: the main objective of the course is to give general knowledge of the main juridical and ethical issues which regulate the professional behaviour of specialists in their everyday life, as well as that of citizens.
Content of the learning materials
Part A – „Management“
The use and management of information systems A7 – Juridical and ethical aspects Compiled by: Jaan Oruaas
Table of contents
A7 – Juridical and ethical aspects
A.7 Juridical and ethical aspects
A.7.1 Intellectual property and copyright
A.7.2 IT-related legal system
A.7.2.1 The policies, regulations and activities towards the information society
A.7.2.2 Work relations
A.7.2.3 Supply contracts
A.7.2.4 IT contracts
A.7.3 Code of Ethics
A.7.4 Security
A.7.5 Job safety and healthcare
A.7.5.1 Important requirements and unified European standards
A.7.5.2 General power safety of devices
A.7 Juridical and ethical aspects
A.7.1 Intellectual property and copyright
This section gives an overview of the essence of intellectual property, but it does not cover all possible aspects in depth, because of the complexity and transnational nature of the subject. The concept of intellectual property is in constant development, since new forms of creativity are emerging all the time and disputes have arisen ever since the adoption of the Berne Convention (http://www.riigikantselei.ee/failid/Autori_guse_p_him_tted.pdf).
The general practice for protecting a technical creation differs, depending on its nature and further use. New technical solutions are protected with patents, as utility models or as industrial designs. In order to obtain a patent, the protected solution has to be innovative for the whole science of engineering. The requirement of international novelty also exists for utility models, but it is limited to the practical application of the solution; its exterior design is protected as an industrial design (see the Estonian Patent Office, www.epa.ee). Biology-related patents (microbiological cultures, biotechnology) are handled separately. A patent lasts for 20 years in most countries, including Estonia.
Original creations, if not protected by industrial property methods, are automatically covered by copyright, regardless of whether they are registered anywhere or not. Implicitly all authors have the right to determine the further handling of their creation. The author may have a right or an obligation, deriving from employment (and other) contracts, to hand over the property rights to other people. The authors keep in every case the entitlement to the title and to be presented as the authors of the given creation. It is important to distinguish the two aspects of copyright: the inalienable right to the creation and the alienable property rights. Many laws have been dedicated to regulating the property rights, the earliest of them being the Copyright Act (https://www.riigiteataja.ee/ert/act.jsp?id=810714). Copyright covers all creations (in legal terms “works”): literary, musical, artistic, theatrical, films etc., and also architecture, radio and television shows and concerts, scientific papers, magazine articles (except the news), translations, computer programs, non-trivial collections etc.
To get the full picture, trademarks also have to be distinguished. They are also under legal protection, and their protection is similar to the juridical methods used for patents. It is important to know the real difference between the two objects under protection. Patents protect an original technical solution (an invention or method) created by a person. Trademarks protect text, graphical elements or combinations of them that are meant to bring forward and present a product, service or organization on the market. In the case of trademarks the main attention is on the form.
Examples: The best known Estonian trademarks abroad in 2006.
The owner of intellectual property is usually an individual or an association of individuals, i.e. the inventor or the author of the work. As mentioned previously, the property side of copyright may belong to a legal person, based on contracts, or if the creation was made during the activities covered by the employment agreement. Unless agreed otherwise, the results of those activities belong to the employer, including the economic use of the creation and its further developments.
The individuals possessing the property copyrights are called, in legal terms, the owners of the copyright.
The owners of copyright have several methods for protecting their rights: legal methods, which are assigned by the state and unified on the basis of international agreements, as well as technological and market-related methods.
The Tax and Customs Board and the police are primarily responsible for the application of the juridical methods. In justified cases they carry out raids in order to verify the legitimacy of the products that are in use or for sale. The appropriate places for inspection are customs, sales outlets and places of business. Sellers and users have to be able to prove the products’ legal origin and their right of use. In the case of software products and services, the rights depend on the licences granted by the producers, and users and inspectors have to clearly know the essence of the licences and be able to understand the different terms and conditions. Often the absence of a receipt or of the original packaging (which was inevitable for most software a few years ago) is not a circumstance that proves a violation of copyright.
Technological methods are applied to all user groups, from beginners to experts, to hinder them from obtaining the products without a licence, i.e. getting them through illegal channels without paying the fees. They consist of different access-restraining methods: association of the product’s serial number with a code key, geographical limitations (DVD regions) etc.
Marketing methods are created to inspire users to value the product (through the brand name) or to let them use it in a less functional form (in the case of software) and later move them to the side of legitimate users. There are different ways of ensuring customer loyalty. One of the most common is the free use of trial or demo versions, with limited functionality or for a certain period of time. According to its conditions of use, software is distinguished as freeware, shareware or commercial software. Freeware (as the name already suggests) is free to use for those who are allowed to use it. Shareware does not usually distinguish the nature of the user (individual or legal person), but the software has limitations in the form of either time or functionality.
The use of commercial software requires, as a rule, the purchase of the right to use it, i.e. a licence in the most common meaning of the term. The owner of the copyright may determine the form of the software (freeware, shareware or commercial), and on this basis one and the same software may be used under each of these forms, depending on the nature of the user. It is also important to separate freeware from open-source software. The latter stands for software whose source code is open. Open-source software is not always freeware, although that is one of its most popular forms.
The owner of the rights may defend them internationally, by registering the patent and trademark in the desired countries or by registering a European patent. The registration of trademarks is not mandatory, but it gives insurance against improper use of the property.
The principles of copyright mentioned above are very similar in all countries, with very few exceptions. In patent law it is very important to understand the different approaches of the USA and the EU to software patents. Unlike in the USA, software solutions cannot be patented in the EU. Long discussions were held in the European Parliament, which ended favourably for small companies and countries, and it was made impossible to obtain an unlimited patent for software, although it has been possible to obtain protection through other means. Software has been patented in Europe through the principles of utility models or industrial designs. (See also http://en.wikipedia.org/wiki/Software_patent)
The defence of copyright is essential to ensure that authors obtain their legitimate fees for the use of their property. Violations of copyright of all kinds are not rare (examples: software piracy, music exchange on the internet etc.). As a rule, a violation of copyright means using a property without paying the author the legitimate fee (using illegal software at home) or gaining unreasonable profit from using it for entrepreneurial purposes (selling music recordings, using illegal software in the company’s operations). This kind of behaviour derives from society’s understanding of intellectual property as easily obtainable property, without considering that such action is illegal according to the law. Almost every country has laws for this, but often they are not enforced with the required strictness. In all developed industrial countries copyright protection is really operational. Organizations have been created that observe the use of properties and collect the authors’ fees through different “taxation measures”. Receiving the legitimate fees inspires the authors to invest in creating something new. This influences individuals but also companies dealing with research and development. Several cases are displayed on the Ministry of Culture’s webpage: http://www.kul.ee/kohtulahendid/index_lahend.php?case_id=137&case_nr=Kriminaalasi%201-05-1421
The possession of software without the rights (not paying the licence fee) is considered software piracy, regardless of whether it is used or not. An even bigger violation is opening the source code of software (if it is not open-source software) in order to alter and use it. The investigation of programs for study purposes is allowed.
The best known dispute over intellectual property: SCO vs. IBM, see http://www.infoworld.com/article/06/07/03/HNscofewerclaims_1.html
A.7.2 IT-related legal system
The IT legal system is regulated by special regulations and laws that by their essence have been IT-specific, but with the wider spread of IT applications they have started to regulate many aspects of everyday life (for example, the regulation that protects personal data). More general aspects, such as labour legislation, job safety and social welfare, do not have IT-specific distinctions at the legal level, but in practice the conditions of workplace organisation and arrangement have to be considered. Many laws have IT- and technology-related provisions. The criminal code is constantly improved because of the spread of cyber crime.
While IT-related legislation has to a great extent merged with everyday life, a separate field is telecommunication, which is regulated by electronic communication policy based on EU directives. The creation of Estonian legislation is based on the directives and regulations of the EU. The most important regulations presently in force are listed below.
A.7.2.1 The policies, regulations and activities towards the information society
The Information Society will affect most aspects of our lives. To regulate it, the European institutions work out relevant policies, ranging from the regulation of entire industrial sectors to the protection of each individual's privacy. The policies are grouped as follows:
Regulating the Market (http://ec.europa.eu/information_society/tl/policy/regulate/index_en.htm): Europe's Information Society has grown partly due to European initiatives such as the liberalisation of the telecommunications sector, the Single Market, the Television without Frontiers Directive, the GSM standard and opening public information for future use.
Stimulating the Information Society (http://ec.europa.eu/information_society/tl/policy/stimulate/index_en.htm): rolling out new technologies, products and services is not just a matter of research and development; policies are required to overcome obstacles ranging from copyright to security, and to create useful content that is legal in terms of human values and taxes, and in a secure way.
Exploiting the Benefits (http://ec.europa.eu/information_society/tl/policy/exploit/index_en.htm): ensuring that Europe exploits the possibilities offered by the Information Society in areas as diverse as health, safety and education, sustainable growth and e-business.
Today, Europe's Information Society policies are brought together under the i2010 Initiative (http://ec.europa.eu/information_society/eeurope/i2010/index_en.htm): the EU framework for addressing the main challenges and developments in the information society and media sectors in the years up to 2010. The initiative promotes an open and competitive digital economy, research into information and communication technologies, as well as their application to improve social inclusion, public services and quality of life. All policies are interrelated and are available as an A-Z list of all EU Information Society policies (http://ec.europa.eu/information_society/tl/policy/a2z/index_en.htm). Because of the very quick changes, the best way to stay up to date is to follow this link.
As was mentioned, market regulation is one of the tasks for EU policies and legislation. A new electronic communications regulatory framework, launched in July 2003, provides a world-class legal framework for continuing the development of Europe's communications industry. The new Framework is pro-competition (regulation is withdrawn as competition develops) and covers, among other things, the management of scarce resources essential to communications. One particularly important resource is radio spectrum, through which all wireless communications travel, so the EU's new radio spectrum policy was launched as part of the new framework. However, while the Framework focuses on communications networks and services, radio spectrum policy covers all areas where spectrum is an issue, from mobile telephony to television broadcasting, from satellite positioning systems to scientific research, and much more.
Europe also regulates a number of dedicated telephone numbers:
- 112, a single emergency number for Europe: enables everyone to call emergency services anywhere in the European Union, from a fixed or a mobile phone. Used, in particular, by eCall, when your car calls for help after an accident (see the eCall press pack).
- 116000: the single EU hotline number for missing children (see the press release).
These regulatory areas are coordinated with the Radio Equipment and Telecommunications Terminal Equipment (RTTE) Directive, which regulates the telecommunications equipment market. By replacing over 1000 national approval regulations, the Directive has created a framework for regulating what is now a European single market. The Commission also launched the Mobile Roaming Charges regulatory initiative to reduce the cost of international roaming charges in Europe, and regulates the safety of ICT-related products: preventing any risk of health-related effects of Electromagnetic Fields, and setting minimum safety and health requirements for work with Visual Display Units.
In the field of content, European audiovisual regulation aims to ensure the free provision of services and to fulfil objectives of public interest such as access to information and protection of users in areas such as commercial communication, protection of minors and human dignity. See: the Television Without Frontiers Directive, which promotes the European broadcasting industry by ensuring the free movement of television broadcasting services throughout the EU; and the Council Recommendation on the Protection of Minors and Human Dignity, which provides guidelines for national legislation in combating illegal and harmful content transmitted over electronic media. The EU's Single Market rules, moreover, facilitate the cross-border transmission of audiovisual programmes via satellite and retransmission by cable.
The electronic communications regulatory framework site also summarises European policies in the areas of Spam, Privacy and Data Protection. The Commission also promotes the internationally accepted Web Accessibility guidelines to ensure everyone can access websites, regardless of any physical disabilities. The Directive on the harmonisation of certain aspects of copyright and related rights in the information society, finally, adapts legislation on copyright and related rights to reflect the digitisation of content, and supports the use of Digital Rights Management technologies. Earlier European copyright law included protecting databases and computer programs.
A.7.2.2. Work relations
Work relations in the IT field do not differ from the common ones. As IT has developed to cross other fields of the economy, being a horizontal field of activity, people working in a non-IT company must take into account the particular features of that economic field: for example the rules of the public service or the army, and also the conditions of collective agreements, if present. IT specialists often come across data that are sensitive from the organization’s point of view and must not fall into the hands of outside individuals. In such cases it is inevitable to conclude a confidentiality agreement as part of the employment contract.
A.7.2.3. Supply contracts
Inter-organizational communication is usually determined by contracts. In Estonia it is mostly regulated by the Law of Obligations Act, which determines the general principles, but the parties to a contract have quite broad possibilities. It may seem that normal relations do not need contracts at all, but contracts give legal insurance for unforeseen events and ensure minimal damage for the parties in case of breach of the contract. When working in the public sector, it is important to keep in mind that all purchases and orders that exceed a threshold determined by the law have to pass through all the procedures of public procurement.
A.7.2.4. IT contracts
For the benefit of both supplier and customer, it is good to have an understanding of the possible contracts over the life cycle of an information system. With all purchases of information systems, whether a ready-made product or ordering development to some extent, both sides come across the system’s right of use, i.e. the licence agreement. The parties have to negotiate the form of the software: freeware, open-source, or, in the case of commercial software, renting or buying it. The latter usually stands for the complete transfer of the software to the customer.
Many different contracts are used in IT; therefore it is complicated to compile example contracts. Estonia has moved from the outdated civil code to the considerably more complicated Law of Obligations Act, which is accompanied by many new legal requirements. This means that the party who knows the laws better is in an advantageous position when signing a contract compared to the less informed party, and it is difficult to ensure the necessary balanced legal level to sign the contract; yet the legal ratio has to be balanced in contracts.
A contract is made between two or more persons and determines what the party or parties must do or must refrain from doing. The fulfilment of a contract is mandatory for the parties.
Everyone who is responsible for preparing, signing and fulfilling a contract has to be acquainted with the provisions of the law. Even where example contracts are used, it is recommended to have the contract checked by a lawyer; even a one-time consultation may give good results. To ensure smooth cooperation in longer projects, it is recommended to draw up a framework contract stating the conditions of the cooperation, to avoid repeating them in every following contract. The person responsible for drawing up and fulfilling the contract has to have an overview of the negotiations, expected results and fulfilment of the contract before its conclusion. Otherwise the contract may turn out to be a useless legal document that does not help to solve the problem in case of a dispute. Therefore every example has to be worked through carefully before using it.
The most common mistakes are related to shortcomings in defining the form of the contract. Contracts can be concluded orally, in writing or in some other form, unless the law concerning the mandatory form of the contract states otherwise.
It is also important to choose the right type of contract: irrespective of its title, a contract is governed by the legal provisions that correspond to its content. Therefore, if a document is titled “Contract of property use”, it might seem at first glance to be a rental agreement (use of property for a price), but it might also stand for use free of charge. Often the contract has a title that reflects the performance described in the document. For example, maintenance and installation contracts are usually ordinary work agreements that are governed by the appropriate provisions of the law. In such cases too it has to be kept in mind that the contracts are regulated by the appropriate provisions on work agreements.
The type of contract should be specified: whether it is a sales contract, a service, procurement or rental contract, or some other type. The document may have the characteristics of several contract types; for example a service contract may be related to a sales contract. In this case all the regulations applying to those contract types should be considered.
In the case of contracts where the other party is an arbitrary client, advance information in the form of a price list, an overview of the usual deadlines for different tasks and a list of the services provided helps to save time and money by giving the client the possibility to decide whether to conclude the contract or not. In the IT field there are organizations that produce standard conditions from a mutual point of view; in many countries private associations have worked out such standard conditions (TIPAL in Finland, EITS in Estonia). Orgalime (www.orgalime.org), a federation of European industry associations, can be brought as an example: it has developed example contracts and general contract conditions that should serve as the basis for the majority of agreements in the field.
In Estonia, example contracts have been compiled for widespread situations in the IT field (the list below is definitely not sufficient for all cases):
- Cooperation contract describing long-term general principles
- Hardware or software sales agreement, with the necessary licensing contracts for simple cases
- Hardware service contract
- Information system input analysis
- Software update, testing, installation, training and maintenance contracts
All of them have a number of annexes that specify the time schedule of the tasks, payment terms, responsibilities and whatever else the parties consider necessary.
When offering different services, some of them may require processing personal data. In such cases it is important to be extremely careful and to follow the requirements of the law, because it is very easy to breach the rules.
When processing personal data, breaches are usually unintentional or derived from careless activity. When such activity is intentional and identity theft happens, it is already punishable under the Criminal Code. Stealing personal and financial data has become one of the biggest types of crime in the world. It is also punishable to distribute viruses or spyware, or to disturb or paralyse the operation of computers and networks in some other way. These activities are classified as cyber felonies. Widely known cyber crime types include spreading illegal content on the Internet or other information channels. Special attention is paid by law enforcement to paedophilia, xenophobia and all kinds of incitement of hatred in the fields of racism, nationalism and politics.
Several unethical computer people, i.e. crackers (not to be mistaken for hackers, who have a certain code of conduct), have taken up as a favourite activity intruding into computer systems or disturbing their operation in some other way. This also includes the widespread overloading of systems (denial of service). Legally a crime has been committed, and the punishment differs depending on whether the unauthorized intrusion was out of innocent curiosity, to take over the system, for economic gain, espionage or terrorism.
Transactions that take place over electronic communication channels, in an ordinary internet store, ordering and making offers by e-mail, bidding at auctions and transactions in banking and the stock market, are all regulated by law. When making these transactions it is important to get assurance that the buyer and the seller really have the same understanding of the deal. The seller has to know all the sales conditions and obligations involved with the product or service. The buyer has to agree with the offer. The law determines the cases when the order and the acceptance become binding, i.e. the parties cannot back out. Consumers, as the weaker side, in some cases have the right to withdraw from the transaction. It is good to use digital signatures in order to confirm and identify the parties and to examine their authority.
A.7.3 Code of Ethics Human society has formulated over times general values that are used to evaluate their member’s behaviour. These values are different between societies and regions. One of the first developments of values was to appreciate the activities that help to keep alive and extend the life of the society. The development of the society added religious, economic, legal, political and other factors. The criteria for evaluations were always conditional and depended on culture, political orientation, religion etc. The activities of people are evaluated depending on the place, conditions and environmentally differing criteria that may lead to differences in opinions and conflicts. Often the basis for a dispute is not a violation of law but different moral or political beliefs i.e. what is legally allowed, might not be honest and morale.
Information technology has developed to be horizontal i.e. passing through all the fields of economy and hence the reason why IT specialists’ professional activities are visible (but unfortunately not understandable) to almost all the business- and public sectors’ participants. The latter are very closely related to the originated country’s culture, legal system and social environment.
Depending on the developed traditions, an ethical violation might lead to serious consequences in professional or political career. Familiar examples from Scandinavian politicians’ resignations, because of misuse of credit cards and on the other side the transitions with corruptive hints of top level politicians to some big organizations’ CEO’s that have caused damage only to some reputation. In a professional environment an ethical breach usually influences only career. Evaluation depends on social agreements that have been determined earlier. Medieval guilds, had determined monetary punishments for every breach; today’s unions do not document these regulations any more. There are clear codes of ethics for craft union members and for example in IT field there is a behavioural protocol for all the computer users, netiquette (might be a misleading use of words in Estonian language). In a narrower sense, every work related team and organization is a community that has their own internal ethical rules. Also mentioned in chapter A.6.1.
Every code of ethics is in their essence the description of the society’s values that are the most valued and necessary in the specific field. In knowledge based societies, they are most certainly creativity, social common touch and respect for the culture, honesty, integrity, safety etc. Also the will for constant self-improvement has to be held in an important place. In a broader sense the loyalty to a company has to base on general values. Following is brought out the code of ethics that are followed by Estonian Information Technology Society (see http://www.eits.ee/index.php?section=ws_eits_est&ws_id=9). It is in accordance with Council of European Professional Informatics Societies, CEPIS’s recommendations.
Defending public interest and the compliance with laws in own specialized job: Maintaining health, security, environments’ traditions and culture Respecting third parties’ rights and protecting their intellectual property Recognizing the rights of information privacy of individuals and groups Understanding and following appropriate legislation, agreements and standards, following their demands and recognizing equally the general human rights and avoiding any activity that might harm them. Notifying society about all the IT application influences.
Responsibility in front of employer and clients: Performing specialized tasks at the level that is according to the demands of the employer and the client and directing the latter’s attention to the consequences of disregarding the specialized knowledge. Performing the tasks according to the deadlines and within the previously determined expenses and informing the client early about the inconveniences in case the demands are not possible to be fulfilled with the given limits. Taking full responsibility for the basically foreknown consequences. Avoiding the introduction of the client’s business information to third parties obtained during the tasks.
Professional dignity and introduction of the goals: Avoiding the activities that might harm the field’s good reputation, by defending the field’s values and by personal participation in developing IT related standards, use and spread. To disprove harmful and false understandings and positions about the field, keeping specialized knowledge above the common level and keeping IT in an honour. To honour the development of the field and supporting the youth by offering care and support when they join IT field Honest behaviour towards colleges and other people in the field; avoiding behaviour that might harm the reputation of the field.
Competence, ethics and neutrality:
- improving one's professional skills and following the directions of IT development;
- declining demands for higher positions that require greater competence than one possesses;
- recognising one's responsibility towards the work, subordinates and colleagues;
- supporting professional promotion, except in unreasonable cases;
- avoiding situations where the interests of the client and other parties might clash, by informing all parties about the circumstances.
A.7.4 Security
IT has become far more effective in both the public and the private sector. Compared with the situation a few years ago, information assets have grown, threats and attacks have become more massive, the methods cost more and the risks are higher. Information security cannot be assured by a single office, company, working group or state: all participants have to cooperate within every organisation, within the state and internationally. The EU's general policy foresees services for public-sector bodies, companies and citizens, improvements in security and a general rise in security awareness. The requirement to work actively on information security at the state level is also laid down internationally. Cooperation between the public and private sectors is extremely important.
Like every technical system, IT systems can be characterised by reliability parameters, and their operation can additionally be influenced by many external factors. When designing, building and administering information systems it is important to consider the threats that may affect the integrity, availability and confidentiality of the data. The sources of danger include:
- natural disasters: floods, lightning and fire, and (not possible in Estonia, but elsewhere) volcanic activity, earthquakes and landslides, which may damage the hardware of computer systems;
- deviations from normal working conditions due to external influences, such as failures in the energy supply or loss of network connection;
- logical errors in the software and in the structure of the information system that occur only in very specific situations and do not emerge even in the strictest tests;
- human error in administering and using the information systems, for example unintentional mistakes by service personnel;
- deliberate attacks directed against the system's security, which cause the system to behave improperly towards its users. The people behind them may be inside the organisation or outside it: competitors, industrial spies, thieves, vandals and also terrorists. Their activity is in any case punishable under the criminal code.
Developing and applying a general information security policy involves several parties. Knowledge about information security and its solutions has to be conveyed to as many interested parties as possible. The work has five main fields: cooperation and coordination, notification and training, developing regulations, protection of the information infrastructure, and protection of people and property.
Cooperation and coordination
Information security is handled by many parties, so planning and coordinating the tasks is very important: national and international organisations and the public, private and third sectors all take part in the process. This includes:
- coordinating the execution of risk analyses of the IT environment;
- developing the handling of security incidents in Estonia;
- administering the information security contact network for organising national and international cooperation, including with ENISA (the European Network and Information Security Agency);
- coordinating the development of information security solutions for cross-border e-services.
The necessity of cooperation can be seen from the number of laws and regulations that directly or indirectly affect the field of information security in Estonia:
- the Personal Data Protection Act
- the Databases Act
- Government Regulation No. 273 of 12 August 2004, "Establishment of the system of security measures for information systems"
- Government Regulation No. 331 of 19 July 2003, "Application of the information systems' data exchange layer"
- the Criminal Code
- the Information Society Services Act
- the Identity Documents Act
- the Digital Signatures Act
- the Public Information Act
- the Copyright Act
- the Electronic Communications Act
Notification and training
To ensure information security, all parties have to be aware of the threats, risks, attacks, methods and other circumstances related to information security. All organisations have to defend their systems and recognise information security as a strategic success factor, not as a cost item. People have to realise that adequate protection of home computers is critically important to the information security chain as a whole. Information security training and awareness-raising have to be organised continuously.
Developing regulations
The necessary regulations form the basis of information security. The required procedures, documents and means are specified, created and implemented, and the information security of IT and the processes needed for the electronic communications infrastructure are kept up to date. This activity covers information security and electronic communications, the protection of infrastructures containing critical information, data gathering, secure e-services, security standards and the development of indicators for risk analysis.
Protection of the information infrastructure
The information infrastructure is one of the foundations of the modern state and economy, and the threats to it are growing. The information infrastructure is protected by considering information security aspects in the protection of other infrastructures, and activities against cybercrime are carried out. These activities are coordinated internationally. This field covers the consideration of information security aspects in the protection of all infrastructures, action against cybercrime and cyber attacks, including attacks originating from abroad, and legal, organisational and technical anti-spam measures, all in international cooperation.
Protection of people and property
It is important to protect people in accordance with their rights and to apply protective measures in institutions. To do this, the strongest security measures have to be applied to protect personal data and secure e-identity solutions (for example the e-ID card and mobile-ID), including the possibilities of their cross-border use. People also have to be protected from illegal or harassing unwanted content (abuse, child pornography, incitement to violence etc.).
To reduce security risks it must always be stated who is responsible for avoiding them. This division of tasks is set out as part of the organisation's information policy or as a separate document that covers all the relevant security aspects of the organisation, i.e. the rules for the information security measures. Besides internal responsibility, that is responsibility towards co-workers, clients and suppliers, there is always a broader responsibility towards society, which involves trust in the use of IT in business, in social relations and in public services.
Therefore even a small organisation has to have a person dealing with security issues, who calls on outside experts when needed. Together with the organisation's management this person puts in place an appropriate security policy that requires the application of the necessary technologies and procedures. The security policy has to be reviewed periodically and updated when necessary.

The goal of specifying the information system's security measures is to define clearly the discipline for protecting the information system, derived from the security requirements of the corresponding security classes and levels. Based on the security analysis of the information system, security classes are compiled, determining the security levels required by the data that needs the most protection. A security class is written with a letter and a level number for each of three components:
- availability (U: data is usable, on time and easily accessible to authorised users during the previously determined working time);
- integrity (I: assurance of the authenticity of the information and the absence of unauthorised changes);
- confidentiality (C: data is available only to authorised users and unavailable to everyone else).
The class marker is composed of these three parts in the fixed order U-I-C, for example U2I3C1 (the original Estonian abbreviations are K, T and S, which is why the same class may also be seen written as K2T3S1).

Development solutions appropriate to the security class have to be used when building the information system, in order to foresee and reduce all kinds of risks of paralysing or damaging its operation. In the narrower sense, concerning only the handling of the information system, technical and organisational measures can be applied to protect its integrity. Organisational measures have to ensure that information is preserved and is available only to authorised people. In many ways this is related to physical security measures.
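As an added illustration, not part of the original study material, the following Python code parses class markers in the U-I-C notation described above, rejects malformed ones (a wrong component letter such as the stray S, components out of order, a missing level), and derives the class a system has to meet when it handles several data sets by taking, per component, the strictest level among them. The function and field names, the three constructed sample data sets, the single-digit level range and the rule that a system's class is the component-wise maximum of its data sets' classes are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Marker grammar assumed for this example: availability, integrity and
# confidentiality in the fixed order U-I-C, each followed by one level digit,
# e.g. "U2I3C1". Anything else (e.g. "U2I3S1", "I3U2C1") is rejected.
_MARKER = re.compile(r"^U(?P<u>\d)I(?P<i>\d)C(?P<c>\d)$")


@dataclass(frozen=True)
class SecurityClass:
    availability: int
    integrity: int
    confidentiality: int

    @classmethod
    def parse(cls, marker: str) -> "SecurityClass":
        """Turn a marker string into its three level numbers, or raise ValueError."""
        m = _MARKER.match(marker.strip().upper())
        if not m:
            raise ValueError(f"malformed security class marker: {marker!r}")
        return cls(int(m["u"]), int(m["i"]), int(m["c"]))

    def marker(self) -> str:
        """Render the class back in the U-I-C notation."""
        return f"U{self.availability}I{self.integrity}C{self.confidentiality}"

    def satisfies(self, required: "SecurityClass") -> bool:
        """A system meets a requirement only if it is at least as strong in every component."""
        return (self.availability >= required.availability
                and self.integrity >= required.integrity
                and self.confidentiality >= required.confidentiality)


def composite_class(markers) -> SecurityClass:
    """Class a system must meet when it holds several data sets: per component,
    the strictest level among them (assumed rule, following the text's
    'data that needs the most protection')."""
    classes = [SecurityClass.parse(m) for m in markers]
    if not classes:
        raise ValueError("no data sets given")
    return SecurityClass(
        max(c.availability for c in classes),
        max(c.integrity for c in classes),
        max(c.confidentiality for c in classes),
    )


def missing_components(actual: SecurityClass, required: SecurityClass) -> list:
    """Names of the components where the implemented class falls short of the requirement."""
    gaps = []
    for name in ("availability", "integrity", "confidentiality"):
        if getattr(actual, name) < getattr(required, name):
            gaps.append(name)
    return gaps


if __name__ == "__main__":
    # Constructed example: three data sets handled by one information system.
    datasets = {
        "customer register": "U1I2C2",
        "accounting": "U2I3C1",
        "public web content": "U2I1C0",
    }
    required = composite_class(datasets.values())
    print("system must meet class", required.marker())
    implemented = SecurityClass.parse("U2I2C2")
    print("components still short:", missing_components(implemented, required))
```

Run stand-alone, the script reports that the system must meet U2I3C2 and that an implementation at U2I2C2 still falls short on integrity; the point of `missing_components` is that a class is never compared as a single number, because each of the three components has to be met separately.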
All information systems include components that can be stolen, broken or put out of action by the forces of nature. Several standards have been created that set out the minimum requirements for the physical security of information systems: access control and denial of access, requirements for fire alarm systems, backup power sources etc. To eliminate the possibility of losing data and interrupting essential systems, duplicated data stores or mirrored server clusters are set up in physically separate locations.
The important aspects of information system security are integrity, availability and confidentiality: the processed data has to be up to date at all times, available in full, and usable only by the users and user groups allowed by the defined access policy. It is elementary that the system's logical line of defence is protected by firewalls and anti-virus software. Data accessible over networks has to be protected with encryption. Here the need for usable e-ID solutions should be mentioned, since they are one of the ways cryptographic algorithms are put to use.
Information systems can be divided by objective criteria based on their security requirements and assigned the appropriate security classes, which determine the availability and other types of threats to consider. Some examples of systems with different security requirements:
- control systems for high-risk facilities (nuclear plants, dams, air and rail transport etc.), i.e. systems that endanger people and public property if they fail;
- infrastructure systems that run the economy (banks, communications etc.);
- e-business and public service systems that citizens use daily.
The evaluation criteria for the security measures have to be compiled so that they are appropriate for the information system's security class. The evaluation has to show whether all the risks have been taken into account, and it should be possible to determine (of course with simulations that do not destroy the systems) the usefulness of the security techniques and the effectiveness of the preventive measures for every potential risk. The probability of a risk materialising and the damage it would cause have to play an important part in planning the tests, and it should not be forgotten that the whole security system is only as strong as its weakest link. A well-organised attack always finds the weakest link in the system, and through it the systems can be paralysed.
A.7.5 Job safety and healthcare
Information technology is in essence a field similar to other office work that does not carry any great occupational safety risks, either for professionals or for the people who use data processing services, computers and other communication devices. People who deal with hardware should be considered separately, because they have to follow electrical safety rules, as should the people in charge of cabling, who have to work at height or in tight spaces (cable tunnels etc.).
Still, it is necessary to be aware of the potential risks that may arise at the workplace and threaten health through short-term or long-term effects. There are no serious occupational diseases in the field of IT, but certain health problems may occur under improper working conditions. There is nothing irremediable about these conditions; they are usually within the employee's own power to adjust appropriately, or the employer is obliged to do so. At every workplace all the elementary sources of hazard have to be watched: furniture and other objects that obstruct movement, poor lighting, inappropriate air temperature, cleanliness etc. Special attention should be paid to ordinary extension cords and their connection to the mains.
Every organisation has to have a person in charge of occupational safety and health. That person's tasks are listed very clearly in legislation that is harmonised across the European Union. The primary task is to monitor the safety of the work environment for employees and to improve the situation constantly, reducing the existing risks and raising the employees' awareness.
All machinery and equipment, in the IT field the computers and their accessories, need a certain amount of care in handling, because they may have sharp edges (burrs left from metal processing) or hot parts (microchips). Above all, though, they are electrical appliances covered by several EU safety directives, the electromagnetic compatibility and low voltage directives, which regulate the products allowed on the EU market. IT specialists are required to know these requirements, and a short overview of them follows.
A.7.5.1 Important requirements and unified European standards
The member states have to ensure that equipment complies with the essential requirements, is well built, is ready for service and is usable for its purpose before the product reaches the market. The essential requirements for equipment are:
- protection of the health and safety of users according to Directive 2006/95/EC (the low voltage directive, http://ec.europa.eu/enterprise/newapproach/standardization/harmstds/reflist/lvd.html), for appliances working within certain voltage limits;
- electromagnetic compatibility (Directive 89/336/EEC, http://ec.europa.eu/enterprise/newapproach/standardization/harmstds/reflist/emc.html);
- use of the allocated radio spectrum for terrestrial and space communication in a way that does not create harmful interference.
If a product conforms to the harmonised European standards (http://europa.eu/scadplus/leg/en/lvb/l22020.htm) adopted according to the procedures in Directive 98/34/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31998L0034:ET:HTML), it is reasonable to presume that the essential requirements are met.

Information and notification
The member states have to ensure that producers, or those responsible for placing the product on the market, make information about the use of the product available in manuals or on the packaging, together with the declarations of conformity with the requirements. The packaging and manuals of radio devices have to indicate the member states, or areas within them, where the product may be used, and this information has to be accurate enough to pinpoint the intended operating area. The information about telecommunications terminal equipment has to indicate precisely the telecommunications network interfaces the device is designed to connect to.
CE marking
It is important to know that products without this marking cannot be marketed in the European Union. Devices that conform to the essential requirements carry the CE conformity marking (http://europa.eu/scadplus/leg/en/lvb/l21013.htm). Producers add the marking to their product to declare its conformity with the requirements. With Decision 2000/299/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2000:097:0013:01:ET:HTML) the European Commission established the classes of radio equipment and telecommunications terminal equipment that cannot be used everywhere in the European Union; such devices have to carry a special marking.
A.7.5.2 General electrical safety of devices
Like every electrical device, the power supply units of IT equipment have to conform to the general electrical safety requirements. The possibility of electric shock has to be eliminated, and users have to take additional measures (earthing, antistatic carpets on office floors, special equipment at maintenance stations and technicians' workplaces) to reduce the risk of shocks caused by electrostatic discharge. Faults in electrical appliances may cause fires, which is why appropriate fire extinguishers (powder or carbon dioxide extinguishers) are needed. It is prohibited to cover parts that need cooling or to let moisture get onto powered devices.
The usual practice is to read the safety requirements in the manual before starting to use the device. They contain information about the hazards the device may pose and important facts about the waste produced by operating the product (usually batteries) and how it should be disposed of. This is not directly related to occupational safety, but it is very important from an environmental point of view. It is also necessary to know how to dispose of the device itself once it has reached the end of its life or become obsolete.
Sometimes the problem with electrical devices is the electromagnetic radiation they produce. The effect of this radiation has been demonstrated for old CRT monitors (it is not advisable to sit behind the monitor). This problem will disappear within a few years. Mobile phones (GSM, UMTS etc.) and other wireless communication devices (Wi-Fi, WiMAX etc.) and their possible influence have caused a lot of discussion, but so far no adequate proof of harm to people from low-powered devices has been found.
Several health risks are associated with computers when the greater part of the day is spent at them:
- Over a longer period, eyesight problems may emerge from the constant focusing of the eyes on the screen. To avoid this, working time has to be organised properly. If eyesight problems have emerged, the employer may by law compensate the medical expenses (for example the purchase of glasses). Other effects may arise from the simultaneous occurrence of several negative conditions, for instance after watching rapidly moving images (video games), which may result in dizziness and other coordination disturbances.
- Incorrect and uncomfortable working postures are also dangerous and can result in musculoskeletal complaints. The first remedy in such cases is to correct the sitting posture. Modern chairs, footrests, adjustable work surfaces and other special aids help, as does arranging the working routine so that there is a need to stand up and move around from time to time.
To ensure proper risk reduction and assessment of situations, various evaluation techniques have been developed. In Estonia the relevant instructions have been developed by the Ministry of Social Affairs and the Labour Inspectorate. These documents are:
- Occupational health and safety requirements for work with display screen equipment, Regulation No. 362 of the Government of the Republic of 15 November 2000, http://www.riigiteataja.ee/ert/act.jsp?id=72421
- Health requirements for computer studies and for public use of computers, Regulation No. 57 of 7 June 2001 (Ministry of Social Affairs)
- What has to be taken into account for work with display screen equipment? Labour Inspectorate, 2002, http://www.ti.ee/public/files/Arvuti.pdf
In Western Europe these techniques are known as Display Screen Equipment (DSE) assessment and Portable Appliance Testing (PAT), in which technical personnel assess the conditions of work with display screens and the safety of portable electrical appliances, and check compliance with the regulations.
More general work environment conditions have to be monitored by the employer, and appropriate audits have to be carried out regularly. During these the general work safety situation that is not directly related to IT also has to be examined:
- every structure designed as working space has to meet the applicable requirements, i.e. it has to be well maintained and free of hazards, and all its technical systems (power supply, heating, ventilation and running water) have to be in good condition;
- the employer has to ensure the necessary level of workplace hygiene, from the microclimate of the rooms conforming to the norms to the prohibition of smoking in all office areas;
- for emergencies, evacuation routes have to be marked with permanently lit emergency signs in case the power supply is interrupted; fire-fighting systems (hydrants, fire walls, automatic extinguishers etc.) and first-aid kits have to be functional and complete; evacuation plans have to be posted in visible places. Usually the building plans define the evacuation routes clearly. The owner of the building has to keep the stairways and doors usable in case of danger. Emergency drills are indispensable to avoid panic and confusion in case of a real threat.
All of this is the responsibility of a designated official.
Test questions (the correct answer is marked with X)

7.1. Which is the best way to protect a technical invention in order to gain economic benefit from it?
- patent X
- paper published in a technical journal
- hiding it and not using it
7.2. The author's copyright is violated when:
- a small piece of text from a book is quoted in an article with a citation of the source
- the book is copied for sale without the author's permission X
- the book is analysed in detail in a workshop at a private university
7.3. Software is divided by usage rights into:
- commercial software, shareware, freeware X
- freeware, mainframe software, commercial software
- freeware, commercial software, operating systems
7.4. The Personal Data Protection Act:
- prohibits business organisations from collecting personal data and reserves this right to the public sector
- prepares the conditions for citizens to pass their personal data to various digital databases
- enacts the principles of collecting and processing personal data and the rights of the collecting and processing entities X
7.5. IT agreements differ from other kinds of agreements in that:
- they can be signed only by the head of the IT department
- they handle IT technical problems, the resolution of issues and deadlines for finishing the work
- in addition to the general stipulations of the Law of Obligations Act they describe exact technical conditions for carrying out the work X
7.6. The aim of data security in an organisation is:
- archiving all accounting documents in digital form
- guaranteeing the availability, integrity and confidentiality of all the organisation's information assets X
- creating a safe environment for the computers in the organisation, which means backing up all system and application software and the procedures for making backups
7.7. By using the CE mark the producer declares that the product conforms to the requirements on:
- the health and safety of users, electromagnetic compatibility and the allocated radio spectrum X
- the health and safety of individuals and design
- electromagnetic compatibility and the allocated radio spectrum
7.8. Rank the information security risks from higher to lower according to the potential risk level of the system: 1) an enterprise's economic information, 2) the control system of an electricity distribution network, 3) the population register
- 2, 3, 1 X
- 1, 2, 3
- 3, 1, 2
- 3, 2, 1