BUS1MIS Management Information Systems
Semester 1, 2012
Week 7 Lecture 1
Ethics and Information Security
Learning objectives
Ref. Chapter 4 (Text)
• Explain the ethical issues surrounding information technology.
• Identify the differences between an ‘ethical computer use policy’ and an ‘acceptable use policy’.
• Describe the relationship between an ‘email privacy policy’ and an ‘Internet use policy’.
• Describe the relationship between information security policies and an information security plan.
• Summarise the five steps to creating an information security plan.
• Provide an example of each of the three primary security areas:
  a. authentication and authorization,
  b. prevention and resistance,
  c. detection and response.
• Describe the relationships and differences between hackers and viruses.
Ethics and Information Security
An organisation’s data and information are a key resource.
To lose the data and information or have them used inappropriately or illegally can be disastrous for an organisation.
A business manager must understand the ethical and security issues surrounding data and information.
Ethics and Information Security
Ethics – the principles and standards that guide our behaviour toward other people.
Ethics sit between appropriate behaviour and illegal behaviour.
Ethics and Information Security
Acting ethically and acting legally are not always the same thing.
Hopefully you will be making decisions here!
Ethics and Information Security
Consider the questions below from an ethical and a legal viewpoint.
1. Is it OK to use work time and equipment for private email and Internet usage?
2. Should your boss be able to monitor your personal Internet usage on work computers?
3. Should your boss be able to read private emails you have sent from or received on work computers?
4. You give up a job to go into business for yourself. Before you leave you print a list of your customers’ contact details. Is it OK to individually contact your previous customers to inform them of your new business?
Ethics and Information Security
Ethical issues concerning IT and IS
• Intellectual property [the rights that protect creative and intellectual effort]
• Copyright [the exclusive right of a creator to copy and distribute a work; copying or using material without permission infringes it] e.g. the iiNet case
• Fair use doctrine [the circumstances in which copyrighted material may legally be used without the owner’s permission]
• Pirated software [unauthorized use, copying or distribution of copyrighted software]
• Counterfeit products [e.g. software manufactured to look like the genuine product and sold as such]
Ethics and Information Security
Privacy is a major ethical issue, and the right to privacy is also protected by law.
Privacy : the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent
Confidentiality : the assurance that messages and information are available only to those who are authorized to view them
Ethics and Information Security
Developing Information Management Policies
Organisations should strive to build a corporate culture based on ethical principles that employees can understand and implement.
e-Policies typically include:
• Ethical computer use policy
• Information privacy policy
• Acceptable use policy
• email privacy policy
• Internet use policy
• Anti-spam policy
e-policies are policies and procedures that address the ethical use of computers and internet usage in the business environment
Ethics and Information Security
Ethical computer use policy : contains general principles to guide computer user behaviour [p. 170]
Information privacy policy : contains general principles regarding information privacy [p. 171]
The unethical use of information typically occurs “unintentionally”, when information collected for one purpose is reused for a new purpose.
Acceptable use policy (AUP) : a policy that a user must agree to follow in order to be provided access to a network or to the Internet [p. 171-2]
A typical AUP states that the user:
1. Will not violate any laws
2. Will not attempt to break network security
3. Will not post commercial messages
4. Will not send spam
5. Will not send mail bombs
Ethics and Information Security
Organisations can mitigate the risks of email and instant messaging communication tools by implementing and adhering to an email privacy policy
email privacy policy : details the extent to which email messages may be read by others [p. 172-3]
Ethics and Information Security
Internet use policy : contains general principles to guide the proper use of the Internet within an organization [p. 173-4]
The policy:
1. Describes the available Internet services
2. Defines the purpose of, and restrictions on, Internet access
3. Complements the ethical computer use policy
4. Describes user responsibilities
5. States the ramifications of violations
Spam : unsolicited email
Anti-spam policy : simply states that email users will not send unsolicited emails (or spam)
Ethics and Information Security
Workplace monitoring is a concern for many employees
Organisations can be held financially responsible for their employees’ actions
The dilemma surrounding employee monitoring is that an organization places itself at risk if it fails to monitor its employees; however, many people regard monitoring employees as unethical.
Information Technology Monitoring
Monitoring : tracking people’s activities by such measures as number of keystrokes, error rate, and number of transactions processed
Ethics and Information Security
Information security : the protection of information from accidental or intentional misuse by persons inside or outside an organization
Organizations must enable employees, customers, and partners to access information electronically
The biggest issue surrounding information security is not a technical issue, but a people issue
33% of security incidents originate within the organization
Insiders : legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident
Ethics and Information Security
Lines of Defence - [1] People
The first line of defence an organization should establish to help combat insider issues is to develop information security policies and an information security plan.
How do you create an information security plan?
1. Develop the information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks
4. Test and re-evaluate risks
5. Obtain stakeholder support [see Tables 4.15, 4.16 Text]
Ethics and Information Security
Lines of Defence - [2] Technology
The second line of defence involves technology, in particular:
1. Authentication and authorization [p. 186-8]
2. Prevention and resistance [p. 188-90]
3. Detection and response [p. 190-2]
Ethics and Information Security
Authentication : a method for confirming users’ identities
The most secure authentication combines two or more of the following factors:
• Something the user knows [e.g. user name and password]
• Something the user has [e.g. a smart card or token]
• Something that is part of the user [e.g. voice signature, fingerprint]
Authorisation : the process of giving someone permission to do or have something
e.g. file access, hours of access, amount of storage space
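As an added example (not code from the lecture or its textbook), the Python below combines the first two factors above in one login (a salted password hash plus a one-time code from a token) and then applies an authorization check of the kind just listed: file access by path, permitted hours and a storage quota. The user record, policy values, hours and quota are constructed for the demonstration, and the one-time-code secret is the public RFC 6238 test key rather than a real credential.

```python
# Added example, not code from the lecture or its textbook: a login that requires two
# authentication factors, then an authorization check against a per-user policy.
# The user record, policy values and secret below are constructed for the demo
# (the secret is the public RFC 6238 test key, not a real credential).
from __future__ import annotations

import hashlib
import hmac
import struct


# "Something the user knows": store a salted PBKDF2 hash, never the password itself.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    # compare_digest takes constant time, so timing does not reveal how many bytes matched
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


# "Something the user has": a one-time code from a hardware token or phone app (RFC 6238 TOTP).
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)       # 8-byte big-endian time-step counter
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30) -> bool:
    # also accept the adjacent time steps so a slightly skewed clock does not lock the user out
    return any(hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
               for d in (-1, 0, 1))


def authenticate(user: dict, password: str, code: str, unix_time: int) -> bool:
    # Both factors must pass: a stolen password alone is not enough.
    return (verify_password(password, user["salt"], user["pw_hash"])
            and verify_totp(user["totp_secret"], code, unix_time))


# Authorization: what an authenticated identity may do (file access, hours, storage space).
def authorize(policy: dict, action: str, path: str, hour: int, bytes_used: int) -> bool:
    start, end = policy["hours"]
    if not start <= hour < end:
        return False                                      # outside permitted hours
    if not any(path.startswith(prefix) for prefix in policy["paths"].get(action, [])):
        return False                                      # no right to this file for this action
    if action == "write" and bytes_used >= policy["quota_bytes"]:
        return False                                      # storage quota exhausted
    return True


# Constructed demo data for a hypothetical user "jsmith".
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
USER = {
    "name": "jsmith",
    "salt": SALT,
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": b"12345678901234567890",               # RFC 6238 test key
}
POLICY = {
    "hours": (8, 18),                                     # 08:00 to 18:00 only
    "paths": {"read": ["/finance/reports/"], "write": ["/finance/reports/drafts/"]},
    "quota_bytes": 50 * 1024 * 1024,                      # 50 MiB of storage
}

if __name__ == "__main__":
    now = 59                                              # RFC 6238 test time; the token shows 287082
    print("login ok:", authenticate(USER, "correct horse battery staple", "287082", now))
    print("read report at 10:00:", authorize(POLICY, "read", "/finance/reports/q1.xlsx", 10, 0))
    print("write draft at 23:00:", authorize(POLICY, "write", "/finance/reports/drafts/q1.xlsx", 23, 0))
```

Authentication answers "who is this?" and authorization answers "what may they do?"; the code keeps the two separate so that a policy change (new hours, a larger quota) never touches the credential checks, and a password leak on its own still fails the login because the second factor is missing.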
Ethics and Information Security
Prevention and resistance
Technologies available to help prevent and build resistance to attacks include:
1. Content filtering [e.g. software that scans email for sensitive information, or for attachments containing viruses, and blocks or quarantines it]
2. Encryption [‘scrambling’ information before transmission so that only the holder of the key can ‘unscramble’ it on receipt]
3. Firewalls [hardware or software that ‘guards’ a private network by inspecting traffic at its boundary and blocking what policy does not permit]
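As an added example (not code from the lecture or its textbook), the Python below is a minimal outbound-email content filter of the kind described in item 1: it looks for payment card numbers (validated with the Luhn check so that arbitrary digit strings do not trigger it) and for classification markers, and blocks a flagged message only when it is addressed outside the organization. The sample messages, the internal domain name and the marker list are constructed for the demonstration.

```python
# Added example, not code from the lecture or its textbook: a minimal outbound-email
# content filter. It flags payment card numbers (validated with the Luhn check so that
# arbitrary digit strings do not trip it) and classification markers, and blocks a
# flagged message only when it leaves the organization. Sample data are constructed.
from __future__ import annotations

import re

INTERNAL_DOMAIN = "corp.example"                     # hypothetical internal mail domain
MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")          # hypothetical classification markers
# 13 to 19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test that every real card number passes (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                                   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    found = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_message(msg: dict) -> list[str]:
    """Return the reasons a message is sensitive (empty list if none)."""
    reasons = []
    text = msg["subject"] + "\n" + msg["body"]
    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"{len(cards)} payment card number(s)")
    upper = text.upper()
    reasons.extend(f"marker '{m}'" for m in MARKERS if m in upper)
    return reasons


def filter_outbound(msg: dict) -> tuple[str, list[str]]:
    """Decide 'allow' or 'block'. Internal recipients may receive sensitive content."""
    reasons = scan_message(msg)
    external = not msg["to"].lower().endswith("@" + INTERNAL_DOMAIN)
    if reasons and external:
        return "block", reasons
    return "allow", reasons


# Constructed sample messages (no real addresses or card numbers; 4111... is a test number).
SAMPLE_MESSAGES = [
    {"to": "partner@example.net", "subject": "Invoice", "body": "Please charge 4111 1111 1111 1111, thanks."},
    {"to": "partner@example.net", "subject": "Ticket", "body": "Ticket 4111 1111 1111 1112 is closed."},
    {"to": "alice@corp.example", "subject": "CONFIDENTIAL: Q1 figures", "body": "See attached."},
    {"to": "press@example.net", "subject": "CONFIDENTIAL: Q1 figures", "body": "See attached."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, why = filter_outbound(msg)
        print(f"{msg['to']:<22} {verdict:<5} {'; '.join(why)}")
```

The second sample shows why the Luhn check matters: a ticket number that merely looks like a card number passes through, so the filter does not block legitimate business mail. A production filter would also inspect attachments and would log blocked messages for the response step described later.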
Ethics and Information Security
Detection and Response
If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage.
Antivirus software is the most common type of detection and response technology.
Virus : software written with malicious intent to cause annoyance or damage [see Table 4.19, Text, for a description of virus types].
Hackers : people very knowledgeable about computers who use their knowledge to invade other people’s computers [again, see Table 4.19, Text, for a description of hacker types].