3.1 Ethical Issues:
· Ethics: the principles of right or wrong that an individual uses to guide a particular action or behaviour.
· Code of Ethics: a collection of principles intended to guide decision making by the members of an organization.
· Fundamental Tenets of Ethics:
o Responsibility: a social force that binds you to your obligations; you accept the consequences of your decisions and actions.
o Accountability: being answerable to someone, or for some activity, so that it can be determined who is responsible for an action.
o Liability: a legal concept, an obligation owed to someone else; for example, individuals have the right to recover the damages done to them by other individuals, organizations, or systems.
· Ethical issues:
o Privacy issues.
o Accuracy issues.
o Property issues.
o Accessibility issues.
· Threats to Privacy:
o Electronic surveillance.
o Personal information in databases.
o Information on Internet bulletin boards, newsgroups, and social networking sites.
· Protecting Privacy:
o Privacy Codes and Policies:
§ Opt-out Model: the organization is allowed to collect personal information from customers until the customer specifically requests that the data not be collected.
§ Opt-in Model: the organization is prohibited from collecting personal information from a customer unless the customer specifically authorizes it.
3.2 Threats to Information Security:
· Factors Increasing the Threats to Information Security:
o Today's interconnected, interdependent, wirelessly-networked business environment.
o Government legislation.
o Smaller, faster, cheaper computers and storage devices.
o Decreasing skills necessary to be a computer hacker.
o International organized crime turning to cybercrime.
o Downstream liability.
o Increased employee use of unmanaged devices.
o Lack of management support.
· Categories of Threats to Information Systems:
o Unintentional acts:
§ Human errors.
§ Deviations in quality of service by service providers (e.g., utilities or heavy equipment).
§ Environmental hazards (e.g., dirt and static electricity).
o Natural disasters:
§ Floods, earthquakes, hurricanes and fires.
o Technical failures:
§ Problems with hardware and software.
o Management failures:
§ Lack of funding for information security efforts and lack of leadership; for example, when management shows no interest, the information security of the organization suffers.
o Deliberate acts:
§ Information extortion.
§ Identity theft.
§ Theft of equipment and information.
§ Software attacks.
§ Attacks on supervisory control and data acquisition (SCADA) systems. A SCADA system is a large-scale, distributed measurement and control system, so an attack on it can affect the physical process it controls.
3.3 Protecting Information Resources:
· Risk Management:
o Risk analysis.
o Risk mitigation:
§ Risk acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur.
§ Risk limitation: limit the risk by implementing controls that minimize the impact of the threat.
§ Risk transference: transfer the risk by using other means to compensate for the loss, such as purchasing insurance.
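The three mitigation strategies are easier to compare when the risk is quantified. The following is an added worked example, not part of the original notes: it uses the standard quantitative formulas (single loss expectancy SLE = asset value x exposure factor, annualized loss expectancy ALE = SLE x annualized rate of occurrence) and then prices acceptance, limitation and transference for one asset. The asset value, exposure factor, control cost, insurance premium and all other figures are constructed assumptions for illustration.

```python
"""Quantitative risk analysis and choice of mitigation strategy.

Added example (not from the original notes). Formulas used:
  SLE = asset_value * exposure_factor
  ALE = SLE * ARO
All numbers in example_scenario() are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # value of the asset exposed to the threat
    exposure_factor: float  # fraction of the asset value lost per incident (0..1)
    aro: float              # annualized rate of occurrence of the threat

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year with no controls."""
        return self.sle() * self.aro


def cost_accept(risk: Risk) -> float:
    """Risk acceptance: no controls, the organization absorbs the expected loss."""
    return risk.ale()


def cost_limit(risk: Risk, control_cost: float, aro_reduction: float) -> float:
    """Risk limitation: a control (assumed here to cut the likelihood of the
    threat by `aro_reduction`) is paid for every year, and the residual
    expected loss is still carried by the organization."""
    residual = Risk(risk.asset_value, risk.exposure_factor,
                    risk.aro * (1.0 - aro_reduction))
    return control_cost + residual.ale()


def cost_transfer(risk: Risk, premium: float, coverage: float) -> float:
    """Risk transference: insurance with an annual premium that pays back the
    `coverage` fraction of each loss; the uncovered part stays with the organization."""
    return premium + risk.ale() * (1.0 - coverage)


def choose_strategy(risk: Risk, control_cost: float, aro_reduction: float,
                    premium: float, coverage: float):
    """Return (cheapest strategy name, dict of expected annual cost per strategy)."""
    options = {
        "acceptance": cost_accept(risk),
        "limitation": cost_limit(risk, control_cost, aro_reduction),
        "transference": cost_transfer(risk, premium, coverage),
    }
    best = min(options, key=options.get)
    return best, options


def example_scenario():
    """Constructed scenario (hypothetical figures): a customer database worth
    200,000, half of its value lost in a breach, breach expected once in 5 years.
    A control costing 5,000/year removes 75% of the likelihood; an insurance
    policy costs 8,000/year and covers 80% of each loss."""
    risk = Risk(asset_value=200_000.0, exposure_factor=0.5, aro=0.2)
    return choose_strategy(risk, control_cost=5_000.0, aro_reduction=0.75,
                           premium=8_000.0, coverage=0.8)


if __name__ == "__main__":
    best, costs = example_scenario()
    for name, cost in costs.items():
        print(f"{name:13s} expected annual cost = {cost:10.2f}")
    print("recommended:", best)
```

In this scenario acceptance costs the full ALE of 20,000 per year, limitation 10,000 (5,000 for the control plus a residual ALE of 5,000), and transference 12,000 (8,000 premium plus the uncovered 4,000), so limitation is recommended. Changing the figures (a cheaper premium, a less effective control) moves the decision, which is the point of doing the analysis before picking a strategy.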
· Controls:
o Physical controls:
§ Physical protection of computer facilities and resources from unauthorized individuals through walls, door locks or alarm systems.
o Access controls:
§ Restriction of unauthorized user access to computer resources; they use biometrics and password controls for user identification.
o Communications (network) controls:
§ Protection of data across networks; they include border security controls, authentication and authorization.
o Application controls:
§ Protect specific applications.
· Business Continuity Planning, Backup, and Recovery:
o Hot Site: a fully configured computer facility, with all services, communications links, and physical plant operations.
o Warm Site: provides many of the same services and options as the hot site, but typically does not include the actual applications the company runs.
o Cold Site: provides only rudimentary services and facilities and so does not supply computer hardware or user workstations.
· Information Systems Auditing:
o Types of Auditors and Audits:
§ Internal: performed by corporate internal auditors.
§ External: reviews the internal audit as well as the inputs, processing and outputs of information systems.
· IS Auditing Procedure:
o Auditing around the computer: verifying processing by checking for known outputs from specific inputs, without examining the processing itself.
o Auditing through the computer: inputs, outputs and the processing itself are checked.
o Auditing with the computer: using a combination of client data, auditor software, and client and auditor hardware.