Saturday, 4 May 2013

Chapter 3: Information Systems: Ethics, Privacy and Information Security


 
3.1 Ethical Issues:

·       Ethics: are principals of right or wrong that any individual use to guide a certain action or behaviour.
·        Code of Ethics: is a collection of principles that are intended to guide decision making by members of an organization.

·       Fundamental Tenets of Ethics:

o   Responsibility: is a social force that binds you to your obligations.
o   Accountability: is the responsibility to someone or for some activity.
o   Liability: anything that is owed to someone else for example, individuals have the right to recover the damages done to them by other individuals, organizations, or systems.

·       Ethical issues:

o   Privacy Issues.
      o   Accuracy Issues.

o   Property Issues.

o   Accessibility Issues.

·       Threats to Privacy:

o   Electronic Surveillance.

o   Personal Information in Databases.

o   Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites.


·       Protecting Privacy:

o   Privacy Codes and Policies:

§  Opt-out Model: the organization collects personal information from the customers.

§  Opt-in Model: the organization is prohibited from collecting information from the customer.


3.2 Threats to Information Security:

·       Factors Increasing the Threats to Information Security:

o   Today’s interconnected, interdependent, wirelessly-networked business environment.
     o   Government legislation.
o   Smaller, faster, cheaper computers and storage devices.
o   Decreasing skills necessary to be a computer hacker.
o   International organized crime turning to cybercrime.
o   Downstream liability.
o   Increased employee use of unmanaged devices.
o   Lack of management support.
 

·       Categories of Threats to Information Systems:

o   Unintentional acts:

§  Human errors.
§  Deviations in quality of service by service providers (e.g., utilities or heavy equipments).
§  Environmental hazards (e.g., dirt and static electricity).

o   Natural disasters:

§  Floods, Earthquake, Hurricanes and fires.
 

o   Technical failures:

§  Problems with hardware and software.
 

o   Management failures:

§  Lack of funding for information security efforts for example lack of leadership causes the information security of the organization to suffer.

o   Deliberate acts:

§  Information Extortion.

§  Identity Theft.
§  Theft of Equipment and Information.
§  Software attack.
§  A supervisory control and data acquisition (SCADA) system is a large-scale, distributed, measurement and control system.
 
 
3.3 Protecting Information Resources:
·       Risk Management:
o   Risk analysis
o   Risk mitigation:
§  Risk Acceptance. Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
§  Risk limitation. Limit the risk by implementing controls that minimize the impact of threat.
§  Risk transference. Transfer the risk by using other means to compensate for the loss, such as purchasing insurance.
·       Controls:
o   Physical controls:
§  Physical protection of computer facilities and resources from unauthorized individuals through walls, door locks or alarm system.
 
o   Access controls:
§  Restriction of unauthorized user access to computer resources; use biometrics and passwords controls for user identification.
o   Communications (network) controls:
§  The protection of data across networks and include border security controls, authentication and authorization.
o   Application controls:
§  Protect specific applications.
·       Business Continuity Planning, Backup, and Recovery:
o   Hot Site is a fully configured computer facility, with all services, communications links, and physical plant operations.
o   Warm Site provides many of the same services and options of the hot site, but it typically does not include the actual applications the company runs.
o   Cold Site provides only rudimentary services and facilities and so does not supply computer hardware or user workstations.

·       Information Systems Auditing:
o   Types of Auditors and Audits:
§  Internal: Performed by corporate internal auditors.
§  External: Reviews internal audit as well as the inputs, processing and outputs of information systems.
·       IS Auditing Procedure:
o   Auditing around the computer means verifying processing by checking for known outputs or specific inputs.
o   Auditing through the computer means inputs, outputs and processing are checked.
o   Auditing with the computer means using a combination of client data, auditor software, and client and auditor hardware.
 

1 comment:

  1. Passwords & alarms are usesful for the protection..

    Nice work

    ReplyDelete