Saturday 4 May 2013

Chapter 3: Information Systems: Ethics, Privacy and Information Security

3.1 Ethical Issues:

·       Ethics: are principles of right or wrong that individuals use to guide a particular action or behaviour.
·       Code of Ethics: is a collection of principles intended to guide decision making by members of an organization.

·       Fundamental Tenets of Ethics:

o   Responsibility: is a social force that binds you to your obligations.
o   Accountability: is the responsibility to someone or for some activity.
o   Liability: anything that is owed to someone else; for example, individuals have the right to recover the damages done to them by other individuals, organizations, or systems.

·       Ethical issues:

o   Privacy Issues.
o   Accuracy Issues.
o   Property Issues.
o   Accessibility Issues.

·       Threats to Privacy:

o   Electronic Surveillance.
o   Personal Information in Databases.
o   Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites.

·       Protecting Privacy:

o   Privacy Codes and Policies:

§  Opt-out Model: the organization collects personal information from the customers.
§  Opt-in Model: the organization is prohibited from collecting information from the customer.


3.2 Threats to Information Security:

·       Factors Increasing the Threats to Information Security:

o   Today’s interconnected, interdependent, wirelessly-networked business environment.
o   Government legislation.
o   Smaller, faster, cheaper computers and storage devices.
o   Decreasing skills necessary to be a computer hacker.
o   International organized crime turning to cybercrime.
o   Downstream liability.
o   Increased employee use of unmanaged devices.
o   Lack of management support.

·       Categories of Threats to Information Systems:

o   Unintentional acts:

§  Human errors.
§  Deviations in quality of service by service providers (e.g., utilities or heavy equipment).
§  Environmental hazards (e.g., dirt and static electricity).

o   Natural disasters:

§  Floods, earthquakes, hurricanes and fires.

o   Technical failures:

§  Problems with hardware and software.

o   Management failures:

§  Lack of funding for information security efforts; for example, a lack of leadership causes the information security of the organization to suffer.

o   Deliberate acts:

§  Information Extortion.
§  Identity Theft.
§  Theft of Equipment and Information.
§  Software attack.
§  A supervisory control and data acquisition (SCADA) system is a large-scale, distributed measurement and control system.

3.3 Protecting Information Resources:

·       Risk Management:

o   Risk analysis.
o   Risk mitigation:

§  Risk Acceptance. Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
§  Risk limitation. Limit the risk by implementing controls that minimize the impact of the threat.
§  Risk transference. Transfer the risk by using other means to compensate for the loss, such as purchasing insurance.

·       Controls:

o   Physical controls:

§  Physical protection of computer facilities and resources from unauthorized individuals through walls, door locks or alarm systems.

o   Access controls:

§  Restriction of unauthorized user access to computer resources; use biometrics and password controls for user identification.

o   Communications (network) controls:

§  The protection of data across networks; includes border security controls, authentication and authorization.

o   Application controls:

§  Protect specific applications.

·       Business Continuity Planning, Backup, and Recovery:

o   Hot Site is a fully configured computer facility, with all services, communications links, and physical plant operations.
o   Warm Site provides many of the same services and options as the hot site, but it typically does not include the actual applications the company runs.
o   Cold Site provides only rudimentary services and facilities, and so does not supply computer hardware or user workstations.

·       Information Systems Auditing:

o   Types of Auditors and Audits:

§  Internal: performed by corporate internal auditors.
§  External: reviews the internal audit as well as the inputs, processing and outputs of information systems.

·       IS Auditing Procedure:

o   Auditing around the computer means verifying processing by checking for known outputs using specific inputs.
o   Auditing through the computer means inputs, outputs and processing are checked.
o   Auditing with the computer means using a combination of client data, auditor software, and client and auditor hardware.

1 comment:

  1. Passwords & alarms are useful for the protection..

    Nice work