No Slide Title
Lecture 11
Data Security: Manager's View
• Information security and the ethics of information systems are critical issues for all managers in modern organisations.
• Information systems are critical organisational assets.
• Managers carry an ethical responsibility for the private information their systems hold.
Viewing IS Security
• Control loss of assets
• Ensure the integrity and reliability of data
• Improve the efficiency and effectiveness of information systems applications
Risks, Threats, and Vulnerabilities
• Risk: the potential for loss to the firm, usually expressed in monetary terms as the size of a loss weighted by how likely it is.
• Threat: people, actions, events, and other situations that can trigger losses.
• Vulnerability: a flaw, problem, or other condition that leaves a system open to a threat.
Assessing Risks
• Identify which risks are acceptable and which are not.
• Estimate the amount of each loss and the probability that it will occur.
  – If the loss occurs, how will the firm respond?
  – What would the response cost?
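The two steps above (estimate size and probability of each loss, then decide which risks are acceptable) are the usual quantitative risk assessment. The following is an added example, not code from the lecture: it computes the expected annual loss for each threat, compares it with the firm's tolerance and with the cost of the candidate control, and ranks the results. All figures, the `Scenario` fields and the three decision labels are constructed for illustration.

```python
"""Quantitative risk assessment: rank threats by expected annual loss and decide
whether to accept, mitigate, or transfer each one.

Added example, not code from the lecture. All figures are constructed for
illustration; the decision rule (compare expected loss with the cost of the
control) is the one the slide describes.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    threat: str
    asset_value: float        # replacement or recovery cost of the asset, in currency units
    exposure_factor: float    # fraction of the asset value lost in one incident (0..1)
    annual_rate: float        # expected number of incidents per year (the probability of loss)
    response_cost: float      # cost of the firm's response when the loss occurs
    control_cost: float       # annual cost of the countermeasure under consideration
    control_reduction: float  # fraction of incidents the countermeasure prevents (0..1)


def single_loss_expectancy(s: Scenario) -> float:
    """Loss from one occurrence: damage to the asset plus the cost of responding."""
    return s.asset_value * s.exposure_factor + s.response_cost


def annualised_loss_expectancy(s: Scenario) -> float:
    """Expected loss per year: size of the loss weighted by how often it happens."""
    return single_loss_expectancy(s) * s.annual_rate


def control_benefit(s: Scenario) -> float:
    """Net annual value of the control: loss it avoids minus what it costs."""
    return annualised_loss_expectancy(s) * s.control_reduction - s.control_cost


def assess(scenarios: list[Scenario], acceptable_ale: float) -> list[tuple[str, float, str]]:
    """Return (threat, ALE, decision) for each scenario, largest expected loss first.

    accept: expected loss is within what the firm tolerates.
    mitigate: loss is too large and the control pays for itself.
    transfer-or-accept: loss is too large but the control costs more than it saves,
    so consider insurance or explicitly accept the residual risk.
    """
    rows = []
    for s in scenarios:
        ale = annualised_loss_expectancy(s)
        if ale <= acceptable_ale:
            decision = "accept"
        elif control_benefit(s) > 0:
            decision = "mitigate"
        else:
            decision = "transfer-or-accept"
        rows.append((s.threat, round(ale, 2), decision))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed scenarios: threats named on the slides, with made-up figures.
SAMPLE_SCENARIOS = [
    Scenario("Virus infection", 50_000, 0.10, 12, 800, 3_000, 0.8),
    Scenario("Data diddling by an employee", 100_000, 0.30, 0.5, 10_000, 30_000, 0.5),
    Scenario("Notebook theft", 2_000, 1.00, 3, 500, 1_000, 0.7),
    Scenario("Flood in the computer room", 200_000, 0.50, 0.02, 20_000, 15_000, 0.9),
]

if __name__ == "__main__":
    for threat, ale, decision in assess(SAMPLE_SCENARIOS, acceptable_ale=5_000):
        print(f"{threat:32} ALE={ale:>10,.2f}  {decision}")
```

The ranking is what the manager acts on: the virus scenario has the largest expected loss and a cheap control, so it is mitigated; the flood is rare enough to fall inside the tolerance; the fraud scenario is costly but the audit control would cost more than the loss it prevents, which is the case where insurance or documented acceptance is the honest answer.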
Controls
Countermeasures to threats:
• Physical controls
• Electronic controls
• Software controls
• Management controls
Common Threats
• Natural Disasters
• Employee Errors
• Computer Crime, Fraud, and Abuse
Natural Disasters
Disaster prevention plan
• Use of backup power supplies
• Special building materials
• Location
• Drainage systems
• Structural modifications to avoid damage
Natural Disasters
Disaster containment plan
• Sprinkler systems
• Watertight ceilings
Disaster recovery plan
• Planning how to restore operations quickly
• Developing contingency plans
Computer Crime, Fraud and Abuse
• About 75% of firms reported financial losses from computer crimes; 90% of computer crime goes unreported.
• Industrial Espionage: the theft of organisational data by competitors.
• Hacking: unauthorised entry by a person into a computer system or network.
• Data Diddling: the use of a computer system by employees to forge documents or alter data in records for personal gain.
Computer Viruses
A hidden program that inserts itself into a computer system and forces the system to make copies of it.
Can be
– Benign
– Malicious
• destroys its original host once it has copied itself
• spare capacity of the computer is used up by proliferation
Time Bombs: activated on a particular date
Logic Bombs: activated when a specific logical condition is met
Worms: similar to a virus, but a self-contained program; it does not attach to a host file and spreads by itself across the network
Trojan Horses: a program that appears legitimate or useful but carries hidden malicious code
Computer Viruses
Infection routes:
• E-mail
• Any network connection
  – downloading a program
  – accessing a web site
• Diskettes
Computer Crime, Fraud and Abuse (Cont.)
• Hardware Theft and Vandalism:
  – Over 208,000 notebook computers were stolen in 1995.
• Software Piracy: reproducing a program in violation of its copyright protection.
  – Illegal use exposes the organisation to legal liability.
  – Piracy can cost you your job.
  – Copyright laws
Privacy Violations
Privacy is the capacity of individuals or organisations to control information about themselves. It requires:
– limiting the types and amounts of data that can be collected about individuals and organisations;
– that individuals or organisations can access, examine, and correct the data stored about them;
– that the disclosure, use, or dissemination of those data are restricted.
Privacy Violations
Violations of electronic mail privacy and of electronic data interchange.
Data protection legislation
Controls
Good computer hygiene
Anti-virus programs
– Prevent a virus-laden file from being downloaded from a network
– Prevent a virus program from inserting itself into the system
– Detect a virus program so you can take emergency action
– Control the damage virus programs can do once they have been detected
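The detect-then-contain steps listed above are what an anti-virus control actually does. Below is an added example, not code from the lecture, of the simplest form of that control: a signature-based scan of a download folder that matches files against a whole-file hash and byte patterns, then quarantines anything it flags. The signature names (`Demo.*`), the sample files and the "download" directory are all constructed; the byte patterns are hypothetical illustrations of a time bomb and a data-diddling script as the slides describe them, not real malware signatures.

```python
"""Signature-based scan of downloaded files, with quarantine of anything detected.

Added example, not code from the lecture. Signatures and sample files are
constructed for illustration (the 'Demo.*' names are hypothetical); a real
anti-virus product uses a large, frequently updated signature database plus
heuristics, but the control steps are the same: detect, then contain.
"""
from __future__ import annotations

import hashlib
import re
import stat
import tempfile
from pathlib import Path

# Constructed "known bad" sample: a whole-file hash signature catches an exact copy.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00" + b"DEMO-MALWARE-SAMPLE-NOT-REAL" * 4
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Demo.KnownBad"}

# Constructed byte-pattern signatures: these also catch variants that differ elsewhere.
PATTERN_SIGNATURES = {
    # hypothetical time-bomb trigger: code that fires on a specific date
    "Demo.TimeBomb": re.compile(rb"if\s+date\s*==\s*['\"]\d{4}-\d{2}-\d{2}['\"]"),
    # hypothetical data-diddling script: bulk rewrite of salary records
    "Demo.Diddler": re.compile(rb"UPDATE\s+payroll\s+SET\s+salary", re.IGNORECASE),
}


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of every signature that matches, exact hashes first."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(name)
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            hits.append(name)
    return hits


def quarantine(path: Path, quarantine_dir: Path) -> Path:
    """Emergency action: move the file out of reach and make it read-only."""
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    dest = quarantine_dir / (path.name + ".quarantined")
    path.rename(dest)
    dest.chmod(stat.S_IRUSR)  # owner read-only: not executable, not editable by accident
    return dest


def scan_directory(root: Path, quarantine_dir: Path) -> dict:
    """Scan every file under root; quarantine detections and report the result."""
    report = {"scanned": 0, "detections": {}, "quarantined": []}
    # Materialise the listing first so moving files does not disturb the walk.
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        report["scanned"] += 1
        hits = scan_bytes(path.read_bytes())
        if hits:
            rel = str(path.relative_to(root))
            report["detections"][rel] = hits
            quarantine(path, quarantine_dir)
            report["quarantined"].append(rel)
    return report


def demo() -> dict:
    """Run the scanner over a constructed download folder and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp) / "downloads"
        downloads.mkdir()
        (downloads / "report.txt").write_bytes(b"Quarterly sales figures\n")
        (downloads / "update.py").write_bytes(
            b"import datetime\nif date == '2026-01-01':\n    wipe_disk()\n"
        )
        (downloads / "fix.sql").write_bytes(b"update payroll set salary = salary * 2;\n")
        (downloads / "setup.exe").write_bytes(KNOWN_BAD_SAMPLE)
        return scan_directory(downloads, Path(tmp) / "quarantine")


if __name__ == "__main__":
    print(demo())
```

The hash signature is exact and cheap but misses a sample that differs by a single byte; the pattern signatures catch variants at the cost of possible false positives, which is why the action on detection is quarantine (reversible) rather than deletion.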
Protecting Information Systems
• Small business measures:
– Alarms and regular use of
keyboard locks.
– Replacement value insurance.
– Password protection.
– Storage of software disks in a
locked cabinet.
– Tie-down cables for desktop
computers.
– Train employees.
Securing Communications Systems
• Encryption: encoding data so that only holders of the correct key can read it.
• Firewalls: typically a system used to enforce an access control policy between two networks.
• E-mail Gateways: monitor all inbound and outbound mail traffic.
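What "enforce an access control policy between two networks" means in practice is an ordered rule set evaluated against each packet. The following is an added example, not code from the lecture: a small packet filter for an internal network, a mail gateway and a public web server. Addresses (RFC 5737 documentation ranges and a private range), interface names, the rules and the sample packets are all constructed. It shows the three points a practitioner checks in any firewall policy: rules are evaluated first-match, an anti-spoofing rule sits ahead of every permit, and anything no rule mentions is denied.

```python
"""A small packet filter that enforces an access-control policy between an
internal network and the outside world.

Added example, not code from the lecture. Addresses, interfaces and rules are
constructed (documentation ranges from RFC 5737); the design points are the
ones a practitioner cares about: first-match evaluation, an anti-spoofing rule
ahead of the permits, and deny-by-default for anything no rule mentions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outside" or "inside"
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    iface: str                       # "outside", "inside" or "any"
    proto: str                       # "tcp", "udp" or "any"
    src: str                         # source network in CIDR notation
    dst: str                         # destination network in CIDR notation
    dports: tuple[int, ...] | None   # permitted destination ports, None = any
    comment: str

    def matches(self, pkt: Packet) -> bool:
        return (
            self.iface in ("any", pkt.iface)
            and self.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (self.dports is None or pkt.dport in self.dports)
        )


INTERNAL = "10.0.0.0/8"         # constructed private range for the internal LAN
MAIL_GATEWAY = "192.0.2.25/32"  # constructed e-mail gateway in the DMZ
WEB_SERVER = "192.0.2.80/32"    # constructed public web server
ANY = "0.0.0.0/0"

# Ordered policy: the first matching rule wins. Rule 0 must stay first.
POLICY = [
    Rule("deny", "outside", "any", INTERNAL, ANY, None,
         "anti-spoofing: internal addresses never legitimately arrive from outside"),
    Rule("allow", "outside", "tcp", ANY, MAIL_GATEWAY, (25,),
         "inbound mail terminates on the e-mail gateway, not on internal hosts"),
    Rule("allow", "outside", "tcp", ANY, WEB_SERVER, (80, 443),
         "public web service"),
    Rule("allow", "inside", "tcp", INTERNAL, ANY, (80, 443),
         "staff browsing the web"),
    Rule("allow", "inside", "tcp", INTERNAL, MAIL_GATEWAY, (25,),
         "outbound mail goes through the gateway so it can be monitored"),
]


def evaluate(policy: list[Rule], pkt: Packet) -> tuple[str, int | None]:
    """Return (action, index of the matching rule); None means the implicit default deny."""
    for i, rule in enumerate(policy):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


def log_line(policy: list[Rule], pkt: Packet) -> str:
    """One audit-log line per decision; the denies are what the operator reviews."""
    action, i = evaluate(policy, pkt)
    why = policy[i].comment if i is not None else "default deny"
    return f"{action.upper():5} {pkt.iface:7} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport} ({why})"


if __name__ == "__main__":
    # Constructed traffic sample.
    for pkt in [
        Packet("outside", "tcp", "198.51.100.7", "192.0.2.25", 25),   # legitimate inbound mail
        Packet("outside", "tcp", "10.1.2.3", "192.0.2.25", 25),       # spoofed internal source
        Packet("outside", "tcp", "198.51.100.7", "10.0.0.5", 445),    # file sharing from outside
        Packet("inside", "tcp", "10.0.0.5", "203.0.113.9", 443),      # staff browsing
        Packet("inside", "tcp", "10.0.0.5", "203.0.113.9", 25),       # mail bypassing the gateway
    ]:
        print(log_line(POLICY, pkt))
```

Note that the last sample packet is denied even though it comes from inside: direct outbound mail would bypass the e-mail gateway that the slide says should monitor all mail traffic, so the policy only permits port 25 to the gateway itself.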
Develop and practise a disaster recovery plan with a "hot" site (a fully equipped standby facility that can take over operations almost immediately) and a "cold" site (space and basic services into which equipment must be installed before operations resume).
The plan describes how a firm can resume operations after a disaster.
Ethics
• Ethical and Contractual Behaviour: a good part of computer ethics is behaving legally and contractually, for example not copying software you have no right to copy.
• Privacy, Access, and Accuracy Issues: even where it is not illegal to read the email of others, it is unethical.
Privacy Issues
• What information on
individuals and other firms
should an organisation keep?
• What rights should these
individuals and firms have
about the use of the data that
your organisation keeps?
• If your organisation is bought
by another, what rights should
the purchaser have about the
data that it maintains?
Privacy Issues (Cont.)
• What is your firm’s
responsibility for ensuring the
data on people it keeps is
accurate?
• What rights do people have to
review the data kept about
themselves?
• Who in an organisation has the
right to review the records of
others?
Property Issues
• Using shareware software
without sending a check to the
developer is unethical.
• Protecting the rights of others by not copying software: piracy raises the cost borne by those who pay for the software.
• Property rights over intellectual
property such as copyrights.
The Widespread Impact of
Information Systems and
Management Responsibility
• IS allow increased efficiency and effectiveness; this can lead to workforce reductions.
• Responsibilities to employees as
stakeholders in the organisation.
• Managers should develop and
deploy information systems in a
socially responsible way.
Summary
• Information systems pose
numerous security and ethical
problems for managers.
• Assess the risks and understand
the controls to apply to reduce
the threats to IS.
• Understand that ethical
problems with IS have been the
subject of legislation and court
action, and that managers have
a social responsibility to
safeguard information and its
use.
R. Behar, "Who's Reading Your Email?", Fortune, February 3, 1997, pp. 58, 64.
K. Ferrell, "Net Crime: Don't Be a Victim", CNET.COM (online magazine), February 6, 1996.
A. Gordon, "Study: Computer Crimes Grow, Losses Top $100 Million", USA Today, March 7, 1997 (online version).
M. J. Zuckerman, "Cybercrime against Business Frequent, Costly", USA Today, January 13, 1997 (online version).
V. McCarthy, "Web Security: How Much Is Enough?", January 1997.