Lecture 11
Data Security: Manager’s View
• Issues regarding information security and ethics regarding information systems are critical to all managers in modern organisations.
• Information systems represent critical organisational assets.
• Ethical responsibility for private information is important to managers.
Viewing IS Security
• Control loss of assets
• Ensure the integrity and reliability of data
• Improve the efficiency/effectiveness of Information Systems applications
Risks, Threats, and Vulnerabilities
• Risk: a potential monetary loss to the firm.
• Threat: people, actions, events, and other situations that can trigger losses.
• Vulnerabilities: flaws, problems, and other conditions that make a system open to threats.
Assessing Risks
• Identify what risks are acceptable and what risks are not.
• Estimate the amount of loss and the probability the loss will occur.
– If the loss occurs, how will the firm respond?
– What would be the cost of the response?
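The two slide questions (how likely and how costly is the loss, and what does the response cost) can be put into a small risk register. This is an added example, not part of the lecture; the risk names, figures and the acceptable-loss threshold are constructed, and the expected-loss and net-benefit formulas are the standard annualised calculation rather than anything the slides prescribe.

```python
# Added example (not from the lecture): a small risk-assessment register in the
# spirit of the "Assessing Risks" slide. Every figure below is constructed.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    loss: float                  # monetary loss if the threat materialises
    probability: float           # chance of occurrence per year (0..1)
    control_cost: float          # annual cost of the countermeasure ("response")
    residual_probability: float  # probability per year after the control is applied


def expected_loss(risk: Risk) -> float:
    """Expected annual loss with no control in place: probability * loss."""
    return risk.probability * risk.loss


def control_benefit(risk: Risk) -> float:
    """Net annual benefit of the control: loss avoided minus the control's cost."""
    avoided = (risk.probability - risk.residual_probability) * risk.loss
    return avoided - risk.control_cost


def assess(risks, acceptable_loss: float) -> dict:
    """Classify each risk as acceptable or not, and say whether its control pays off."""
    report = {}
    for r in risks:
        el = expected_loss(r)
        report[r.name] = {
            "expected_loss": el,
            "acceptable": el <= acceptable_loss,
            "control_worthwhile": control_benefit(r) > 0,
        }
    return report


# Constructed sample register (hypothetical figures, not survey data).
SAMPLE_RISKS = [
    Risk("Notebook theft", 5_000, 0.20, control_cost=300, residual_probability=0.05),
    Risk("Virus outbreak", 50_000, 0.10, control_cost=2_000, residual_probability=0.02),
    Risk("Flood in server room", 200_000, 0.01, control_cost=15_000, residual_probability=0.002),
]

if __name__ == "__main__":
    for name, row in assess(SAMPLE_RISKS, acceptable_loss=2_500).items():
        print(f"{name}: {row}")
```

With these figures the flood risk is acceptable on expected value and its control is not worth its cost, while the virus risk is unacceptable and its control pays for itself; the slide's point is that the response and its cost are part of the assessment, not an afterthought.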
Controls
Countermeasures to threats:
• Physical controls
• Electronic controls
• Software controls
• Management controls
Common Threats
• Natural Disasters
• Employee Errors
• Computer Crime, Fraud, and Abuse
Natural Disasters
Disaster prevention plan
• Use of backup power supplies
• Special building material
• Location
• Drainage systems
• Structural modifications to avoid damage
Natural Disasters
Disaster containment plan
• Sprinkler systems
• Water-tight ceilings
Disaster recovery plan
• Planning how to restore operations quickly
• Developing contingency plans
Computer Crime, Fraud and Abuse
• About 75% of firms reported financial losses from computer crimes; 90% of computer crime goes unreported.
• Industrial Espionage: the theft of organisational data by competitors.
• Hacking: unauthorised entry by a person into a computer system or network.
• Data Diddling: the use of a computer system by employees to forge documents or change data in records for personal gain.
Computer Viruses
A hidden program which inserts itself into the computer system and forces the system to clone it.
Can be:
– Benign
– Malicious
• destroys its original host when it has copied itself
• spare capacity of the computer is used up by proliferation
Time Bombs: activated by a particular date.
Logic Bombs: activated by the execution of a specific logical condition.
Worms: similar to a virus, but reside on separate software.
Trojan Horses
Computer Viruses
Can be infected by:
• E-mail
• Any network connection
– downloading a program
– accessing a web site
• From diskettes
Computer Crime, Fraud and Abuse (Cont.)
• Hardware Theft and Vandalism:
– Over 208,000 notebook computers were stolen in 1995.
• Software Piracy: reproducing a program in violation of copyright protection.
– Illegal use jeopardises organisations.
– Piracy can cause you to lose your job.
• Copyright laws
Privacy Violations
Privacy is the capacity of individuals or organisations to control information about themselves:
– limiting the types and amounts of data that can be collected about individuals and organisations;
– individuals or organisations have the ability to access, examine, and correct the data stored about them;
– the disclosure, use, or dissemination of those data are restricted.
Privacy Violations
• Violations of electronic mail privacy and electronic data interchange.
• Data protection legislation
Controls
Good computer hygiene
Anti-virus programs:
– Prevent a virus-laden file from being downloaded from a network
– Prevent the virus program from inserting itself in the system
– Detect a virus program so you can take emergency action
– Control the damage virus programs can do once they have been detected
Protecting Information Systems
• Small business measures:
– Alarms and regular use of keyboard locks.
– Replacement value insurance.
– Password protection.
– Storage of software disks in a locked cabinet.
– Tie-down cables for desktop computers.
– Train employees.
Securing Communications Systems
• Encryption: the process of encoding data.
• Firewalls: typically a system used to enforce an access control policy between two networks.
• E-mail Gateways: monitor all inbound and outbound traffic.
• Develop/practice a disaster recovery plan with a “hot” site and a “cold” site. It describes how a firm can resume operations after a disaster.
Ethics
• Ethical and Contractual Behaviour: a good part of computer ethics is behaving legally and contractually, i.e. not copying software you have no right to copy.
• Privacy, Access, and Accuracy Issues: it is not illegal to read the email of others, but it is unethical.
Privacy Issues
• What information on individuals and other firms should an organisation keep?
• What rights should these individuals and firms have about the use of the data that your organisation keeps?
• If your organisation is bought by another, what rights should the purchaser have about the data that it maintains?
Privacy Issues (Cont.)
• What is your firm’s responsibility for ensuring the data on people it keeps is accurate?
• What rights do people have to review the data kept about themselves?
• Who in an organisation has the right to review the records of others?
Property Issues
• Using shareware software without sending a check to the developer is unethical.
• Protecting the rights of others by not copying software: piracy increases the legal cost to others who purchase the software.
• Property rights over intellectual property such as copyrights.
The Widespread Impact of Information Systems and Management Responsibility
• IS allow increased efficiency and effectiveness; this can lead to workforce reductions.
• Responsibilities to employees as stakeholders in the organisation.
• Managers should develop and deploy information systems in a socially responsible way.
Summary
• Information systems pose numerous security and ethical problems for managers.
• Assess the risks and understand the controls to apply to reduce the threats to IS.
• Understand that ethical problems with IS have been the subject of legislation and court action, and that managers have a social responsibility to safeguard information and its use.