
CHAPTER 4
ETHICS AND INFORMATION SECURITY
Opening Case
Sarbanes-Oxley: Where Information Technology, Finance, and Ethics Meet
McGraw-Hill/Irwin
©2008 The McGraw-Hill Companies, All Rights Reserved
4-2
Chapter Four Overview
• SECTION 4.1 - ETHICS
– Ethics
– Information Ethics
– Developing Information Management Policies
– Ethics in the Workplace
• SECTION 4.2 - INFORMATION SECURITY
– Protecting Intellectual Assets
– The First Line of Defense - People
– The Second Line of Defense - Technology
4-3
Organizational Fundamentals – Ethics and Security
• Ethics and security are two fundamental
building blocks that organizations must
base their businesses on to be successful
• In recent years, such events as the Enron
and Martha Stewart scandals, along with 9/11, have
shed new light on the meaning of ethics
and security
SECTION 4.1
ETHICS
4-5
LEARNING OUTCOMES
1. Explain the ethical issues surrounding
information technology
2. Identify the differences between an ethical
computer use policy and an acceptable
computer use policy
3. Describe the relationship between an e-mail
privacy policy and an Internet use policy
4-6
LEARNING OUTCOMES
4. Explain the effects of spam on an
organization
5. Summarize the different monitoring
technologies and explain the importance
of an employee monitoring policy
4-7
ETHICS
• Ethics – the principles and standards that
guide our behavior toward other people
• Issues affected by technology advances
– Intellectual property
– Copyright
– Fair use doctrine
– Pirated software
– Counterfeit software
4-8
ETHICS
• Privacy is a major ethical issue
– Privacy – the right to be left alone when you
want to be, to have control over your own
personal possessions, and not to be
observed without your consent
– Confidentiality – the assurance that
messages and information are available only
to those who are authorized to view them
4-9
ETHICS
• One of the main ingredients in trust is privacy
• Primary reasons privacy issues lost trust for e-business
4-10
INFORMATION ETHICS
• Individuals form the only ethical component of IT
4-11
Information Has No Ethics
• Acting ethically and legally are not always
the same
4-12
Information Has No Ethics
• Information does not care how it is used
• Information will not stop itself from
sending spam, viruses, or highly-sensitive
information
• Information cannot delete or preserve
itself
4-13
DEVELOPING INFORMATION
MANAGEMENT POLICIES
• Organizations strive to build a corporate culture
based on ethical principles that employees can
understand and implement
• ePolicies typically include:
– Ethical computer use policy
– Information privacy policy
– Acceptable use policy
– E-mail privacy policy
– Internet use policy
– Anti-spam policy
4-14
Ethical Computer Use Policy
• Ethical computer use policy – contains
general principles to guide computer user
behavior
• The ethical computer user policy ensures
all users are informed of the rules and, by
agreeing to use the system on that basis,
consent to abide by the rules
4-15
Ethical Computer Use Policy
4-16
Information Privacy Policy
• The unethical use of information typically occurs
“unintentionally” when it is used for new
purposes
– For example, social security numbers started as a
way to identify government retirement benefits and
are now used as a sort of universal personal ID
• Information privacy policy - contains general
principles regarding information privacy
4-17
Information Privacy Policy
• Information privacy policy guidelines
1. Adoption and implementation of a privacy
policy
2. Notice and disclosure
3. Choice and consent
4. Information security
5. Information quality and access
4-18
Acceptable Use Policy
• Acceptable use policy (AUP) – a policy that a
user must agree to follow in order to be
provided access to a network or to the Internet
• An AUP usually contains a nonrepudiation
clause
– Nonrepudiation – a contractual stipulation to ensure
that e-business participants do not deny (repudiate)
their online actions
4-19
Acceptable Use Policy
4-20
E-Mail Privacy Policy
• Organizations can mitigate the risks of e-mail and
instant messaging communication tools by implementing
and adhering to an e-mail privacy policy
• E-mail privacy policy – details the extent
to which e-mail messages may be read by
others
4-21
E-Mail Privacy Policy
4-22
E-Mail Privacy Policy
4-23
Internet Use Policy
• Internet use policy – contains general principles to
guide the proper use of the Internet
4-24
Anti-Spam Policy
• Spam – unsolicited e-mail
• Spam accounts for 40% to 60% of most
organizations’ e-mail and cost U.S.
businesses over $14 billion in 2005
• Anti-spam policy – simply states that e-mail users
will not send unsolicited e-mails (or spam)
4-25
ETHICS IN THE WORKPLACE
• Workplace monitoring is a concern for many
employees
• Organizations can be held financially
responsible for their employees’ actions
• The dilemma surrounding employee monitoring
in the workplace is that an organization is
placing itself at risk if it fails to monitor its
employees, however, some people feel that
monitoring employees is unethical
4-26
Monitoring Technologies
4-27
Monitoring Technologies
• Monitoring – tracking people’s activities by
such measures as number of keystrokes, error
rate, and number of transactions processed
• Common monitoring technologies include:
– Key logger or key trapper software
– Hardware key logger
– Cookie
– Adware
– Spyware
– Web log
– Clickstream
4-28
Employee Monitoring Policies
• Employee monitoring policies – explicitly state how,
when, and where the company monitors its employees
4-29
OPENING CASE QUESTIONS
Sarbanes-Oxley
1. Define the relationship between ethics
and the Sarbanes-Oxley Act
2. Why is records management an area of
concern for the entire organization and
not just the IT department?
3. Identify two policies an organization can
implement to achieve Sarbanes-Oxley
compliance?
4-30
OPENING CASE QUESTIONS
Sarbanes-Oxley
4. What ethical dilemmas are being solved
by implementing Sarbanes-Oxley?
5. What is the biggest roadblock for
organizations that are attempting to
achieve Sarbanes-Oxley compliance?
SECTION 4.2
INFORMATION
SECURITY
4-32
LEARNING OUTCOMES
6. Describe the relationship between information
security policies and an information security plan
7. Summarize the five steps to creating an
information security plan
8. Provide an example of each of the three primary
security areas: (1) authentication and
authorization, (2) prevention and resistance, and
(3) detection and response
9. Describe the relationships and differences
between hackers and viruses
4-33
PROTECTING INTELLECTUAL ASSETS
• Organizational information is intellectual capital
- it must be protected
• Information security – the protection of
information from accidental or intentional
misuse by persons inside or outside an
organization
• E-business automatically creates tremendous
information security risks for organizations
4-34
PROTECTING INTELLECTUAL ASSETS
4-35
PROTECTING INTELLECTUAL ASSETS
4-36
THE FIRST LINE OF DEFENSE - PEOPLE
• Organizations must enable employees, customers,
and partners to access information electronically
• The biggest issue surrounding information security
is not a technical issue, but a people issue
• 33% of security incidents originate within the
organization
– Insiders – legitimate users who purposely or accidentally
misuse their access to the environment and cause some
kind of business-affecting incident
4-37
THE FIRST LINE OF DEFENSE - PEOPLE
• The first line of defense an organization
should follow to help combat insider issues
is to develop information security policies
and an information security plan
– Information security policies – identify the
rules required to maintain information security
– Information security plan – details how an
organization will implement the information
security policies
4-38
THE FIRST LINE OF DEFENSE - PEOPLE
• Hackers frequently use “social engineering”
to obtain passwords
– Social engineering – using one’s social skills
to trick people into revealing access
credentials or other information valuable to the
attacker
4-39
THE FIRST LINE OF DEFENSE - PEOPLE
• Five steps to creating an information
security plan:
1. Develop the information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks
4. Test and reevaluate risks
5. Obtain stakeholder support
4-40
THE FIRST LINE OF DEFENSE - PEOPLE
4-41
THE SECOND LINE OF DEFENSE - TECHNOLOGY
• There are three primary information
technology security areas
1. Authentication and authorization
2. Prevention and resistance
3. Detection and response
4-42
Authentication and Authorization
• Authentication – a method for confirming
users’ identities
• Authorization – the process of giving someone
permission to do or have something
• The most secure type of authentication
involves:
1. Something the user knows such as a user ID and
password
2. Something the user has such as a smart card or
token
3. Something that is part of the user such as a
fingerprint or voice signature
4-43
Something the User Knows Such As a User ID
and Password
• This is the most common way to identify
individual users and typically contains a
user ID and a password
• This is also the most ineffective form of
authentication
• Over 50 percent of help-desk calls are
password related
4-44
Something the User Knows Such As a User ID
and Password
• Identity theft – the forging of someone’s
identity for the purpose of fraud
• Phishing – a technique to gain personal
information for the purpose of identity
theft, usually by means of fraudulent e-mail
4-45
Something the User Knows Such As a User ID
and Password
4-46
Something the User Has Such As a Smart Card
or Token
• Smart cards and tokens are more
effective than a user ID and a password
– Tokens – small electronic devices that
change user passwords automatically
– Smart card – a device that is around the
same size as a credit card, containing
embedded technologies that can store
information and small amounts of software
to perform some limited processing
4-47
Something That Is Part Of The User Such As a
Fingerprint or Voice Signature
• This is by far the best and most effective
way to manage authentication
– Biometrics – the identification of a user
based on a physical characteristic, such as
a fingerprint, iris, face, voice, or handwriting
• Unfortunately, this method can be costly
and intrusive
4-48
Prevention and Resistance
• Downtime can cost an organization
anywhere from $100 to $1 million per
hour
• Technologies available to help prevent
and build resistance to attacks include:
1. Content filtering
2. Encryption
3. Firewalls
4-49
Content Filtering
• Organizations can use content filtering
technologies to filter e-mail, prevent e-mails
containing sensitive information from being
transmitted, and stop spam and viruses from
spreading
– Content filtering – occurs when organizations use
software that filters content to prevent the
transmission of unauthorized information
– Spam – a form of unsolicited e-mail
– Corporate losses caused by spam
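A minimal content filter of the kind described above, as an added example that is not part of the original slides: it scans constructed e-mail messages for sensitive identifiers (social security numbers, card numbers validated with the Luhn check) and for common spam phrasing, and returns a block, quarantine or allow decision. The sample messages, phrase list and thresholds are constructed for illustration.

```python
import re

# Constructed sample messages (not real data): (sender, subject, body).
SAMPLE_MAIL = [
    ("alice@corp.example", "Q3 payroll", "Employee SSN 123-45-6789 attached for review."),
    ("promo@deals.example", "YOU WON!!! Click now", "Free gift, act now, click here."),
    ("bob@corp.example", "Lunch", "Meeting room B at noon?"),
]

# SSN shape with the never-issued area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optionally separated by spaces or dashes; Luhn check confirms.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SPAM_PHRASES = ("act now", "click here", "free gift", "you won")


def luhn_ok(number: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(sender: str, subject: str, body: str) -> str:
    """Return 'block-sensitive', 'quarantine-spam' or 'allow' for one message."""
    text = f"{subject}\n{body}"
    # Outbound data-leak check first: sensitive identifiers must not leave.
    if SSN_RE.search(text) or any(luhn_ok(m) for m in CARD_RE.findall(text)):
        return "block-sensitive"
    # Simple spam scoring: phrase hits, plus an all-caps subject as a booster.
    lowered = text.lower()
    hits = sum(p in lowered for p in SPAM_PHRASES)
    shouting = sum(c.isupper() for c in subject) > len(subject) / 2
    if hits >= 2 or (hits and shouting):
        return "quarantine-spam"
    return "allow"


def filter_mail(messages):
    """Classify a batch of (sender, subject, body) tuples in order."""
    return [classify(*m) for m in messages]
```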
4-50
Encryption
• If there is an information security breach
and the information was encrypted, the
person stealing the information would be
unable to read it
– Encryption – scrambles information into an
alternative form that requires a key or
password to decrypt the information
– Public key encryption (PKE) – an
encryption system that uses two keys: a
public key for everyone and a private key
for the recipient
4-51
Encryption
4-52
Firewalls
• One of the most common defenses for
preventing a security breach is a firewall
– Firewall – hardware and/or software that
guards a private network by analyzing the
information leaving and entering the
network
4-53
Firewalls
• Sample firewall architecture connecting
systems located in Chicago, New York,
and Boston
4-54
Detection and Response
• If prevention and resistance strategies
fail and there is a security breach, an
organization can use detection and
response technologies to mitigate the
damage
• Antivirus software is the most common
type of detection and response
technology
4-55
Detection and Response
• Hacker – people very knowledgeable about
computers who use their knowledge to invade
other people’s computers
– White-hat hacker
– Black-hat hacker
– Hacktivist
– Script kiddies or script bunnies
– Cracker
– Cyberterrorist
4-56
Detection and Response
• Virus – software written with malicious
intent to cause annoyance or damage
– Worm
– Denial-of-service attack (DoS)
– Distributed denial-of-service attack (DDoS)
– Trojan-horse virus
– Backdoor program
– Polymorphic virus and worm
4-57
Detection and Response
• Security threats to e-business include:
– Elevation of privilege
– Hoaxes
– Malicious code
– Spoofing
– Spyware
– Sniffer
– Packet tampering
4-58
OPENING CASE QUESTIONS
Sarbanes-Oxley
6. What information security dilemmas are being
solved by implementing Sarbanes-Oxley?
7. How can Sarbanes-Oxley help protect a
company’s information security?
8. What impact does implementing Sarbanes-Oxley
have on information security in a small business?
9. What is the biggest information security roadblock
for organizations attempting to achieve Sarbanes-Oxley compliance?
4-59
CLOSING CASE ONE
Banks Banking on Security
1. What reason would a bank have for not
wanting to adopt an online-transfer delay
policy?
2. What are the two primary lines of security
defense and why are they important to
financial institutions?
3. Explain the differences between the types of
security offered by the banks in the case
4-60
CLOSING CASE ONE
Banks Banking on Security
4. What additional types of security, not
mentioned in the case above, would you
recommend a bank implement?
5. Identify three policies a bank should
implement to help it improve information
security
6. Describe monitoring policies along with the
best way for a bank to implement monitoring
technologies
4-61
CLOSING CASE TWO
Hacker Hunters
1. What types of technology could big retailers
use to prevent identity thieves from
purchasing merchandise?
2. What can organizations do to protect
themselves from hackers looking to steal
account data?
3. Authorities frequently tap online service
providers to track down hackers. Do you think
it is ethical for authorities to tap an online
service provider and read people’s e-mail?
Why or why not?
4-62
CLOSING CASE TWO
Hacker Hunters
4. Do you think it was ethical for authorities to
use one of the high-ranking officials to trap
other gang members? Why or why not?
5. In a team, research the Internet and find
the best ways to protect yourself from
identity theft
4-63
CLOSING CASE THREE
Thinking Like the Enemy
1. How could an organization benefit from attending one of
the courses offered at the Intense School?
2. What are the two primary lines of security defense and
how can organizational employees use the information
taught by the Intense School when drafting an
information security plan?
3. Determine the difference between the two primary
courses offered at the Intense School, “Professional
Hacking Boot Camp” and “Social Engineering in Two
Days.” Which course is more important for
organizational employees to attend?
4-64
CLOSING CASE THREE
Thinking Like the Enemy
4. If your employer sent you to take a
course at the Intense School, which
one would you choose and why?
5. What are the ethical dilemmas
involved with having such a course
offered by a private company?