MIS 301 Information Systems in Organizations
Dave Salisbury
[email protected] (email)
http://www.davesalisbury.com/ (web site)

Talking Points
  Security, Ethics and Privacy
  Ethical Issues
  Information Systems Defense and Control
    Corporate
    Individual
  Law & Order

Security & Ethical Challenges
  Privacy
  Accuracy
  Property
  Access
  Computer Crime
  Human Impacts

Security Issues
  Physical Security
    Making sure the hardware is safe and not tampered with
  Logical Security
    Making sure that software and data are not manipulated, stolen or tampered with

Security Issues
  Physical Security Issues
    Access methods
    Security Codes
    Theft of equipment
    Fire
    Natural Disaster
    Man-made disaster
    Electrical failure
  Logical Security Issues
    Viruses
    Denial of Service
    Email as virus transmission
    Disaster Recovery & Backups
    Phishing & Pharming
    Identity Theft
    Tampering with data

Ethical Considerations
  Ethical Principles
    Proportionality
    Informed Consent
    Justice
    Minimized Risk
  Standard of Conduct
    Act with integrity
    Protect information privacy & confidentiality
    Do not misrepresent or withhold information
    Do not misuse resources
    Do not exploit weakness of systems
    Advance general health & welfare

Ethical Issues
  Privacy
    Internet privacy
    Corporate email
    Matching
  Accuracy
    Credit card accounts
    Student Records
  Property
    Intellectual property
    Software piracy
    Identity Theft
  Access
    Who can see it?
    Who should see it?

Privacy Issues
  IT makes it technically and economically feasible to collect, store, integrate, interchange, and retrieve data and information quickly and easily.
  Benefit – increases efficiency and effectiveness
  But, may also have a negative effect on individual’s right to privacy
  Accessing private e-mail and computer records & sharing information about individuals gained from their visits to websites and newsgroups

Privacy Issues
  Always knowing where a person is via mobile and paging services
  Computer Matching
  Computer profiling and matching personal data to that profile
  Mistakes can be a major problem
  Protect your privacy by
    Encrypting your messages
    Post to newsgroups through anonymous re-mailers
    Ask your ISP not to sell your information to mailing list providers and other marketers
    Decline to reveal personal data and interests online

Laws to Defend Individual Privacy
  Attempt to enforce the privacy of computer-based files and communications
  Electronic Communications Privacy Act
  Computer Fraud and Abuse Act
  The Health Insurance Portability and Accountability Act (HIPAA)

Computer Libel and Censorship (The opposite side of the privacy debate)
  Right to know (freedom of information)
  Right to express opinions (freedom of speech)
  Right to publish those opinions (freedom of the press)
  Spamming
  Flaming
  Anonymity of domain ownership

Human Impacts
  Employee Monitoring (especially online)
  Deskilling (robotic welders)
  Intellectual Property Protection (Napster or KaZaA or Morpheus)
  Human Control (Airbus Fly-by-Wire)
  Outsourcing & Offshoring

Other Challenges
  Employment
  Working Conditions
  New jobs have been created and productivity has increased, yet there has been a significant reduction in some types of jobs as a result of IT.
  IT has eliminated many monotonous, obnoxious tasks, but has created others
  Individuality
  Computer-based systems criticized as impersonal systems that dehumanize and depersonalize activities
  Excessive regimentation

Computer Monitoring
  Concerns for workplace privacy
  Monitors individuals, not just work
  Is done continually.
  May be seen as violating workers’ privacy & personal freedom
  Workers may not know that they are being monitored or how the information is being used
  May increase workers’ stress level
  May rob workers of the dignity of their work

Health Issues
  Job stress
  Muscle damage
  Eye strain
  Radiation exposure
  Accidents
  Ergonomics (human factors engineering)

Societal Solutions
  Beneficial effects on society
  Solve human and social problems
  Medical diagnosis
  Computer-assisted instruction
  Governmental program planning
  Environmental quality control
  Law enforcement
  Crime control
  Job placement

Security Management Policies
  Minimize errors, fraud, and losses in the business systems that interconnect businesses with their customers, suppliers, and other stakeholders
  Aligned with organizational goals.
  Enterprisewide.
  Continuous.
  Proactive.
  Validated.
  Formal.
  Authority
  Responsibility
  Accountability.

Corporate Security Plan

Risk Management

IT Security Trends
  Increasing the reliability of systems
  Self-healing computers
  Intelligent systems for early intrusion detection
  Intelligent systems in auditing and fraud detection
  Artificial intelligence in biometrics
  Expert systems for diagnosis, prognosis, and disaster planning
  Smart cards

Defense strategy objectives
  Prevention and deterrence
  Detection
  Limitation of damage
  Recovery
  Correction
  Awareness and compliance

Computer Crime
  Malicious access
  Viruses
  Theft
    Money
    Service
    Data
    Identity

Information System Controls
  Input controls
    Input masks
    Control totals
  Processing controls
    Hardware
    Software
  Output controls
    Distribution
    Access
  Storage controls
    Passwords
    Backups

Information System Controls
  Facility controls
  Networks
    Encryption
    Firewalls
  Equipment & Access
    Possessed object (key or key card)
    Biometrics (retina scans, hand scanner)

Information System Controls
  Procedures
    Standards
    Documentation
    Authorization
    Disaster recovery
    Backups
    Equipment
  Failure controls
    Electrical
    Fire
    Water
    Software

Software variety
  Windows monoculture
  Other varieties (e.g. Linux) might enhance “genetic” diversity

Internetworked Security Defenses
  Encryption
    Passwords, messages, files, and other data are transmitted in scrambled form
    Mathematical algorithms to encode data
    Public and private keys
  Firewalls
    Serves as a “gatekeeper” system that protects a company’s intranets and other computer networks from intrusion
    Provides a filter and safe transfer point
    Screens all network traffic for proper passwords or other security codes

Security Layers

Internetworked Security Defenses
  Denial of Service Defenses
    These assaults depend on three layers of networked computer systems
      Victim’s website
      Victim’s ISP
      Sites of “zombie” or slave computers
    Defensive measures and security precautions must be taken at all three levels
  E-mail Monitoring
    “Spot checks just aren’t good enough anymore. The tide is turning toward systematic monitoring of corporate e-mail traffic using content-monitoring software that scans for troublesome words that might compromise corporate security.”

Widespread monitoring of email
  Magic Lantern
  Carnivore

Viruses
  Programs written with malicious intent
  General Types
    Trojan-horse
    File
    Logic or Time Bomb
    Worm
  Defense may be accomplished through
    Centralized distribution and updating of antivirus software
    Outsourcing the virus protection responsibility to ISPs or to telecommunications or security management companies

Security Measures
  Security codes
    Multilevel password system
      Log onto the computer system
      Gain access into the system
      Access individual files
  Backup
    Duplicate files of data or programs
    File retention measures
    Sometimes several generations of files are kept for control purposes
  Biometric Security
    Measure physical traits that make each individual unique
      Voice
      Fingerprints
      Hand geometry
      Signature dynamics
      Keystroke analysis
      Retina scanning
      Face recognition and Genetic pattern analysis

More Security Measures
  Computer Failure Controls
  Fault tolerant systems
  Preventive maintenance of hardware & management of software updates
  Backup computer system
  Carefully scheduled hardware or software changes
  Highly trained data center personnel
  Computer systems that have redundant processors, peripherals, and software
  Disaster recovery plan
    Which employees will participate and their duties
    What hardware, software, and facilities will be used
    Priority of applications that will be processed

Business Continuity
  The purpose of a business continuity plan is to keep the business running after a disaster occurs.
  Recovery planning is part of asset protection.
  Planning should focus on recovery from a total loss of all capabilities.
  Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current.
  All critical applications must be identified and their recovery procedures addressed.
  The plan should be written so that it will be effective in case of disaster.

System Controls and Audits
  Information System Controls
    Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities
    Designed to monitor and maintain the quality and security of input, processing, and storage activities
  Auditing Business Systems
    Review and evaluate whether proper and adequate security measures and management policies have been developed and implemented
    Testing the integrity of an application’s audit trail
    Has legal implications (i.e. Sarbanes-Oxley)

Auditing
  Implementing controls in an organization can be very complicated and difficult to enforce. Are controls installed as intended? Are they effective? Did any breach of security occur? These and other questions need to be answered by independent and unbiased observers. Such observers perform an auditing task.
  There are two types of auditors:
    An internal auditor is usually a corporate employee who is not a member of the ISD.
    An external auditor is a corporate outsider. This type of auditor reviews the findings of the internal audit.
  There are two types of audits.
  The operational audit determines whether the ISD is working properly.
  The compliance audit determines whether controls have been implemented properly and are adequate.

Personal Security Management Examples
  Install and regularly use antivirus and spyware cleaning software, and keep it up to date
  Don’t store credit card information online with merchants (or at least only with trusted ones)
  Don’t be predictable with passwords
  Keep OS, apps and browsers up to date with most recent patches
  Send sensitive information only to secure sites
  Make sure the website you’re accessing is correct (check the underlying URL) – avoid phishing attempts
  Don’t open email attachments, or click on URLs in email unless you’ve verified the source
  Install firewalls (this is particularly important with fast internet connections)

Law & Order
  Irony of a private person being accessible by so many
  It’s always been doable; just not this easily (see examples throughout the episode)
  Worms
  Privacy and the law
  Who’s morally responsible for how information is used?
  If your software or service is used by somebody as a means to kill another, who’s responsible?