MIS 301 Information Systems in Organizations Dave Salisbury [email protected] (email) http://www.davesalisbury.com/ (web site) Talking Points Security, Ethics and Privacy Ethical Issues Information Systems Defense and Control Corporate Individual Law & Order.
MIS 301
Information Systems in Organizations
Dave Salisbury
[email protected] (email)
http://www.davesalisbury.com/ (web site)
Talking Points
Security, Ethics and Privacy
Ethical Issues
Information Systems Defense and Control
Corporate
Individual
Law & Order
Security & Ethical Challenges
Privacy
Accuracy
Property
Access
Computer Crime
Human Impacts
Security Issues
Physical Security
Making sure the hardware is safe and not tampered with
Logical Security
Making sure that software and data are not manipulated, stolen or tampered with
Security Issues
Physical Security Issues
Access methods
Security Codes
Theft of equipment
Fire
Natural Disaster
Man-made disaster
Electrical failure
Logical Security Issues
Viruses
Denial of Service
Email as virus transmission
Disaster Recovery & Backups
Phishing & Pharming
Identity Theft
Tampering with data
Ethical Considerations
Ethical Principles
Proportionality
Informed Consent
Justice
Minimized Risk
Standard of Conduct
Act with integrity
Protect information privacy & confidentiality
Do not misrepresent or withhold information
Do not misuse resources
Do not exploit weakness of systems
Advance general health & welfare
Ethical Issues
Privacy
Internet privacy
Corporate email
Matching
Accuracy
Credit card accounts
Student Records
Property
Intellectual property
Software piracy
Identity Theft
Access
Who can see it?
Who should see it?
Privacy Issues
IT makes it technically and economically feasible to collect, store, integrate, interchange, and retrieve data and information quickly and easily.
Benefit – increases efficiency and effectiveness
But may also have a negative effect on an individual’s right to privacy
Accessing private e-mail and computer records & sharing information about individuals gained from their visits to websites and newsgroups
Privacy Issues
Always knowing where a person is via mobile and paging services
Computer Matching
Computer profiling and matching personal data to that profile
Mistakes can be a major problem
Protect your privacy by
Encrypting your messages
Posting to newsgroups through anonymous re-mailers
Asking your ISP not to sell your information to mailing list providers and other marketers
Declining to reveal personal data and interests online
Laws to Defend Individual Privacy
Attempt to enforce the privacy of computer-based files and communications
Electronic Communications Privacy Act
Computer Fraud and Abuse Act
The Health Insurance Portability and Accountability Act (HIPAA)
Computer Libel and Censorship
(The opposite side of the privacy debate)
Right to know (freedom of information)
Right to express opinions (freedom of speech)
Right to publish those opinions (freedom of the press)
Spamming
Flaming
Anonymity of domain ownership
Human Impacts
Employee Monitoring (especially online)
Deskilling (robotic welders)
Intellectual Property Protection (Napster or KaZaA or Morpheus)
Human Control (Airbus Fly-by-Wire)
Outsourcing & Offshoring
Other Challenges
Employment
New jobs have been created and productivity has increased, yet there has been a significant reduction in some types of jobs as a result of IT.
Working Conditions
IT has eliminated many monotonous, obnoxious tasks, but has created others
Individuality
Computer-based systems criticized as impersonal systems that dehumanize and depersonalize activities
Excessive regimentation
Computer Monitoring
Concerns for workplace privacy
Monitors individuals, not just work
Is done continually. May be seen as violating workers’ privacy & personal freedom
Workers may not know that they are being monitored or how the information is being used
May increase workers’ stress level
May rob workers of the dignity of their work
Health Issues
Job stress
Muscle damage
Eye strain
Radiation exposure
Accidents
Ergonomics (human factors engineering)
Societal Solutions
Beneficial effects on society
Solve human and social problems
Medical diagnosis
Computer-assisted instruction
Governmental program planning
Environmental quality control
Law enforcement
Crime control
Job placement
Security Management Policies
Minimize errors, fraud, and losses in the business systems that interconnect businesses with their customers, suppliers, and other stakeholders
Aligned with organizational goals.
Enterprisewide.
Continuous.
Proactive.
Validated.
Formal.
Authority
Responsibility
Accountability.
Corporate Security Plan
Risk Management
IT Security Trends
Increasing the reliability of systems
Self-healing computers
Intelligent systems for early intrusion detection
Intelligent systems in auditing and fraud detection
Artificial intelligence in biometrics
Expert systems for diagnosis, prognosis, and disaster planning
Smart cards
Defense strategy objectives
Prevention and deterrence
Detection
Limitation of damage
Recovery
Correction
Awareness and compliance
Computer Crime
Malicious access
Viruses
Theft
Money
Service
Data
Identity
Information System Controls
Input controls
Input masks
Control totals
Processing controls
Hardware
Software
Output controls
Distribution
Access
Storage controls
Passwords
Backups
Information System Controls
Facility controls
Networks
Encryption
Firewalls
Equipment & Access
Possessed object (key or key card)
Biometrics (retina scans, hand scanner)
Information System Controls
Procedures
Standards
Documentation
Authorization
Disaster recovery
Backups
Equipment
Failure controls
Electrical
Fire
Water
Software
Software variety
Windows monoculture
Other varieties (e.g. Linux) might enhance “genetic” diversity
Internetworked Security Defenses
Encryption
Passwords, messages, files, and other data are transmitted in scrambled form
Mathematical algorithms to encode data
Public and private keys
Firewalls
Serves as a “gatekeeper” system that protects a company’s intranets and other computer networks from intrusion
Provides a filter and safe transfer point
Screens all network traffic for proper passwords or other security codes
Security Layers
Internetworked Security Defenses
Denial of Service Defenses
These assaults depend on three layers of networked computer systems
Victim’s website
Victim’s ISP
Sites of “zombie” or slave computers
Defensive measures and security precautions must be taken at all three levels
E-mail Monitoring
“Spot checks just aren’t good enough anymore. The tide is turning toward systematic monitoring of corporate e-mail traffic using content-monitoring software that scans for troublesome words that might compromise corporate security.”
Widespread monitoring of email
Magic Lantern
Carnivore
Viruses
Programs written with malicious intent
General Types
Trojan-horse
File
Logic or Time Bomb
Worm
Defense may be accomplished through
Centralized distribution and updating of antivirus software
Outsourcing the virus protection responsibility to ISPs or to telecommunications or security management companies
Security Measures
Security codes
Multilevel password system
Log onto the computer system
Gain access into the system
Access individual files
Backup
Duplicate files of data or programs
File retention measures
Sometimes several generations of files are kept for control purposes
Biometric Security
Measure physical traits that make each individual unique
Voice
Fingerprints
Hand geometry
Signature dynamics
Keystroke analysis
Retina scanning
Face recognition and Genetic pattern analysis
More Security Measures
Computer Failure Controls
Fault tolerant systems
Preventive maintenance of hardware & management of software updates
Backup computer system
Carefully scheduled hardware or software changes
Highly trained data center personnel
Computer systems that have redundant processors, peripherals, and software
Disaster recovery plan
Which employees will participate and their duties
What hardware, software, and facilities will be used
Priority of applications that will be processed
Business Continuity
The purpose of a business continuity plan is to keep the business running after a disaster occurs.
Recovery planning is part of asset protection.
Planning should focus on recovery from a total loss of all capabilities.
Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current.
All critical applications must be identified and their recovery procedures addressed.
The plan should be written so that it will be effective in case of disaster.
System Controls and Audits
Information System Controls
Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities
Designed to monitor and maintain the quality and security of input, processing, and storage activities
Auditing Business Systems
Review and evaluate whether proper and adequate security measures and management policies have been developed and implemented
Testing the integrity of an application’s audit trail
Has legal implications (i.e. Sarbanes-Oxley)
Auditing
Implementing controls in an organization can be very complicated, and the controls can be difficult to enforce. Are controls installed as intended? Are they effective? Did any breach of security occur? These and other questions need to be answered by independent and unbiased observers. Such observers perform an auditing task.
There are two types of auditors:
An internal auditor is usually a corporate employee who is not a member of the ISD.
An external auditor is a corporate outsider. This type of auditor reviews the findings of the internal audit.
There are two types of audits:
The operational audit determines whether the ISD is working properly.
The compliance audit determines whether controls have been implemented properly and are adequate.
Personal Security Management
Examples
Install and regularly use antivirus and spyware cleaning software, and keep it up to date
Don’t store credit card information online with merchants (or at least only with trusted ones)
Don’t be predictable with passwords
Keep OS, apps and browsers up to date with most recent patches
Send sensitive information only to secure sites
Make sure the website you’re accessing is correct (check the underlying URL) – avoid phishing attempts
Don’t open email attachments, or click on URLs in email, unless you’ve verified the source
Install firewalls (this is particularly important with fast internet connections)
Law & Order
Irony of a private person being accessible by so many
It’s always been doable; just not this easily (see examples throughout the episode)
Worms
Privacy and the law
Who’s morally responsible for how information is used?
If your software or service is used by somebody as a means to kill another, who’s responsible?