
Business Driven Information Systems 2e

CHAPTER 4 ETHICS AND INFORMATION SECURITY

McGraw-Hill/Irwin

2009 The McGraw-Hill Companies, All Rights Reserved

4-2

Chapter Four Overview


SECTION 4.1 - ETHICS
Ethics
Information Ethics
Developing Information Management Policies
Ethics in the Workplace

SECTION 4.2 - INFORMATION SECURITY


Protecting Intellectual Assets
The First Line of Defense - People
The Second Line of Defense - Technology

4-3

Organizational Fundamentals Ethics and Security


Ethics and security are two fundamental building blocks on which organizations must base their businesses in order to be successful
In recent years, events such as the Enron and Martha Stewart scandals, along with 9/11, have shed new light on the meaning of ethics and security

SECTION 4.1

ETHICS


4-5

LEARNING OUTCOMES
1. Explain the ethical issues surrounding information technology
2. Identify the differences between an ethical computer use policy and an acceptable computer use policy
3. Describe the relationship between an email privacy policy and an Internet use policy

4-6

LEARNING OUTCOMES
4. Explain the effects of spam on an organization
5. Summarize the different monitoring technologies and explain the importance of an employee monitoring policy

4-7

ETHICS
Ethics - the principles and standards that guide our behavior toward other people
Issues affected by technology advances:
Intellectual property
Copyright
Fair use doctrine
Pirated software
Counterfeit software

4-8

ETHICS
Privacy is a major ethical issue
Privacy - the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent
Confidentiality - the assurance that messages and information are available only to those who are authorized to view them

4-9

ETHICS
One of the main ingredients in trust is privacy
Primary reasons privacy issues lost trust for ebusiness (figure)

4-10

INFORMATION ETHICS
Individuals form the only ethical component of IT:
Individuals copy, use, and distribute software
Individuals search organizational databases for sensitive and personal information
Individuals create and spread viruses
Individuals hack into computer systems to steal information
Employees destroy and steal information

4-11

Information Has No Ethics


Acting ethically and legally are not always the same

4-12

Information Has No Ethics


Information does not care how it is used
Information will not stop itself from sending spam, viruses, or highly sensitive information
Information cannot delete or preserve itself

4-13

DEVELOPING INFORMATION MANAGEMENT POLICIES


Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement
Epolicies typically include:
Ethical computer use policy
Information privacy policy
Acceptable use policy
Email privacy policy
Internet use policy
Anti-spam policy

4-14

Ethical Computer Use Policy


Ethical computer use policy - contains general principles to guide computer user behavior
The ethical computer use policy ensures all users are informed of the rules and, by agreeing to use the system on that basis, consent to abide by the rules

4-15

Ethical Computer Use Policy


1. Information is a valuable corporate asset
2. The CIO is steward of corporate information
3. The CIO is responsible for information access
4. The CIO is responsible for preventing information destruction
5. The CIO is responsible for information management practices and policies
6. The CIO must execute the information management policies

4-16

Information Privacy Policy


The unethical use of information typically occurs unintentionally when it is used for new purposes
Information privacy policy - contains general principles regarding information privacy

4-17

Information Privacy Policy


Information privacy policy guidelines
1. Adoption and implementation of a privacy policy
2. Notice and disclosure
3. Choice and consent
4. Information security
5. Information quality and access

4-18

Acceptable Use Policy


Acceptable use policy (AUP) - a policy that a user must agree to follow in order to be provided access to a network or to the Internet
An AUP usually contains a nonrepudiation clause

4-19

Acceptable Use Policy


1. Will not violate any laws
2. Will not break the security
3. Will not post commercial messages
4. Will not perform nonrepudiation
5. Will not send spam
6. Will not send mail bombs

4-20

Email Privacy Policy


Organizations can mitigate the risks of email and instant messaging communication tools by implementing and adhering to an email privacy policy
Email privacy policy - details the extent to which email messages may be read by others

4-21

Email Privacy Policy

4-22

Email Privacy Policy


1. Should complement the ethical computer use policy
2. Defines who are legitimate email users
3. Identifies backup procedures
4. Explains legitimate grounds for reading user email
5. Informs email control
6. Explains ramifications of leaving
7. Asks employees to be careful when posting organizational information

4-23

Internet Use Policy


Internet use policy - contains general principles to guide the proper use of the Internet
1. Describes available Internet services
2. Defines the purpose and restriction of Internet access
3. Complements the ethical computer use policy
4. Describes user responsibilities
5. States the ramification for violations

4-24

Anti-Spam Policy
Spam - unsolicited email
Spam accounts for 40% to 60% of most organizations' email and cost U.S. businesses over $14 billion in 2005

Anti-spam policy - simply states that email users will not send unsolicited emails (or spam)

4-25

ETHICS IN THE WORKPLACE


Workplace monitoring is a concern for many employees
Organizations can be held financially responsible for their employees' actions
The dilemma surrounding employee monitoring in the workplace is that an organization places itself at risk if it fails to monitor its employees; however, some people feel that monitoring employees is unethical

4-26

Monitoring Technologies
Monitoring - tracking people's activities by such measures as number of keystrokes, error rate, and number of transactions processed
Common monitoring technologies include:
Key logger or key trapper software
Hardware key logger
Cookie
Adware
Spyware
Web log
Clickstream

4-27

Employee Monitoring Policies


Employee monitoring policies - explicitly state how, when, and where the company monitors its employees
1. Be specific
2. Enforce the policy
3. Enforce the policy the same for all employees
4. Communicate rights to monitor all employees
5. State when monitoring will be performed
6. State what will be monitored
7. Describe types of information collected
8. State consequences for violating policies
9. State provisions for policy updates
10. Specify scope and manner of monitoring
11. Obtain written signature acknowledging policies

4-28

OPENING CASE QUESTIONS Sarbanes-Oxley


1. Define the relationship between ethics and the Sarbanes-Oxley Act
2. Why is records management an area of concern for the entire organization and not just the IT department?
3. Identify two policies an organization can implement to achieve Sarbanes-Oxley compliance

4-29

OPENING CASE QUESTIONS Sarbanes-Oxley


4. What ethical dilemmas are being solved by implementing Sarbanes-Oxley?
5. What is the biggest roadblock for organizations that are attempting to achieve Sarbanes-Oxley compliance?

SECTION 4.2

INFORMATION SECURITY


4-31

LEARNING OUTCOMES
6. Describe the relationship between information security policies and an information security plan
7. Summarize the five steps to creating an information security plan
8. Provide an example of each of the three primary security areas: (1) authentication and authorization, (2) prevention and resistance, and (3) detection and response
9. Describe the relationships and differences between hackers and viruses

4-32

Downtime

4-33

Downtime
How Much Will Downtime Cost Your Business?

4-34

PROTECTING INTELLECTUAL ASSETS


Organizational information is intellectual capital - it must be protected
Information security - the protection of information from accidental or intentional misuse by persons inside or outside an organization
Ebusiness automatically creates tremendous information security risks for organizations

4-35

PROTECTING INTELLECTUAL ASSETS

4-36

PROTECTING INTELLECTUAL ASSETS

4-37

THE FIRST LINE OF DEFENSE - PEOPLE


Organizations must enable employees, customers, and partners to access information electronically
The biggest issue surrounding information security is not a technical issue, but a people issue
33% of security incidents originate within the organization
Insiders - legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident

4-38

THE FIRST LINE OF DEFENSE - PEOPLE

The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan
Information security policies
Information security plan

4-39

THE FIRST LINE OF DEFENSE - PEOPLE

Hackers frequently use social engineering to obtain passwords


Social engineering - using one's social skills to trick people into revealing access credentials or other information valuable to the attacker

4-40

THE FIRST LINE OF DEFENSE - PEOPLE

Five steps to creating an information security plan:


1. Develop the information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks
4. Test and reevaluate risks
5. Obtain stakeholder support

4-41

THE SECOND LINE OF DEFENSE TECHNOLOGY

There are three primary information technology security areas


1. Authentication and authorization
2. Prevention and resistance
3. Detection and response

4-42

Authentication and Authorization

Authentication - a method for confirming users' identities


Authorization - the process of giving someone permission to do or have something
The most secure type of authentication involves:
1. Something the user knows
2. Something the user has
3. Something that is part of the user
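The slides list the three factors but do not show how a system actually checks them together. The following is an added example (it is not code from the textbook or its publisher) that combines the first two factors: a salted PBKDF2 password hash for "something the user knows" and an RFC 6238 time-based one-time code, of the kind a hardware token or authenticator app produces, for "something the user has". The user record layout and the enrollment helper are assumptions made for the demo; the seed used in the usage lines is the RFC 6238 test seed.

```python
import hashlib
import hmac
import os
import struct
import time

# Work factor for PBKDF2-HMAC-SHA256. Tune to your hardware; the value here is an
# assumption for the demo, not a recommendation from the textbook.
PBKDF2_ITERATIONS = 600_000
TOTP_STEP_SECONDS = 30


def hash_password(password, salt=None):
    """Factor 1 ('something the user knows'): return (salt, digest).

    A fresh random salt per user stops identical passwords from producing
    identical hashes, so a leaked table cannot be attacked with one lookup."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    _, digest = hash_password(password, salt)
    # compare_digest runs in constant time, so timing does not leak how many bytes matched
    return hmac.compare_digest(digest, stored_digest)


def totp(seed, unix_time, digits=6):
    """Factor 2 ('something the user has'): RFC 6238 TOTP over an HMAC-SHA1 seed.

    The counter is the number of 30-second steps since the epoch; the HMAC is
    dynamically truncated (RFC 4226) to a 31-bit integer, then reduced mod 10^digits."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP_SECONDS)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(seed, submitted_code, unix_time, window=1):
    """Accept the current step plus `window` steps either side to absorb clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(seed, unix_time + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, submitted_code):
            return True
    return False


def enroll_user(password, totp_seed):
    """Build the stored record for a user (layout is an assumption for this demo)."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest, "totp_seed": totp_seed}


def authenticate(record, password, code, unix_time=None):
    """Both factors must pass. Evaluate both before answering so a failed password
    and a failed code take the same path and give the same (uninformative) answer."""
    unix_time = int(time.time()) if unix_time is None else unix_time
    knows_ok = verify_password(password, record["salt"], record["pw_hash"])
    has_ok = verify_totp(record["totp_seed"], code, unix_time)
    return knows_ok and has_ok


if __name__ == "__main__":
    # Constructed demo values: RFC 6238 test seed and its published time points.
    seed = b"12345678901234567890"
    record = enroll_user("correct horse battery staple", seed)
    print("code at t=59:", totp(seed, 59))          # RFC 6238 gives 94287082; 6 digits -> 287082
    print("login ok:", authenticate(record, "correct horse battery staple", totp(seed, 59), 59))
    print("replayed code an hour later:", authenticate(record, "correct horse battery staple", totp(seed, 59), 59 + 3600))
```

The replay check at the end is the point of the second factor: the password alone is static, but the code is bound to a 30-second window, so a phished code is useless once the window has passed.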

4-43

Something the User Knows Such As a User ID and Password

This is the most common way to identify individual users and typically contains a user ID and a password
This is also the most ineffective form of authentication
Over 50 percent of help-desk calls are password related

4-44

Something the User Knows Such As a User ID and Password

Identity theft - the forging of someone's identity for the purpose of fraud
Phishing - a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent email

4-45

Something the User Knows Such As a User ID and Password

Smart cards and tokens are more effective than a user ID and a password
Tokens - small electronic devices that change user passwords automatically
Smart card - a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing

4-46

Something That Is Part Of The User Such As a Fingerprint or Voice Signature

This is by far the best and most effective way to manage authentication
Biometrics - the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting

Unfortunately, this method can be costly and intrusive

4-47

Prevention and Resistance


Downtime can cost an organization anywhere from $100 to $1 million per hour
Technologies available to help prevent and build resistance to attacks include:
1. Content filtering
2. Encryption
3. Firewalls

4-48

Content Filtering
Content filtering - prevents emails containing sensitive information from transmitting and stops spam and viruses from spreading

Corporate losses caused by spam (figure)
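The slide defines content filtering by its three jobs (stop sensitive data leaving, stop spam, stop viruses) but not how a filter decides. Below is an added example, not code from the textbook, of an outbound mail filter that does a miniature version of each: it looks for card-number-shaped digit runs and confirms them with the Luhn check so that arbitrary digits do not trigger a block, looks for a classification marker, scores the text against a short spam word list, and quarantines executable attachments. The marker strings, spam terms, attachment extensions and thresholds are all assumptions chosen for the demo; a production filter would load these from policy.

```python
import re
from dataclasses import dataclass, field

# Policy tables (constructed for this demo; real deployments load these from configuration).
SENSITIVE_MARKERS = ("confidential", "internal only")
SPAM_TERMS = ("act now", "free money", "winner", "click here", "limited time")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat")
SPAM_THRESHOLD = 2

# 13 to 16 digits, optionally separated by spaces or dashes (e.g. "4111 1111 1111 1111").
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


@dataclass
class Verdict:
    action: str                      # "deliver", "block" (data leak) or "quarantine" (spam/malware)
    reasons: list = field(default_factory=list)


def luhn_valid(digits):
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return digit strings that look like card numbers AND pass Luhn; the checksum
    removes most false positives such as order numbers or timestamps."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            hits.append(digits)
    return hits


def spam_score(text):
    """Crude keyword count; real filters weight terms and add sender reputation."""
    lowered = text.lower()
    return sum(lowered.count(term) for term in SPAM_TERMS)


def risky_attachments(attachments):
    return [name for name in attachments if name.lower().endswith(RISKY_EXTENSIONS)]


def filter_message(subject, body, attachments=()):
    """Decide what to do with one outbound message. Sensitive-data checks win over
    spam checks because a leak is the more costly outcome to let through."""
    reasons = []
    text = f"{subject}\n{body}"

    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"{len(cards)} Luhn-valid card number(s) in message body")
    if any(marker in text.lower() for marker in SENSITIVE_MARKERS):
        reasons.append("classification marker present")
    if reasons:
        return Verdict("block", reasons)

    risky = risky_attachments(attachments)
    if risky:
        return Verdict("quarantine", [f"executable attachment(s): {', '.join(risky)}"])
    score = spam_score(text)
    if score >= SPAM_THRESHOLD:
        return Verdict("quarantine", [f"spam score {score} >= {SPAM_THRESHOLD}"])
    return Verdict("deliver")


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is the well-known Luhn-valid test number.
    samples = [
        ("Invoice", "Please charge 4111-1111-1111-1111, exp 12/27", ()),
        ("Order ref", "Your reference is 1234 5678 9012 3456", ()),
        ("WINNER! Act now", "Click here for free money", ()),
        ("Q3 report", "See attached", ("q3-figures.xlsx",)),
        ("Q3 report", "See attached", ("invoice.exe",)),
    ]
    for subject, body, attachments in samples:
        verdict = filter_message(subject, body, attachments)
        print(f"{subject!r:22} -> {verdict.action:10} {verdict.reasons}")
```

The second sample shows why the Luhn step matters: "1234 5678 9012 3456" has the right shape but fails the checksum, so the filter delivers it instead of blocking a harmless reference number.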

4-49

Encryption
If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it
Encryption
Public key encryption (PKE)

4-50

Encryption

4-51

Firewalls
One of the most common defenses for preventing a security breach is a firewall

Firewall - hardware and/or software that guards a private network by analyzing the information leaving and entering the network

4-52

Firewalls
Sample firewall architecture connecting systems located in Chicago, New York, and Boston

4-53

Detection and Response


If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage
Antivirus software is the most common type of detection and response technology

4-54

Detection and Response


Hacker - people very knowledgeable about computers who use their knowledge to invade other people's computers
White-hat hacker
Black-hat hacker
Hactivist
Script kiddies or script bunnies
Cracker
Cyberterrorist

4-55

Detection and Response


Virus - software written with malicious intent to cause annoyance or damage
Worm
Denial-of-service attack (DoS)
Distributed denial-of-service attack (DDoS)
Trojan-horse virus
Backdoor program
Polymorphic virus and worm

4-56

Detection and Response


Security threats to ebusiness include:
Elevation of privilege
Hoaxes
Malicious code
Spoofing
Spyware
Sniffer
Packet tampering

4-57

OPENING CASE QUESTIONS


Sarbanes-Oxley
6. What information security dilemmas are being solved by implementing Sarbanes-Oxley?
7. How can Sarbanes-Oxley help protect a company's information security?
8. What impact does implementing Sarbanes-Oxley have on information security in a small business?
9. What is the biggest information security roadblock for organizations attempting to achieve Sarbanes-Oxley compliance?

4-58

CLOSING CASE ONE Banks Banking on Security


1. What reason would a bank have for not wanting to adopt an online-transfer delay policy?
2. What are the two primary lines of security defense and why are they important to financial institutions?
3. Explain the differences between the types of security offered by the banks in the case

4-59

CLOSING CASE ONE Banks Banking on Security


4. What additional types of security, not mentioned in the case above, would you recommend a bank implement?
5. Identify three policies a bank should implement to help it improve information security
6. Describe monitoring policies along with the best way for a bank to implement monitoring technologies

4-60

CLOSING CASE TWO Hacker Hunters


1. What types of technology could big retailers use to prevent identity thieves from purchasing merchandise?
2. What can organizations do to protect themselves from hackers looking to steal account data?
3. Authorities frequently tap online service providers to track down hackers. Do you think it is ethical for authorities to tap an online service provider and read people's email? Why or why not?

4-61

CLOSING CASE TWO Hacker Hunters


4. Do you think it was ethical for authorities to use one of the high-ranking officials to trap other gang members? Why or why not?
5. In a team, research the Internet and find the best ways to protect yourself from identity theft

4-62

CLOSING CASE THREE Executive Dilemmas in the Information Age

1. Explain why understanding technology, especially in the areas of security and ethics, is important for a CEO. How do CEOs' actions affect the organizational culture?
2. Identify why executives in nontechnological industries need to worry about technology and its potential business ramifications

4-63

CLOSING CASE THREE Executive Dilemmas in the Information Age

3. Describe why continuously learning about technology allows an executive to better analyze threats and opportunities
4. Identify three things that a CTO, CPO, or CSO could do to prevent the above issues

4-64

BUSINESS DRIVEN BEST SELLERS


The Smartest Guys in the Room, by Bethany McLean and Peter Elkind

4-65

BUSINESS DRIVEN BEST SELLERS


Career Warfare, by David D'Alessandro

4-66

BUSINESS DRIVEN BEST SELLERS


Leadership Sopranos Style: Lessons from a Fictional Mob Boss, by Deborrah Himsel
