Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin CHAPTER FOUR ETHICS AND INFORMATION SECURITY: MIS BUSINESS CONCERNS.

Presentation transcript:

Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin CHAPTER FOUR ETHICS AND INFORMATION SECURITY: MIS BUSINESS CONCERNS (Many contents added)

4-2 TJX: The Worst Data Breach Ever?

4-3 INFORMATION ETHICS
– Business issues related to information ethics: privacy, intellectual property, copyright, pirated software, counterfeit software

4-4 Ethically questionable tech use

4-5 INFORMATION ETHICS
– Privacy is a major ethical issue
– Privacy – The right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent
– vs. Confidentiality – The assurance that messages and information are available only to those who are authorized to view them

4-6 Threats to privacy: Electronic Surveillance
– See "The State of Surveillance" article in BusinessWeek
– See the surveillance slideshow
– And you think you have privacy? – Ordering pizza in 2015

4-7 Protecting Privacy
– Privacy codes and policies
– TRUSTe
– Privacy policy – Example: Yahoo
– Consumer's choices regarding business practices related to privacy – Opt-out model – Opt-in model

4-8 INFORMATION ETHICS
– Acting ethically and acting legally are not always the same

4-9 INFORMATION DOES NOT HAVE ETHICS, PEOPLE DO
– Information does not care how it is used; it will not stop itself from sending spam, viruses, or highly sensitive information
– Tools to prevent information misuse: information management, information governance, information compliance, ediscovery

4-10 DEVELOPING INFORMATION MANAGEMENT POLICIES
– Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement
– Epolicies (defined p. 139) typically include:
1. Ethical computer use policy
2. Information privacy policy
3. Acceptable use policy (p. 140)
4. Email privacy policy (p. 141)
5. Social media policy (importance on the rise)
6. Workplace monitoring policy

4-11 Fig 4.6 Internet Monitoring Technologies

4-12 PROTECTING INTELLECTUAL ASSETS
– Organizational information is intellectual capital; it must be protected
– Information security – The protection of information from accidental or intentional misuse by persons inside or outside an organization
– Downtime – Refers to a period of time when a system is unavailable
– Sources of downtime: Fig 4.7, p. 146

4-13 Sources of downtime: Fig 4.7, p. 146

4-14 How Much Will Downtime Cost Your Business?

4-15 Factors Increasing the Threats to Information Security
– Today's interconnected, interdependent, wirelessly networked business environment -- Implication?
– Smaller, faster, cheaper computers and storage devices -- Implication?
– Decreasing skills necessary to be a computer hacker -- Implication?

4-16 Factors Increasing the Threats to Information Security (continued)
– Increased employee use of unmanaged devices -- Implication?
– More technical reasons why information security is a bigger issue than it was 20 years ago
– Government legislation
– International organized crime turning to cybercrime

4-17 A Look at Unmanaged Devices
– Wi-Fi at McDonald's
– Wi-Fi at Starbucks
– Hotel business center (My experience at XiYuan Hotel in Beijing)

4-18 Categories of Threats to Info Systems
1. Unintentional acts
2. Natural disasters
3. Technical failures
4. Management failures
5. Deliberate acts
(Whitman and Mattord, 2003)
– Example of a threat (usa)
– Lesson: Slide 15

4-19 SECURITY THREATS CAUSED BY HACKERS AND VIRUSES

4-20 SECURITY THREATS CAUSED BY HACKERS AND VIRUSES
– Fig 4.11 Common forms of "virus" (malware)

4-21 SECURITY THREATS CAUSED BY HACKERS AND VIRUSES
– Hacker weapons (Fig 4.12): elevation of privilege, hoaxes, malicious code, packet tampering, sniffer, spoofing, splogs, spyware

4-22 Deliberate Acts (continued)
– Software attacks (continued)
– Phishing attacks: phishing slideshow, phishing quiz, phishing example, phishing example
– Distributed denial-of-service attacks: see the botnet demonstration; the "Bronze Soldier Incident"

4-23 Risk Management
– Risk
– Risk management (cost of risk management – risk optimization)
– Risk analysis
– Risk mitigation
– Risk mitigation strategies: risk acceptance, risk limitation, risk transference

4-24 Risk Optimization

4-25 Controls
– Physical controls Ex:
– Access controls Ex:
– Communications (network) controls Ex:
– Application controls Ex:

4-26 Primary Goals of Security
General Security Goals ("CIA")
– Confidentiality – Protection of customer and proprietary data from unauthorized disclosure; simply put: attackers cannot access or understand protected information
– Integrity – Assurance that data have not been altered or destroyed; simply put: if attackers change messages, this will be detected
– Availability – Providing continuous operation of hardware and software so that the parties involved can be assured of uninterrupted service; simply put: the system is available to serve users

4-27 THE FIRST LINE OF DEFENSE - PEOPLE
– Organizations must enable employees, customers, and partners to access information electronically
– The biggest issue surrounding information security is not a technical issue, but a people issue: insiders, social engineering, dumpster diving

4-28 THE FIRST LINE OF DEFENSE - PEOPLE
– The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan
– Information security policies
– Information security plan

4-29 THE SECOND LINE OF DEFENSE - TECHNOLOGY
– There are three primary information technology security areas:
1. People: Authentication and authorization
2. Data: Prevention and resistance
3. Attack: Detection and response

4-30 AUTHENTICATION AND AUTHORIZATION ("Access control")
– Authentication – A method for confirming users' identities
– Authorization – The process of giving someone permission to do or have something
– The most secure type of authentication involves:
1. Something the user knows
2. Something the user has
3. Something that is part of the user
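To make the distinction on this slide concrete, here is an added example (not from the textbook or the slides) that authenticates a user with two of the three factors, a password (something the user knows) and a time-based one-time code from an authenticator device (something the user has), and only then makes a separate authorization decision. The user record, salt, shared secret and role table are all constructed for the example; the one-time code follows the RFC 6238 TOTP algorithm.

```python
import hashlib
import hmac
import struct

# Hypothetical user store constructed for this example. Passwords are kept only
# as salted PBKDF2 hashes; a real system would draw a random salt per user.
SALT = b"constructed-fixed-salt"
TOTP_SECRET = b"constructed-shared-secret"  # provisioned to the user's authenticator app


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USERS = {
    "alice": {
        "pw_hash": _hash_password("correct horse battery staple", SALT),
        "totp_secret": TOTP_SECRET,
        "roles": {"reader"},
    }
}


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def authenticate(user: str, password: str, code: str, now: int) -> bool:
    """Factor 1 (knows): password. Factor 2 (has): current code from the device."""
    rec = USERS.get(user)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(rec["pw_hash"], _hash_password(password, SALT))
    # Accept the current 30 s step and the previous one to tolerate clock drift.
    code_ok = any(hmac.compare_digest(code, totp(rec["totp_secret"], now - d)) for d in (0, 30))
    return pw_ok and code_ok  # both are evaluated, so a failure does not reveal which factor


def authorize(user: str, action: str) -> bool:
    """Authorization is a separate decision: what an already-identified user may do."""
    needed = {"read_report": "reader", "delete_report": "admin"}
    return needed.get(action) in USERS.get(user, {}).get("roles", set())
```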

4-31 PREVENTION AND RESISTANCE
– Downtime can cost an organization anywhere from $100 to $1 million per hour
– Technologies available to help prevent and build resistance to attacks include:
1. Content filtering
2. Encryption
3. Firewalls

4-32 Basic Home Firewall (top) and Corporate Firewall (bottom)

4-33 Communication or Network Controls (continued)
– Virtual private networking (VPN)
– Secure Sockets Layer (now Transport Layer Security)
– Vulnerability management systems
– Employee monitoring systems

4-34 DETECTION AND RESPONSE
– If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage
– Intrusion detection software – Features full-time monitoring tools that search for patterns in network traffic to identify intruders
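As an added illustration of the "search for patterns in network traffic" idea on this slide (example code written for this page, not from the textbook or any product), the detector below runs two simple sliding-window rules over a constructed connection log: one source touching many distinct ports on a host in a short time, and one source producing repeated login failures. The log format, addresses and thresholds are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed connection log for this example (not real traffic).
# Fields: epoch_seconds src_ip dst_ip dst_port outcome
SAMPLE_LOG = """\
1700000000 203.0.113.9 192.0.2.10 22 fail
1700000002 203.0.113.9 192.0.2.10 22 fail
1700000004 203.0.113.9 192.0.2.10 22 fail
1700000006 203.0.113.9 192.0.2.10 22 fail
1700000008 203.0.113.9 192.0.2.10 22 fail
1700000010 198.51.100.7 192.0.2.10 21 ok
1700000011 198.51.100.7 192.0.2.10 23 ok
1700000012 198.51.100.7 192.0.2.10 25 ok
1700000013 198.51.100.7 192.0.2.10 80 ok
1700000014 198.51.100.7 192.0.2.10 110 ok
1700000015 198.51.100.7 192.0.2.10 143 ok
1700000020 192.0.2.55 192.0.2.10 443 ok
1700000021 192.0.2.55 192.0.2.10 22 fail
1700000400 192.0.2.55 192.0.2.10 22 ok
"""


def parse(log: str):
    """Yield (timestamp, src, dst, port, outcome) tuples, skipping blank lines."""
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, port, outcome = line.split()
            yield int(ts), src, dst, int(port), outcome


def detect(log: str, window: int = 60, scan_ports: int = 5, max_fails: int = 4):
    """Return alert strings; each (rule, source) pair is reported at most once."""
    alerts, flagged = [], set()
    port_hits = defaultdict(list)  # (src, dst) -> [(ts, port)] inside the window
    fail_hits = defaultdict(list)  # src -> [ts] of failed logins inside the window
    for ts, src, dst, port, outcome in parse(log):
        hits = [(t, p) for t, p in port_hits[(src, dst)] if ts - t <= window] + [(ts, port)]
        port_hits[(src, dst)] = hits
        distinct = {p for _, p in hits}
        if len(distinct) >= scan_ports and ("scan", src, dst) not in flagged:
            flagged.add(("scan", src, dst))
            alerts.append(f"port scan: {src} -> {dst} touched {len(distinct)} ports in {window}s")
        if outcome == "fail":
            fails = [t for t in fail_hits[src] if ts - t <= window] + [ts]
            fail_hits[src] = fails
            if len(fails) >= max_fails and ("brute", src) not in flagged:
                flagged.add(("brute", src))
                alerts.append(f"brute force: {src} had {len(fails)} failed logins in {window}s")
    return alerts
```

The third source in the sample (two ports, one failure, then a success far outside the window) stays below both thresholds, which is the kind of baseline traffic a tuned rule should leave alone.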