BUS1MIS Management Information Systems Semester 1, 2012 Week 7 Lecture 1.


Ethics and Information Security
Learning objectives Ref. Chapter 4 (Text)
Explain the ethical issues surrounding information technology.
Identify the differences between an ‘ethical computer use policy’ and an ‘acceptable use policy’.
Describe the relationship between an ‘email privacy policy’ and an ‘Internet use policy’.
Describe the relationship between information security policies and an information security plan.
Summarise the five steps to creating an information security plan.
Provide an example of each of the three primary security areas: a. authentication and authorization, b. prevention and resistance, c. detection and response.
Describe the relationships and differences between hackers and viruses.

An organisation’s data and information are a key resource. To lose the data and information or have them used inappropriately or illegally can be disastrous for an organisation. A business manager must understand the ethical and security issues surrounding data and information.

Ethics: the principles and standards that guide our behaviour toward other people.
Ethics sit between appropriate behaviour and illegal behaviour.

Acting ethically and legally are not always the same.
Hopefully you will be making decisions here!

Consider the questions below from an ethical and legal viewpoint.
1. Is it OK to use work time and equipment for private email and Internet usage?
2. Should your boss be able to monitor your personal Internet usage on work computers?
3. Should your boss be able to read private emails you have sent from or received on work computers?
4. You give up a job to go into business for yourself. Before you leave you print a list of your customers’ contact details. Is it OK to individually contact your previous customers to inform them of your new business?

Ethical issues concerning IT and IS
Intellectual property [rights that protect creative and intellectual effort]
Copyright [copying, using material illegally] e.g. iiNet
Fair use doctrine [where it is legal to use copyrighted material]
Pirated software [unauthorized use of copyrighted software]
Counterfeit products [e.g. software that is manufactured to look like the real thing and sold as such]

Privacy is a major ethical issue, and a right to privacy is the law.
Privacy: the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent
Confidentiality: the assurance that messages and information are available only to those who are authorized to view them

Developing Information Management Policies
Organisations should strive to build a corporate culture based on ethical principles that employees can understand and implement.
E-policies are policies and procedures that address the ethical use of computers and Internet usage in the business environment.
E-policies typically include:
Ethical computer use policy
Information privacy policy
Acceptable use policy
Email privacy policy
Internet use policy
Anti-spam policy

Ethical computer use policy: contains general principles to guide computer user behaviour [p. 170]
Information privacy policy: contains general principles regarding information privacy [p. 171]
The unethical use of information typically occurs “unintentionally” when it is used for new purposes.
Acceptable use policy (AUP): a policy that a user must agree to follow in order to be provided access to a network or to the Internet [p ]
1. Will not violate any laws
2. Will not break the security
3. Will not post commercial messages
4. Will not send spam
5. Will not send mail bombs

Organisations can mitigate the risks of email and instant messaging communication tools by implementing and adhering to an email privacy policy.
Email privacy policy: details the extent to which messages may be read by others [p ]

Internet use policy: contains general principles to guide the proper use of the Internet within an organization [p ]
The policy
1. Describes available Internet services
2. Defines the purpose and restriction of Internet access
3. Complements the ethical computer use policy
4. Describes user responsibilities
5. States the ramification for violations
Spam: unsolicited email
Anti-spam policy: simply states that users will not send unsolicited emails (or spam)

Workplace monitoring
Workplace monitoring is a concern for many employees.
Organisations can be held financially responsible for their employees’ actions.
The dilemma surrounding employee monitoring in the workplace is that an organization is placing itself at risk if it fails to monitor its employees; however, some people feel that monitoring employees is unethical.
Information Technology Monitoring
Monitoring: tracking people’s activities by such measures as number of keystrokes, error rate, and number of transactions processed

Information security: the protection of information from accidental or intentional misuse by persons inside or outside an organization
Organizations must enable employees, customers, and partners to access information electronically.
The biggest issue surrounding information security is not a technical issue, but a people issue.
33% of security incidents originate within the organization.
Insiders: legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident

Lines of Defence - [1] People
The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan.
How do you create an information security plan?
1. Develop the information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks
4. Test and reevaluate risks
5. Obtain stakeholder support
[see Tables 4.15, 4.16 Text]

Lines of Defence - [2] Technology
The second line of defense involves technology, in particular:
1. Authentication and authorization [p ]
2. Prevention and resistance [p ]
3. Detection and response [p ]

Authentication: a method for confirming users’ identities
The most secure type of authentication involves:
Something the user knows [e.g. user name & password]
Something the user has [e.g. a smart card or token]
Something that is part of the user [e.g. voice signature, fingerprint]
Authorisation: the process of giving someone permission to do or have something, e.g. file access, hours of access, amount of storage space

Prevention and resistance
Technologies available to help prevent and build resistance to attacks include:
1. Content filtering [e.g. software to filter emails for sensitive information, to detect files containing viruses, etc.]
2. Encryption [‘scrambling’ of information prior to transmission, ‘unscrambling’ on receipt of information]
3. Firewalls [hardware/software that ‘guards’ a private network]

Detection and Response
If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage.
Antivirus software is the most common type of detection and response technology.
Virus: software written with malicious intent to cause annoyance or damage [see table 4.19, Text for a description of virus types].
Hackers: people very knowledgeable about computers who use their knowledge to invade other people’s computers [again, see table 4.19, text for a description of hacker types].