Issues Information Systems and Management. Issues Privacy Ethics Health Computer Crime Security.

Presentation transcript:

Issues Information Systems and Management

Issues
• Privacy
• Ethics
• Health
• Computer Crime
• Security

Privacy
• The right to be left alone when you want to be, to have control over your personal possessions and not to be observed without your consent
• The power of IT to store and retrieve information can have a negative effect on the “right of privacy” of every individual
• Monitor
• Collect data from website visits

Privacy and the Internet
• There are few rules about what is private and what you can store
• Censorship: Freedom of Information/Speech/The Press
• Spamming: mass unsolicited
• Flaming: critical, derogatory, vulgar

Privacy and Employees
• Monitoring technology scans both incoming and outgoing
• Eastman Kodak has a monitoring policy
• Computer matching
  – Mistaken identity
  – Stolen identity
• Terrorists use UNSENT as a virtual drop box

Privacy and Consumers
• Consumers want businesses to know who they are, provide them with what they want, and tell them about their products – BUT leave them alone.
• Cookies
• Spyware

Privacy and Government
• Canadians have the right to see all data held by the Federal Government about them
  – There is a database on who has made a request
  – Soviet Union 1974

Privacy and International Trade
• Which countries’ laws apply?
  – Buy
  – Ship
  – Destination

Ethics
• The principles and standards that guide our behaviours toward other people.
• Technology has created many new ethical dilemmas
• Intellectual property: intangible
• Copyright: songs
• Fair Use Doctrine: can legally use copyright material for education
• Pirated Software: unauthorized duplication or sale of copyright software
• Counterfeit Software: software manufactured to look real.

Developing Information Management Policies
• Ethical Computer Use
• Information Privacy
• Acceptable Use
• Privacy
• Internet Use
• Anti-Spam

Health Issues
• Repetitive Stress Injury (RSI)
• Carpal Tunnel Syndrome (CTS)
• Computer Vision Syndrome (CVS)
• Techno-stress
• Response: Ergonomics
  – Human factors engineering

You and Ethical Responsibility
• As a managerial end user, you have a responsibility to do something about some of the abuses of information and technology in the workplace.
• As IS Professionals there should be a code of ethics to follow
  – One that is generally accepted like other professions

Computer Crime
• The commission of illegal acts through the use of a computer or against a computer system

Computer Crime
• Money theft
• Service theft
• Software theft
• Data alteration or theft
• Computer Viruses
• Malicious Access – Hacking
• Crimes against the computer
SWP Internal Audit Seminar,

Outside the Organization
• Viruses: destructive software written with the intent to cause annoyance or damage
• Benign Viruses
• Malignant Viruses
• Macro Viruses
• Worm
• Denial-of-service (single or distributed)
• Combinations
• Hoaxes
• Stand-alone Viruses
• Trojan Horse Viruses

The Players
• Hackers
• White-hat hackers
• Black-hat hackers
• Crackers
• Social Engineering
• Hacktivists
• Cyber-terrorists
• Script Kiddies

Inside the Company
• Be careful who you hire and how you investigate potential problems

Computer Forensics
• The gathering, authentication, examination, and analysis of electronic information stored on any type of computer media, such as hard drives, floppy disks, or CDs.

Recovery and Interpretation
• Places to look for stray information
  – Deleted files and slack space
  – Unused space
• Ways of hiding information
  – Rename the file
  – Make the information invisible
  – Use Windows to hide files
  – Protect the file with a password
  – Encrypt the file
  – Use Steganography
  – Compress the file

Information Security
• The protection of information from accidental or intentional misuse by persons inside or outside an organization
• The First Line of Defence
  – People
  – Develop and enforce policies
  – Ontario Hydro – “Can I help you?”

Social Engineering
• Using one’s social skills to trick people into revealing access credentials or other information valuable to the attackers.

The Second Line of Defence - Technology
• Authentication
  – Confirm user’s identity
    – ID and password
    – Smart card
    – Fingerprint or voice signature
• Prevention and Resistance
  – Firewalls
  – Encryption
  – Content filters
• Detection and Response
  – Anti-virus software

Risk Management
• Identify Threats
• Assess Consequences
• Select Countermeasures
• Prepare contingency plans
• Monitor and review

Effective Controls
• Provide Quality Assurance
• Keep the information system free from errors and fraud
• Data Accuracy
• System Integrity
• Scan on data integrity within a database

Information System Controls
1. Input Controls
2. Processing Controls
3. Output Controls
4. Storage Controls

Information Systems Controls
• Input Controls
  – Control totals: record count, batch total, hash total
  – Ensure a valid transaction
• Processing Controls
  – Hardware controls: special checks built into the hardware to verify the accuracy of computer processing
    – Parity
    – Re-calculation
  – Software controls: check internal file labels, check points, audit trails; edits in application programs

Information Systems Controls
• Output Controls
  – Ensure that information products are correct and complete and are transmitted to authorized users in a timely manner
• Storage Controls
  – Program and database library
  – File back-up and retention

Facility Controls
1. Network Security
2. Physical Protection Controls
3. Biometric Controls
4. Computer Failure Controls

Facility Controls
• Network Security
  – Monitor the use of networks
  – Protect networks from unauthorized use
  – Give authorized users access through ID and passwords
  – Encryption
• Physical Protection
  – Security doors
  – ID badges
  – Alarms
  – Closed-circuit TV

Facility Controls
• Biometric Controls
  – Measure unique physical traits of individuals
    – Signature, retinal scanning
• Computer Failure Controls
  – Fault tolerant: multiple CPU, peripherals and system software
  – Fail Safe: capability to operate at the same level
  – Fail Soft: capability to operate at a reduced but acceptable level

Procedural Controls
• Methods that specify how the information services organization should be operated for maximum security to facilitate the accuracy and integrity of computer operation and system development activities.

Procedural Controls
• Separation of Duties
• Standard Operating Procedures
• Authorization Requirements
• Disaster Recovery
• Auditing Information Systems

Procedural Controls
• Disaster Recovery (Business Continuity Planning)
  – Specifies duties of employees, what hardware, software, and facilities will be used, and the priority of applications that will be processed.

Procedural Controls
• Auditing Information Systems
  – Auditing around the computer: verify accuracy of output given specific input
  – Auditing through the computer: detailed verification of the logic of computer programs
  – Audit trail: the presence of documentation that allows a transaction to be traced through all the stages of its information processing
• RCMP Auditor
