This presentation was developed by Dr. Steven C. Ross for use in MIS 320 classes at Western Washington University. Some of the material contained herein is © 2007, John Wiley & Sons, Inc. and other sources, as noted. All rights reserved.
MIS 320: Protecting People and Information
Protecting People
- Ethics
- Intellectual property
- Privacy
- Cultural diversity
- Ergonomics
Ethics
- “Doing what’s right.”
- Who decides?
- What’s the difference between unethical and illegal?
- What’s the difference between unethical and immoral?
A Framework for Ethical Issues
- Privacy
  - Information revealed, surveillance, security of information
- Accuracy
  - Accuracy of collected and reported information
- Property
  - Ownership and exchange of information
  - Intellectual property
- Accessibility
  - Who, how facilitated
- Consequences – benefit or harm
- Society’s opinion – your perception of what society really thinks of the intended action
- Likelihood of effect – probability of harm or benefit
- Time to consequences – length of time it will take until benefit or harm takes effect
- Relatedness – how much do you identify with the person or persons who will receive the benefit or suffer the harm?
- Reach of result – how many people will be affected
Privacy
- Employees
- Customers
- [from] Government Agencies
- Variations by Country
Employee Privacy
- What right does an organization have to
  - Collect data on its employees
  - Monitor employee email and internet use
- Who and what limits the organization’s data collection and monitoring?
  - Laws
  - Employee associations (including unions)
Consumer Privacy
- What right does an organization have to
  - Collect data on its consumers
  - Share that data with other organizations
  - Share that data with government
- Is there a difference between individually-identifiable data and aggregated data?
Privacy and Societal Needs
- The right to privacy is not absolute …
- Balanced against needs of society
- Public’s right to know is superior to individual’s right to privacy
Privacy and Government Agencies
- Do we want the government to know everything about us?
- Do we want the government to know anything about us?
- Should the government know more (or different) data about non-citizens?
- Types of data
  - Criminal
  - Tax
  - Census
Code of Fair Information Practices
- There must be no personal record keeping whose very existence is secret.
- There must be a way for an individual to find out what information about him is on record and how it is being used.
- There must be a way for an individual to correct or amend a record of identifiable information about him.
- There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for another purpose without his consent.
- Any organization creating, maintaining, using or disseminating records of identifiable personal data must guarantee the reliability of the data for their intended use and must take precautions against the misuse of the data.
US Department of Health, Education, and Welfare, 1973
Privacy Law Variations among Countries
- Countries, or groups of countries such as the EU, have rules that are different from ours.
- So what?
  - Restrictions on international movement of data
  - Reciprocal treaties – e.g., US companies will treat European data with the same rules that European countries apply to that data
More about Privacy
- Privacy advocate André Bacard: Playboy interview at http://www.andrebacard.com/playboy.html
- A whole bunch on privacy at http://www.andrebacard.com/privacy.html including links to other sites.
Intellectual Property
- What is it?
- Why do we protect it?
- What’s fair use?
- Who decides?
- Who decides fair use?
  - Copyright owner may state what’s permitted.
  - Person who uses material may have to make a judgment as to what’s fair.
  - Courts will decide if there is a dispute.
Ergonomics
- If something hurts – determine the cause and fix it!!!
- What’s RSI? Repetitive strain injury
- How do you prevent it?
- What are the characteristics of a good workplace?
  - Eyes – lighting, focal distance
  - Wrists and hands – angles, support
  - Arms, neck, and shoulders – monitor and keyboard height, angles, support
  - Back and legs – angles, support
  - Circulation – support and movement
Protecting Information
- The Roles of Information
- Security
- Disaster Recovery
The Roles of Information
- Raw material: “component from which a product is made”
  - Trade secrets (“secret herbs and spices”)
  - Algorithms in the product
- Capital: “an asset used to produce a product or service”
  - Information about the market and customers
  - Information that helps manufacture the product
  - Information that helps manage the enterprise
Information Security
What are the bad things that can happen?
- Loss of data
- Data integrity
- Disclosure of data
- Embarrassment
- Trade secrets
- Marketing data
- Financial data and strategic plans
- Loss of physical assets
- Human casualties
- Loss of use
Security Threats * Figure 3.1 from Rainer, et al.
Unintentional Threats to Information Systems
- Human errors
- Environmental hazards
- Computer system failures
Intentional Threats to Information Systems
- Espionage or trespass
- Information extortion
- Sabotage or vandalism
- Theft
- Identity theft
- Software attacks
- Compromises to intellectual property
Software Attacks on Information Systems
- Virus: Segment of code in existing (desired) program
- Worm: Stand-alone destructive program
- Trojan horse: Program that hides in another program
- Logic bomb: Segment of code that executes under certain circumstances
Software Attacks on Information Systems
- Back door or trap door: Logon method that bypasses normal security
- Denial of service: Flooding a web site with a multitude of requests for information
- Alien software: Pestware, adware, spyware, cookies, web bugs
- Phishing and Pharming: Masquerading as a legitimate email or web site
Risk Management
- “Perfect security is unobtainable at any price.”
- Risk assessment
  - What can go wrong?
  - How likely is it?
  - What are the consequences?
- Security measures
  - Backup
  - Firewall
  - Encryption
  - Security software
  - Auditing
  - Recovery plan
Access Controls
- Authentication: Are you who you say you are?
  - UserID (often fairly public)
  - Verification:
    - Something you are: Biometric
    - Something you have: smartcard or token
    - Something you do: voice or signature
    - Something you know: password or phrase
- Authorization: What you are allowed to do
Location of Defense Mechanisms * Figure 3.2 from Rainer, et al.
Public Key Encryption * Figure 3.4 from Rainer, et al.
Digital Certificates * Figure 3.5 from Rainer, et al.
Backup
- Perhaps the single most important thing you can do to protect your data.
- Issues
  - What (data, programs, settings)
  - How (full or incremental)
  - Timing (how often and when)
  - Where to store the backup copies (safe, off-site, televault)
Active Security Measures
- Firewall to isolate your system
- Encryption to disguise the data that can’t be isolated
- Anti-virus software to detect and eliminate viruses
- Intrusion-detection software to warn you that an attempt has been made
- Authentication software to control access
- Security auditing looks for weaknesses
Disaster Recovery
What can go wrong?
- Data integrity can be compromised
  - Human error
  - Human maliciousness
  - System error
- Data can be lost
  - System destruction
- Hardware can be lost from human or natural causes
Disaster Recovery Plan
- Customers – keep them informed
- Facilities – hot or cold site
- Knowledge workers – consider family needs, impacts of long, hard hours
- Business information – backup
- Computer equipment – understand the special quirks of your setup
- Communications infrastructure – who provides, what contract
Questions to Ask Before Your Data Center Burns
- Backup
  - Where are original copies stored?
  - What is being backed up?
  - What is not being backed up?
  - Where are the backups stored?
  - How often is backed-up data moved to a different place?
- Restoration and recovery
  - Are the backup media readable?
  - What devices are required to read the backup media?
  - What software is needed to read the backup media?
  - Who knows how to restore the backed-up data?
  - What hardware would be available to resume operations?
References
- Haag, Cummings, and McCubbrey, Management Information Systems for the Information Age (5th Edition), McGraw-Hill Irwin, 2005.
- Rainer, Turban, and Potter, Introduction to Information Systems: Supporting and Transforming Business, Wiley, 2007.