Sarbanes-Oxley: Where Information Technology, Finance, and Ethics Meet

Presentation transcript:

CHAPTER 4 ETHICS AND INFORMATION SECURITY
Opening Case: Sarbanes-Oxley: Where Information Technology, Finance, and Ethics Meet

Chapter Four Overview
- SECTION 4.1 - ETHICS
  - Information Ethics
  - Developing Information Management Policies
  - Ethics in the Workplace
- SECTION 4.2 - INFORMATION SECURITY
  - Protecting Intellectual Assets
  - The First Line of Defense - People
  - The Second Line of Defense - Technology

Organizational Fundamentals - Ethics and Security
- Ethics and security are two fundamental building blocks that organizations must base their businesses on to be successful
- In recent years, events such as the Enron and Martha Stewart scandals, along with 9/11, have shed new light on the meaning of ethics and security

SECTION 4.1 ETHICS

LEARNING OUTCOMES
- Explain the ethical issues surrounding information technology
- Identify the differences between an ethical computer use policy and an acceptable computer use policy
- Describe the relationship between an e-mail privacy policy and an Internet use policy

LEARNING OUTCOMES
- Explain the effects of spam on an organization
- Summarize the different monitoring technologies and explain the importance of an employee monitoring policy

ETHICS
- Ethics – the principles and standards that guide our behavior toward other people
- Issues affected by technology advances:
  - Intellectual property
  - Copyright
  - Fair use doctrine
  - Pirated software
  - Counterfeit software

ETHICS
- Privacy is a major ethical issue
- Privacy – the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent
- Confidentiality – the assurance that messages and information are available only to those who are authorized to view them

ETHICS
- One of the main ingredients in trust is privacy
- Primary reasons why privacy issues have eroded trust in e-business (chart)

INFORMATION ETHICS
- Individuals form the only ethical component of IT

Information Has No Ethics
- Acting ethically and acting legally are not always the same

Information Has No Ethics
- Information does not care how it is used
- Information will not stop itself from sending spam, viruses, or highly sensitive information
- Information cannot delete or preserve itself

DEVELOPING INFORMATION MANAGEMENT POLICIES
- Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement
- ePolicies typically include:
  - Ethical computer use policy
  - Information privacy policy
  - Acceptable use policy
  - E-mail privacy policy
  - Internet use policy
  - Anti-spam policy

Ethical Computer Use Policy
- Ethical computer use policy – contains general principles to guide computer user behavior
- The ethical computer use policy ensures all users are informed of the rules and, by agreeing to use the system on that basis, consent to abide by the rules

Ethical Computer Use Policy

Information Privacy Policy
- The unethical use of information typically occurs “unintentionally” when it is used for new purposes
- For example, social security numbers started as a way to identify government retirement benefits and are now used as a sort of universal personal ID
- Information privacy policy – contains general principles regarding information privacy

Information Privacy Policy
- Information privacy policy guidelines:
  - Adoption and implementation of a privacy policy
  - Notice and disclosure
  - Choice and consent
  - Information security
  - Information quality and access

Acceptable Use Policy
- Acceptable use policy (AUP) – a policy that a user must agree to follow in order to be provided access to a network or to the Internet
- An AUP usually contains a nonrepudiation clause
- Nonrepudiation – a contractual stipulation to ensure that e-business participants do not deny (repudiate) their online actions

Acceptable Use Policy

E-Mail Privacy Policy
- Organizations can mitigate the risks of e-mail and instant messaging communication tools by implementing and adhering to an e-mail privacy policy
- E-mail privacy policy – details the extent to which e-mail messages may be read by others

E-Mail Privacy Policy

E-Mail Privacy Policy

Internet Use Policy
- Internet use policy – contains general principles to guide the proper use of the Internet

Anti-Spam Policy
- Spam – unsolicited e-mail
- Spam accounts for 40% to 60% of most organizations’ e-mail and cost U.S. businesses over $14 billion in 2005
- Anti-spam policy – simply states that e-mail users will not send unsolicited e-mails (or spam)

ETHICS IN THE WORKPLACE
- Workplace monitoring is a concern for many employees
- Organizations can be held financially responsible for their employees’ actions
- The dilemma surrounding employee monitoring in the workplace is that an organization places itself at risk if it fails to monitor its employees; however, some people feel that monitoring employees is unethical

Monitoring Technologies

Monitoring Technologies
- Monitoring – tracking people’s activities by such measures as number of keystrokes, error rate, and number of transactions processed
- Common monitoring technologies include:
  - Key logger or key trapper software
  - Hardware key logger
  - Cookie
  - Adware
  - Spyware
  - Web log
  - Clickstream

Employee Monitoring Policies
- Employee monitoring policies – explicitly state how, when, and where the company monitors its employees

OPENING CASE QUESTIONS: Sarbanes-Oxley
- Define the relationship between ethics and the Sarbanes-Oxley Act
- Why is records management an area of concern for the entire organization and not just the IT department?
- Identify two policies an organization can implement to achieve Sarbanes-Oxley compliance

OPENING CASE QUESTIONS: Sarbanes-Oxley
- What ethical dilemmas are being solved by implementing Sarbanes-Oxley?
- What is the biggest roadblock for organizations that are attempting to achieve Sarbanes-Oxley compliance?

SECTION 4.2 INFORMATION SECURITY

LEARNING OUTCOMES
- Describe the relationship between information security policies and an information security plan
- Summarize the five steps to creating an information security plan
- Provide an example of each of the three primary security areas: (1) authentication and authorization, (2) prevention and resistance, and (3) detection and response
- Describe the relationships and differences between hackers and viruses

PROTECTING INTELLECTUAL ASSETS
- Organizational information is intellectual capital – it must be protected
- Information security – the protection of information from accidental or intentional misuse by persons inside or outside an organization
- E-business automatically creates tremendous information security risks for organizations

PROTECTING INTELLECTUAL ASSETS

PROTECTING INTELLECTUAL ASSETS

THE FIRST LINE OF DEFENSE - PEOPLE
- Organizations must enable employees, customers, and partners to access information electronically
- The biggest issue surrounding information security is not a technical issue, but a people issue
- 33% of security incidents originate within the organization
- Insiders – legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident

THE FIRST LINE OF DEFENSE - PEOPLE
- The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan
- Information security policies – identify the rules required to maintain information security
- Information security plan – details how an organization will implement the information security policies

THE FIRST LINE OF DEFENSE - PEOPLE
- Hackers frequently use “social engineering” to obtain passwords
- Social engineering – using one’s social skills to trick people into revealing access credentials or other information valuable to the attacker

THE FIRST LINE OF DEFENSE - PEOPLE
- Five steps to creating an information security plan:
  1. Develop the information security policies
  2. Communicate the information security policies
  3. Identify critical information assets and risks
  4. Test and reevaluate risks
  5. Obtain stakeholder support

THE FIRST LINE OF DEFENSE - PEOPLE

THE SECOND LINE OF DEFENSE - TECHNOLOGY
- There are three primary information technology security areas:
  1. Authentication and authorization
  2. Prevention and resistance
  3. Detection and response

Authentication and Authorization
- Authentication – a method for confirming users’ identities
- Authorization – the process of giving someone permission to do or have something
- The most secure type of authentication involves:
  - Something the user knows, such as a user ID and password
  - Something the user has, such as a smart card or token
  - Something that is part of the user, such as a fingerprint or voice signature

Something the User Knows Such As a User ID and Password
- This is the most common way to identify individual users and typically consists of a user ID and a password
- This is also the most ineffective form of authentication
- Over 50 percent of help-desk calls are password related

Something the User Knows Such As a User ID and Password
- Identity theft – the forging of someone’s identity for the purpose of fraud
- Phishing – a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail

Something the User Knows Such As a User ID and Password

Something the User Has Such As a Smart Card or Token
- Smart cards and tokens are more effective than a user ID and a password
- Tokens – small electronic devices that change user passwords automatically
- Smart card – a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing

Something That Is Part Of The User Such As a Fingerprint or Voice Signature
- This is by far the best and most effective way to manage authentication
- Biometrics – the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting
- Unfortunately, this method can be costly and intrusive

Prevention and Resistance
- Downtime can cost an organization anywhere from $100 to $1 million per hour
- Technologies available to help prevent and build resistance to attacks include:
  - Content filtering
  - Encryption
  - Firewalls

Content Filtering
- Organizations can use content filtering technologies to filter e-mail, prevent e-mails containing sensitive information from being transmitted, and stop spam and viruses from spreading
- Content filtering – occurs when organizations use software that filters content to prevent the transmission of unauthorized information
- Spam – a form of unsolicited e-mail
- Corporate losses caused by spam (chart)
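The outbound content filter described on this slide, as an added example that is not part of the original deck: a small Python filter scans constructed sample messages for sensitive data patterns (a U.S. social security number format and a Luhn-valid payment card number) and scores spam wording. The patterns, the spam terms, the threshold and the sample messages are all assumptions chosen for illustration, not a vendor's rule set.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample outbound messages (not taken from the slides).
SAMPLE_MESSAGES = [
    {"id": 1, "to": "partner@example.net",
     "body": "Hi, attaching the Q3 forecast. Regards, Pat"},
    {"id": 2, "to": "someone@example.org",
     "body": "Employee record for Pat: SSN 123-45-6789, start date 2011-02-01"},
    {"id": 3, "to": "cardholder@example.org",
     "body": "Your card 4111 1111 1111 1111 will be charged."},
    {"id": 4, "to": "all@example.com",
     "body": "FREE MONEY!!! Click now to WIN a prize, act now, limited offer"},
]

# Assumed detection rules: SSN layout, 13-16 digit runs (card numbers), spam phrases.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SPAM_TERMS = ("free money", "click now", "win a prize", "act now", "limited offer")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used so that arbitrary digit runs are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(body: str) -> list[str]:
    """Return the kinds of sensitive data found in the message body."""
    hits = []
    if SSN_RE.search(body):
        hits.append("ssn")
    for match in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append("card_number")
            break
    return hits


def spam_score(body: str) -> int:
    """Crude spam heuristic: one point per known phrase, one for heavy punctuation."""
    lowered = body.lower()
    score = sum(term in lowered for term in SPAM_TERMS)
    if body.count("!") >= 3:
        score += 1
    return score


@dataclass
class Decision:
    message_id: int
    action: str        # "deliver", "block" or "quarantine"
    reasons: list


def filter_message(msg: dict, spam_threshold: int = 3) -> Decision:
    """Block sensitive data outright; quarantine likely spam; deliver the rest."""
    reasons = find_sensitive(msg["body"])
    if reasons:
        return Decision(msg["id"], "block", reasons)
    score = spam_score(msg["body"])
    if score >= spam_threshold:
        return Decision(msg["id"], "quarantine", [f"spam_score={score}"])
    return Decision(msg["id"], "deliver", [])


def filter_all(messages=SAMPLE_MESSAGES) -> dict[int, str]:
    """Map each message id to the filter's action."""
    return {d.message_id: d.action for d in (filter_message(m) for m in messages)}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(filter_message(msg))
```

The Luhn check is what keeps a filter like this usable: without it, dates, invoice numbers and phone numbers produce a stream of false blocks that users learn to route around.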

Encryption
- If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it
- Encryption – scrambles information into an alternative form that requires a key or password to decrypt the information
- Public key encryption (PKE) – an encryption system that uses two keys: a public key for everyone and a private key for the recipient
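The two-key idea on this slide, as an added example that is not part of the original deck: a toy textbook RSA in Python, using the small primes 61 and 53 (an assumed, purely instructional key size), shows that anyone holding the public key can encrypt, that only the private key recovers the plaintext, and that the stolen ciphertext is a list of numbers rather than readable text. Real systems use vetted libraries with padding and large keys; this block exists only to make the slide's definition concrete.

```python
from __future__ import annotations
from math import gcd

# Toy textbook RSA for teaching the public/private key idea.  Tiny primes,
# no padding and byte-at-a-time encryption make it unsuitable for real use.


def generate_keypair(p: int, q: int, e: int = 17) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((e, n), (d, n)): the public key, then the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (e, n), (d, n)


def encrypt(public_key: tuple[int, int], plaintext: bytes) -> list[int]:
    """Anyone with the public key can encrypt: each byte m becomes m^e mod n."""
    e, n = public_key
    if n <= 255:
        raise ValueError("modulus too small to encode a byte")
    return [pow(m, e, n) for m in plaintext]


def decrypt(key: tuple[int, int], ciphertext: list[int]) -> list[int]:
    """Apply a key's exponent to each block; only the private key undoes encrypt()."""
    exponent, n = key
    return [pow(c, exponent, n) for c in ciphertext]


def demo(message: bytes = b"Account 4200") -> dict:
    """Show what a thief sees (numbers) versus what the key holder sees (text)."""
    public_key, private_key = generate_keypair(61, 53)
    ciphertext = encrypt(public_key, message)
    recovered = bytes(decrypt(private_key, ciphertext))
    # Using the public key to "decrypt" yields unrelated numbers, not the message.
    wrong_key_attempt = decrypt(public_key, ciphertext)
    return {
        "ciphertext": ciphertext,
        "recovered": recovered,
        "wrong_key_matches": wrong_key_attempt == list(message),
    }


if __name__ == "__main__":
    print(demo())
```

With p = 61, q = 53 and e = 17 the private exponent is 2753, and the byte 65 ('A') encrypts to 2790; the numbers are small enough to check by hand, which is exactly why this key size teaches the concept but protects nothing.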

Encryption

Firewalls
- One of the most common defenses for preventing a security breach is a firewall
- Firewall – hardware and/or software that guards a private network by analyzing the information leaving and entering the network

Firewalls
- Sample firewall architecture connecting systems located in Chicago, New York, and Boston (figure)
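The "analyzing the information leaving and entering the network" on the previous slide, as an added example that is not part of the original deck: a first-match packet filter in Python with a default-deny rule for each direction. The private address range (10.0.0.0/8), the hosts, the rule set and the sample packets are assumptions for a hypothetical site, not the Chicago/New York/Boston architecture in the slide's figure.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str        # "in" (entering the private network) or "out" (leaving it)
    proto: str            # "tcp", "udp" or "any"
    src: str              # source CIDR block
    dst: str              # destination CIDR block
    dport: Optional[int]  # destination port; None means any port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


# Assumed rule set for a hypothetical private network 10.0.0.0/8.
# Rules are evaluated top to bottom; the first match decides.
RULES = [
    Rule("in", "tcp", "0.0.0.0/0", "10.0.1.10/32", 443, "allow"),   # public HTTPS server
    Rule("in", "tcp", "10.0.0.0/8", "10.0.2.20/32", 22, "allow"),   # SSH only from inside
    Rule("in", "any", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),      # default deny inbound
    Rule("out", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443, "allow"),    # outbound HTTPS
    Rule("out", "udp", "10.0.0.0/8", "10.0.0.53/32", 53, "allow"),  # DNS to internal resolver
    Rule("out", "any", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),     # default deny outbound
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.proto not in ("any", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(pkt: Packet, rules: list[Rule] = RULES) -> tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); no match means deny."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed sample traffic (not from the slides).
SAMPLE_PACKETS = [
    Packet("in", "tcp", "203.0.113.5", "10.0.1.10", 443),     # web visitor
    Packet("in", "tcp", "203.0.113.5", "10.0.2.20", 22),      # SSH from the Internet
    Packet("in", "tcp", "10.0.5.7", "10.0.2.20", 22),         # SSH from inside
    Packet("out", "udp", "10.0.1.10", "10.0.0.53", 53),       # DNS to internal resolver
    Packet("out", "tcp", "10.0.1.10", "198.51.100.9", 25),    # outbound SMTP
    Packet("out", "udp", "10.0.1.10", "198.51.100.9", 53),    # DNS to an external server
]


def evaluate_all(packets=SAMPLE_PACKETS, rules=RULES) -> list[str]:
    """Action taken for each sample packet, in order."""
    return [evaluate(p, rules)[0] for p in packets]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", evaluate(pkt))
```

Returning the index of the deciding rule is a small habit that pays off in operations: when a log entry says a packet was dropped, the rule number tells you which line of policy did it, which is what an analyst needs when reviewing firewall logs.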

Detection and Response
- If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage
- Antivirus software is the most common type of detection and response technology

Detection and Response
- Hacker – people very knowledgeable about computers who use their knowledge to invade other people’s computers
  - White-hat hacker
  - Black-hat hacker
  - Hacktivist
  - Script kiddies or script bunnies
  - Cracker
  - Cyberterrorist

Detection and Response
- Virus – software written with malicious intent to cause annoyance or damage
  - Worm
  - Denial-of-service attack (DoS)
  - Distributed denial-of-service attack (DDoS)
  - Trojan-horse virus
  - Backdoor program
  - Polymorphic virus and worm

Detection and Response
- Security threats to e-business include:
  - Elevation of privilege
  - Hoaxes
  - Malicious code
  - Spoofing
  - Spyware
  - Sniffer
  - Packet tampering

OPENING CASE QUESTIONS: Sarbanes-Oxley
- What information security dilemmas are being solved by implementing Sarbanes-Oxley?
- How can Sarbanes-Oxley help protect a company’s information security?
- What impact does implementing Sarbanes-Oxley have on information security in a small business?
- What is the biggest information security roadblock for organizations attempting to achieve Sarbanes-Oxley compliance?

CLOSING CASE ONE: Banks Banking on Security
- What reason would a bank have for not wanting to adopt an online-transfer delay policy?
- What are the two primary lines of security defense and why are they important to financial institutions?
- Explain the differences between the types of security offered by the banks in the case

CLOSING CASE ONE: Banks Banking on Security
- What additional types of security, not mentioned in the case above, would you recommend a bank implement?
- Identify three policies a bank should implement to help it improve information security
- Describe monitoring policies along with the best way for a bank to implement monitoring technologies

CLOSING CASE TWO: Hacker Hunters
- What types of technology could big retailers use to prevent identity thieves from purchasing merchandise?
- What can organizations do to protect themselves from hackers looking to steal account data?
- Authorities frequently tap online service providers to track down hackers. Do you think it is ethical for authorities to tap an online service provider and read people’s e-mail? Why or why not?

CLOSING CASE TWO: Hacker Hunters
- Do you think it was ethical for authorities to use one of the high-ranking officials to trap other gang members? Why or why not?
- In a team, research the Internet and find the best ways to protect yourself from identity theft

CLOSING CASE THREE: Thinking Like the Enemy
- How could an organization benefit from attending one of the courses offered at the Intense School?
- What are the two primary lines of security defense and how can organizational employees use the information taught by the Intense School when drafting an information security plan?
- Determine the difference between the two primary courses offered at the Intense School, “Professional Hacking Boot Camp” and “Social Engineering in Two Days.” Which course is more important for organizational employees to attend?

CLOSING CASE THREE: Thinking Like the Enemy
- If your employer sent you to take a course at the Intense School, which one would you choose and why?
- What are the ethical dilemmas involved with having such a course offered by a private company?