CHAPTER 4 – ETHICS AND INFORMATION SECURITY

OPENING CASE – Additional Case Information
Sarbanes-Oxley: Where Information Technology, Finance, and Ethics Meet

According to critics, the Sarbanes-Oxley Act has caused a litany of ills: executives are retiring early, public companies are going private, foreign firms are listing abroad, and U.S. firms are losing their competitive edge. The sweeping law, written in the wake of the Enron scandal, has served as a scapegoat for all the evils facing corporate America since it was passed in 2002.

Beginning July 2006, the law's foes will have one less reason to complain. Foreign companies listed on U.S. exchanges must start complying with Sarbanes-Oxley beginning with fiscal years ending after July 15, if their market capitalization exceeds $75 million. Toyota Motor, Sony, HSBC Bank, British Petroleum, and hundreds of other companies that previously escaped the law will now be forced to comply. That is good news for U.S. companies, which can now compete on a more level playing field.
Chapter Four Overview

SECTION 4.1 – ETHICS
Information Ethics
Developing Information Management Policies
Ethics in the Workplace

SECTION 4.2 – INFORMATION SECURITY
Protecting Intellectual Assets
The First Line of Defense – People
The Second Line of Defense – Technology
Organizational Fundamentals – Ethics and Security

Ethics and security are two fundamental building blocks that organizations must base their businesses on to be successful. In recent years, events such as the Enron and Martha Stewart scandals, along with 9/11, have shed new light on the meaning of ethics and security.

Share any examples of unethical behavior you have recently observed.
Share any security issues you have recently encountered.

Many students have already experienced identity theft, stolen items, and phishing scams. Asking students to share their stories gets the class excited and involved with ethics and security.
ETHICS – SECTION 4.1

CLASSROOM OPENER
NOT-SO-GREAT BUSINESS DECISIONS – Scrushy Faces 30 Years in Prison

Richard Scrushy, former chief executive of HealthSouth, was convicted of bribing Don Siegelman, former governor of Alabama, for a seat on the state's hospital regulatory board, which oversaw some of his company's facilities. The verdict came a year and a day after Mr. Scrushy was found not guilty of involvement in a $2.7 billion accounting fraud at HealthSouth, which he built from scratch into America's largest provider of rehabilitative healthcare.

Mr. Siegelman, a Democrat who was governor from 1999 to 2003, was also convicted of bribery and mail fraud, following a seven-week trial and 11 days of jury deliberations. Prosecutors accused Mr. Siegelman of operating a "pay to play" scheme in which companies and contractors gave political donations in return for contracts and favors. The pair could each face up to 30 years in jail for the crimes.

UBS, the Swiss investment bank, was embroiled in the case through its role as former banker to HealthSouth. A former UBS banker testified that the bank had helped engineer Mr. Scrushy's payment to the lottery campaign by forgiving $250,000 in fees it was owed by a healthcare company through which the donation was funneled. Mike Martin, HealthSouth's former chief financial officer, told the jury he had put pressure on UBS, at Mr. Scrushy's behest, to help finance the donation. Mr. Scrushy denied the donation was a bribe, arguing he wanted to foster good relations with the governor and support his push to improve public education through a lottery.

HealthSouth was among the raft of US companies where large-scale frauds were discovered in the wake of the accounting scandals at Enron and WorldCom.
LEARNING OUTCOMES

4.1 Explain the ethical issues surrounding information technology
4.2 Identify the differences between an ethical computer use policy and an acceptable computer use policy
4.3 Describe the relationship between an e-mail privacy policy and an Internet use policy

4.1 Explain the ethical issues surrounding information technology.
Technology poses new challenges for our ethics – the principles and standards that guide our behavior toward other people.
Intellectual property – intangible creative work that is embodied in physical form.
Copyright – the legal protection afforded an expression of an idea, such as a song, video game, and some types of proprietary documents.
Fair use doctrine – in certain situations, it is legal to use copyrighted material.
Pirated software – the unauthorized use, duplication, distribution, or sale of copyrighted software.
Counterfeit software – software that is manufactured to look like the real thing and sold as such.

4.2 Identify the differences between an ethical computer use policy and an acceptable computer use policy.
An ethical computer use policy contains general principles to guide computer user behavior. The ethical computer use policy ensures all users are informed of the rules and, by agreeing to use the system on that basis, consent to abide by the rules.
An acceptable use policy (AUP) is a policy that a user must agree to follow in order to be provided access to a network or to the Internet. An AUP usually contains a nonrepudiation clause: nonrepudiation is a contractual stipulation to ensure that e-business participants do not deny (repudiate) their online actions.

4.3 Describe the relationship between an e-mail privacy policy and an Internet use policy.
Organizations can mitigate the risks of e-mail and instant messaging communication tools by implementing and adhering to an e-mail privacy policy. An e-mail privacy policy details the extent to which e-mail messages may be read by others.
An Internet use policy contains general principles to guide the proper use of the Internet. The Internet use policy covers all acts taking place on the Internet, whereas the e-mail privacy policy covers only e-mail.
LEARNING OUTCOMES

4.4 Explain the effects of spam on an organization
4.5 Summarize the different monitoring technologies and explain the importance of an employee monitoring policy

4.4 Explain the effects of spam on an organization.
Spam is unsolicited e-mail. Spam accounts for 40% to 60% of most organizations' e-mail and cost U.S. businesses over $13 billion in 2005. An anti-spam policy simply states that e-mail users will not send unsolicited e-mails (or spam).

4.5 Summarize the different monitoring technologies and explain the importance of an employee monitoring policy.
Different monitoring technologies include:
Key logger, or key trapper software – records keystrokes and mouse clicks
Hardware key logger – captures keystrokes on their way from the keyboard to the motherboard
Cookie – small file deposited on a hard drive by a Web site containing information about customers and their Web activities
Adware – generates self-installing ads
Spyware – hidden software that tracks online movements
Web log – consists of one line of information for every visitor to a Web site
Clickstream – records information about a customer during a Web surfing session

An employee monitoring policy explicitly states how, when, and where the company monitors its employees. An organization must formulate the right policies and put them into practice. CSOs that are explicit about what the company does in the way of monitoring and the reasons for it, along with actively educating their employees about what unacceptable behavior looks like, will find that employees not only acclimate quite quickly to a policy, but also reduce the CSO's burden by policing themselves.
ETHICS

Ethics – the principles and standards that guide our behavior toward other people

Issues affected by technology advances:
Intellectual property
Copyright
Fair use doctrine
Pirated software
Counterfeit software

Break your students into groups and ask them to find a real-world example of each type of ethical issue displayed in Figure 4.1. Ask your students to find additional ethical issues stemming from technology advances not mentioned in Figure 4.1.

Intellectual property – intangible creative work that is embodied in physical form
Copyright – the legal protection afforded an expression of an idea, such as a song, video game, and some types of proprietary documents
Fair use doctrine – in certain situations, it is legal to use copyrighted material
Pirated software – the unauthorized use, duplication, distribution, or sale of copyrighted software
Counterfeit software – software that is manufactured to look like the real thing and sold as such
ETHICS

Privacy is a major ethical issue.
Privacy – the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent
Confidentiality – the assurance that messages and information are available only to those who are authorized to view them

Privacy is an ethical issue, and there are numerous examples of ethical issues surrounding IT. List a few ethical IT examples that are currently in the news. Discuss the infamous case of Napster and present your students with the ethical issues surrounding music sharing and copyright laws.

Do you think tracking customer information from a Web site visit is ethical? What if the company sells the information?
Can you explain the difference between privacy and confidentiality?
ETHICS

One of the main ingredients in trust is privacy.
Primary reasons privacy issues lost trust for e-business:
Privacy during Web interactions is a major concern for many individuals.
Violating someone's privacy is a sure way to ruin a relationship.
E-business is built on the practice of exchanging large amounts of information between many parties.
Without privacy, there will not be any trust.

Have you ever had your privacy violated on the Internet? One of the most common examples is someone forwarding or bcc'ing (blind carbon copy) an e-mail without the person's knowledge or consent. For e-business to work, companies, customers, partners, and suppliers must trust each other.
INFORMATION ETHICS

Individuals form the only ethical component of IT.
Have you encountered any ethical dilemmas due to technology?

CLASSROOM EXERCISE – WHAT RIGHT DO I HAVE?
Bring a USB drive into class. At the beginning of class, state that you found the USB drive and ask whether it belongs to anyone.
How can you determine whose USB drive it is?
Should you plug it into your computer and read the information? Is that ethical?
What if the drive has all of the salaries of everyone at the college, or all of the grades for every student?
What if the drive contains a virus that wipes out your computer?
What should you do?
Information Has No Ethics

Acting ethically and legally are not always the same. Explain to your students that most organizations want to make decisions somewhere in quadrant I, both legal and ethical. Obviously this does not always happen, or we would not have examples such as Enron and Martha Stewart.

Can you name a company that operates in each quadrant?
I – Amazon
II – Microsoft – the government ruled that Microsoft was breaking antitrust laws and operating a monopoly, although Microsoft felt it was operating ethically and legally
III – Some lawyers
IV – Drug dealer
Information Has No Ethics

Information does not care how it is used.
Information will not stop itself from sending spam, viruses, or highly sensitive information.
Information cannot delete or preserve itself.
For these reasons it falls on the shoulders of those who lord over the information to develop ethical guidelines on how to manage it.

Review the figure discussing the currently established information-related laws.
DEVELOPING INFORMATION MANAGEMENT POLICIES

Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement.
ePolicies typically include:
Ethical computer use policy
Information privacy policy
Acceptable use policy
E-mail privacy policy
Internet use policy
Anti-spam policy

Organizations should develop written policies establishing employee guidelines, personnel procedures, and organizational rules. These policies set employee expectations about the organization's practices and standards and protect the organization from misuse of computer systems and IT resources.

Are any of these policies used at your college?
Ethical Computer Use Policy

Ethical computer use policy – contains general principles to guide computer user behavior
The ethical computer use policy ensures all users are informed of the rules and, by agreeing to use the system on that basis, consent to abide by the rules. For example, an ethical computer use policy might state that users should refrain from playing computer games during working hours.

CLASSROOM EXERCISE – Analyzing an Ethical Computer Use Policy
Break your students into groups and ask them to develop and define several ethical computer use policies that would be appropriate for your school or for a business of your choice. Have your students present their policies to the entire class.
Examples:
Users will not send spam
Users will not send harmful viruses
Users will not use offensive language or send offensive material
Extra exercise: have your students research the Internet for current lawsuits based on offensive e-mail.
Ethical Computer Use Policy

Review the six principles for ethical information management and rank them in order of greatest importance to least importance for an organization. This makes for an excellent classroom debate.
Information Privacy Policy

The unethical use of information typically occurs "unintentionally" when it is used for new purposes. For example, social security numbers started as a way to identify government retirement benefits and are now used as a sort of universal personal ID.
Information privacy policy – contains general principles regarding information privacy

Would you mind if your Visa company shared all of your purchasing information?
Who owns the information on your Visa?
Why would people want to purchase Visa information? To find marketing and sales opportunities.
Information Privacy Policy

Information privacy policy guidelines:
Adoption and implementation of a privacy policy
Notice and disclosure
Choice and consent
Information security
Information quality and access

Adoption and implementation of a privacy policy – an organization engaged in online activities or e-business has a responsibility to adopt and implement a policy for protecting the privacy of personal information.
Notice and disclosure – an organization's privacy policy must be easy to find, read, and understand.
Choice and consent – individuals must be given the opportunity to exercise choice regarding how personal information collected from them online may be used when such use is unrelated to the purpose for which the information was collected.
Information security – organizations creating, maintaining, using, or disseminating personal information should take appropriate measures to assure its reliability and protect it from loss, misuse, or alteration.
Information quality and access – organizations should establish appropriate processes or mechanisms so that inaccuracies in material personal information may be corrected.
Acceptable Use Policy

Acceptable use policy (AUP) – a policy that a user must agree to follow in order to be provided access to a network or to the Internet
An AUP usually contains a nonrepudiation clause.
Nonrepudiation – a contractual stipulation to ensure that e-business participants do not deny (repudiate) their online actions

Do you know of any incidents when someone online repudiated their actions? Remind your students that they should keep all of their e-mail, since this is one way to hold someone accountable (nonrepudiation).
Acceptable Use Policy

Most of your students probably signed an AUP when signing up with their ISP; ISPs typically require each customer to sign an AUP. Ask your students to rank the acceptable use policy stipulations in order of greatest importance to least importance for an ISP.
E-Mail Privacy Policy

Organizations can mitigate the risks of e-mail and instant messaging communication tools by implementing and adhering to an e-mail privacy policy.
E-mail privacy policy – details the extent to which e-mail messages may be read by others

Explain to your students that e-mail is not safe. E-mail can easily be read by:
Anyone who works for the Internet service provider
Anyone who works for the recipient's Internet service provider
Anyone who operates any of the perhaps dozens of Internet routers that the data packets will pass through
Anyone with physical access to the telephone switching equipment in the phone company's office

Do your students know that if they speak on the telephone with anyone in the United States, the telephone switching equipment at the phone company offices has wiretaps built into it for easy access by authorities – or actually anyone with the password, such as maintenance personnel? These wiretaps started appearing after the U.S. Congress passed the Digital Telephony Act, because of complaints by law enforcement that modern digital telephone systems were becoming harder to tap.
E-Mail Privacy Policy

80 percent of professional workers identified e-mail as their preferred means of corporate communications. Trends also show a dramatic increase in the adoption rate of instant messaging (IM) in the workplace.

Ask your students to rank the e-mail privacy policy stipulations in order of greatest importance to least importance for an ISP.
Internet Use Policy

Internet use policy – contains general principles to guide the proper use of the Internet
There are many reasons why an organization should implement an Internet use policy, including:
Large amounts of computing resources that Internet users can expend
Numerous materials that some might feel are offensive

Ask your students to rank the Internet use policy stipulations in order of greatest importance to least importance for an ISP.
Anti-Spam Policy

Spam – unsolicited e-mail
Spam accounts for 40% to 60% of most organizations' e-mail and cost U.S. businesses over $14 billion in 2005.
Anti-spam policy – simply states that e-mail users will not send unsolicited e-mails (or spam)

A few methods that an organization can follow to prevent spam include:
Disguise e-mail addresses posted in a public electronic place – instead of actually posting all of your employee e-mails on the corporate Web site, just post the name without the @xyz.com. That way spam-collecting devices will not recognize the e-mail addresses and will not be able to send e-mail.
Opt out of member directories that may place an e-mail address online – choose not to participate in any activities that place e-mail addresses online.
Use a filter – use a spam filter to help prevent spam.
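The two technical measures on this slide, withholding the @domain part from public postings and running a filter, can be shown in a few lines. The following is an added example for this note, not code from the textbook or its publisher; the staff names, the messages and the phrase list are constructed, and xyz.com is simply the placeholder domain the slide uses. The harvester-style pattern is used only as a self-check that the rendered directory exposes nothing.

```python
import re

# Constructed staff directory for illustration; xyz.com is the placeholder
# domain the slide itself uses, and these people are fictitious.
CORPORATE_DOMAIN = "xyz.com"
STAFF = [
    ("Alice Smith", "asmith@xyz.com"),
    ("Bob Jones", "bjones@xyz.com"),
]

# The kind of pattern an address-collecting script matches; used here only
# as a self-check that a public page gives nothing away.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def render_public_directory(staff):
    """Render the public staff listing the way the slide recommends:
    show the mailbox name only and withhold the @domain part."""
    lines = []
    for name, address in staff:
        mailbox = address.split("@", 1)[0]
        lines.append(f"{name}: {mailbox}")
    return "\n".join(lines)


def exposed_addresses(page_text):
    """Return every full e-mail address visible in a rendered page.
    An empty list means the disguise worked."""
    return ADDRESS_RE.findall(page_text)


# Constructed phrase list for a minimal rule-based filter. Real filters
# use statistical scoring and sender reputation; this shows the shape only.
SPAM_PHRASES = ("free money", "act now", "click here", "winner")


def is_spam(message, allowlist=(), threshold=2):
    """Flag a message when enough spam indicators add up.

    message is a dict with 'from', 'to', 'subject' and 'body' keys.
    Senders on the allowlist are never filtered, because false positives
    on legitimate mail are the main cost of any filter.
    """
    if message["from"].lower() in allowlist:
        return False
    text = (message["subject"] + " " + message["body"]).lower()
    score = sum(1 for phrase in SPAM_PHRASES if phrase in text)
    # Bulk mail often carries no personal recipient; count that as an indicator.
    if not message.get("to"):
        score += 1
    return score >= threshold


if __name__ == "__main__":
    page = render_public_directory(STAFF)
    print(page)
    print("exposed addresses:", exposed_addresses(page))
```

The threshold and allowlist are the two knobs a practitioner tunes: raising the threshold lowers false positives at the cost of letting more spam through, and an allowlist of known partners keeps business mail from being lost.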
ETHICS IN THE WORKPLACE

Workplace monitoring is a concern for many employees. Organizations can be held financially responsible for their employees' actions. The dilemma surrounding employee monitoring in the workplace is that an organization is placing itself at risk if it fails to monitor its employees; however, some people feel that monitoring employees is unethical.

The organization needs to protect itself by knowing what its employees are doing; however, does it have to monitor everything throughout the workplace? It is difficult to determine when employee monitoring crosses the ethical lines. What can an organization do to protect itself from such things as sexual harassment, discrimination, and other forms of unethical behavior where it can be held liable?

A recent survey of workplace monitoring and surveillance practices by the American Management Association (AMA) and the ePolicy Institute showed the degree to which companies are turning to monitoring:
82 percent (of the 1,627 companies surveyed) acknowledged conducting some form of electronic monitoring or physical surveillance
63 percent stated that they monitor Internet connections
47 percent acknowledged storing and reviewing employee e-mail messages
Monitoring Technologies

Discuss the different types of monitoring technologies outlined in the figure.

Monitoring Employee E-Mail: Efficient Workplaces vs. Employee Privacy – try this as a debate with your students:
http://searchtechtarget.techtarget.com/originalContent/0,289142,sid19_gci1202445,00.html
Monitoring Technologies

Monitoring – tracking people's activities by such measures as number of keystrokes, error rate, and number of transactions processed
Common monitoring technologies include:
Key logger or key trapper software
Hardware key logger
Cookie
Adware
Spyware
Web log
Clickstream

Key logger, or key trapper software – a program that, when installed on a computer, records every keystroke and mouse click
Hardware key logger – a hardware device that captures keystrokes on their journey from the keyboard to the motherboard
Cookie – a small file deposited on a hard drive by a Web site containing information about customers and their Web activities. Cookies allow Web sites to record the comings and goings of customers, usually without their knowledge or consent.
Adware – software that generates ads that install themselves on a computer when a person downloads some other program from the Internet
Spyware (sneakware or stealthware) – software that comes hidden in free downloadable software and tracks online movements, mines the information stored on a computer, or uses a computer's CPU and storage for some task the user knows nothing about
Web log – consists of one line of information for every visitor to a Web site and is usually stored on a Web server
Clickstream – records information about a customer during a Web surfing session, such as what Web sites were visited, how long the visit was, what ads were viewed, and what was purchased
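The last two items, the Web log and the clickstream, are related: a clickstream is what you get by grouping the one-line-per-request Web log into visits. The following added example (written for this note, not from the textbook) parses a few constructed log lines in the common Apache/NCSA format, splits each visitor's requests into sessions separated by more than 30 minutes of inactivity, and summarizes each session as the slide describes: pages visited, visit length, ads viewed, and whether a purchase occurred. The 30-minute gap, the /ads/ and /checkout path conventions, and the IP addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One request per line, in NCSA common log format (host, ident, user,
# [timestamp], "request", status, size).
LOG_LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed site conventions: ad images live under /ads/, purchases hit /checkout,
# and a silence of more than 30 minutes starts a new session.
AD_PREFIX = "/ads/"
PURCHASE_PREFIX = "/checkout"
SESSION_GAP = timedelta(minutes=30)

# Constructed sample log; the hosts and paths are invented. The last line is
# deliberately malformed to show that the parser skips what it cannot read.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2005:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
10.0.0.5 - - [10/Oct/2005:13:56:10 -0700] "GET /ads/banner1.gif HTTP/1.0" 200 512
10.0.0.5 - - [10/Oct/2005:14:02:00 -0700] "GET /products/widget HTTP/1.0" 200 4100
10.0.0.5 - - [10/Oct/2005:14:05:30 -0700] "POST /checkout HTTP/1.0" 200 900
10.0.0.9 - - [10/Oct/2005:14:03:12 -0700] "GET /index.html HTTP/1.0" 200 2326
10.0.0.5 - - [10/Oct/2005:16:00:00 -0700] "GET /index.html HTTP/1.0" 200 2326
this line is not a valid log entry
"""


def parse_log(text):
    """Turn raw Web log text into a list of request dicts, skipping bad lines."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "host": m["host"],
            "time": datetime.strptime(m["time"], TIME_FORMAT),
            "path": m["path"],
            "status": int(m["status"]),
        })
    return entries


def summarize(host, hits):
    """Describe one session the way a clickstream report would."""
    paths = [h["path"] for h in hits]
    return {
        "host": host,
        "pages": [p for p in paths if not p.startswith(AD_PREFIX)],
        "ads_viewed": [p for p in paths if p.startswith(AD_PREFIX)],
        "purchased": any(p.startswith(PURCHASE_PREFIX) for p in paths),
        "duration_seconds": int((hits[-1]["time"] - hits[0]["time"]).total_seconds()),
    }


def build_sessions(entries, gap=SESSION_GAP):
    """Group requests per host in time order and cut a new session at each long pause."""
    by_host = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["time"]):
        by_host[e["host"]].append(e)
    sessions = []
    for host, hits in by_host.items():
        current = [hits[0]]
        for hit in hits[1:]:
            if hit["time"] - current[-1]["time"] > gap:
                sessions.append(summarize(host, current))
                current = [hit]
            else:
                current.append(hit)
        sessions.append(summarize(host, current))
    return sessions


def clickstream_from_log(text):
    """Convenience wrapper: raw log text in, session summaries out."""
    return build_sessions(parse_log(text))


if __name__ == "__main__":
    for session in clickstream_from_log(SAMPLE_LOG):
        print(session)
```

The same grouping is what makes a Web log sensitive: once requests are tied to a visitor and ordered in time, the log reveals behavior, not just traffic volume, which is why the information privacy and employee monitoring policies on the surrounding slides have to say how such logs are used and retained.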
Employee Monitoring Policies

Employee monitoring policies – explicitly state how, when, and where the company monitors its employees

Ask your students to rank the employee monitoring policy stipulations in order of greatest importance to least importance for an organization.
OPENING CASE QUESTIONS – Sarbanes-Oxley

1. Define the relationship between ethics and the Sarbanes-Oxley Act.
2. Why is records management an area of concern for the entire organization and not just the IT department?
3. Identify two policies an organization can implement to achieve Sarbanes-Oxley compliance.

1. Define the relationship between ethics and the Sarbanes-Oxley Act.
The Sarbanes-Oxley Act (SOX) of 2002 is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices by organizations. One of the primary components of the Sarbanes-Oxley Act is the definition of which records are to be stored and for how long. How an organization decides which records to store, for how long, and whether to keep them unaltered rather than changing, deleting, or destroying them is where its ethics come into play. Simply deciding to comply with SOX will be an ethical issue for some organizations.

2. Why is records management an area of concern for the entire organization and not just the IT department?
Essentially, any public organization that uses IT as part of its financial business processes will find that it must put in place IT controls in order to be compliant with SOX. Since every department in an organization uses electronic records, the entire organization will be required to comply with records management, not just the IT department or the accounting department.

3. Identify two policies an organization can implement to achieve Sarbanes-Oxley compliance.
Ensure the current financial systems meet regulatory requirements for more accurate, detailed, and speedy filings.
Segregate the duties within the systems development staff so the people that code are different from the people that test.
OPENING CASE QUESTIONS – Sarbanes-Oxley

4. What ethical dilemmas are being solved by implementing Sarbanes-Oxley?
5. What is the biggest roadblock for organizations that are attempting to achieve Sarbanes-Oxley compliance?

4. What ethical dilemmas are being solved by implementing Sarbanes-Oxley?
Organizations want to make decisions that are both legal and ethical. SOX helps define what is legal and ethical. Prior to SOX it was up to the organization to determine what electronic records it would store, how long to store the electronic records, and what was considered destruction of electronic records. Organizations were storing different amounts of records for different time periods. The penalties for destroying information varied from organization to organization. SOX clearly defines what is ethical and legal in terms of electronic records management, giving organizations clear guidelines for ethical behavior.

5. What is the biggest roadblock for organizations that are attempting to achieve Sarbanes-Oxley compliance?
The expense of updating the systems and storing all of the records is one of the biggest roadblocks, as well as getting all people involved in adhering to the SOX act.
INFORMATION SECURITY – SECTION 4.2

This section takes a look at information security's two primary lines of defense:
People
Technology

CLASSROOM OPENER
GREAT BUSINESS DECISIONS – The American Express Charge Card

The product that led to the question "cash or charge?" was the American Express card, or, as Forbes called it: "the late-twentieth-century piece of magic that replaced checks, money, and charge accounts." The American Express card, and every other charge card, evolved from the company's greatest invention, the traveler's check, which was introduced in 1891. With an American Express traveler's check in hand, a visitor otherwise unknown could obtain hard cash in a matter of moments. It was a whole new concept, selling people the honor of being trusted, and it caught on.

The security of carrying a traveler's check instead of cash was one of its biggest benefits. The security of carrying a credit card instead of cash was an even bigger benefit. American Express celebrated its 100th birthday in 1950, and its staying power can be ascribed to its understanding that "A credit card, in short, is not a mere commodity, {but} it says something about the person who uses it." The company understood that the card could be considered much more than financial security; it could be a status symbol.
LEARNING OUTCOMES

4.6 Describe the relationship between information security policies and an information security plan
4.7 Summarize the five steps to creating an information security plan
4.8 Provide an example of each of the three primary security areas: (1) authentication and authorization, (2) prevention and resistance, and (3) detection and response
4.9 Describe the relationships and differences between hackers and viruses

4.6 Describe the relationship between information security policies and an information security plan.
The information security plan details how the organization will implement the information security policies. Information security policies identify the rules required to maintain information security.

4.7 Summarize the five steps to creating an information security plan.
Develop the information security policies
Communicate the information security policies
Identify critical information assets and risks
Test and reevaluate risks
Obtain stakeholder support

4.8 Provide an example of each of the three primary security areas.
Authentication and authorization – something the user knows, such as a user ID and password; something the user has, such as a smart card or token; something that is part of the user, such as a fingerprint or voice signature
Prevention and resistance – content filtering, encryption, firewalls
Detection and response – antivirus software

4.9 Describe the relationships and differences between hackers and viruses.
Hackers are people very knowledgeable about computers who use their knowledge to invade other people's computers. Viruses are software written with malicious intent to cause annoyance or damage.
PROTECTING INTELLECTUAL ASSETS

Organizational information is intellectual capital – it must be protected.
Information security – the protection of information from accidental or intentional misuse by persons inside or outside an organization
E-business automatically creates tremendous information security risks for organizations.

Do you agree that information requires protection?
What happens if all sales information for a business falls into the hands of its customers?
What happens if all employee pay rates and bonus information are distributed to all employees?
What happens if customer credit card numbers are posted to a Web site for anyone to view?
These are a few of the reasons why it is critical that information be highly protected.

With business strategies such as CRM, organizations can determine such things as their most valuable customers. Why would an organization want to protect this type of information?
Why does e-business automatically create security risks? How much critical information is freely flowing over the Internet to customers, partners, and suppliers?
How has HIPAA helped protect the privacy and security of personal health records? HIPAA requires health care organizations to develop, implement, and maintain appropriate security measures when sending electronic health information.
PROTECTING INTELLECTUAL ASSETS

Knowing how important information security is for an organization, do the above spending amounts seem correct? Why or why not?

CLASSROOM EXERCISE – Pizza Video
You can use this video in a number of classes; it relates well to both information security and ethics.
http://www.adcritic.com/interactive/view.php?id=5927
PROTECTING INTELLECTUAL ASSETS

The figure displays the spending per employee on computer security. The highest average computer security spending per employee was in the transportation industry and federal government – not surprising after 9/11.

Why is the transportation industry spending so high?
Why is the medical and retail industry spending so low?
Why is there such a large gap between federal government spending and local government spending?
THE FIRST LINE OF DEFENSE – PEOPLE

Organizations must enable employees, customers, and partners to access information electronically. The biggest issue surrounding information security is not a technical issue, but a people issue. 33% of security incidents originate within the organization.
Insiders – legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident

Most information security breaches result from people misusing an organization's information, either advertently or inadvertently. For example, many people freely give up their passwords or write them on sticky notes next to their computers, leaving the door wide open to intruders.

CLASSROOM EXERCISE
Ask your students to research the Internet to find the latest version of the CSI/FBI Computer Crime and Security Survey to find the newest information on computer crime and security breaches.
THE FIRST LINE OF DEFENSE - PEOPLE
The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan
Information security policies – identify the rules required to maintain information security
Information security plan – details how an organization will implement the information security policies

Have your students review the sample information security plan in Figure 4.18.

CLASSROOM EXERCISE
Break your students into groups and ask them to research and review your school's information security plan. What did the plan address that your students found surprising? What is the plan missing or failing to address? If your students were responsible for updating the plan, what would they add?
THE FIRST LINE OF DEFENSE - PEOPLE
Hackers frequently use "social engineering" to obtain passwords
Social engineering – using one's social skills to trick people into revealing access credentials or other information valuable to the attacker

Ask your students to share any experiences they have had with social engineering through stolen passwords or identity theft. If they had to try to social engineer a password from another student, what would they do?
THE FIRST LINE OF DEFENSE - PEOPLE
Five steps to creating an information security plan:
1. Develop the information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks
4. Test and reevaluate risks
5. Obtain stakeholder support

Have your students review the five steps for creating an information security plan detailed in Figure 4.19.
1. Develop the information security policies. Simple yet effective types of information security policies include requiring users to log off of their systems before leaving for lunches or meetings, never sharing passwords, and changing personal passwords every 60 days. Ask your students what other types of information security policies they have encountered.
2. Communicate the information security policies. Train all employees and establish clear expectations for following the policies. For example, a formal reprimand can be expected if a computer is left unsecured.
3. Identify critical information assets and risks. Require the use of user IDs, passwords, and antivirus software on all systems. Ensure that systems that contain links to external networks have firewalls and IDS software.
4. Test and reevaluate risks. Continually perform security reviews, audits, background checks, and security assessments.
5. Obtain stakeholder support. Gain the approval and support of the information security policies by the Board of Directors and all stakeholders.
THE FIRST LINE OF DEFENSE - PEOPLE
CLASSROOM EXERCISE: Defending People
Break your students into groups and ask them to rank the questions in order of importance. Ask your students to identify any additional questions not covered in the text. Have your students present their ranking and additional questions to the rest of the class. This makes for an excellent debate.
THE SECOND LINE OF DEFENSE - TECHNOLOGY
There are three primary information technology security areas:
1. Authentication and authorization
2. Prevention and resistance
3. Detection and response

International Data Corp. estimated worldwide spending on IT security software, hardware, and services would top $35 billion in 2004. Organizations can deploy numerous technologies to prevent information security breaches. When determining which types of technologies to invest in, it helps to understand the three primary information security areas listed above.
Authentication and Authorization
Authentication – a method for confirming users' identities
Authorization – the process of giving someone permission to do or have something
The most secure type of authentication involves:
1. Something the user knows, such as a user ID and password
2. Something the user has, such as a smart card or token
3. Something that is part of the user, such as a fingerprint or voice signature

What types of authentication are you using today? What type is used at your bank? What type is used for your online banking? Is it secure? Why or why not? What type would you like for your online banking?
Something the User Knows Such As a User ID and Password
This is the most common way to identify individual users and typically contains a user ID and a password
This is also the most ineffective form of authentication
Over 50 percent of help-desk calls are password related

Have any of you ever had your authentication method hacked? What was the outcome? How many of you have had to call a help-desk due to a password-related issue?
Something the User Knows Such As a User ID and Password
Identity theft – the forging of someone's identity for the purpose of fraud
Phishing – a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail

Discuss the identity theft examples covered in Figure 4.21:
An 82-year-old woman in Fort Worth, Texas, discovered that her identity had been stolen when the woman using her name was involved in a four-car collision. For 18 months, she kept getting notices of lawsuits and overdue medical bills that were really meant for someone else. It took seven years for her to get her financial good name restored after the identity thief charged over $100,000 on her 12 fraudulently acquired credit cards.
A 42-year-old retired Army captain in Rocky Hill, Connecticut, found that an identity thief had spent $260,000 buying goods and services that included two trucks, a Harley-Davidson motorcycle, and a time-share vacation home in South Carolina. The victim discovered his problem only when his retirement pay was garnished to pay the outstanding bills.
In New York, members of a pickpocket ring forged the driver's licenses of their victims within hours of snatching the women's purses. Stealing a purse typically results in around $200, if not less. But stealing the person's identity can net on average between $4,000 and $10,000.
A crime gang took out $8 million worth of second mortgages on victims' homes. It turned out the source of all the instances of identity theft was a car dealership.
The largest identity-theft scam to date in U.S. history was broken up by police in 2002 when they discovered that three men had downloaded credit reports using stolen passwords and sold them to criminals on the street for $60 each. Many millions of dollars were stolen from people in all 50 states.
Something the User Knows Such As a User ID and Password
The above figure displays identity theft losses by 2005 (billions of dollars)

Have any of you ever been the victim of identity theft? How did the theft occur? What was stolen? How difficult was it to recover? What could you have done to prevent the theft?
A new business is growing for identity theft insurance, which costs between $15 and $50 per month. Would you purchase this insurance? Why or why not?
Something the User Has Such As a Smart Card or Token
Smart cards and tokens are more effective than a user ID and a password
Tokens – small electronic devices that change user passwords automatically
Smart card – a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing
Smart cards can act as identification instruments, a form of digital cash, or a data storage device with the ability to store an entire medical record

Identify a business opportunity that could take advantage of smart card technology. Europe is deploying smart cards for season ticket holders of soccer games. Could the U.S. use the same for NFL games? Yes, we could offer smart cards for NFL games; however, many NFL season tickets are owned by a group of people who share the tickets – how would they share a smart card?
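How a token "changes the user's password automatically", as an added example that is not part of the textbook or slides: the token and the server share a secret seed and each derives the same six-digit code from a counter (HOTP, RFC 4226) or from the current 30-second time step (TOTP, RFC 6238), so the code differs every time and is refused once it has been used. The seed is the RFC 4226 test-vector secret, used here purely for illustration.

```python
"""One-time-password token (HOTP / TOTP) with a server-side verifier."""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret; constructed for illustration, not a real credential.
SHARED_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Derive a one-time code from the shared seed and an 8-byte big-endian counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation, RFC 4226 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of `step`-second intervals since the epoch."""
    return hotp(seed, unix_time // step, digits)


class TokenServer:
    """Verifier for an event-based (HOTP) token.

    Remembers the highest counter already consumed so a code is accepted only
    once, and tolerates a small look-ahead window for a token whose counter
    drifted ahead (the user pressed the button without logging in).
    """

    def __init__(self, seed: bytes, window: int = 3):
        self.seed = seed
        self.window = window
        self.last_counter = -1          # no code consumed yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for candidate in range(start, start + self.window):
            if hmac.compare_digest(hotp(self.seed, candidate), code):
                self.last_counter = candidate   # this and all earlier counters are now spent
                return True
        return False


def demo() -> dict:
    """Walk through a login, a replay of the same code, and the next code."""
    server = TokenServer(SHARED_SEED)
    first = hotp(SHARED_SEED, 0)        # what the token shows on its first press
    second = hotp(SHARED_SEED, 1)       # what it shows on the next press
    return {
        "codes": [first, second],
        "first_accepted": server.verify(first),
        "replay_rejected": not server.verify(first),   # same code again is refused
        "second_accepted": server.verify(second),
        "totp_at_t59": totp(SHARED_SEED, 59),          # RFC 6238 vector, last six digits
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```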
Something That Is Part Of The User Such As a Fingerprint or Voice Signature
This is by far the best and most effective way to manage authentication
Biometrics – the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting
Unfortunately, this method can be costly and intrusive

How many of your students would like to have an iris scan performed each time they entered your classroom or took an exam?
Prevention and Resistance
Downtime can cost an organization anywhere from $100 to $1 million per hour
Technologies available to help prevent and build resistance to attacks include:
1. Content filtering
2. Encryption
3. Firewalls

How much would it cost eBay or Amazon.com if their systems were down for one day? One 22-hour outage in June 2000 caused eBay's market cap to plunge $5.7 billion.
Content Filtering
Organizations can use content filtering technologies to filter e-mail, prevent e-mails containing sensitive information from being transmitted, and stop spam and viruses from spreading.
Content filtering – occurs when organizations use software that filters content to prevent the transmission of unauthorized information
Spam – a form of unsolicited e-mail
Figure: Corporate losses caused by spam

How many spam messages do you receive each day? What types of preventative measures have you taken to stop spam? How many use antivirus software to prevent spam? More importantly, how many have current, up-to-date antivirus software, and how frequently do they actually run it and scan their computers for viruses? Research the Internet and find several different spam filters and antivirus software products that protect computer users.
Encryption
If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it
Encryption – scrambles information into an alternative form that requires a key or password to decrypt the information
Public key encryption (PKE) – an encryption system that uses two keys: a public key for everyone and a private key for the recipient

How long would it take a hacker to break an encryption code on a Word document? Many hundreds of years, although on television it only takes 10 minutes. Research the Web to find information about encryption technologies that you can use to protect sensitive information.
Encryption An important element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key.
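The public/private key relationship described above, as an added example that is not part of the textbook or slides: textbook RSA with deliberately tiny primes so the arithmetic is visible. The public key (e, n) encrypts, only the private key (d, n) decrypts, and the last function shows why real keys are 2048 bits or more: with a tiny modulus the private key can be deduced from the public one simply by factoring n. The primes, message and byte-at-a-time encoding without padding are constructed for illustration.

```python
"""Textbook RSA: public key encrypts, private key decrypts, and why key size matters."""
from __future__ import annotations

from math import gcd, isqrt


def generate_keypair(p: int, q: int, e: int = 17) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((e, n), (d, n)) from two distinct primes p and q (constructed inputs)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q                            # the public modulus
    phi = (p - 1) * (q - 1)              # Euler's totient of n, known only to the key owner
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                  # private exponent: e * d = 1 (mod phi); Python 3.8+
    return (e, n), (d, n)


def encrypt(message: bytes, public_key: tuple[int, int]) -> list[int]:
    """Sender uses the recipient's PUBLIC key: c = m^e mod n, one byte per block (toy; no padding)."""
    e, n = public_key
    if n < 256:
        raise ValueError("modulus must exceed 255 to encode a byte")
    return [pow(m, e, n) for m in message]


def decrypt(ciphertext: list[int], key: tuple[int, int]) -> list[int]:
    """Recipient uses the PRIVATE key: m = c^d mod n.

    Returns plain integers rather than bytes so that the garbage produced by
    the wrong key (for example the public key) is visible instead of raising.
    """
    exponent, n = key
    return [pow(c, exponent, n) for c in ciphertext]


def recover_private_key(public_key: tuple[int, int]) -> tuple[int, int]:
    """Factor n by trial division and rebuild d.

    This is the attack that large moduli make infeasible: it finishes instantly
    for n = 3233 and would not finish in any lifetime for a 2048-bit n.
    """
    e, n = public_key
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1)), n
    raise ValueError("n has no non-trivial factor; not an RSA modulus")


def demo() -> dict:
    """Round trip with the right key, failure with the wrong one, and the factoring shortcut."""
    public_key, private_key = generate_keypair(61, 53)      # n = 3233, d = 2753
    message = b"Hi"                                           # constructed plaintext
    ciphertext = encrypt(message, public_key)
    return {
        "public_key": public_key,
        "private_key": private_key,
        "ciphertext": ciphertext,
        "recovered": bytes(decrypt(ciphertext, private_key)),
        "with_public_key_only": decrypt(ciphertext, public_key),  # not the message
        "factored_private_key": recover_private_key(public_key),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```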
Firewalls
One of the most common defenses for preventing a security breach is a firewall
Firewall – hardware and/or software that guards a private network by analyzing the information leaving and entering the network
A firewall examines each message that wants entrance to the network, and unless the message has the correct marking, the firewall prevents it from entering the network

What would happen to an organization that did not have firewalls at the entrance of its networks? This organization's servers would not be operating for long because they would be continually hacked.
Firewalls
Figure: Sample firewall architecture connecting systems located in Chicago, New York, and Boston

Point out to your students the placement of the firewalls between the servers and the Internet.
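The check a firewall performs on each message, as an added example that is not part of the textbook or slides: a stateless packet filter walks an ordered rule list, the first matching rule decides, and a packet that matches no rule is dropped (default deny). The perimeter layout (public servers in one range, workstations in another), the rules and the sample packets are constructed, using documentation address ranges.

```python
"""Stateless packet filter: ordered rules, first match wins, default deny."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" = arriving from the Internet, "out" = leaving the private network
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str
    src_net: str                    # CIDR; "0.0.0.0/0" matches any address
    dst_net: str
    proto: str                      # protocol name or "any"
    dst_port: Optional[int] = None  # None matches any port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction == pkt.direction
            and ip_address(pkt.src) in ip_network(self.src_net)
            and ip_address(pkt.dst) in ip_network(self.dst_net)
            and self.proto in ("any", pkt.proto)
            and (self.dst_port is None or self.dst_port == pkt.dst_port)
        )


def filter_packet(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Return (decision, reason). The first matching rule decides; otherwise default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "no matching rule (default deny)"


# Constructed perimeter policy: public servers in 203.0.113.0/24, workstations in 10.0.0.0/8.
# Order matters: the specific allow rules come first, the telnet deny covers the whole server range.
RULES = [
    Rule("allow", "in", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443, "public web server, HTTPS"),
    Rule("allow", "in", "0.0.0.0/0", "203.0.113.20/32", "tcp", 25, "mail server, SMTP"),
    Rule("deny", "in", "0.0.0.0/0", "203.0.113.0/24", "tcp", 23, "telnet is never accepted"),
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0", "any", None, "internal hosts may initiate outbound"),
]

# Constructed traffic sample; 198.51.100.7 stands for an arbitrary Internet host.
SAMPLE_TRAFFIC = [
    Packet("in", "198.51.100.7", "203.0.113.10", "tcp", 443),   # customer browsing the Web site
    Packet("in", "198.51.100.7", "203.0.113.10", "tcp", 3389),  # remote desktop to the web server
    Packet("in", "198.51.100.7", "203.0.113.20", "tcp", 25),    # inbound mail
    Packet("in", "198.51.100.7", "203.0.113.20", "tcp", 23),    # telnet to the mail server
    Packet("in", "198.51.100.7", "10.0.0.5", "tcp", 445),       # file sharing to an internal workstation
    Packet("out", "10.0.0.5", "198.51.100.7", "tcp", 80),       # workstation browsing out
    Packet("out", "192.168.1.9", "198.51.100.7", "udp", 53),    # source outside the approved internal range
]


def run_policy(rules: list[Rule], traffic: list[Packet]) -> list[str]:
    """Decision for each packet, in order."""
    return [filter_packet(rules, pkt)[0] for pkt in traffic]


def denied_log(rules: list[Rule], traffic: list[Packet]) -> list[str]:
    """Log lines for dropped packets: the record a firewall hands to detection and response."""
    lines = []
    for pkt in traffic:
        decision, reason = filter_packet(rules, pkt)
        if decision == "deny":
            port = "" if pkt.dst_port is None else f":{pkt.dst_port}"
            lines.append(f"DENY {pkt.direction} {pkt.proto} {pkt.src} -> {pkt.dst}{port} ({reason})")
    return lines


if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_TRAFFIC, run_policy(RULES, SAMPLE_TRAFFIC)):
        print(f"{decision:5} {pkt}")
    print("\n".join(denied_log(RULES, SAMPLE_TRAFFIC)))
```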
Detection and Response
If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage
Antivirus software is the most common type of detection and response technology
A single worm can cause massive damage

In August 2003, the "Blaster worm" infected over 50,000 computers worldwide and was one of the worst outbreaks of the year. Jeffrey Lee Parson, 18, was arrested by U.S. cyber investigators for unleashing the damaging worm on the Internet. The worm replicated itself repeatedly, eating up computer capacity, but did not damage information or programs. The worm generated so much traffic that it brought entire networks down.
Detection and Response
Hackers – people very knowledgeable about computers who use their knowledge to invade other people's computers
White-hat hackers – work at the request of the system owners to find system vulnerabilities and plug the holes
Black-hat hackers – break into other people's computer systems and may just look around or may steal and destroy information
Hacktivists – have philosophical and political reasons for breaking into systems and will often deface the Web site as a protest
Script kiddies or script bunnies – find hacking code on the Internet and click-and-point their way into systems to cause damage or spread viruses
Crackers – hackers with criminal intent
Cyberterrorists – seek to cause harm to people or to destroy critical systems or information and use the Internet as a weapon of mass destruction
Detection and Response
Virus – software written with malicious intent to cause annoyance or damage
Worm – a type of virus that spreads itself, not only from file to file, but also from computer to computer. The primary difference between a virus and a worm is that a virus must attach to something, such as an executable file, in order to spread. Worms do not need to attach to anything to spread and can tunnel themselves into computers.
Denial-of-service attack (DoS) – floods a Web site with so many requests for service that it slows down or crashes the site
Distributed denial-of-service attack (DDoS) – attacks from multiple computers that flood a Web site with so many requests for service that it slows down or crashes. A common type is the Ping of Death, in which thousands of computers try to access a Web site at the same time, overloading it and shutting it down.
Trojan-horse virus – hides inside other software, usually as an attachment or a downloadable file
Backdoor programs – viruses that open a way into the network for future attacks
Polymorphic viruses and worms – change their form as they propagate
Detection and Response
Security threats to e-business include:
Elevation of privilege – a process by which a user misleads a system into granting unauthorized rights, usually for the purpose of compromising or destroying the system. For example, an attacker might log on to a network by using a guest account, and then exploit a weakness in the software that lets the attacker change the guest privileges to administrative privileges.
Hoaxes – attack computer systems by transmitting a virus hoax with a real virus attached. By masking the attack in a seemingly legitimate message, unsuspecting users more readily distribute the message and send the attack on to their co-workers and friends, infecting many users along the way.
Malicious code – includes a variety of threats such as viruses, worms, and Trojan horses
Spoofing – the forging of the return address on an e-mail so that the e-mail message appears to come from someone other than the actual sender. This is not a virus but rather a way by which virus authors conceal their identities as they send out viruses.
Spyware – software that comes hidden in free downloadable software and tracks online movements, mines the information stored on a computer, or uses a computer's CPU and storage for some task the user knows nothing about. According to the National Cyber Security Alliance, 91 percent of study participants had spyware on their computers, which can cause extremely slow performance, excessive pop-up ads, or hijacked home pages.
Sniffer – a program or device that can monitor data traveling over a network. Sniffers can show all the data being transmitted over a network, including passwords and sensitive information. Sniffers tend to be a favorite weapon in the hacker's arsenal.
Packet tampering – altering the contents of packets as they travel over the Internet or altering data on computer disks after penetrating a network. For example, an attacker might place a tap on a network line to intercept packets as they leave the computer. The attacker could eavesdrop or alter the information as it leaves the network.
OPENING CASE QUESTIONS: Sarbanes-Oxley
What information security dilemmas are being solved by implementing Sarbanes-Oxley?
How can Sarbanes-Oxley help protect a company's information security?
What impact does implementing Sarbanes-Oxley have on information security in a small business?
What is the biggest information security roadblock for organizations attempting to achieve Sarbanes-Oxley compliance?

6. What information security dilemmas are being solved by implementing Sarbanes-Oxley?
SOX defines rules regarding the destruction, alteration, or falsification of information. It states that persons who knowingly alter, destroy, mutilate, conceal, or falsify documents shall be fined or imprisoned for not more than 20 years, or both. Stating a clear punishment for tampering with information is an additional deterrent that will make hackers and insiders think twice before performing illegal actions.

7. How can Sarbanes-Oxley help protect a company's information security?
The first line of defense in information security is people. Ensuring all people using or having access to organizational information are aware of SOX compliance will help protect the company's information. Just by implementing SOX, an organization is protecting its information by storing the many different types of information for long periods of time.

8. What impact does implementing Sarbanes-Oxley have on information security in a small business?
Sarbanes-Oxley will be a large expense to implement for a small business. Part of this expense will be offset by the benefits achieved from an information security point of view. By requiring the company to archive certain types of information, the company will find itself in a better position if it experiences some form of disaster or data loss. Many small businesses fail to save and archive information, and putting the appropriate processes in place to achieve Sarbanes-Oxley compliance just might be a good thing for small businesses to implement.

9. What is the biggest information security roadblock for organizations attempting to achieve Sarbanes-Oxley compliance?
The expense of updating the systems and storing all of the records is one of the biggest roadblocks, as well as getting all people involved in adhering to the SOX act.
CLOSING CASE ONE: Banks Banking on Security
What reason would a bank have for not wanting to adopt an online-transfer delay policy?
What are the two primary lines of security defense and why are they important to financial institutions?
Explain the differences between the types of security offered by the banks in the case

1. What reason would a bank have for not wanting to adopt an online-transfer delay policy?
Operating in a 24x7 world means instant gratification for many people. Barclay's online-transfer delay provides additional security, but loses the real-time response that many people expect when dealing with the Internet. A bank may choose not to implement an online-transfer delay if its customers view speed and efficiency as a key factor.

2. What are the two primary lines of security defense and why are they important to financial institutions?
The two primary lines of security defense are people and technology. Since banks deal with money, they must offer the most advanced security features to keep their customers' finances safe. According to Figure 4.17, the financial industry has the fifth highest expenditure/investment per employee for computer security. An unsafe bank will not operate long.

3. Explain the difference between the types of security offered by the banks in the case. Which bank would you open an account with and why?
Bank of America is implementing authentication and authorization technologies such as online computer identification.
Wells Fargo & Company is implementing authentication and authorization technologies such as additional password criteria.
E-Trade Financial Corporation is implementing authentication and authorization technologies such as Digital Security IDs.
Barclay's Bank is implementing prevention technologies such as online-transfer delays and account monitoring.
CLOSING CASE ONE: Banks Banking on Security
What additional types of security, not mentioned in the case above, would you recommend a bank implement?
Identify three policies a bank should implement to help it improve information security
Describe monitoring policies along with the best way for a bank to implement monitoring technologies

4. What additional types of security, not mentioned in the case above, would you recommend a bank implement?
Banks need to implement security technologies for all three primary areas, including:
Authentication and authorization - something the user knows, such as a user ID and password; something the user has, such as a smart card or token; something that is part of the user, such as a fingerprint or voice signature
Prevention and resistance - content filtering, encryption, firewalls
Detection and response – antivirus software
Providing a combination of all three types is optimal.

5. Identify three policies a bank should implement to help it improve information security.
Information security plans detail how the organization will implement the information security policies. Information security policies identify the rules required to maintain information security. Banks must implement information security plans that focus on the following:
Identification and assessment of risks to customer information
Ensuring the security and confidentiality of protected information
Protecting against unauthorized access to or use of protected information that could result in substantial harm or inconvenience to any customer
Interception of data during transmission
Loss of data integrity
Physical loss of data in a disaster
Errors introduced into the system
Corruption of data or systems
Unauthorized access of data and information
Unauthorized transfer of data to third parties

6. Describe monitoring policies along with the best way for a bank to implement monitoring technologies.
Information technology monitoring is tracking people's activities by such measures as number of keystrokes, error rate, and number of transactions processed. An organization must formulate the right monitoring policies and put them into practice. The best path for an organization planning to engage in employee monitoring is open communication surrounding the issue. Employee monitoring policies explicitly state how, when, and where the company monitors its employees. CSOs that are explicit about what the company does in the way of monitoring and the reasons for it, along with actively educating their employees about what unacceptable behavior looks like, will find that employees not only acclimate quickly to a policy, but also reduce the CSO's burden by policing themselves.
CLOSING CASE TWO: Hacker Hunters
What types of technology could big retailers use to prevent identity thieves from purchasing merchandise?
What can organizations do to protect themselves from hackers looking to steal account data?
Authorities frequently tap online service providers to track down hackers. Do you think it is ethical for authorities to tap an online service provider and read people's e-mail? Why or why not?

1. What types of technology could big retailers use to prevent identity thieves from purchasing merchandise?
Authentication and authorization technologies such as biometrics could help big retailers prevent identity theft by ensuring the customer is the customer. Detection and response technologies could help big retailers identify fraudulent accounts by flagging patterns such as multiple transactions from different locations around the country, or unusually large purchases in a short period of time. The retailer could then contact the customer directly if account information looked suspicious to verify the account was being used legally.

2. What can organizations do to protect themselves from hackers looking to steal account data?
The first step in information security is people. Informing employees about social engineering, safeguarding against insiders, and implementing information security policies and procedures is a solid start for any organization looking to prevent information theft. The second step is technology, including:
Authentication and authorization - something the user knows, such as a user ID and password; something the user has, such as a smart card or token; something that is part of the user, such as a fingerprint or voice signature
Prevention and resistance - content filtering, encryption, firewalls
Detection and response – antivirus software

3. Authorities frequently tap online service providers to track down hackers. Do you think it is ethical for authorities to tap an online service provider and read people's e-mail? Why or why not?
Answers to this question will vary based on each student's ethics. Privacy is the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent. E-mail monitoring without the person's knowledge can be considered an invasion of that person's privacy. An organization has the responsibility to act ethically and legally and must take measures to ensure it does so according to law, policies, and procedures. Authorities must be able to protect the community from potentially dangerous situations. Organizations and authorities must be able to use monitoring technologies to determine if there might be a dangerous situation or a person acting unethically or illegally. There is a fine line between privacy and social responsibility.
CLOSING CASE TWO: Hacker Hunters
Do you think it was ethical for authorities to use one of the high-ranking officials to trap other gang members? Why or why not?
In a team, research the Internet and find the best ways to protect yourself from identity theft

4. Do you think it was ethical for authorities to use one of the high-ranking officials to trap other gang members? Why or why not?
Answers to this question will vary based on each student's ethics. Using any means possible to catch criminals is typically a valid point of view. However, if those means become unethical then it is difficult to determine who is breaking the law.

5. In a team, research the Internet and find the best ways to protect yourself from identity theft.
http://www.consumer.gov/idtheft/
This is the Federal Trade Commission national resource about identity theft. The Web site offers a one-stop national resource to learn about the crime of identity theft. It provides detailed information to help you Deter, Detect, and Defend against identity theft. While there are no guarantees about avoiding identity theft, there are steps you can take to minimize your risk and minimize the damage if a problem occurs:
Deter identity thieves by safeguarding your information
Detect suspicious activity by routinely monitoring your financial accounts and billing statements
Defend against ID theft as soon as you suspect a problem
CLOSING CASE THREE: Thinking Like the Enemy
How could an organization benefit from attending one of the courses offered at the Intense School?
What are the two primary lines of security defense and how can organizational employees use the information taught by the Intense School when drafting an information security plan?
Determine the difference between the two primary courses offered at the Intense School, "Professional Hacking Boot Camp" and "Social Engineering in Two Days." Which course is more important for organizational employees to attend?

1. How could an organization benefit from attending one of the courses offered at the Intense School?
Information technology departments must know how to protect organizational information. Therefore, organizations must teach their IT personnel how to protect their systems, especially in light of the many new government regulations that demand secure systems, such as HIPAA. By understanding how hackers work, how they break locks, and what types of information they steal, an organization can defend itself against such attacks by building more secure IT infrastructures. For example, by knowing that most break-ins occur through an unlocked basement window, a person can place locks on all basement windows, thereby decreasing the chance of having someone break in to their home. Without this initial knowledge, it would be difficult for the person to know where to apply the locks.

2. What are the two primary lines of security defense and how can organizational employees use the information taught by the Intense School when drafting an information security plan?
The two primary lines of security defense are people first and technology second. Employees can use the information taught at the Intense School to draft an information security plan that details how an organization will implement the information security policies. The school will most likely teach many of the tricks of social engineering and hacking, which the employees can use to create the detailed information security policies. For example:
Employees are not to reveal authentication information to anyone who does not have a current corporate IT badge
Employees are not to leave any computer stations unsecured over lunches or during meetings
All employee computers should have screen saver locks set to activate automatically whenever the computer is idle for more than ten minutes
All employees must have current antivirus software that runs daily at 12:00 noon

3. Determine the difference between the two primary courses offered at the Intense School, "Professional Hacking Boot Camp" and "Social Engineering in Two Days." Which course is more important for organizational employees to attend?
The Professional Hacking Boot Camp probably includes topics such as hackers, viruses, malicious code, hoaxes, spoofing, and sniffers. Social Engineering in Two Days probably includes such topics as building trust, dressing appropriately, and using/building relationships. Determining which course to send employees to would depend on the type of business. Chances are an organization will benefit from sending its employees to both.
CLOSING CASE THREE: Thinking Like the Enemy
If your employer sent you to take a course at the Intense School, which one would you choose and why?
What are the ethical dilemmas involved with having such a course offered by a private company?

4. If your employer sent you to take a course at the Intense School, which one would you choose and why?
Student answers to this question will vary. The Professional Hacking Boot Camp would be of interest to students who want to learn how to technically safeguard an organization from hackers. The Social Engineering in Two Days course would be of interest to students who want to learn how to use people to safeguard an organization. Looking at majors might help students determine which course to attend. Human resources and management majors might want to attend Social Engineering, while finance, accounting, and marketing majors might want to attend Hacking Boot Camp. Of course, it is best for everyone to attend both to ensure they are protected using both people and technology.

5. What are the ethical dilemmas involved with having such a course offered by a private company?
There is the possibility that unethical students will take the course to learn more about hacking and use course information to perform illegal activities. The Intense School needs to ensure it screens all students to try to prevent a person with the wrong intent from attending the school.