MIS 301 Information Systems in Organizations


MIS 301 Information Systems in Organizations Dave Salisbury salisbury@udayton.edu (email) http://www.davesalisbury.com/ (web site)

Talking Points
- Security, Ethics and Privacy
- Ethical Issues
- Information Systems Defense and Control: Corporate, Individual
- Law & Order

Security & Ethical Challenges
- Privacy
- Accuracy
- Property
- Access
- Computer Crime
- Human Impacts

Security Issues
- Physical Security: making sure the hardware is safe and not tampered with
- Logical Security: making sure that software and data are not manipulated, stolen or tampered with

Security Issues
Physical Security Issues:
- Access methods
- Security codes
- Theft of equipment
- Fire
- Natural disaster
- Man-made disaster
- Electrical failure
Logical Security Issues:
- Viruses
- Denial of service
- Email as virus transmission
- Disaster recovery & backups
- Phishing & pharming
- Identity theft
- Tampering with data

Ethical Considerations
Delta & Pine Land Company 11/25/97
Ethical Principles:
- Proportionality
- Informed Consent
- Justice
- Minimized Risk
Standard of Conduct:
- Act with integrity
- Protect information privacy & confidentiality
- Do not misrepresent or withhold information
- Do not misuse resources
- Do not exploit weakness of systems
- Advance general health & welfare

As a business end user, you have a responsibility to promote ethical uses of information technology in the workplace. As a manager or business professional, it will be your responsibility to make decisions about business activities and use of information technologies which may have an ethical dimension that must be considered. Business ethics is concerned with the numerous ethical questions that managers must confront as part of their daily business decision making. Such issues include employee and customer privacy, protection of corporate information, workplace safety, honesty in business practices, and equity in corporate policies.

How can managers make ethical decisions when confronted with many of these controversial issues? Managers and business professionals alike should use ethical principles to evaluate potential harm or risks of the use of E-Business technologies. Ethical principles for responsible use of IT include:
- Proportionality. The good achieved by technology must outweigh any harm or risk in its use.
- Informed Consent. Those affected by the technology should understand and accept the risks associated with that use.
- Justice. The benefits and burdens of the technology should be distributed fairly.
- Minimized Risk. To the extent that any risk is judged acceptable by the preceding three guidelines, technology should be implemented so as to eliminate all unnecessary risk.

These are guiding principles that can be used to govern ethical conduct by managers and users. However, more specific standards of conduct are needed to govern ethical use of information technology. The Association of Information Technology Professionals (AITP) provides the following guidelines for becoming a responsible end user:
- Act with integrity, avoid conflicts of interest and ensure your employer is aware of any potential conflicts.
- Protect the privacy and confidentiality of any information you are entrusted with.
- Do not misrepresent or withhold information that is germane to a situation.
- Do not attempt to use the resources of an employer for personal gain or for any purpose without proper approval.
- Do not exploit the weakness of a computer system for personal gain or personal satisfaction.
- Set high standards for your work.
- Accept responsibility for your work.
- Advance the health, privacy, and general welfare of the public.

Ethical Issues
- Privacy: Internet privacy; corporate email; matching
- Accuracy: credit card accounts; student records
- Property: intellectual property; software piracy; identity theft
- Access: who can see it? who should see it?

Privacy Issues
- IT makes it technically and economically feasible to collect, store, integrate, interchange, and retrieve data and information quickly and easily.
- Benefit: increases efficiency and effectiveness
- But it may also have a negative effect on an individual's right to privacy
- Accessing private e-mail and computer records, and sharing information about individuals gained from their visits to websites and newsgroups

Privacy Issues
- Always knowing where a person is via mobile and paging services
- Computer matching: computer profiling and matching personal data to that profile; mistakes can be a major problem
- Protect your privacy by:
  - Encrypting your messages
  - Posting to newsgroups through anonymous re-mailers
  - Asking your ISP not to sell your information to mailing list providers and other marketers
  - Declining to reveal personal data and interests online

Laws to Defend Individual Privacy
- Attempt to enforce the privacy of computer-based files and communications
- Electronic Communications Privacy Act
- Computer Fraud and Abuse Act
- Health Insurance Portability and Accountability Act (HIPAA)

Computer Libel and Censorship (the opposite side of the privacy debate)
- Right to know (freedom of information)
- Right to express opinions (freedom of speech)
- Right to publish those opinions (freedom of the press)
- Spamming
- Flaming
- Anonymity of domain ownership

Human Impacts
- Employee monitoring (especially online)
- Deskilling (robotic welders)
- Intellectual property protection (Napster, KaZaA, Morpheus)
- Human control (Airbus fly-by-wire)
- Outsourcing & offshoring

Other Challenges
- Employment: new jobs have been created and productivity has increased, yet there has been a significant reduction in some types of jobs as a result of IT.
- Working conditions: IT has eliminated many monotonous, obnoxious tasks, but has created others.
- Individuality: computer-based systems are criticized as impersonal systems that dehumanize and depersonalize activities; excessive regimentation.

Computer Monitoring
- Concerns for workplace privacy
- Monitors individuals, not just work
- Is done continually
- May be seen as violating workers' privacy & personal freedom
- Workers may not know that they are being monitored or how the information is being used
- May increase workers' stress level
- May rob workers of the dignity of their work

Health Issues
- Job stress
- Muscle damage
- Eye strain
- Radiation exposure
- Accidents
- Ergonomics (human factors engineering)

Societal Solutions
Beneficial effects on society: solving human and social problems
- Medical diagnosis
- Computer-assisted instruction
- Governmental program planning
- Environmental quality control
- Law enforcement
- Crime control
- Job placement

Security Management Policies
- Minimize errors, fraud, and losses in the business systems that interconnect businesses with their customers, suppliers, and other stakeholders
- Aligned with organizational goals
- Enterprisewide
- Continuous
- Proactive
- Validated
- Formal: authority, responsibility, accountability

Corporate Security Plan

Risk Management

IT Security Trends
- Increasing the reliability of systems
- Self-healing computers
- Intelligent systems for early intrusion detection
- Intelligent systems in auditing and fraud detection
- Artificial intelligence in biometrics
- Expert systems for diagnosis, prognosis, and disaster planning
- Smart cards

Defense strategy objectives
- Prevention and deterrence
- Detection
- Limitation of damage
- Recovery
- Correction
- Awareness and compliance

Computer Crime
- Malicious access
- Viruses
- Theft: money, service, data, identity

Information System Controls
- Input controls: input masks; control totals
- Processing controls: hardware; software
- Output controls: distribution; access
- Storage controls: passwords; backups
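The input and processing controls on this slide are easy to see working in code. The following Python example is added here; it is not part of the lecture slides. It validates records against an input mask, takes control totals (record count, financial total and a hash total over the account numbers) when a constructed batch is entered, and recomputes them after "processing" to show which kinds of damage each total catches: a transposed account number leaves the count and financial total intact and is caught only by the hash total, while a lost record trips all three. The record layout, the six-digit account mask and the sample batch are constructed for the example.

```python
import re
from dataclasses import dataclass

# Input mask for the constructed example: account numbers are exactly six digits.
ACCOUNT_MASK = re.compile(r"^\d{6}$")


@dataclass
class PaymentRecord:
    account: str       # six-digit account number (constructed format)
    amount_cents: int  # amount in cents, must be positive


def validate_input(record):
    """Input control: a record passes only if its account field fits the
    input mask and its amount is a positive whole number of cents."""
    if not ACCOUNT_MASK.match(record.account):
        return False
    if not isinstance(record.amount_cents, int) or record.amount_cents <= 0:
        return False
    return True


def control_totals(records):
    """Batch control totals taken when the batch is entered: record count,
    financial total (sum of amounts) and a hash total (sum of the account
    numbers, which has no business meaning but changes whenever an account
    field is altered, dropped or transposed)."""
    return {
        "count": len(records),
        "amount_total": sum(r.amount_cents for r in records),
        "hash_total": sum(int(r.account) for r in records),
    }


def verify_batch(records, expected_totals):
    """Processing control: recompute the totals after processing and report
    which of them no longer match the totals recorded at entry."""
    actual = control_totals(records)
    return [name for name, value in expected_totals.items() if actual[name] != value]


# Constructed batch as entered by the data-entry clerk.
ENTERED = [
    PaymentRecord("123456", 10000),
    PaymentRecord("234567", 2550),
    PaymentRecord("345678", 999),
]
ENTRY_TOTALS = control_totals(ENTERED)  # recorded on the batch header at entry

# The same batch after processing, with the last account number transposed (...678 -> ...687).
TRANSPOSED = ENTERED[:2] + [PaymentRecord("345687", 999)]
# The same batch with the second record lost in transit.
DROPPED = [ENTERED[0], ENTERED[2]]


if __name__ == "__main__":
    print("entry totals:", ENTRY_TOTALS)
    print("intact batch mismatches:", verify_batch(ENTERED, ENTRY_TOTALS))
    print("transposed account mismatches:", verify_batch(TRANSPOSED, ENTRY_TOTALS))
    print("dropped record mismatches:", verify_batch(DROPPED, ENTRY_TOTALS))
```

The hash total is the control that matters for tampering rather than loss: any change to an account field alters it even when the count and the money add up, which is why batch headers traditionally carry all three.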

Information System Controls
- Facility controls
  - Networks: encryption; firewalls
  - Equipment & access: possessed object (key or key card); biometrics (retina scans, hand scanner)

Information System Controls
- Procedures: standards; documentation; authorization; disaster recovery; backups
- Equipment failure controls: electrical; fire; water
- Software: software variety; a Windows monoculture is a risk, and other varieties (e.g. Linux) might enhance "genetic" diversity

Internetworked Security Defenses
- Encryption
  - Passwords, messages, files, and other data are transmitted in scrambled form
  - Mathematical algorithms to encode data
  - Public and private keys
- Firewalls
  - Serves as a "gatekeeper" system that protects a company's intranets and other computer networks from intrusion
  - Provides a filter and safe transfer point
  - Screens all network traffic for proper passwords or other security codes
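The "gatekeeper" role of a firewall comes down to a rule list that each packet is checked against. The Python example below is added here and is not from the lecture or any real firewall product; it implements the classic packet-filter logic of first-match-wins with a default deny, over a constructed rule set (public HTTPS open to everyone, SSH only from the internal 10.0.0.0/8 range, everything else dropped) and constructed sample traffic drawn from the reserved documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # CIDR block the source address must fall inside
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # destination port, None means any port


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dst_port: int


def rule_matches(rule, packet):
    """A rule matches when the source address, protocol and port all fit."""
    if ipaddress.ip_address(packet.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.proto != "any" and rule.proto != packet.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != packet.dst_port:
        return False
    return True


def decide(rules, packet):
    """First matching rule wins; traffic matching no rule at all is dropped (default deny)."""
    for rule in rules:
        if rule_matches(rule, packet):
            return rule.action
    return "deny"


def filter_traffic(rules, packets):
    return [decide(rules, p) for p in packets]


# Constructed rule set for a perimeter firewall in front of a company intranet.
RULES = [
    Rule("allow", "0.0.0.0/0", "tcp", 443),   # public web service over HTTPS
    Rule("allow", "10.0.0.0/8", "tcp", 22),   # SSH administration from inside only
    Rule("deny", "0.0.0.0/0", "any", None),   # explicit catch-all deny
]

# Constructed sample traffic (documentation address ranges, not real hosts).
TRAFFIC = [
    Packet("203.0.113.5", "tcp", 443),   # outside user reaching the web service
    Packet("10.1.2.3", "tcp", 22),       # internal administrator over SSH
    Packet("198.51.100.7", "tcp", 22),   # SSH attempt from outside the intranet
    Packet("10.1.2.3", "udp", 53),       # internal DNS query: hits the catch-all deny
]

if __name__ == "__main__":
    for packet, verdict in zip(TRAFFIC, filter_traffic(RULES, TRAFFIC)):
        print(f"{packet.src:>14} {packet.proto}/{packet.dst_port}: {verdict}")
```

The explicit catch-all rule at the end and the built-in default deny in `decide` express the same policy twice on purpose: a rule list that is accidentally emptied or truncated still blocks everything rather than letting everything through.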

Security Layers

Internetworked Security Defenses
- Denial of Service Defenses
  - These assaults depend on three layers of networked computer systems: the victim's website, the victim's ISP, and the sites of "zombie" or slave computers
  - Defensive measures and security precautions must be taken at all three levels

E-mail Monitoring
"Spot checks just aren't good enough anymore. The tide is turning toward systematic monitoring of corporate e-mail traffic using content-monitoring software that scans for troublesome words that might compromise corporate security."
- Widespread monitoring of email
- Magic Lantern
- Carnivore

Viruses
- Programs written with malicious intent
- General types: Trojan horse; file; logic or time bomb; worm
- Defense may be accomplished through:
  - Centralized distribution and updating of antivirus software
  - Outsourcing the virus protection responsibility to ISPs or to telecommunications or security management companies

Security Measures
- Security codes: multilevel password system
  - Log onto the computer system
  - Gain access into the system
  - Access individual files
- Backup: duplicate files of data or programs
- File retention measures: sometimes several generations of files are kept for control purposes
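The multilevel password system on this slide is three checkpoints in sequence: a password to log onto the computer, a separate code to get into the application, and a per-file check before an individual file is opened. The Python example below is added to illustrate that and is not from the lecture. It stores only salted PBKDF2 hashes (never the secrets), compares them in constant time, and reports the deepest checkpoint a request passes. The user store, the secrets and the file names are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (constructed value for the example)


def hash_secret(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def make_credential(secret):
    """Store only a random salt and the salted hash, never the secret itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_secret(secret, salt)}


def check_credential(credential, secret):
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(credential["hash"], hash_secret(secret, credential["salt"]))


# Constructed user store: each user has a system logon password, a separate
# access code for the application, and the set of files they may open.
USERS = {
    "alice": {
        "system": make_credential("correct horse battery staple"),
        "application": make_credential("payroll-entry-2024"),
        "files": {"payroll.dat", "timesheets.csv"},
    },
}

# Names for the level a request reaches; each level requires the ones before it.
NO_ACCESS, SYSTEM, APPLICATION, FILE = 0, 1, 2, 3


def access_level(user, system_password, application_code, filename):
    """Walk the three checkpoints in order and report the deepest one passed."""
    account = USERS.get(user)
    if account is None:
        # Check against a throwaway credential anyway so an unknown user name
        # takes as long to reject as a wrong password does.
        check_credential(make_credential(""), system_password)
        return NO_ACCESS
    if not check_credential(account["system"], system_password):
        return NO_ACCESS                       # level 1 failed: no logon
    if not check_credential(account["application"], application_code):
        return SYSTEM                          # logged on, but not into the application
    if filename not in account["files"]:
        return APPLICATION                     # in the application, but not this file
    return FILE


if __name__ == "__main__":
    print(access_level("alice", "correct horse battery staple", "payroll-entry-2024", "payroll.dat"))
```

Each checkpoint only runs after the previous one succeeds, so a caller who fails the system password learns nothing about whether the application code or file name would have been accepted.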

Biometric Security
- Measure physical traits that make each individual unique
- Voice, fingerprints, hand geometry, signature dynamics, keystroke analysis, retina scanning, face recognition, and genetic pattern analysis

More Security Measures
- Computer failure controls
  - Preventive maintenance of hardware & management of software updates
  - Backup computer system
  - Carefully scheduled hardware or software changes
  - Highly trained data center personnel
- Fault tolerant systems: computer systems that have redundant processors, peripherals, and software
- Disaster recovery plan
  - Which employees will participate and their duties
  - What hardware, software, and facilities will be used
  - Priority of applications that will be processed

Business Continuity The purpose of a business continuity plan is to keep the business running after a disaster occurs. Recovery planning is part of asset protection. Planning should focus on recovery from a total loss of all capabilities. Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current. All critical applications must be identified and their recovery procedures addressed. The plan should be written so that it will be effective in case of disaster.

System Controls and Audits
- Information system controls
  - Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities
  - Designed to monitor and maintain the quality and security of input, processing, and storage activities
- Auditing business systems
  - Review and evaluate whether proper and adequate security measures and management policies have been developed and implemented
  - Testing the integrity of an application's audit trail
  - Has legal implications (e.g. Sarbanes-Oxley)
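"Testing the integrity of an application's audit trail" needs the trail to be built so that tampering is detectable in the first place. The Python example below is added here and is not from the lecture; it shows one common construction, a hash chain, in which every entry carries the digest of the entry before it. An auditor recomputes the chain and is pointed at the first entry that no longer fits, whether a value was edited after the fact or an entry was removed. The events, field names and the all-zero starting link are constructed for the example.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # link value for the first entry (constructed convention)


def entry_digest(previous_digest, event):
    """Digest of one entry: hash of the previous link plus the canonical event text."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((previous_digest + body).encode("utf-8")).hexdigest()


def append_event(trail, event):
    """Append an event, linking it to the digest of the entry before it."""
    previous = trail[-1]["digest"] if trail else GENESIS
    trail.append({"event": event, "previous": previous,
                  "digest": entry_digest(previous, event)})
    return trail


def first_broken_entry(trail):
    """Recompute every link; return the index of the first entry that does not
    fit the chain, or -1 when the whole trail is intact."""
    expected_previous = GENESIS
    for index, entry in enumerate(trail):
        if entry["previous"] != expected_previous:
            return index   # the entry before this one was removed or replaced
        if entry["digest"] != entry_digest(expected_previous, entry["event"]):
            return index   # this entry's own content was altered
        expected_previous = entry["digest"]
    return -1


def build_sample_trail():
    """Constructed audit trail of three application events."""
    trail = []
    append_event(trail, {"seq": 1, "user": "alice", "action": "login"})
    append_event(trail, {"seq": 2, "user": "alice", "action": "transfer", "amount": 250})
    append_event(trail, {"seq": 3, "user": "alice", "action": "logout"})
    return trail


def tampered_amount(trail):
    """Copy of the trail in which the transfer amount was edited after the fact."""
    altered = copy.deepcopy(trail)
    altered[1]["event"]["amount"] = 25000
    return altered


def deleted_entry(trail):
    """Copy of the trail with the transfer record removed entirely."""
    altered = copy.deepcopy(trail)
    del altered[1]
    return altered


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", first_broken_entry(trail))
    print("amount edited:", first_broken_entry(tampered_amount(trail)))
    print("entry deleted:", first_broken_entry(deleted_entry(trail)))
```

The chain only proves something if whoever could rewrite an entry cannot also recompute every later digest, so in practice the newest digest is anchored outside the application (copied to a separate log server, or signed with a key the application does not hold) and the auditor checks the chain against that anchored value.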

Auditing Implementing controls in an organization can be very complicated and difficult to enforce. Are controls installed as intended? Are they effective? Did any breach of security occur? These and other questions need to be answered by independent and unbiased observers. Such observers perform an auditing task. There are two types of auditors: An internal auditor is usually a corporate employee who is not a member of the ISD. An external auditor is a corporate outsider. This type of auditor reviews the findings of the internal audit. There are two types of audits. The operational audit determines whether the ISD is working properly. The compliance audit determines whether controls have been implemented properly and are adequate.

Personal Security Management Examples
- Install and regularly use antivirus and spyware cleaning software, and keep it up to date
- Don't store credit card information online with merchants (or at least only with trusted ones)
- Don't be predictable with passwords
- Keep OS, apps and browsers up to date with the most recent patches
- Send sensitive information only to secure sites
- Make sure the website you're accessing is correct (check the underlying URL) to avoid phishing attempts
- Don't open email attachments, or click on URLs in email, unless you've verified the source
- Install firewalls (this is particularly important with fast internet connections)
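"Check the underlying URL" is easy to say and easy to get wrong, because what matters is the host the browser will actually connect to, not what the link text looks like. The Python example below is added here and is not from the lecture; it uses the standard library's URL parser to extract that host and accepts a link only when it is served over HTTPS from the expected domain or one of its subdomains. The sample links use reserved documentation names (`bank.example`, `.test`, 203.0.113.7) and are constructed for the example.

```python
from urllib.parse import urlsplit


def link_host(url):
    """Host a browser would actually connect to for this link, in lower case.
    urlsplit drops any 'user@' part that precedes the real host, which is
    where a familiar-looking name is sometimes placed to mislead the reader."""
    return (urlsplit(url).hostname or "").lower()


def is_expected_site(url, expected_domain):
    """True only when the link uses HTTPS and its host is the expected domain
    or a subdomain of it. A host that merely starts with or contains the
    expected name (bank.example.something.test) does not qualify."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    host = link_host(url)
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


# Constructed sample links, using reserved documentation names rather than real sites.
SAMPLE_LINKS = [
    "https://www.bank.example/login",              # genuine subdomain
    "https://bank.example/accounts",               # genuine apex domain
    "http://bank.example/login",                   # right site, but not a secure connection
    "https://bank.example.notices.test/login",     # expected name is only a prefix of the host
    "https://bank.example@203.0.113.7/login",      # expected name sits in the user part, host is an IP
    "https://www.bank-example.test/login",         # look-alike name
]


def classify_links(links, expected_domain="bank.example"):
    """Map each link to whether it should be trusted as the expected site."""
    return {link: is_expected_site(link, expected_domain) for link in links}


if __name__ == "__main__":
    for link, ok in classify_links(SAMPLE_LINKS).items():
        print(f"{'trusted' if ok else 'REJECT '} {link}")
```

The two checks together cover the slide's advice: the scheme test enforces "send sensitive information only to secure sites", and the suffix match on the parsed host is what "check the underlying URL" means in practice.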

Law & Order
- Irony of a private person being accessible by so many
- It's always been doable; just not this easily (see examples throughout the episode)
- Worms
- Privacy and the law
- Who's morally responsible for how information is used?
- If your software or service is used by somebody as a means to kill another, who's responsible?