Information Systems: Ethics, Privacy and Information Security
Ethical Issues
Ethics: a branch of
philosophy that deals with what is considered to be right and wrong.
A Code of Ethics is a collection of principles that are intended to guide decision making by members of an organization.
Fundamental Tenets of Ethics
Responsibility means that
you accept the consequences of your decisions and actions.
Accountability means a
determination of who is responsible for actions that were taken.
Liability is a legal
concept meaning that individuals have the right to recover the damages done to
them by other individuals, organizations, or systems.
The Four Categories of Ethical Issues
Privacy Issues involve
collecting, storing and disseminating information about individuals.
Accuracy Issues involve
the authenticity, fidelity and accuracy of information that is collected and
processed.
Property Issues involve
the ownership and value of information.
Accessibility Issues revolve
around who should have access to information and whether they should have to
pay for this access.
Privacy is the
right to be left alone and to be free of unreasonable personal intrusions.
Court decisions have followed two rules:
The right of privacy is not absolute.
Your privacy
must be balanced against the needs of society.
The public’s right to know is
superior to the individual’s right of privacy.
Threats to Privacy
Data aggregators, digital dossiers, and profiling
Electronic Surveillance
Personal Information in Databases
Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites
Personal Information in Databases
Information about individuals is kept in many databases: banks, government, etc. The most visible locations are credit-reporting agencies.
Banks
Utility companies
Government agencies
Credit reporting agencies
Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites
Social Networking Sites often
include electronic discussions such as chat rooms. These sites appear on the
Internet, within corporate intranets, and on blogs.
A blog (Weblog) is an
informal, personal journal that is frequently updated and intended for general
public reading.
The logos represent popular social networking sites.
Protecting Privacy
Privacy Codes and Policies: An organization’s guidelines with respect to protecting the privacy of
customers, clients, and employees.
Opt-out model of informed consent permits the company to collect personal information until the customer specifically requests that the data not be collected.
Opt-in model of informed consent means that organizations are prohibited from collecting any personal information unless the customer specifically authorizes it.
International Aspects of Privacy: Privacy issues that international organizations and governments face when information spans countries and jurisdictions.
Threats to Information Security
Factors Increasing the Threats to Information Security
Interconnected, interdependent, wirelessly-networked business environment
Government legislation
Smaller, faster, cheaper computers and storage devices
Decreasing skills necessary to be a computer hacker
International organized crime turning to cybercrime
Downstream liability
Increased employee use of unmanaged devices
Lack of management support
Key Information Security Terms
A threat to an
information resource is any danger to which a system may be exposed.
The exposure of an information resource is the harm, loss or damage that can result if a threat compromises that resource.
A system’s vulnerability is the
possibility that the system will suffer harm by a threat.
Risk is the
likelihood that a threat will occur.
Information system controls are the
procedures, devices, or software aimed at preventing a compromise to the
system.
Categories of Threats to Information Systems
Unintentional acts
Natural disasters
Technical failures
Management failures
Deliberate acts
Unintentional Acts
Human errors
Deviations in quality of service by
service providers (e.g., utilities)
Environmental hazards (e.g., dirt,
dust, humidity)
Human Errors
Tailgating
Shoulder surfing
Carelessness with
laptops and portable computing devices
Opening questionable
e-mails
Careless Internet
surfing
Poor password selection and use
Social engineering is an attack where the attacker uses social skills to trick a legitimate employee into providing confidential company information such as passwords.
Social engineering is typically an unintentional human error on the part of an employee, but it is the result of a deliberate action on the part of an attacker.
Deliberate Acts
Espionage or trespass
Information extortion
Compromises to
intellectual property
Intellectual property: Property
created by individuals or corporations which is protected under trade
secret, patent, and copyright laws.
Trade secret:
Intellectual work, such as a business plan, that is a company secret and is not
based on public information.
Patent: Document that grants the holder exclusive rights on an invention or process for 20 years.
Copyright: Statutory grant that provides creators of intellectual property with ownership of the property for life of the creator plus 70 years.
Piracy: Copying a software program without making payment to the owner.
Virus is a
segment of computer code that performs malicious actions by attaching to another
computer program.
Worm is a
segment of computer code that performs malicious actions and will spread by
itself without requiring another computer program.
Logic bomb is a
segment of computer code that is embedded inside an organization’s existing
computer programs and is designed to activate and perform a destructive action
at a certain time or date.
A Trojan horse is a software program that hides in other computer programs and reveals its designed behavior only when it is activated. A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers, etc.) and send it to the creator of the Trojan horse.
Phishing attacks use
deception to acquire sensitive personal information by masquerading as
official-looking e-mails or instant messages.
In a distributed
denial-of-service attack, the attacker first takes over many computers. These computers are called zombies or
bots. Together, these bots form a botnet.
The botnet demonstration shows how botnets
are created and how they work.
Spyware collects personal information about users without
their consent. Two types of spyware are
keystroke loggers (keyloggers) and screen scrapers. Keystroke loggers record your keystrokes and
your Web browsing history. Screen
scrapers record a continuous “movie” of what you do on a screen.
The spyware video provides a nice overview of
spyware and how to avoid it.
Spamware is alien
software that is designed to use your computer as a launchpad for
spammers. Spam is unsolicited e-mail.
Cookies are
small amounts of information that Web sites store on your computer.
The cookie demo will
show you how much information your computer sends when you connect to a Web site.
A supervisory control and data acquisition (SCADA)
system is a large-scale, distributed, measurement and control system. SCADA
systems are the link between the electronic world and the physical world.
Protecting Information Resources
Risk Management
Risk: The
probability that a threat will impact an information resource.
Risk management: To
identify, control and minimize the impact of threats.
Risk analysis: To assess
the value of each asset being protected, estimate the probability it might be
compromised, and compare the probable costs of it being compromised with the
cost of protecting it.
Risk mitigation is when the organization takes concrete actions against risk. It has two functions:
Implementing controls to prevent identified threats from occurring.
Developing a means of recovery should the threat become a reality.
Risk Mitigation Strategies
Risk Acceptance: Accept the
potential risk, continue operating with no controls, and absorb any damages
that occur.
Risk limitation: Limit the risk by implementing controls that minimize the impact of the threat.
Risk transference: Transfer the risk by using other means to compensate for the loss, such as purchasing insurance.
Controls
Physical controls. Physical
protection of computer facilities and resources.
Access controls: Restriction of unauthorized user access to computer resources; use biometrics and password controls for user identification.
Communications (network) controls: Protect the movement of data across networks; they include border security controls, authentication and authorization.
Application
controls protect specific applications.
Access Controls
Authentication: Major objective is proof of identity.
Something the User Is: Also known as biometrics, these access controls examine a user's innate physical characteristics.
The biometrics
video is an outstanding look at all types of biometrics. (28 minutes)
The Raytheon
Personal Identification Device combines biometrics and RFID.
Something the User Has: These access controls include regular ID cards, smart cards, and tokens.
Something the User Does: These access controls include voice and signature recognition.
Something the User Knows: These access controls include passwords and passphrases. A password is a private combination of characters that only the user should know. A passphrase is a series of characters that is longer than a password but can be memorized easily.
Authorization: Permission issued to individuals and groups to do certain activities with information resources, based on verified identity.
A privilege is a collection of related computer
system operations that can be performed by users of the system.
Least privilege is a
principle that users be granted the privilege for some activity only if there
is a justifiable need to grant this authorization.
Communication or Network Controls
Firewalls. System that enforces
access-control policy between two networks.
Anti-malware systems are
software packages that attempt to identify and eliminate viruses, worms, and
other malicious software. The logos show
three well-known anti-malware companies.
Whitelisting is a
process in which a company identifies the software that it will allow to run
and does not try to recognize malware.
Blacklisting is a
process in which a company allows all software to run unless it is on the
blacklist.
Intrusion Detection Systems are designed to detect all
types of malicious network traffic and computer usage that cannot be detected
by a firewall.
Encryption is the process of converting an original message into a form that cannot be read by anyone except the intended receiver.
In a basic home firewall, the firewall is implemented as software on the home computer.
An organizational firewall has the
following components:
(1) an external firewall facing the Internet
(2) a demilitarized zone (DMZ) located between the two firewalls; the DMZ contains company servers that typically handle Web page requests and e-mail.
(3) an internal firewall that faces the company network
How Digital Certificates Work
A digital certificate is an electronic document attached to a file certifying that the file is from the organization that it claims to be from and has not been modified from its original format.
Certificate authorities, which are trusted intermediaries between two organizations, issue digital certificates.
A virtual private network is a private network that
uses a public network (usually the Internet) to connect users.
Secure socket layer (SSL), now called transport layer security (TLS), is an encryption standard used for secure transactions such as credit card purchases and online banking.
Vulnerability management systems extend the
security perimeter that exists for the organization’s managed devices, to
unmanaged, remote devices.
Employee monitoring systems monitor
employees’ computers, e-mail activities, and Internet surfing activities.
Virtual Private Network and Tunneling
Tunneling encrypts each data
packet that is sent and places each encrypted packet inside another packet.
Business Continuity Planning, Backup, and Recovery
Hot Site is a fully
configured computer facility, with all services, communications links, and
physical plant operations.
Warm Site provides
many of the same services and options of the hot site, but it typically does
not include the actual applications the company runs.
Cold Site provides
only rudimentary services and facilities and so does not supply computer
hardware or user workstations.
Information Systems Auditing
Information systems auditing: Independent or unbiased observers tasked with ensuring that information systems work properly.
Audit. Examination of information systems, their inputs,
outputs and processing.
Types of Auditors and Audits
Internal: Performed
by corporate internal auditors.
External: Reviews
internal audit as well as the inputs, processing and outputs of information
systems.
IS Auditing Procedure
Auditing around the
computer means verifying processing by checking for known outputs or specific
inputs.
Auditing through the
computer means inputs, outputs and processing are checked.
Auditing with the
computer means using a combination of client data, auditor software, and client
and auditor hardware.