Chapter3
.docx
keyboard_arrow_up
School
York University *
*We aren’t endorsed by this school
Course
2511
Subject
Information Systems
Date
May 11, 2024
Type
docx
Pages
17
Uploaded by ailineileens on coursehero.com
Chapter3 Security and privacy problems occur every day
Improve security
Deterrence: fines and arrest for hacking: Canada, Russia and U.S. worked together to arrest those
charged with 1.5 billion account Yahoo hack.
Adding new tools, such as improved surveillance: Turn your Apple phone into a surveillance camera
using the At Home Camera app.
How to bypass a locked Apple phone (although apparently this breach has been fixed – try it if you own an
Apple phone, makes stolen phones usable).——
serious security hazard, enabling equipment to be used if it
has been stolen or lost: a cautionary note to be careful with your equipment.
3.1 Ethics in the corporate environment and raised by IS
Ethics is the set of principles of right and wrong that individuals use to make choices that guide their
behaviour.
Ethical Framework
The utilitarian approach
states that an ethical action is the one that provides the most good or does the
least harm.
The rights approach maintains that an ethical action is the one that best protects and respects the moral
rights of the affected parties. Moral rights can include the rights to make one's own choices about what
kind of life to lead, to be told the truth, to be not injured, and to enjoy a degree of privacy.
The fairness approach
posits that ethical actions treat all human beings equally, or, if unequally, then
fairly, based on some defensible standard.
The common good approach
highlights the interlocking relationships that underlie all societies.
A code of ethics
is a collection of principles intended to guide decision making by members of the
organization.
Fundamental tenets of ethics include responsibility, accountability, and liability:
Responsibility
means that you accept the consequences of your decisions and actions.
Accountability
means determining who is responsible for actions that were taken.
Liability
is a legal concept that gives individuals the right to recover the damages done to them by other
individuals, organizations, or systems.
1. A framework for IT ethical issues
1)
Privacy issues
involve collecting, storing, and disseminating information about individuals.
2)
Accuracy issues
involve the authenticity, fidelity, and correctness of information that is collected and
processed.
3)
Property issues
involve the ownership and value of information
.
4)
Accessibility issues revolve around who should have access to information
and whether they should pay a
fee for this access.
——Data is everywhere – how much is private?
Data aggregators use the Internet and other sources to develop personal profiles (also called a digital
dossier
). Refer to text, Section 3.2, p. 70. ( data aggregators, who collect data about individuals and
businesses then sell the organized collected data for a fee)
Time Doctor lets you view employee computer activity. How much observation is intrusive? Video of
“capabilities” of the software: how to use software that monitors employees
——It provides a graphic illustration of the fact that companies can take screenshots of what an employee is
doing as well as searching the traffic detail. There is exact detail available of what the employee searched and
which web sites were accessed. The employer can also see when an employee is working,
2. Four Step approach to solve an ethical dilemma (Table 3.1, p. 66)
1)
Recognize an ethical issue
(why or how it is an ethical issue and whether you can do anything about it.)
2)
Get the facts
(collect details about it (gather the facts))
3)
Evaluate alternative actions
(usually more than one available course of action to respond to a situation)
4)
Make a decision and test it
(select the best course of action and implement it)
3. Compare this to the GVV (Giving voice to values )Approach (Table 3.1, p. 66)
It makes the assumption that you decide to act in an ethical way, and that you use this framework to help you. 1)
Identify an ethical issue
2)
Purpose and choice (i.e. yours)
3)
Stakeholder analysis
4)
Powerful response
5)
Scripting and coaching
——Ethical dilemma practice (traditional framework)
Security Company Database:
Problem: Last week, you purchased a used computer from a friend who is a recently retired security company
officer. Upon using the computer, you found several large files that seem to contain data about the activities
and profiles of hundreds of people in your city.
Use the four steps for resolving an ethical issue to decide what you should do.
1. Recognizing the ethical issue:
Confidential data has been located on a used personal computer. The
machine was purchased from a friend, and was apparently used for work purposes by the friend. I should not
have access to this data.
2. Get the facts:
The data on this hard drive is now available for my use or misuse. Should the individuals
listed on the hard drive be informed about the data? Should you tell your friend about it or his/her previous
employer?
Determine who is affected by the outcome and how:
As a minimum the people affected are yourself (the
purchaser), your friend (the vendor), the people whose names are listed on the hard drive, and the security
company that was my friend’s previous employer.
3. Evaluate reasonable alternative actions:
Is the simplest action to reformat the hard drive (i.e. eliminating
the data)? Another possible option is to return the machine to the friend and let him/her remove the data. You
could also call the newspaper and inform them about the data (not really a reasonable alternative), or sell the
data and make some money – not a good idea either.
Identify the consequences of each alternative:
The last two alternatives above are not really that healthy –
they could result in the loss of your friend or other problems. Technically, it can be difficult to erase data
from a hard drive (as utilities are available to recover deleted files), so erasing the information yourself might
not be productive. A key question is whether your friend would ultimately remember that the data is present
on the hard drive – if not, it could
never become an issue!
4. Make a decision and test it:
The action taken depends upon your own perspective of the situation. It
would be wise to consider the law when making your decision. My own decision would likely be to return
the computer to my friend and ask him to take care of it.
3.2 Privacy and how IT affects privacy
——What could go wrong with a digital dossier?
Privacy issues
(p. 70) involve collecting, storing and disseminating information about individuals
This video illustrates a bit of a privacy nightmare. How many privacy violations can you count in the video?
What about video camera recordings
?
1. Privacy: privacy is the right to be left alone and to be free of unreasonable personal intrusions.
Information privacy is the right to determine when, and to what extent, information about you can be
gathered and/or communicated to others.
Privacy rights apply to individuals, groups, and institutions.
Two rules fairly closely:
The right of privacy is not absolute. Privacy must be balanced against the needs of society.
The public's right to know supersedes the individual's right of privacy.
2) Digital dossier: is an electronic profile of you and your habits.
3) Profiling: The process of forming a digital dossier
4) Electronic surveillance is rapidly increasing, particularly with the emergence of new technologies. Electronic
surveillance is conducted by employers, the government, and other institutions
1) Privacy: privacy is the right to
be left alone and to be free of unreasonable personal intrusions.
2. Privacy policy guidelines: a sampler (Table 3.3, p. 76)
an organization’s privacy policy guideline provides guidance about how information should be collected. It
also explains responsibilities about data accuracy and data confidentiality.
A specific policy for an organization will provide more detail, for example, listing those individuals who may
have access to particular information, and who should provide permission if information is to be disclosed.
Codify requirements for employees
Provide a standard set of procedures
Help protect organizations from litigation
Can be used as a measurement tool if disciplinary action is required
3.3 Impact of legislation and privacy codes on privacy
.
1. Two major pieces of federal legislation that affect individual privacy
1) Privacy in Canada: PIPEDA (Personal Information Protection and Electronic Documents Act, 2004)
The ten basic principles of PIPEDA
provide processes for an organization to handle information, protect it, and allow for an individual to
assess its accuracy and correct the information where necessary.
promote consistent handling of information (whether in manual or automated form) by all organizations.
PIPEDA is privacy legislation intended to protect individuals.
It is federal legislation, based upon the privacy principles that are incorporated in the Canadian Standards
Association (CSA) model.
The Canadian Charter of Rights and Freedoms is intended to protect an individual’s right to privacy, whereas
PIPEDA is limited to the privacy of personal information.
PIPEDA covers factual or subjective information about an individual person that would include all of these. In
addition, it establishes a class of information called sensitive personal information which might include
information such as religious beliefs, health conditions, or ethnic origin
Benefits of high quality information privacy
are from a business perspective:
To protect the organization’s public image or brand images;
To maintain or enhance trust and promote continued consumer confidence in the organization and promote goodwill;
To achieve a competitive advantage in the marketplace by maintaining high quality, accurate customer information;
To meet legal requirements of industry associations or organizations (such as of e-payment and credit card processors);
To efficiently managing personal information, reducing administration or data handling costs and avoiding additional financial costs, such as the need to modify information systems to meet legal requirements.
——Annual privacy reports to Parliament by the Office of the Privacy Commissioner of Canada (OPC):
2) Anti-spam legislation
Canada’s anti-spam legislation (CASL, Bill C-28) came into effect July 1, 2014
Some asked me to opt-in and specify what type of emails I was prepared to receive (for example, about
which technical topics or types of events that were coming up), while others only provided an option to
opt-out if I no longer wanted to receive emails.
The organization must request consent before sending emails and must have a record of that consent – how
will this affect spam?
3. Privacy Codes and Policies
Privacy policies or privacy codes are an organization's guidelines for protecting the privacy of its customers,
clients, and employees.
The opt-out model
of informed consent that permits a company to collect personal information until the
customer specifically requests that the data not be collected of informed consent permits the company to
collect personal information until the customer specifically requests that the data not be collected.
Privacy advocates prefer the opt-in model
of informed consent in which a business is prohibited from
collecting any personal information unless the customer specifically authorizes it. of informed consent, which
prohibits an organization from collecting any personal information unless the customer specifically authorizes
it.
3.4 Threats and risks to information security and IS
——One of the jobs of management is to keep assets and systems secure and operating at organizations. To do
this, organizations need to understand threats and risks to information systems so that they can be mitigated using
controls.
1. CANADA’s Treasury Board: Management of Information Technology Security Standards
The policy explains that security requires regular risk assessment, along with controls to prevent and mitigate
risks.
Provides standards for federal deputy ministers and department heads
The IT departments will be responsible for implementing the procedures and processes to meet the standards
If systems are broken into, affects confidence of Canadians
2. Introduction to Information Security
Security can be defined as the degree of protection against criminal activity, danger, damage, and/or loss.
Following
Information security
is all of the processes and policies designed to protect an organization's information
and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or
destruction.
A threat
to an information resource is any danger to which a system may be exposed.
The exposure
of an information resource is the harm, loss, or damage that can result if a threat compromises
that resource.
An information resource's vulnerability
is the possibility that the system will be harmed by a threat.
Five key factors
are contributing to the increasing vulnerability of organizational information resources
Today's interconnected, interdependent, wirelessly networked business environment.
Smaller, faster, cheaper computers and storage devices.
Decreasing skills necessary to be a computer hacker.
International organized crime taking over cybercrime.
Lack of management support.
The Difficulties in Protecting Information Resources
Hundreds of potential threats exist.
Computing resources may be situated in many locations.
Many individuals control or have access to information assets.
Computer networks can be located outside the organization, making them difficult to protect.
Rapid technological changes make some controls obsolete as soon as they are installed.
Many computer crimes are undetected for a long period of time, so it is difficult to learn from experience.
People tend to violate security procedures because the procedures are inconvenient.
The amount of computer knowledge necessary to commit computer crimes is usually minimal. As a
matter of fact, a potential criminal can learn hacking, for free, on the Internet.
The costs of preventing hazards can be very high. Therefore, most organizations simply cannot afford to
protect themselves against all possible hazards.
It is difficult to conduct a cost–benefit justification for controls before an attack occurs because it is
difficult to assess the impact of a hypothetical attack. 3. Threats and risks to IT security Fig 4.1, p. 87
——The two major categories of threats are unintentional threats and deliberate threats.
Security Threats
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help