Chapter 3

Ethical problems are arising about the appropriate use of customer information, personal privacy, and the protection of intellectual property.
- Privacy issues: involve collecting, storing, and disseminating information about individuals
- Accuracy issues: the authenticity, integrity, and accuracy of information
- Property issues: the ownership and value of information
- Accessibility issues: revolve around who should have access to information or pay for it

Two rules show why it is difficult in some cases to determine and enforce privacy regulations:
- The right of privacy is not absolute. Privacy must be balanced against the needs of society
- The public's right to know supersedes the individual's right to privacy

Electronic surveillance
- Monitoring by employers, the government, and other institutions
- Organizations also use software to block connections to inappropriate websites, a practice called URL filtering, which discourages employees from wasting time

Privacy codes and policies are an organization's guidelines for protecting the privacy of customers, clients, and employees.
- The opt-out model of informed consent permits the company to collect personal information until the customer specifically requests that the data not be collected
- The opt-in model of informed consent prohibits a business from collecting any personal information unless the customer specifically authorizes it
- The Platform for Privacy Preferences (P3P)
- Personal Information Protection and Electronic Documents Act (PIPEDA), Jan 1, 2004

Privacy policy guidelines:
- Data collection
- Data accuracy
- Data confidentiality

Threats to information security
- Complex, interconnected, interdependent, wirelessly networked business environment
- Government legislation dictates that many types of information must be protected by law
- Modern computers and storage devices continue to become smaller, faster, cheaper, and more portable, with greater storage capacity
- The computer skills necessary to be a hacker are decreasing
- International organized crime is taking over cyber-crime
- Downstream liability, which occurs in the following manner
- Increased employee use of unmanaged devices, which are devices outside the control of an organization's IT department
- Lack of management support

Unintentional acts: human errors, deviations in the quality of service by service providers, and environmental hazards

Deliberate acts:
- Espionage or trespass
- Information extortion
- Sabotage or vandalism
- Theft of equipment or information
- Identity theft
- Compromises to intellectual property
- Software attacks
- Supervisory control and data acquisition attacks
- Cyber-terrorism and cyber-warfare

Risk analysis is the process by which an organization assesses the value of each asset being protected, estimates the probability that each asset will be compromised, and compares the probable cost of the asset being compromised with the cost of protecting that asset.

Risk mitigation: the organization takes concrete actions against risks
1) Implementing controls to prevent identified threats from occurring
2) Developing a means of recovery should the threat become a reality

Risk mitigation strategies:
- Risk acceptance
- Risk limitation
- Risk transference

Control evaluation: the organization identifies security deficiencies and calculates the cost of implementing adequate control measures (cost-effective or not).

The purpose of controls is to safeguard assets, optimize the use of the organization's resources, and prevent or detect errors or fraud. Controls are classified as general controls and application controls.
- Physical controls prevent unauthorized individuals from gaining access to a company's facilities.
- Access controls restrict unauthorized individuals from using information resources. They are based on:
  - Something the user is
  - Something the user has
  - Something the user does
  - Something the user knows
- Communications controls secure the movement of data across networks.
- Application controls protect specific applications:
  - Input controls are programmed routines that edit input data for errors before they are processed
  - Processing controls are programmed routines that perform actions that are part of the record-keeping of the organization, reconcile and check transactions, or monitor the operation of applications
  - Output controls are programmed routines that edit output data for errors, or help to ensure that output is provided only to authorized individuals
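A worked version of the risk analysis, control evaluation and mitigation-strategy steps above, added here as an example and not taken from the notes. The expected-loss model (asset value times probability of compromise per year), the cost-comparison rules for choosing a strategy, and the sample asset figures are all assumptions.

```python
# Added example (not from the notes): risk analysis, control evaluation and
# choice of mitigation strategy. The expected-loss model and all asset figures
# are assumptions constructed for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Asset:
    name: str
    value: float                  # loss to the organization if compromised
    p_compromise: float           # estimated probability of compromise per year
    control_cost: float           # annual cost of the proposed control
    control_effectiveness: float  # fraction of the expected loss the control removes
    insurance_cost: Optional[float] = None  # annual premium, if the risk can be transferred

def expected_loss(asset: Asset) -> float:
    """Risk analysis: probable cost of the asset being compromised."""
    return asset.value * asset.p_compromise

def control_is_cost_effective(asset: Asset) -> bool:
    """Control evaluation: does the control avoid more loss than it costs?"""
    return expected_loss(asset) * asset.control_effectiveness > asset.control_cost

def mitigation_strategy(asset: Asset) -> str:
    """Cheapest of the three strategies in the notes, by total annual cost:
    acceptance = full expected loss; limitation = control cost + residual loss
    (only if cost-effective); transference = premium (only if below the loss)."""
    loss = expected_loss(asset)
    options = {"risk acceptance": loss}
    if control_is_cost_effective(asset):
        options["risk limitation"] = asset.control_cost + loss * (1.0 - asset.control_effectiveness)
    if asset.insurance_cost is not None and asset.insurance_cost < loss:
        options["risk transference"] = asset.insurance_cost
    return min(options, key=options.get)

def risk_report(assets):
    """Each asset's expected loss and recommended strategy."""
    return {a.name: (expected_loss(a), mitigation_strategy(a)) for a in assets}

# Constructed sample assets (figures are illustrative)
SAMPLE_ASSETS = [
    Asset("customer database", 500_000, 0.10, 10_000, 0.8, insurance_cost=30_000),
    Asset("lobby kiosk", 20_000, 0.05, 5_000, 0.9),
    Asset("plant control gateway", 1_000_000, 0.02, 15_000, 0.5, insurance_cost=8_000),
]

if __name__ == "__main__":
    for name, (loss, strategy) in risk_report(SAMPLE_ASSETS).items():
        print(f"{name}: expected loss {loss:,.0f}/yr -> {strategy}")
```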