chapter 13 security, privacy, and ethics why and what managers need to know about it risk...

Posted on 26-Dec-2015


Chapter 13: Security, Privacy, and Ethics
Why and what managers need to know about IT risk management, privacy, and information systems ethics.

Course Roadmap

• Part I: Foundations
• Part II: Competing in the Internet Age
• Part III: The Strategic Use of Information Systems
• Part IV: Getting IT Done
– Chapter 10: Funding Information Systems
– Chapter 11: Creating Information Systems
– Chapter 12: Information System Trends
– Chapter 13: Security, Privacy and Ethics

Learning Objectives

1. Learn to make the case that information systems security, privacy, and ethics are issues of interest to general and functional managers, and why it is a grave mistake to delegate them exclusively to IT professionals.

2. Understand the basic IT risk management processes, including risk assessment, risk analysis, and risk mitigation.

3. Understand the principal security threats, both internal and external, and the principal safeguards that have been developed to mitigate these risks.

4. Be able to identify the nature of privacy concerns that modern organizations face, and be able to articulate how general and functional managers can safeguard the privacy of their customers and employees.

5. Define ethics, apply the concept of ethical behavior to information systems decisions, and be able to articulate how general and functional managers can help ensure that their organization behaves ethically.


Introduction

• Information systems security, privacy, and ethical concerns were born along with the introduction of computer systems and information technology in organizations

• The recent widespread adoption of the Internet and the proliferation of information for business use have dramatically amplified these threats

• A failure in security, privacy, or ethics can have dramatic repercussions on the organization, both because of its potentially damaging direct effects (e.g., computer outages, disruptions to operations) and its increasingly negative indirect effects (e.g., legal recourse, image damage)


Why Safeguard Customer Data?

IT Risk Management and Security

• IT Risk Management
– The process of identifying and measuring information systems security risks
– Objective: to devise the optimal risk mitigation strategy

• Security
– The set of defenses put in place to mitigate threats to technology infrastructure and data resources

Security: Not an IT Problem

• Security should be a management priority, not an IT problem

• Security is a negative deliverable
– Produces no revenues
– Creates no efficiencies

• Security is difficult to fund
– IT departments have limited budgets
– They should not be left to fund security measures

• The trade-off: purchase more security or accept higher risks?

Risk Assessment

• Audit the current resources
• Map the current state of information systems security in the organization
• The audit will:
– Expose vulnerabilities
– Provide the basis for risk analysis

• Risk Analysis:
– The process of quantifying the risks identified in the audit (how likely each threat is, and how much a single occurrence would cost)

Risk Mitigation

• The process of matching the appropriate response to the security threats your firm identified

• Designed to help manage the trade-off between the degree of desired security and the investment necessary to achieve it


Three Risk Mitigation Strategies

• Risk Acceptance
– Not investing in countermeasures and not reducing the security risk
– Consciously taking the risk of a security breach

• Risk Reduction
– Actively investing in the safeguards designed to mitigate security threats
– Consciously paying for security protection

• Risk Transference
– Passing a portion (or all) of the risks associated with security to a third party (e.g., an insurer)
– Consciously paying for someone else to assume the risk

Cost/Security Trade-Offs

[Figure: cost (vertical axis) plotted against degree of security (horizontal axis), with three curves: anticipation cost, failure cost, and total cost.]
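The risk analysis and the three mitigation strategies above can be put into numbers. The following is an added example, not part of the original slides: it quantifies one threat scenario as an annual loss expectancy (single loss expectancy times annual rate of occurrence), prices the accept / reduce / transfer options as anticipation cost plus residual expected failure cost, and finds the bottom of the total-cost curve. Every figure in it (loss per incident, incident frequency, safeguard cost, insurance premium, the points on the cost curves) is constructed for illustration.

```python
"""Quantifying the cost/security trade-off: added example, not from the slides.

All figures (loss per incident, incident frequency, safeguard costs, insurance
premium, points along the cost curves) are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat identified in the audit, quantified in the risk analysis."""
    name: str
    single_loss_expectancy: float     # failure cost of one occurrence
    annual_rate_of_occurrence: float  # expected occurrences per year


def annual_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO: the expected yearly failure cost if nothing is done."""
    return s.single_loss_expectancy * s.annual_rate_of_occurrence


def total_cost(anticipation_cost: float, residual_ale: float) -> float:
    """Total cost = anticipation cost (spent on safeguards) + expected failure cost."""
    return anticipation_cost + residual_ale


def evaluate_strategies(s: Scenario, safeguard_cost: float, residual_fraction: float,
                        premium: float, covered_fraction: float) -> dict:
    """Yearly total cost of the three mitigation strategies.

    residual_fraction: share of the ALE that remains after the safeguard.
    covered_fraction:  share of each loss a third party (e.g. an insurer) absorbs.
    """
    ale = annual_loss_expectancy(s)
    return {
        "accept": total_cost(0.0, ale),
        "reduce": total_cost(safeguard_cost, ale * residual_fraction),
        "transfer": total_cost(premium, ale * (1.0 - covered_fraction)),
    }


def choose_strategy(costs: dict) -> str:
    """Pick the strategy with the lowest total cost."""
    return min(costs, key=costs.get)


def optimal_degree_of_security(curve) -> int:
    """Given (degree, anticipation_cost, failure_cost) points, return the degree
    at which total cost is lowest, i.e. the bottom of the total-cost curve."""
    return min(curve, key=lambda point: point[1] + point[2])[0]


# Constructed sample input.
BREACH = Scenario("customer database breach", single_loss_expectancy=500_000.0,
                  annual_rate_of_occurrence=0.1)
COST_CURVE = [  # (degree of security, anticipation cost, expected failure cost)
    (0, 0.0, 120_000.0),
    (1, 20_000.0, 60_000.0),
    (2, 45_000.0, 30_000.0),
    (3, 90_000.0, 15_000.0),
]


def main() -> None:
    costs = evaluate_strategies(BREACH, safeguard_cost=20_000.0, residual_fraction=0.2,
                                premium=35_000.0, covered_fraction=0.8)
    for strategy, cost in costs.items():
        print(f"{strategy:9s} {cost:>12,.0f}")
    print("chosen:", choose_strategy(costs))
    print("optimal degree of security:", optimal_degree_of_security(COST_CURVE))


if __name__ == "__main__":
    main()
```

With the constructed numbers, accepting the risk costs an expected 50,000 a year, reducing it costs 30,000 (20,000 of safeguards plus 10,000 of residual loss) and transferring it costs 45,000, so reduction wins; on the sample curve the total cost bottoms out at degree 2, the point where spending more on anticipation would cost more than the failures it prevents.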

Internal Threats

• Intentional Malicious Behavior
– Typically associated with disgruntled or ill-willed employees
– Example: a marketing employee selling customers’ e-mail addresses to spammers

• Careless Behavior
– Associated with ignorance of or disinterest in security problems
– Example: failing to destroy sensitive data according to planned schedules

External Threats

• Intrusion Threat
– An unauthorized attacker gains access to organizational IT resources

• Social Engineering
– Lying to and deceiving legitimate users so that they divulge restricted or private information

• Phishing
– Sending official-sounding messages that impersonate known institutions and ask individuals to "confirm" private data, in an effort to capture that data
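Phishing messages usually come from a domain that only looks like the institution's. The following added example (not part of the original slides) shows the kind of sender check a mail gateway can apply: it extracts the domain from a From: header and flags it when the brand is used as a subdomain of some other registrable domain, when digits or digraphs stand in for look-alike letters, or when the name is one edit away from a trusted domain. The trusted-domain list, the sample headers and the "last two labels" approximation of a registrable domain (no public-suffix list) are assumptions made for illustration.

```python
"""Flag e-mail sender domains that impersonate known institutions.

Added example; not part of the original slides. The trusted-domain list, the
sample headers and the two-label "registrable domain" simplification (no
public-suffix list) are assumptions for illustration.
"""
import re

TRUSTED_DOMAINS = {"paypal.com", "bankofamerica.com", "microsoft.com"}

# Characters and digraphs attackers substitute for visually similar ones.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

_ADDR_RE = re.compile(r"<([^>]+)>")

# Constructed sample From: headers.
SAMPLE_HEADERS = [
    "PayPal Service <service@paypal.com>",
    "PayPal <noreply@paypa1.com>",
    "Security <alerts@paypal.com.secure-login.net>",
    "Microsoft Account <account@rnicrosoft.com>",
    "Billing <billing@payal.com>",
    "Alice <alice@example.org>",
]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header."""
    match = _ADDR_RE.search(from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rsplit("@", 1)[-1].lower().strip()


def registrable_domain(domain: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption)."""
    return ".".join(domain.split(".")[-2:])


def normalize(label: str) -> str:
    """Undo common look-alike substitutions so 'paypa1' compares as 'paypal'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike:<brand domain>' or 'unknown'."""
    domain = sender_domain(from_header)
    reg = registrable_domain(domain)
    if reg in trusted:
        return "trusted"
    brand_labels = {t.split(".")[0]: t for t in trusted}
    # Brand name used as a subdomain of, or embedded in, a different registrable domain.
    for label in domain.split("."):
        for brand, t in brand_labels.items():
            if brand in normalize(label):
                return f"lookalike:{t}"
    # Name that is one edit away from a brand after homoglyph normalisation.
    reg_norm = normalize(reg.split(".")[0])
    for brand, t in brand_labels.items():
        if edit_distance(reg_norm, brand) <= 1:
            return f"lookalike:{t}"
    return "unknown"


def scan(headers=SAMPLE_HEADERS):
    """Classify every sample header; returns (domain, verdict) pairs."""
    return [(sender_domain(h), classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for domain, verdict in scan():
        print(f"{domain:35s} {verdict}")
```

A verdict of "unknown" is not "safe": the check only recognises impersonation of the institutions on the list, which is why the slide's advice to train users still applies.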

Have You Seen Something Like These?


The External Threats

• Security Weaknesses
– Exploiting weaknesses in the software infrastructure of the organization under attack
– Example: bugs that enable unauthorized access

• Backdoors
– Code expressly designed into software programs to allow access to the application by circumventing password protection or other authentication

The External Threats

• Malicious Code
– Any software code expressly designed to cause damage to IT assets

• Viruses
– Malicious code that spreads by attaching itself to other, legitimate, executable programs
– After infecting a machine, a harmful set of actions, known as the payload, is performed

Malicious Code

• Trojan Horses
– A computer program that claims to, and sometimes does, deliver useful functionality
– Delivers a hidden, malicious payload after installation

• Worms
– Malicious code that exploits security holes in network software to self-replicate
– Need not carry a payload: the replication itself generates enough network traffic to slow or bring a network down

Malicious Code

• Spyware
– Software that, unbeknownst to the owner of the computer:
• Monitors behavior
• Collects information
• Either transfers this information to a third party or
• Performs unwanted operations
– Diverts resources and often slows down a user’s legitimate work

The External Threats

• Denial-of-Service Attack
– A digital assault carried out over a computer network with the objective of overwhelming an online service so as to force it offline
– Can also be used to divert attention, allowing the intruder to plant a backdoor to be exploited later

Responding to Internal Security Threats

• Security Policies
– Spell out what the organization believes are the behaviors that individual employees within the firm should follow in order to minimize security risks
– They should specify:
• Password standards
• User rights
• Legitimate uses of portable devices
– The firm should audit compliance with the policies

Responding to External Security Threats

• Intrusion
– The cornerstone of securing against intrusion is authentication: passwords, and increasingly multi-factor credentials
– Firewalls can be used to screen and manage traffic in and out of a computer network
• Only as strong as the weakest link
– Encryption scrambles content so that it is rendered unreadable to anyone who does not hold the key
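The "password standards" item of the security policy slide and the passwords bullet above meet in code at two points: rejecting weak passwords when they are set, and storing them so that an intruder who copies the credential database still cannot read them. The following added example (not part of the original slides) does both with the Python standard library: a policy check for length, character classes, the user name and a breached-password list, and salted PBKDF2-HMAC-SHA256 hashing with constant-time verification. The policy thresholds, the tiny breached-password set and the sample credentials are assumptions for illustration; the iteration count follows the OWASP Password Storage recommendation for PBKDF2-HMAC-SHA256.

```python
"""Password standard enforcement and safe password storage.

Added example; not part of the original slides. Policy thresholds, the stand-in
breached-password set and the sample credentials are assumptions for illustration.
"""
import hashlib
import hmac
import secrets

MIN_LENGTH = 12
MIN_CLASSES = 3
PBKDF2_ITERATIONS = 600_000   # OWASP recommendation for PBKDF2-HMAC-SHA256
# Constructed stand-in for a breached-password corpus (a real one has millions of entries).
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_policy(password: str, username: str) -> list:
    """Return the policy rules the password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if password.lower() in BREACHED:
        problems.append("appears in breached-password list")
    return problems


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2 hash in a self-describing 'algo$iterations$salt$digest' form.

    A random 16-byte salt is drawn unless one is supplied (only for tests)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(username: str, password: str) -> str:
    """Enforce the policy, then return the record to store in place of the password."""
    problems = check_policy(password, username)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    for user, pw in (("alice", "password"), ("alice", "Correct-Horse-Battery-9")):
        try:
            record = register(user, pw)
            print(user, "accepted ->", record[:40] + "...")
            print("verify:", verify_password(pw, record), verify_password("wrong", record))
        except ValueError as err:
            print(user, err)
```

Two hashes of the same password differ because each gets its own salt, so a stolen table cannot be attacked with one precomputed dictionary for all users; the high iteration count slows each guess further.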

Responding to External Security Threats

• Malware
– Safeguarding against malware requires that the firm’s IT professionals install detection software and keep it updated
– Training and policies are also necessary

• Denial-of-Service Attacks
– Preventing a denial-of-service attack is very difficult
– It is difficult to identify, and therefore block, the source of the attack, especially when it is distributed across many compromised machines
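What the "detection software" of the malware bullet actually does can be shown at small scale. The following added example (not part of the original slides) implements the two techniques most such tools combine: a signature scan for byte patterns of known malicious code, and an integrity baseline of hashed executables that catches a file-infecting virus of the kind the virus slide describes even when no signature exists for it. The in-memory file set, the infection marker bytes and the one-entry signature database are constructed for illustration; a real tool hashes files on disk and uses a vendor signature feed.

```python
"""Two detection techniques malware tools rely on: integrity baselines and signatures.

Added example; not part of the original slides. The in-memory file set, the
infection marker bytes and the signature database are constructed for illustration.
"""
import hashlib
from typing import Dict, List

# Constructed signature database: name -> byte pattern present in the malicious code.
SIGNATURES: Dict[str, bytes] = {"Demo.Appender": b"\x90\x90INFECTED_PAYLOAD"}

# Constructed stand-ins for a system's executables (path -> contents).
CLEAN_SYSTEM: Dict[str, bytes] = {
    "/usr/bin/report": b"\x7fELF\x02\x01\x01report-binary",
    "/usr/bin/backup": b"\x7fELF\x02\x01\x01backup-binary",
    "/usr/bin/mailer": b"\x7fELF\x02\x01\x01mailer-binary",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record every executable's hash while the system is known to be clean."""
    return {path: sha256(data) for path, data in files.items()}


def integrity_check(baseline: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Report executables whose hash no longer matches the baseline, plus files
    that appeared or disappeared since it was taken."""
    modified = [p for p, h in baseline.items() if p in files and sha256(files[p]) != h]
    added = [p for p in files if p not in baseline]
    removed = [p for p in baseline if p not in files]
    return {"modified": sorted(modified), "added": sorted(added), "removed": sorted(removed)}


def signature_scan(files: Dict[str, bytes]) -> Dict[str, str]:
    """Return {path: signature name} for files containing a known malicious pattern."""
    hits = {}
    for path, data in files.items():
        for name, pattern in SIGNATURES.items():
            if pattern in data:
                hits[path] = name
    return hits


def infect(files: Dict[str, bytes], host: str, code: bytes) -> Dict[str, bytes]:
    """Model a file-infecting virus: return a copy of the system in which the
    malicious code has been appended to one legitimate executable."""
    infected = dict(files)
    infected[host] = files[host] + code
    return infected


def main() -> None:
    baseline = build_baseline(CLEAN_SYSTEM)
    known = infect(CLEAN_SYSTEM, "/usr/bin/report", SIGNATURES["Demo.Appender"])
    novel = infect(CLEAN_SYSTEM, "/usr/bin/backup", b"\x90\x90NOVEL_VARIANT")
    for label, system in (("known virus", known), ("novel variant", novel)):
        print(label, "| signature scan:", signature_scan(system),
              "| integrity check:", integrity_check(baseline, system)["modified"])


if __name__ == "__main__":
    main()
```

The signature scan names the known virus but is silent on the variant, while the integrity check flags both modified executables without saying what changed them; that gap is why detection software must be kept updated and why the slide pairs it with training and policy.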

Security Threat Tools


Managing Security: Overall Guidelines

• Have a plan and specify responsibilities
– Who should be contacted in an emergency?
– What should the first reaction measures be?

• Revisit often
– New technologies should be proactively addressed

• Develop a mitigation plan
– Determine how the attack took place
– Assess the damage

• Waiting for a crisis to take these decisions and develop policy is too late!

Privacy

• The ability of individuals to control the terms and conditions under which their personal information is collected, managed, and utilized

• Private information is information that can be traced back to the individual

• Privacy subsumes security: personal data cannot be kept private unless it is also kept secure

Privacy Risks

• Function Creep
– Occurs when data collected for a stated or implied purpose are then reused for other, unrelated objectives

• Proliferating Data Sources
– New technological advances and devices generate more data than ever
– This proliferation creates opportunities but also many risks

Privacy Risks

• Data Management Risks
– It is increasingly simple, and cost effective, to merge data repositories
– IT creates pressure for, and the risk of, function creep if not managed carefully

• The Legal Landscape
– Currently, technology evolution outpaces legal development
– The internet has all but destroyed traditional geographical boundaries

• Privacy management is not an IT job

Safeguarding Privacy

• Fair Information Practice Principles
– Notice
• The right of individuals to be informed when their personal data is being collected
• The right of individuals to be informed about how their data is or will be used
– Choice
• The ability of individuals to be informed of, and object to, function creep, whether within one firm or across firms that share information

Safeguarding Privacy

• Fair Information Practice Principles (cont.)
– Access
• The right of individuals to access their information and correct any errors that may have occurred in their records
– Security
• Organizations that house individuals’ private information must ensure its safekeeping and protect it from unauthorized access
– Enforcement
• Organizations that collect and use private information must develop enforceable procedures to ensure that the above principles are upheld

The Greatest Breaches



Protecting Privacy

• Say What You Do
– The firm develops a codified set of policies and procedures for safeguarding privacy and communicates these policies to affected individuals (e.g., customers, employees)

• Do What You Say
– Those who represent the firm know, understand, and can enact the policies the firm has developed

• Be Able to Prove It
– The firm documents its policies and the processes it has developed to ensure privacy

Ethics

• The discipline dealing with what is good and bad and with moral duty and obligation

• The problem:
– Ethical choices are rarely straightforward
– Ethical choices typically engender multiple sub-optimal options

Enabling IS Ethics

• Developing a culture of ethical decision making is critical

• Establish an information systems ethics code of conduct that:
– Identifies the principles of ethical information system use for your organization
– Identifies the firm’s formal stance on ethics

• Apply the principle of harm minimization

The Recap

• Information systems must be secured against both internal and external threats

• Information systems security and risk management are not “IT issues”

• Privacy concerns, like security threats, need general and functional managers’ full attention.


The Recap

• In order for the firm to safeguard the privacy of its employees and customers, it must subscribe to fair information practices:
– Notice
– Choice
– Access
– Security
– Enforcement

• The recent flurry of corporate scandals has ignited interest in business ethics

• When it comes to information systems, ethics becomes a crucial guiding light for management behavior, as legislation often lags behind technology improvements

What Did We Learn?

1. Learn to make the case that information systems security, privacy, and ethics are issues of interest to general and functional managers, and why it is a grave mistake to delegate them exclusively to IT professionals.

2. Understand the basic IT risk management processes, including risk assessment, risk analysis, and risk mitigation.

3. Understand the principal security threats, both internal and external, and the principal safeguards that have been developed to mitigate these risks.

4. Be able to identify the nature of privacy concerns that modern organizations face, and be able to articulate how general and functional managers can safeguard the privacy of their customers and employees.

5. Define ethics, apply the concept of ethical behavior to information systems decisions, and be able to articulate how general and functional managers can help ensure that their organization behaves ethically.

