Running Head: INFORMATION TECHNOLOGY LAW 1
Information Technology law
Student's Name:
Institution Affiliation:
Date:
Question 1
In a perfect world, employees would stick strictly to their work throughout the day by applying common sense and a solid work ethic. Today's workplace, however, is full of online distractions that pull employees away from their assigned tasks and duties. The major online distractors are social media, games and personal email, all of which reduce productivity at work and consume time that would otherwise go into productive work. There is therefore a need for an effective computer and network usage policy, supported by sensible monitoring tools, to address a real problem that costs businesses money in lost productivity every day.
The Supreme Court of Canada's take on workplace computer use policy and privacy
In R. v. Cole, the Supreme Court of Canada held that employees may have a reasonable expectation of privacy in the information stored on their workplace computers, at least where personal use is permitted or reasonably expected by the employer. Although the decision arose from a criminal proceeding and does not apply directly to employees in the private sector, including those of charities and non-profit organizations, it provides useful insight into how Canadian courts are likely to approach workplace computer privacy issues. The decision has important implications for employers in managing employee expectations of workplace computer privacy and in protecting the employer from abuse of workplace computers.
R. v. Cole is a criminal case with important workplace implications. Richard Cole was a high school computer teacher charged with possession of child pornography and unauthorized use of a computer. During routine maintenance, the school technician discovered hidden files on Mr. Cole's computer containing nude photographs of an underage female student. The school's policy stated that teachers' email correspondence would remain private but could be accessed by school administrators under specified conditions, and the acceptable use policy that applied to both students and teachers warned users not to expect privacy in files stored on school computers (Jochelson & Doerksen, 2016).
The Supreme Court of Canada noted that workplace policies and practices diminish an employee's expectation of privacy in a workplace computer. Workplace policies are relevant, and operational realities may further reduce the expectation of privacy, but an employer should not rely on written policies alone in determining the computer privacy of its employees. Employers should implement clear policies that address permitted employee computer use, as well as access to and monitoring of computers by the employer. The policies should stipulate the circumstances under which the employer may access information on a computer or, more broadly, on its network. They should confirm that information and data sent over the network remain the employer's property, and that employees who wish to keep personal communications private should not send them over the employer's network. Such policies do not, however, guarantee that a review of an employee's personal information will be upheld as reasonable rather than privacy-invasive.
What organizations should do to address the situation
Privacy is an integral part of individuals' lives and needs to be strongly upheld. In any organization, it is the duty of management to protect employee privacy by creating policies that support it. Upholding the privacy of employees' information is vital because it directly or indirectly affects employee productivity. Management is responsible for protecting employee information and data, and there are several ways of protecting sensitive employee data. One is to develop formal policies and procedures that clearly define the types of information the organization will protect and the methods it will use to protect them. The policies should restrict the collection of employee data to legitimate business purposes and ask employees to notify the employer of any unauthorized access to their information. Additionally, the policies should clearly set out the disciplinary measures that will be taken against unauthorized copying, sharing, viewing or use of sensitive employee information.
Moreover, record-keeping laws should be followed closely to ensure the privacy of employee information. Record-keeping and privacy laws require that information be retained only as long as it is necessary. Records should be kept securely through administrative and physical controls that properly safeguard them. Paper records should be kept in a locked room that can be accessed only by individuals authorized by the organization. Electronic records, which are the most common, should be encrypted, password protected and maintained on secure servers. The computer systems storing the information should be evaluated regularly to ensure that malware and newer technology do not compromise the security of the data.
Organizations need to promptly investigate incidents of unauthorized access to the computer systems storing this data. The organization can act on a complaint from an employee about unauthorized access to their records, and it should regularly evaluate the system to identify weaknesses that need improvement in order to secure employee data effectively. Information that is no longer needed should be properly disposed of so that it does not fall into the wrong hands. Some people have malicious motives that lead them to access other people's information without consent; they may take very sensitive information and hold it for ransom, or threaten to expose the person. Organizations should strengthen their data security measures to ensure that their own information and that of their employees is well guarded against unauthorized intrusion (Chory et al., 2016).
Furthermore, organizations should adopt security models that identify the vital information, who can and should be permitted to access it, and the best methods of guarding it, with the help of a reliable IT consultant. Several data security models have proven effective in protecting an organization's data and information. Organizations should choose the model that best meets their needs and incorporate it properly into their systems for maximum protection of their data. A good data security model should be able to detect malicious activity in the organization's systems and support measures that effectively counter that activity. An appropriate model ensures that information and data are well guarded and that no gap is left for unauthorized access by people with ill intent toward the organization. The organization's technical team should incorporate the model into the computer systems so that the organization's data is effectively protected against internal and external threats.
Employers should always uphold their employees' privacy, which remains a vital aspect of their personal lives. Organizations can draw up policies that clearly define the extent to which an employee may use workplace computer systems. The policies should comprehensively cover all aspects of data privacy and computer use at the workplace, to avoid loopholes that may result in workplace conflicts. Without invading employees' privacy, organizations can set rules for the use of computers on their premises. Setting some limits helps the organization avoid conflicts that may arise over data privacy and computer use, and employees will clearly understand what is expected of them and can work toward achieving the organization's objectives and goals (Chua et al., 2018).
Organizations should involve employees when drawing up policies that touch on their welfare at work, giving them a chance to contribute to the development of the policies. Involving employees in policy development makes them feel part of the organization and helps them adhere to the terms and conditions the policies stipulate. Strict adherence to the organization's policies helps move its agenda forward. With well laid out workplace policies, the organization can concentrate on achieving its goals and objectives rather than resolving data issues. Policies, to a great extent, prevent conflict between management and employees and among employees themselves. Organizations should therefore place more emphasis on formulating appropriate policies to act as guiding principles at the workplace, and employees should be involved in the implementation of data and computer use policies, since these policies directly affect their productivity at work.
Question 2
This section explores a case study in which a company suffers a cyber breach: its operational data has been strongly encrypted, halting the company's operations, and the attackers demand a ransom of 5 bitcoin within 48 hours. Based on the protections in place, the IT systems security manager advises the CEO on how to handle the ransom demand and how to recover from the attack.
Ransom payment
When a company's systems have been breached, it is important to reduce the impact of the breach. That impact depends largely on the security controls put in place before the attack, and one of the most important is frequent backup of the systems. In this instance, all operational data is backed up to the cloud hourly, with consecutive backups retained, and this is the basis for advising the CEO not to pay the ransom. Notably, the backups are stored offline on the service provider's servers, with the internet serving only as the channel for transferring the files back to the company's network. It is also important to note that paying the ransom does not necessarily result in decryption of the company's data; payment is no guarantee of recovery. Further, paying the ransom rewards and encourages the attackers, and the company may be marked as a target for future attacks since its management will be seen as willing to pay. Paying criminals is also discouraged by the law, and depending on the jurisdiction and the recipient it may expose the company to legal liability.
The data protection in place minimizes the chances of data exfiltration if the ransom is not paid, so the attackers are unlikely to be able to leak the company's data as a form of industrial sabotage. Protections aimed at minimizing data exfiltration include penetration testing by third parties, which improves the system by identifying vulnerabilities and remediating them. They also include limiting user access and privilege by granting users access only to the data they need, enforced through managed user authentication. Strong authentication and access control are especially important for administrator access, since administrators' logical access covers configuration of operating systems, managed deployment of applications and control of physical access to the technology infrastructure. There is also an audit trail of data access together with an active audit plan, which makes it possible to identify the users and protocols accessing the company's data and to block unauthorized access. Suspicious queries trigger automated alerts that the company's IT department can act on.
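As an added example (not from the original paper), the following Python script shows how the audit trail described above can feed automated alerts. It replays constructed file-access log lines in an assumed key=value format and flags two things: a burst of extension-changing renames by one user inside a short window, which is the file-system signature of a ransomware run, and the creation of a ransom-note-like file. The log format, field names, thresholds and sample lines are assumptions; a real deployment would read the file server's own audit log.

```python
"""Burst detector over a file-access audit trail.

Added example, not part of the original paper. The log format, field names,
thresholds and the sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed audit format: "<ts> user=<u> action=<a> path=<p> [newpath=<p2>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+)(?: newpath=(?P<newpath>\S+))?$"
)
# File names that look like the ransom note dropped next to encrypted files.
NOTE_RE = re.compile(r"(restore|decrypt|recover|readme).*\.(txt|html?)$", re.I)
WINDOW_SECONDS = 60    # look-back window for a rename burst
BURST_THRESHOLD = 5    # extension-changing renames by one user inside the window

# Constructed sample log: normal activity, then one user mass-renaming files.
SAMPLE_LOG = """\
2024-03-05T10:00:01Z user=alice action=read path=/share/finance/q1.xlsx
2024-03-05T10:00:07Z user=alice action=write path=/share/finance/q1.xlsx
2024-03-05T10:05:00Z user=svc_backup action=read path=/share/finance/q1.xlsx
2024-03-05T10:12:00Z user=bob action=rename path=/share/hr/payroll.docx newpath=/share/hr/payroll.docx.locked
2024-03-05T10:12:01Z user=bob action=rename path=/share/hr/benefits.xlsx newpath=/share/hr/benefits.xlsx.locked
2024-03-05T10:12:01Z user=bob action=rename path=/share/hr/contracts.pdf newpath=/share/hr/contracts.pdf.locked
2024-03-05T10:12:02Z user=bob action=rename path=/share/hr/handbook.pdf newpath=/share/hr/handbook.pdf.locked
2024-03-05T10:12:03Z user=bob action=rename path=/share/hr/org.pptx newpath=/share/hr/org.pptx.locked
2024-03-05T10:12:04Z user=bob action=write path=/share/hr/README_RESTORE_FILES.txt
"""


def parse_event(line):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped rather than silently trusted
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def extension_changed(src, dst):
    """True when a rename gives the file a different final extension."""
    return src.rsplit(".", 1)[-1].lower() != dst.rsplit(".", 1)[-1].lower()


def detect_ransomware_activity(lines):
    """Return a list of alert dicts, in the order the triggering events occur."""
    alerts = []
    renames = defaultdict(deque)  # user -> timestamps of extension-changing renames
    burst_alerted = set()         # alert once per user, not once per file
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        user, ts, path = ev["user"], ev["ts"], ev["path"]
        if ev["action"] == "rename" and ev["newpath"] and extension_changed(path, ev["newpath"]):
            q = renames[user]
            q.append(ts)
            while (ts - q[0]).total_seconds() > WINDOW_SECONDS:  # drop events outside the window
                q.popleft()
            if len(q) >= BURST_THRESHOLD and user not in burst_alerted:
                burst_alerted.add(user)
                alerts.append({"kind": "rename_burst", "user": user,
                               "at": ts.isoformat(), "count": len(q)})
        target = ev["newpath"] or path
        if ev["action"] in ("write", "rename") and NOTE_RE.search(target.rsplit("/", 1)[-1]):
            alerts.append({"kind": "ransom_note", "user": user,
                           "at": ts.isoformat(), "path": target})
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware_activity(SAMPLE_LOG.splitlines()):
        print(alert)
```

Alerting once per user rather than once per renamed file keeps the alert volume proportional to the number of compromised accounts, which is what the responder needs to know first; the count in the alert tells them how far the encryption had progressed when the threshold was crossed.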
Mitigating cyber breach
Before dealing with the ransom demand and the risk of data exfiltration, certain steps must be taken to contain the breach. First, all infected (encrypted) devices should be disconnected from the network, including desktops, laptops, phones and tablets, whether connected by wire, wirelessly or over mobile networks. Core network connections should be disabled, Wi-Fi should be turned off, and all other internet connections should be disconnected. The credentials for administrator and system accounts should then be reset. This must be done without breaking the recovery process, so that changing credentials such as passwords does not prevent system recovery.
It is also important to report the breach to the Canadian Centre for Cyber Security (the Cyber Centre), which is part of the Communications Security Establishment (CSE). The Cyber Centre can offer support, including decryption expertise where appropriate, and reporting helps it build its capacity to deal with future breaches, especially those involving encryption by attackers. The next step is to try to recover the encrypted devices. Usually only the attacker holds the key needed to decrypt them; the company may engage with the attackers in an attempt to obtain decryption, but the ransom itself should not be paid. Publicly available decryption tools exist for some ransomware families, and these should be tried as well.
If the decryption efforts fail, the infected devices must be rebuilt. This means wiping all infected devices securely so that no residue of the malware remains, and then reinstalling the operating system on each wiped device.
Next, identify a backup that is not infected by the malware. Several backups are stored in the cloud, and the ransomware may have reached the most recent of them, so it is important to determine the most up-to-date backup that is still clean. The best backups are usually those stored offline, since they are less exposed to the attack. In addition to the cloud backups, there are backups on USB devices and external hard drives. Restore the most recent clean backup onto the rebuilt devices. To download, install and update most software, the devices must be connected to the local network, so the network must be confirmed clean before any device is reconnected. The first software to install, ahead of everything else, is the internet security (anti-malware) software, which must be able to protect the devices and the network from viruses and other malware. The intranet can then be reconnected to the internet, and network traffic is monitored to detect and remediate any malicious activity, which includes scanning the devices and the network with the antivirus/internet security software.
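The step of finding the most recent backup that is still clean can be automated. The following Python script is an added example and not part of the original paper: it models the hourly snapshots as in-memory dictionaries of path to file contents (constructed data) and rejects a snapshot if a planted canary file no longer hashes to its known value, if a file carries a ransomware-style extension or a ransom-note name, or if a file in a plain-text format shows the near-maximal byte entropy of ciphertext. The canary path, the extension lists, the thresholds and the sample snapshots are all assumptions.

```python
"""Pick the newest backup snapshot that shows no signs of ransomware.

Added example, not from the original paper. Snapshots are modelled as
in-memory dicts of path -> bytes; a real implementation would read them
from the backup store. Paths, thresholds and the canary are assumptions.
"""
import hashlib
import math
import re
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext is close to 8, plain text is far below
PLAINTEXT_EXTS = (".txt", ".csv", ".sql", ".log", ".json")   # formats that are never high-entropy when healthy
KNOWN_BAD_EXTS = (".locked", ".encrypted", ".crypt")          # assumed examples of ransomware extensions
NOTE_RE = re.compile(r"(restore|decrypt|recover|readme).*\.(txt|html?)$", re.I)

# A canary file planted in the backed-up tree; its hash is recorded when it is planted.
CANARY_PATH = "/backup/.canary.txt"
CANARY_CONTENT = b"canary-v1: do not modify\n"
CANARY_SHA256 = hashlib.sha256(CANARY_CONTENT).hexdigest()

# Constructed sample data: a plain-text ledger, a stand-in for ciphertext
# (every byte value equally likely, so entropy is exactly 8.0), and a ransom note.
CLEAN_LEDGER = b"date,account,amount\n2024-03-01,4010,1250.00\n" * 30
ENCRYPTED_BLOB = bytes(range(256)) * 4
NOTE = b"Your files are encrypted. Send 5 BTC within 48 hours.\n"
LEDGER = "/backup/finance/ledger.csv"

SNAPSHOTS = [  # hourly snapshots, oldest first
    {"taken_at": "2024-03-05T09:00:00Z", "files": {CANARY_PATH: CANARY_CONTENT, LEDGER: CLEAN_LEDGER}},
    {"taken_at": "2024-03-05T10:00:00Z", "files": {CANARY_PATH: CANARY_CONTENT, LEDGER: CLEAN_LEDGER}},
    # 11:00: canary still intact, but the ledger is already ciphertext
    {"taken_at": "2024-03-05T11:00:00Z", "files": {CANARY_PATH: CANARY_CONTENT, LEDGER: ENCRYPTED_BLOB}},
    # 12:00: canary overwritten and a ransom note dropped
    {"taken_at": "2024-03-05T12:00:00Z", "files": {CANARY_PATH: b"tampered", LEDGER: ENCRYPTED_BLOB,
                                                   "/backup/finance/README_RESTORE.txt": NOTE}},
]


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 for empty input up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_snapshot(files):
    """Return a sorted list of findings; an empty list means the snapshot looks clean."""
    findings = []
    canary = files.get(CANARY_PATH)
    if canary is None or hashlib.sha256(canary).hexdigest() != CANARY_SHA256:
        findings.append("canary_mismatch")
    for path, content in files.items():
        name = path.rsplit("/", 1)[-1]
        if path.lower().endswith(KNOWN_BAD_EXTS):
            findings.append(f"bad_extension:{path}")
        if NOTE_RE.search(name):
            findings.append(f"ransom_note:{path}")
        # Entropy check only on formats that are plain text when healthy.
        if path.lower().endswith(PLAINTEXT_EXTS) and shannon_entropy(content) > ENTROPY_THRESHOLD:
            findings.append(f"high_entropy:{path}")
    return sorted(findings)


def select_latest_clean_snapshot(snapshots):
    """Newest snapshot with no findings, or None if every snapshot is suspect."""
    for snap in sorted(snapshots, key=lambda s: s["taken_at"], reverse=True):
        if not inspect_snapshot(snap["files"]):
            return snap
    return None


if __name__ == "__main__":
    chosen = select_latest_clean_snapshot(SNAPSHOTS)
    print("restore from:", chosen["taken_at"] if chosen else "no clean snapshot")
```

The entropy check is deliberately restricted to plain-text formats: compressed formats such as DOCX, PDF and ZIP are high-entropy when healthy, so applying it to them would reject every snapshot. In the sample data the 10:00 snapshot is chosen, because the 11:00 copy already contains an encrypted ledger even though its canary is intact, which is why a canary alone is not a sufficient test.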
After the attack
Once the breach has been overcome, it is important to review the controls used to prevent and recover from cyber attacks. This includes reviewing security training for users, which should be updated so that users are aware of, and can recognize, the latest phishing and typosquatting attacks. It is also important to ensure that all devices are patched by installing the latest patches for systems and servers; patching the operating system and other software reduces the risk of a future breach. The company's backup and disaster recovery arrangements should also be tested and updated to address any weaknesses identified, so that future attacks cause minimal loss of data or productivity. Keeping systems continuously updated ensures that current versions are in use and that the company keeps pace with emerging data security practice. It is therefore advisable that the backup and disaster recovery systems be tailored to the needs of the company.
The company should also consider adopting advanced endpoint security, which uses machine learning and artificial intelligence in system protection and is more effective than conventional internet security software. Spam and phishing are among the most common delivery vectors for ransomware, so the company must add further layers of security to its email system, including content filtering software. Endpoint security helps protect the organization's data against internal and external attack. Further, two-factor authentication on email and remote-access accounts limits what an attacker can do with credentials stolen through phishing, and so reduces the chance of email being used to spread malware and ransomware within the organization. It is an inexpensive control that reduces the risk of a ransomware attack (Stewart & Jürjens, 2017).
Data security is very important because it safeguards the organization's data for future use. Organizations should educate all their employees on the need to protect data from manipulation by external parties or by untrustworthy individuals within the organization. System administrators should track users' actions and hold users accountable for their activities, and organizations should install dependable means of monitoring who performs operations on the data and how. With the constantly changing trends in cybercrime, organizations should invest adequately in data security to ensure that their information is protected from unauthorized personnel. Keeping data security systems continuously updated ensures that current versions are in use and that the organization keeps pace with emerging security practice. Outdated data and information should be properly disposed of so that they do not fall into the wrong hands.
References
Chory, R. M., Vela, L. E., & Avtgis, T. A. (2016). Organizational surveillance of computer-mediated workplace communication: employee privacy concerns and responses. Employee Responsibilities and Rights Journal, 28(1), 23-43.
Chua, H. N., Wong, S. F., Low, Y. C., & Chang, Y. (2018). Impact of employees' demographic characteristics on the awareness and compliance of information security policy in organizations. Telematics and Informatics, 35(6), 1770-1780.
Jochelson, R., & Doerksen, M. (2016). The Supreme Court of Canada presents The surveillant charter and the judicial creation of police powers in Canada. In National Security, Surveillance and Terror (pp. 75-97). Palgrave Macmillan, Cham.
Stewart, H., & Jürjens, J. (2017). Information security management and the human aspect of organizations. Information & Computer Security.
https://sbshrs.adpinfo.com/blog/9-ways-to-protect-sensitive-employee-information
https://www.carters.ca/pub/bulletin/charity/2012/chylb295.htm
https://compliancecosmos.org/privacy-issues-organizations