
6/10/2015

1

McGraw-Hill-Ryerson ©2015 The McGraw-Hill Companies, All Rights Reserved

Opening Case: The Privacy Commissioner of Canada’s Work

10-2 Copyright © 2015 McGraw-Hill Ryerson Limited

Chapter Ten Overview

• SECTION 10.1 – INFORMATION ETHICS AND PRIVACY
– Introduction
– Information Ethics
– Information Privacy
– Developing Information Management Policies

• SECTION 10.2 – INFORMATION SECURITY
– Introduction
– Protecting Information
– Protecting Data
– People: The First Line of Defence
– The Second Line of Defence: Technology


Learning Outcomes

1. Explain what information ethics is and its importance in the workplace.

2. Describe what information privacy is and the differences in privacy legislation around the world.

3. Identify the differences between various information ethics and privacy policies in the workplace.

4. Describe information security, and explain why people are the first line of defence for protecting information.

5. Describe how information technologies can be used to enhance information security.


INFORMATION ETHICS AND PRIVACY


Introduction

• Ethics
– The principles and standards that guide our behaviour towards other people

• Privacy is a major ethical issue
– Privacy is the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent
– Confidentiality is the assurance that messages and information are available only to those who are authorized to view them


Technology-Related Ethical Issues & Concepts (Figure 10.1)

• Intellectual Property: Intangible creative work that is embodied in physical form
• Copyright: The legal protection afforded an expression of an idea, such as a song, video game, and some types of proprietary documents
• Fair Dealing: The principle by which, in certain situations, it is legal to use copyrighted material
• Pirated Software: Copyrighted software that is used, duplicated, or sold without authorization by the copyright holder
• Counterfeit Software: Software that is manufactured to look like the real thing and sold as such


Trust Supports Business

Trust between companies, partners, and suppliers is the support structure of business, in particular e-business.

Primary Reasons Privacy Issues Reduce Trust for E-Business (from Figure 10.2):

1. There is a loss of personal privacy.
2. Internet users are more inclined to purchase a product on a website that has a privacy policy.
3. Effective privacy would convert more Internet users to Internet buyers.


Information Ethics

Acting Ethically and Legally Are Not Always the Same (Figure 10.4)

• Ethics
– The principles and standards that guide our behaviour towards other people

• Information Ethics
– The ethical and moral issues arising from the development and use of information technologies, as well as the creation, duplication, processing and distribution of information itself


Information Has No Ethics

Examples of Ethically Questionable or Unacceptable Use of Information Systems (from Figure 10.3):

• Individuals copy, use and distribute software.
• Employees search organizational databases for sensitive corporate and personal information.
• Organizations collect, buy, and use information without checking the validity or accuracy of the information.
• Individuals create and spread viruses that cause trouble for those using and maintaining information systems.
• Individuals hack into computers to steal proprietary information.
• Employees destroy or steal proprietary organizational information such as schematics, sketches, customer lists and reports.


Information & Ethical Concerns

• Information Ethics in the Workplace
– Replacing people with computers, one set of boring jobs with a new set of boring jobs

• Systems & Respect for Human Dignity
– “Dehumanizing” jobs, making jobs overly regimented & inflexible, disrespecting human intelligence
– Health & safety concerns from poorly designed interfaces

• Tracking People’s Activities
– Monitoring Web browsing and social media use at work
– Cyberstalking: tracking individuals through social media for malicious or criminal reasons
– Spyware: unauthorized tracking of browsing


Employee Monitoring

Effects of Employee Monitoring (from Figure 10.5):

• Employee absenteeism reached its highest point in several years in 2009.
• Studies indicate that electronic monitoring results in lower job satisfaction, in part because people begin to believe the quantity of their work is more important than the quality.
• Electronic monitoring also induces what psychologists call “psychological reactance”: the tendency to rebel against constraint.


Protecting Digital Content

Canada’s Copyright Modernization Act received royal assent on June 29, 2012. Key changes include:

• Legalizing format shifting
• Legalizing time shifting
• Allowing backup copies of content to be made against loss or damage
• Allowing “mash-ups” (creating a blend of copies) if not for re-sale
• Enacting a system where copyright holders can inform ISPs of possible piracy by their customers


Protecting Digital Content (continued)

Additional changes from Canada’s Copyright Modernization Act include:

• Protecting search engines and ISPs from the copyright violations of their users
• Differentiating commercial and individual copyright violations in terms of penalties
• Expanding the meaning of fair dealing to include the purposes of parody, satire and education
• Criminalizing cracking a digital lock placed on a device, disc, or file


Information Privacy

How personal information is collected and shared

• Personal Information
– Data or information that can be directly related to an identified person
– Regardless of data format and content

• Breaches of Information Privacy
– Not about preventing the collection of information needed to complete business transactions
– Breaches occur with inappropriate disclosure or unauthorized access

• Protecting Personal Data
– Just as steps are taken to protect physical assets, personal information must be proactively protected


Information Privacy in Europe

• Strong Privacy Laws
– Directives indicate the required results but allow EU members to determine their own methods

• Citizens are granted the following rights:
– To know the source of the personal data processing and the purpose of such processing
– To access and/or rectify inaccuracies in one’s personal data
– To disallow the use of personal data, with the proviso that personal data can only be transferred outside the borders to countries offering the same level of protection
– Based on eight key principles that have also been adopted in Canada


Information Privacy in the US

• Less centralized approach than in Canada or Europe
– No single encompassing law
– Access to public information is culturally acceptable

• Exceptions:
– California legislates an individual’s inalienable right to privacy, and the 2003 Online Privacy & Protection Act ensures websites post privacy policies
– COPPA, a US federal law established in 1998, governs the collection of personal information from children under 13
– HIPAA, 1996, protects personal health care information


Information Privacy in Canada

• Federal Legislation
– PIPEDA (Personal Information Protection and Electronic Documents Act) follows the European model and governs all organizations dealing with the federal government and all for-profit commercial organizations except those operating entirely within a specific province
– The Privacy Act protects personal information collected and used by the Federal Government
– The Bank Act is an example of a federal law with specific privacy protections, in this case for financial data held by financial institutions

• Provincial Legislation
– Each province has its own ‘public-sector’ legislation
– Almost all provinces have the equivalent of PIPEDA to govern those enterprises operating only within provincial boundaries


Ten Guiding Principles of PIPEDA for Organizations (Figure 10.6)

1. Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.

2. Identifying Purpose: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

3. Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except when inappropriate.

4. Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.


Ten Guiding Principles of PIPEDA for Organizations (Figure 10.6, continued)

5. Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

6. Accuracy: Personal information shall be as accurate, complete, and up to date as is necessary for the purposes for which it is to be used.

7. Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.


Ten Guiding Principles of PIPEDA for Organizations (Figure 10.6, continued)

8. Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

9. Individual Access: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the individual or individuals designated as accountable for the organization’s compliance.


Developing Information Management Policies

Overview of E-Policies (Figure 10.7)

E-Policies are guidelines and procedures that encourage ethical use of computers and the Internet in business.


Ethical Computer Use and Information Privacy E-Policies

• Ethical Computer Use Policy
– Established as an essential step in creating an ethical corporate culture
– Ensures that employees know how to behave; communicates expectations and penalties
– Control should be by informed consent through corporate training or other forms of education and direction

• Information Privacy Policy
– Contains general principles regarding information privacy
– Processes and penalties should prevent not only unauthorized access to information for malicious or fraudulent reasons but also accidental, non-malicious access that may have equally serious repercussions


Acceptable Use and Internet Use E-Policies

• Acceptable Use Policy
– Requires the user to agree to follow it to be provided access to corporate email, information systems, and the Internet
– Nonrepudiation is a contractual stipulation that ensures a user cannot later deny their actions; Acceptable Use Policies often have nonrepudiation clauses
– Also included are stipulations for lawful use and respect of others in the community and outside

• Internet Use Policy
– Describes the Internet services available to the user
– Defines the purpose of Web access and any restrictions to it
– Describes guidelines for protecting the user and the company
– States penalties if the policy is violated


Email Privacy

• Email Privacy Policy
– Details the extent to which email may be read by others
– Defines legitimate email uses and responsibly manages accounts after an employee has left the company
– Explains backup procedures to employees
– Discourages junk mail or SPAM
– Prohibits disruptive email behaviour
– Describes legitimate grounds for reading employee mail
– Limits the organization’s responsibility for mail leaving the organization
– Some companies include a specific Anti-Spam policy to restrict the sending of unsolicited mail


Managing Email Privacy

Email Is Stored on Multiple Computers (Figure 10.8)


Social Media Policy

• Social Media is public communication not controlled by a company, but concerning it, that can be beneficial or risky
– A Social Media Policy outlines guidelines or principles that should govern employee online communications about the company
– Should include blog and personal blog policies
– Covers employee social network and personal social network policies, including Facebook, Twitter, LinkedIn and YouTube
– Controls communications detailing brand activity and organizational proprietary information of any kind


Workplace Monitoring Policy

• Workplace monitoring is a risk management obligation
– Ensures that actions and activities harmful to the organization are discovered and terminated or deterred
– Is virtually unregulated; employees should act as though they are being observed
– Workplace MIS monitoring tracks computer activity by number of keystrokes, error rate, transactions processed, etc.
– An Employee Monitoring Policy provides transparency and informs employees when, how, why and where the company is watching
– Should provide specific details as appropriate, indicate the consequences of violating the policy, and enforce the policy evenly


Internet Monitoring Technologies (Figure 10.9)

• Key logger or key trapper software: A program that records every keystroke and mouse click a user makes.
• Hardware key logger: A device that captures keystrokes on their way from the keyboard to the motherboard.
• Cookie: A small file deposited on the user’s hard drive to record browsing information.
• Adware: Software attached to a download that generates ads on a user’s machine.
• Spyware (sneakware or stealthware): An unauthorized app hidden within legitimate software to record browsing behaviour.
• Web log: Browser data stored on a web server.
• Clickstream: Records user browsing sessions, including which websites were visited, for how long, and what was viewed or purchased.


OPENING CASE QUESTIONS

The Privacy Commissioner of Canada’s Work

1. Why is protecting personal information in the best interests of both Canadians and the Government of Canada?
2. What policies has the Government of Canada implemented to protect citizen information privacy?
3. What lessons can be learned from the opening case study that will help other organizations better protect the personal information they collect?
4. How does the recent trend of governments allowing public access to data raise awareness of the need for governments to embrace privacy planning as part of normal, everyday business practice?


Data Warehousing


Sources of Unplanned Downtime (Figure 10.10)


The Cost of Downtime (Figure 10.11)


Protecting Information

• Vulnerabilities to an organization can occur for reasons that have nothing to do with IS decisions.
– Moving smoking outside opened a security door
– Loss of CDs sent through internal mail caused a breach of customer information
– Poor hiring practices lead to negligent and malicious employees

• Data and information are intangible; it is difficult to know what is not secure, stolen or re-directed.
• Solid security processes & practices are critical.
• Information security is a broad term encompassing the protection of information assets from accidental or intentional misuse.


Data Backup and Recovery

Data Backup and Recovery, Disaster Recovery, and Business Continuity Planning (Figure 10.12)


Disaster Recovery

• Disaster
– Natural: such as flood, fire, earthquake; Malicious: such as hackers; Negligence: due to employee ignorance, fatigue, or human fallibility

• Fault Tolerance
– A system that has a backup component ready for when a component does collapse

• Failover
– Provides a secondary system to take over the duties of one that becomes unavailable

• Disaster Recovery Plan
– A detailed process for regaining data and making the system operationally available again

• Hot Site: A fully equipped failover facility
• Cold Site: A separate wired facility to which a company can move


Business Continuity Planning

A plan for the recovery and restoration of partly or completely interrupted critical business functions within a pre-determined time after a disaster or extended disruption.

1. Establish a committee that makes sure control is established after a disaster.
2. Ensure a business impact analysis exists to identify the organization’s goals and priorities.
3. Ensure plans, measures and arrangements are available for the business to continue operating.
4. Establish quality assurance techniques to assess the plan’s accuracy, relevance and effectiveness, and to identify weak spots.


Disaster Recovery Cost Curve (Figure 10.13)


Securing Data

• Prevent system intrusion
– Network security management
– Anti-SPAM
– Content filtering
– Upgrade encryption

• Apply patches, which are sent out by software companies to correct anomalies in the applications that otherwise could be exploited
• Train employees in safe computing practices such as password protection


People: The First Line of Defence

• A Computer Security Survey reported that 41.1% of respondents had experienced a security incident

• Insiders
– Legitimate users who maliciously or accidentally create a computer incident
– Most computer incidents are due to insiders

• Social Engineering
– Techniques to persuade people to do something against policy or the law
– Used by hackers to get insiders to give them access to the system
– Employees need to be trained to resist these techniques


Information Security Plan Objectives (Figure 10.14)


Information Security Plan Objectives (Figure 10.15)


Top 10 Questions Managers Should Ask Regarding Information Security (Figure 10.16)


Authentication and Authorization

• Authentication
– Method for confirming user identity
– Something a user knows (password), something a user has (smart card, ID), something that is a part of a user (biometric)
– Biometrics identify a user through a unique physical attribute of the user, such as a fingerprint or retinal scan
– Identity Theft is fraud that occurs when the perpetrator uses a victim’s personal information to fraudulently acquire their assets

• Authorization
– Giving someone permission to do something
– Different degrees of data access
– Read, Read-Write, Read-Write-Copy privileges
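A concrete illustration of the three privilege tiers named above (Read, Read-Write, Read-Write-Copy), added here as example code rather than anything from the textbook: the users, the resource name and the denial log are constructed, and the check refuses any action above the holder's tier and records the refusal so that repeated attempts to exceed a grant can be reviewed.

```python
"""Tiered authorization with an audit trail of refused requests.
Example code added for illustration; users, resources and the log
format are constructed, not taken from the textbook."""
from collections import Counter
from dataclasses import dataclass, field
from enum import IntEnum


class Privilege(IntEnum):
    """The slide's tiers; a higher tier includes the actions of the lower ones."""
    READ = 1
    READ_WRITE = 2
    READ_WRITE_COPY = 3


# Minimum tier each action requires.
REQUIRED = {
    "read": Privilege.READ,
    "write": Privilege.READ_WRITE,
    "copy": Privilege.READ_WRITE_COPY,
}


@dataclass
class AccessControl:
    # (user, resource) -> Privilege; no entry means no access at all.
    grants: dict = field(default_factory=dict)
    # Audit trail of refused requests: (user, resource, action, reason).
    denied: list = field(default_factory=list)

    def grant(self, user: str, resource: str, privilege: Privilege) -> None:
        self.grants[(user, resource)] = privilege

    def authorize(self, user: str, resource: str, action: str) -> bool:
        """Allow only when the user holds at least the tier the action needs."""
        if action not in REQUIRED:
            self.denied.append((user, resource, action, "unknown action"))
            return False
        held = self.grants.get((user, resource))
        if held is None:
            self.denied.append((user, resource, action, "no grant"))
            return False
        if held < REQUIRED[action]:
            self.denied.append((user, resource, action,
                                f"holds {held.name}, needs {REQUIRED[action].name}"))
            return False
        return True

    def probing_users(self, threshold: int = 3) -> list:
        """Users whose denial count reaches the threshold: repeated attempts
        to act above one's tier are worth a review, whatever the motive."""
        counts = Counter(user for user, _, _, _ in self.denied)
        return sorted(u for u, n in counts.items() if n >= threshold)


def demo() -> dict:
    """Constructed scenario: three staff with different tiers on one customer list."""
    ac = AccessControl()
    ac.grant("alice", "customer_list", Privilege.READ)
    ac.grant("bob", "customer_list", Privilege.READ_WRITE)
    ac.grant("carol", "customer_list", Privilege.READ_WRITE_COPY)
    results = {
        "alice_read": ac.authorize("alice", "customer_list", "read"),
        "alice_write": ac.authorize("alice", "customer_list", "write"),
        "alice_copy": ac.authorize("alice", "customer_list", "copy"),
        "bob_write": ac.authorize("bob", "customer_list", "write"),
        "bob_copy": ac.authorize("bob", "customer_list", "copy"),
        "carol_copy": ac.authorize("carol", "customer_list", "copy"),
        "dave_read": ac.authorize("dave", "customer_list", "read"),  # never granted
    }
    results["probing"] = ac.probing_users(threshold=2)
    results["denials"] = len(ac.denied)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```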


Examples of Identity Theft (Figure 10.17)


Methods to Secure Data

• Prevention & Resistance
– An Intrusion Detection System (IDS) monitors incoming network traffic and flags any communication, usually at the packet level, that does not conform to the usual patterns

• Content Filtering
– An application that reviews the content of incoming and outgoing network traffic to prevent the transmission of confidential information, SPAM, and viruses

• Encryption
– Systems that encode and decode messages
– Public Key Encryption (PKE) provides a public key for anyone wishing to send a message to a recipient whose private key is the only one that can decrypt the message


Public Key Encryption (PKE) System (Figure 10.18)


Methods to Secure Data (continued)

• Firewalls
– Hardware or software that guards a private network by analyzing data entering and leaving it
– Detects machine-to-machine interaction as well as human-sourced transmissions

• Detection and Response
– Based on the premise that prevention is never 100%
– Provides corrective procedures for unauthorized intrusion into the system once an event happens
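The firewall described here and the IDS from the previous slide, as an added example (not from the textbook): a default-deny packet filter driven by an ordered rule list, beside an anomaly check that learns the usual ports and packet sizes from a constructed baseline and flags packets outside them. The rules, addresses and packets are invented for the demonstration; the last sample packet is one the firewall allows but the IDS still flags, which is why detection sits alongside prevention.

```python
"""Firewall rule evaluation plus a simple anomaly-based intrusion detection
check over constructed packet records. Example code, not from the textbook;
the rules, addresses and packets below are invented."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = entering the private network, "out" = leaving it
    src: str
    dst: str
    port: int       # destination port
    size: int       # bytes


@dataclass(frozen=True)
class Rule:
    direction: str
    port: Optional[int]  # None matches any port
    action: str          # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return pkt.direction == self.direction and self.port in (None, pkt.port)


# Evaluated top to bottom; the first match decides. Nothing matched => deny.
RULES = [
    Rule("in", 443, "allow"),   # public HTTPS service
    Rule("in", 25, "allow"),    # inbound mail
    Rule("in", None, "deny"),   # every other inbound connection
    Rule("out", 23, "deny"),    # no cleartext telnet leaving the network
    Rule("out", None, "allow"),
]


def firewall(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Return 'allow' or 'deny' for one packet (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class Ids:
    """Learns the usual (direction, port) pairs and packet sizes from a
    baseline, then flags packets that do not conform to those patterns."""

    def __init__(self, baseline: List[Packet]):
        self.usual_ports = {(p.direction, p.port) for p in baseline}
        sizes = [p.size for p in baseline]
        # More than three standard deviations above the baseline mean is unusual.
        self.size_limit = mean(sizes) + 3 * pstdev(sizes)

    def flag(self, pkt: Packet) -> List[str]:
        reasons = []
        if (pkt.direction, pkt.port) not in self.usual_ports:
            reasons.append("unusual port")
        if pkt.size > self.size_limit:
            reasons.append("unusual size")
        return reasons


# Constructed baseline: ordinary HTTPS traffic in both directions.
BASELINE = (
    [Packet("in", "203.0.113.5", "10.0.0.2", 443, s) for s in (500, 520, 480, 510)]
    + [Packet("out", "10.0.0.7", "198.51.100.9", 443, s) for s in (300, 320, 290, 310)]
)


def inspect(packets: List[Packet], ids: Ids) -> List[dict]:
    """Run both controls over each packet and report what each one decided."""
    return [{"port": p.port, "firewall": firewall(p), "ids": ids.flag(p)}
            for p in packets]


def demo() -> List[dict]:
    ids = Ids(BASELINE)
    sample = [
        Packet("in", "203.0.113.5", "10.0.0.2", 443, 505),       # normal web request
        Packet("in", "198.51.100.77", "10.0.0.2", 3389, 400),    # inbound remote desktop: denied, flagged
        Packet("out", "10.0.0.7", "198.51.100.9", 23, 100),      # outbound telnet: denied, flagged
        Packet("out", "10.0.0.7", "203.0.113.200", 443, 9000),   # allowed, but far larger than usual
    ]
    return inspect(sample, ids)
```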


Public Key Encryption (PKE) System

Sample Firewall Architecture Connecting Systems Located in Toronto, New York and Munich (Figure 10.19)


Types of Hackers (Figure 10.20)


Types of Malicious Software (Malware) (Figure 10.21)


Technology-Related Ethical Issues & Concepts (from Figure 10.22)

• Elevation of Privilege: A user misleads a system into granting unauthorized rights.
• Hoaxes: A real virus is transmitted in a message appearing to be a harmless hoax virus.
• Malicious Code: The broad term describing a variety of threats including viruses, worms and Trojans.
• Sniffer: A program or device that can monitor data travelling over a network.
• Packet tampering: Consists of altering the content of packets as they travel over the Internet.
• Pharming: Reroutes requests for legitimate websites to false ones to collect user information.


OPENING CASE QUESTIONS (continued)

The Privacy Commissioner of Canada’s Work

5. In the example, how can the company’s embrace of privacy mitigate future information security problems?

6. What is the biggest information security roadblock facing organizations attempting to achieve compliance with privacy legislation?

7. Can technology alone guarantee that information is kept secure? Why or why not?

8. Unfortunately, privacy and security breaches are a common occurrence in organizations today. What recent privacy and security breaches have been in the media lately? Do you think things will get worse before they get better? How can organizations better prepare themselves against future privacy and security breaches?


CLOSING CASE ONE: WestJet Accepts Blame for Spying on Air Canada

1. Was WestJet’s access to Air Canada’s website information ethical? Legal? Explain.

2. How common in organizations is unauthorized access to private competitor information?

3. Does Air Canada have any responsibility in WestJet’s ability to access Air Canada’s private information? Explain.

4. What people measures could Air Canada implement to prevent future unauthorized access to private information?

5. What technology measures might Air Canada implement to prevent future unauthorized access to private information?


CLOSING CASE TWO: Information Ethics and Privacy Issues with Facebook Make Headlines

1. Was Nationale Suisse justified in its online monitoring of employees who called in sick? If companies want to conduct such monitoring activities, what steps can they take to lessen negative backlash from the public and their employees? What steps can employees take?

2. Do you think the Privacy Commissioner went too far in her demands? Is this a bit of “much ado about nothing”?

3. Will the changes that Facebook implements to address the Commissioner’s concerns negatively affect the site in any way? What do you think the average Facebook user thinks of the new features?


CLOSING CASE TWO (continued): Information Ethics and Privacy Issues with Facebook Make Headlines

4. Do you know of any other examples in the popular press that showcase information ethics or privacy issues with the use of social networking sites like Facebook?

5. Does the above case make you wish to change how you use Facebook in any way?


CLOSING CASE THREE: Thinking Like the Enemy

1. How could an organization benefit from attending one of the courses offered at the Intense School?

2. What are the two primary lines of security defence, and how can organizational employees use the information taught by the Intense School when drafting an information security plan?

3. If your employer sent you to take a course at the Intense School, what type of course would interest you and why?

4. What ethical dilemmas are involved in having such a course offered by a private company?