6/10/2015
1
McGraw-Hill-Ryerson ©2015 The McGraw-Hill Companies, All Rights Reserved
Opening Case:
The Privacy Commissioner of Canada’s Work
10-2 Copyright © 2015 McGraw-Hill Ryerson Limited
Chapter Ten Overview
• SECTION 10.1 – INFORMATION ETHICS AND PRIVACY
– Introduction
– Information Ethics
– Information Privacy
– Developing Information Management Policies
• SECTION 10.2 – INFORMATION SECURITY
– Introduction
– Protecting Information
– Protecting Data
– People: The First Line of Defence
– The Second Line of Defence: Technology
Learning Outcomes
1. Explain what information ethics is and its importance in the workplace.
2. Describe what information privacy is and the differences in privacy legislation around the world.
3. Identify the differences between various information ethics and privacy policies in the workplace.
4. Describe information security, and explain why people are the first line of defence for protecting information.
5. Describe how information technologies can be used to enhance information security.
SECTION 10.1 – INFORMATION ETHICS AND PRIVACY
Introduction (Learning Outcome 10.1)
• Ethics
– The principles and standards that guide our behaviour towards other people
• Privacy is a major ethical issue
– Privacy is the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent
– Confidentiality is the assurance that messages and information are available only to those who are authorized to view them
Technology-Related Ethical Issues & Concepts (Figure 10.1; Learning Outcome 10.1)
• Intellectual Property – Intangible creative work that is embodied in physical form
• Copyright – The legal protection afforded an expression of an idea, such as a song, video game, and some types of proprietary documents
• Fair Dealing – The principle by which, in certain situations, it is legal to use copyrighted material
• Pirated Software – Copyrighted software that is used, duplicated, or sold without authorization by the copyright holder
• Counterfeit Software – Software that is manufactured to look like the real thing and sold as such
Trust Supports Business (Learning Outcome 10.1)
Trust between companies, partners, and suppliers is the support structure of business, in particular e-business.
Primary Reasons Privacy Issues Reduce Trust for E-Business (from Figure 10.2):
1. There is a loss of personal privacy.
2. Internet users are more inclined to purchase a product on a website that has a privacy policy.
3. Effective privacy would convert more Internet users to Internet buyers.
Information Ethics (Learning Outcome 10.1)
Figure 10.4: Acting Ethically and Legally Are Not Always the Same
• Ethics – The principles and standards that guide our behaviour towards other people
• Information Ethics – The ethical and moral issues arising from the development and use of information technologies, as well as the creation, duplication, processing and distribution of information itself
Information Has No Ethics (Learning Outcome 10.1)
Examples of Ethically Questionable or Unacceptable Use of Information Systems (from Figure 10.3):
• Individuals copy, use and distribute software.
• Employees search organizational databases for sensitive corporate and personal information.
• Organizations collect, buy, and use information without checking the validity or accuracy of the information.
• Individuals create and spread viruses that cause trouble for those using and maintaining information systems.
• Individuals hack into computers to steal proprietary information.
• Employees destroy or steal proprietary organizational information such as schematics, sketches, customer lists and reports.
Information & Ethical Concerns (Learning Outcome 10.1)
• Information Ethics in the Workplace
– Replacing people with computers, one set of boring jobs with a new set of boring jobs
• Systems & Respect for Human Dignity
– “Dehumanizing” jobs, making jobs overly regimented & inflexible, disrespecting human intelligence
– Health & safety concerns from poorly designed interfaces
• Tracking People’s Activities
– Monitoring Web browsing and social media use at work
– Cyberstalking – tracking individuals through social media for malicious or criminal reasons
– Spyware – unauthorized tracking of browsing
Employee Monitoring (Learning Outcome 10.1)
Effects of Employee Monitoring (from Figure 10.5):
• Employee absenteeism reached its highest point in several years in 2009.
• Studies indicate that electronic monitoring results in lower job satisfaction, in part because people begin to believe the quantity of their work is more important than the quality.
• Electronic monitoring also induces what psychologists call “psychological reactance”: the tendency to rebel against constraint.
Protecting Digital Content (Learning Outcome 10.1)
Canada’s Copyright Modernization Act received royal assent on June 29, 2012. Key changes include:
• Legalizing format shifting
• Legalizing time shifting
• Allowing backup copies of content to be made against loss or damage
• Allowing “mash-ups” (blends of copied content) if not for resale
• Enacting a system whereby copyright holders can inform ISPs of possible piracy by their customers
Protecting Digital Content (continued) (Learning Outcome 10.1)
Additional changes from Canada’s Copyright Modernization Act include:
• Protecting search engines and ISPs from copyright violations of their users
• Differentiating commercial and individual copyright violations in terms of penalties
• Expanding the meaning of fair dealing to include the purposes of parody, satire and education
• Criminalizing cracking a digital lock placed on a device, disc, or file
Information Privacy (Learning Outcome 10.2)
How personal information is collected and shared
• Personal Information
– Data or information that can be directly related to an identified person
– Regardless of data format and content
• Breaches of Information Privacy
– Not about preventing the collection of information needed to complete business transactions
– Breaches occur with inappropriate disclosure or unauthorized access
• Protecting Personal Data
– Just as steps are taken to protect physical assets, personal information must be proactively protected
Information Privacy in Europe (Learning Outcome 10.2)
• Strong Privacy Laws
– Directives indicate the required results but allow EU members to determine their own methods
– Based on eight key principles that have also been adopted in Canada
• Citizens are granted the following rights:
– To know the source of the personal data processing and the purpose of such processing
– To access and/or rectify inaccuracies in one’s personal data
– To disallow the use of personal data, with the proviso that personal data can only be transferred outside the borders to countries offering the same level of protection
Information Privacy in the US (Learning Outcome 10.2)
• Less centralized approach than in Canada or Europe
– No single encompassing law
– Access to public information is culturally acceptable
• Exceptions:
– California legislates an individual’s inalienable right to privacy, and its 2003 Online Privacy & Protection Act ensures websites post privacy policies
– COPPA, a US federal law established in 1998, governs the collection of personal information from children under 13
– HIPAA (1996) protects personal health care information
Information Privacy in Canada (Learning Outcome 10.2)
• Federal Legislation
– PIPEDA (Personal Information Protection and Electronic Documents Act) follows the European model and governs all organizations dealing with the federal government and all for-profit commercial organizations, except those operating entirely within a specific province.
– The Privacy Act protects personal information collected and used by the Federal Government.
– The Bank Act is an example of a federal law with specific privacy protections, in this case for financial data held by financial institutions.
• Provincial Legislation
– Each province has its own ‘public-sector’ legislation
– Almost all provinces have the equivalent of PIPEDA to govern those enterprises operating only within provincial boundaries
Ten Guiding Principles of PIPEDA for Organizations (Figure 10.6; Learning Outcome 10.2)
1. Accountability – An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
2. Identifying Purpose – The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
3. Consent – The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except when inappropriate.
4. Limiting Collection – The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
5. Limiting Use, Disclosure, and Retention – Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
6. Accuracy – Personal information shall be as accurate, complete, and up to date as is necessary for the purposes for which it is to be used.
7. Safeguards – Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
8. Openness – An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
9. Individual Access – Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging Compliance – An individual shall be able to address a challenge concerning compliance with the above principles to the individual or individuals designated as accountable for the organization’s compliance.
Developing Information Management Policies (Learning Outcome 10.3)
Figure 10.7: Overview of E-Policies
E-Policies are guidelines and procedures that encourage ethical use of computers and the Internet in business.
Ethical Computer Use and Information Privacy E-Policies (Learning Outcome 10.3)
• Ethical Computer Use Policy
– Established as an essential step in creating an ethical corporate culture
– Ensures that employees know how to behave; communicates expectations and penalties
– Control should be by informed consent through corporate training or other forms of education and direction
• Information Privacy Policy
– Contains general principles regarding information privacy
– Processes and penalties should prevent unauthorized access to information for malicious or fraudulent reasons, but also accidental, non-malicious access that may have equally serious repercussions
Acceptable Use and Internet Use E-Policies (Learning Outcome 10.3)
• Acceptable Use Policy
– Requires the user to agree to follow it in order to be provided access to corporate email, information systems, and the Internet
– Nonrepudiation is a contractual stipulation that users cannot later deny their actions; Acceptable Use Policies often include nonrepudiation clauses
– Also included are stipulations for lawful use and respect of others, in the community and outside it
• Internet Use Policy
– Describes the Internet services available to the user
– Defines the purpose of Web access and any restrictions to it
– Describes guidelines for protecting the user and the company
– States penalties if the policy is violated
Email Privacy (Learning Outcome 10.3)
• Email Privacy Policy
– Details the extent to which email may be read by others
– Defines legitimate email uses and responsibly manages accounts after an employee has left the company
– Explains backup procedures to employees
– Discourages junk mail or SPAM
– Prohibits disruptive email behaviour
– Describes legitimate grounds for reading employee mail
– Limits the organization’s responsibility for mail leaving the organization
– Some companies include a specific Anti-Spam policy to restrict the sending of unsolicited mail
Managing Email Privacy (Learning Outcome 10.3)
Figure 10.8: Email Is Stored on Multiple Computers
Social Media Policy (Learning Outcome 10.3)
• Social Media is public communication not controlled by a company, but concerning it, that can be beneficial or risky
– A Social Media Policy outlines guidelines or principles that should govern employee online communications about the company
– Should include blog and personal blog policies
– Should cover employee social network and personal social network policies, including Facebook, Twitter, LinkedIn and YouTube
– Should control communications detailing brand activity and organizational proprietary information of any kind
Workplace Monitoring Policy (Learning Outcome 10.3)
• Workplace monitoring is a risk management obligation
– Ensures that actions and activities harmful to the organization are discovered and terminated or deterred
– Is virtually unregulated; employees should act as though they are being observed
– Workplace MIS monitoring tracks computer activity by number of keystrokes, error rate, transactions processed, etc.
– An Employee Monitoring Policy provides transparency and informs employees when, how, why and where the company is watching
– Should provide specific details as appropriate, indicate the consequences of violating the policy, and enforce the policy evenly
Internet Monitoring Technologies (Figure 10.9; Learning Outcome 10.3)
• Key logger or key trapper software – A program that records every keystroke and mouse click a user makes.
• Hardware key logger – A device that captures keystrokes on their way from the keyboard to the motherboard.
• Cookie – A small file deposited on the user’s hard drive to record browsing information.
• Adware – Software attached to a download that generates ads on a user’s machine.
• Spyware (sneakware or stealthware) – An unauthorized app hidden within legitimate software to record browsing behaviour.
• Web log – Browser data stored on a web server.
• Clickstream – Records user browsing sessions, including which websites were visited, for how long, and what was viewed or purchased.
OPENING CASE QUESTIONS: The Privacy Commissioner of Canada’s Work
1. Why is protecting personal information in the best interests of both Canadians and the Government of Canada?
2. What policies has the Government of Canada implemented to protect citizen information privacy?
3. What lessons can be learned from the opening case study that will help other organizations better protect the personal information they collect?
4. How does the recent trend of governments allowing public access to data raise awareness of the need for governments to embrace privacy planning as part of normal, everyday business practice?
SECTION 10.2 – INFORMATION SECURITY
Sources of Unplanned Downtime (Figure 10.10; Learning Outcome 10.4)
The Cost of Downtime (Figure 10.11; Learning Outcome 10.4)
Protecting Information (Learning Outcome 10.4)
• Vulnerabilities to an organization can occur for reasons that have nothing to do with IS decisions.
– Moving smoking outside opened a security door
– Loss of CDs sent through internal mail caused a breach of customer information
– Poor hiring practices lead to negligent and malicious employees
• Data and information are intangible, so it is difficult to know what is not secure, stolen or redirected.
• Solid security processes & practices are critical.
• Information security is a broad term encompassing the protection of information assets from accidental or intentional misuse.
Data Backup and Recovery (Learning Outcome 10.4)
Figure 10.12: Data Backup and Recovery, Disaster Recovery, and Business Continuity Planning
Disaster Recovery (Learning Outcome 10.4)
• Disaster
– Natural: such as flood, fire, earthquake; Malicious: such as hackers; Negligence: due to employee ignorance, fatigue, or human fallibility
• Fault Tolerance
– A system that has a backup component ready to take over when a component fails
• Failover
– Provides a secondary system to take over the duties of one that becomes unavailable
• Disaster Recovery Plan
– A detailed process for regaining data and making the system operationally available again
• Hot Site – A fully equipped failover facility
• Cold Site – A separate wired facility to which a company can move
Business Continuity Planning (Learning Outcome 10.4)
A plan for the recovery and restoration of partly or completely interrupted critical business functions within a pre-determined time after a disaster or extended disruption.
1. Establish a committee that makes sure control is established after a disaster.
2. Ensure a business impact analysis exists to identify the organization’s goals and priorities.
3. Ensure plans, measures and arrangements are available for the business to continue operating.
4. Establish quality assurance techniques to assess the plan’s accuracy, relevance and effectiveness, and to identify weak spots.
Disaster Recovery Cost Curve (Figure 10.13; Learning Outcome 10.4)
Securing Data (Learning Outcome 10.4)
• Prevent system intrusion
– Network security management
– Anti-SPAM
– Content filtering
– Upgrade encryption
• Apply patches, which are sent out by software companies to correct anomalies in their applications that could otherwise be exploited
• Train employees in safe computing practices, such as password protection
People: The First Line of Defence (Learning Outcome 10.4)
• A Computer Security Survey reported that 41.1% of respondents had experienced a security incident
• Insiders
– Legitimate users who maliciously or accidentally create a computer incident
– Most computer incidents are due to insiders
• Social Engineering
– Techniques to persuade people to do something against policy or the law
– Used by hackers to get insiders to give them access to the system
– Employees need to be trained to resist these techniques
Information Security Plan Objectives (Figure 10.14; Learning Outcome 10.4)
Information Security Plan Objectives (Figure 10.15; Learning Outcome 10.4)
Top 10 Questions Managers Should Ask Regarding Information Security (Figure 10.16; Learning Outcome 10.5)
Authentication and Authorization (Learning Outcome 10.5)
• Authentication
– Method for confirming user identity
– Something a user knows (password), something a user has (smart card, ID), something that is a part of a user (biometric)
– Biometrics identify a user through a unique physical attribute, such as a fingerprint or retinal scan
– Identity Theft is fraud that occurs when the perpetrator uses a victim’s personal information to fraudulently acquire their assets
• Authorization
– Giving someone permission to do something
– Different degrees of data access
– Read, Read-Write, Read-Write-Copy privileges
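The two gates the slide separates, as an added example that is not from the textbook: a small Python module that authenticates with two of the listed factor categories (a salted password hash for something the user knows, an issued card id for something the user has) and only then authorizes against the Read, Read-Write, Read-Write-Copy degrees of access. The user names, passphrases and card ids are constructed.

```python
"""Authentication vs. authorization, as the slide distinguishes them.

Constructed example, not the textbook's code. Authentication checks two
factor categories (something known, something had); authorization then
enforces the slide's degrees of data access: Read, Read-Write,
Read-Write-Copy.
"""
import hashlib
import hmac
import os
from enum import IntEnum


class Privilege(IntEnum):
    NONE = 0
    READ = 1
    READ_WRITE = 2
    READ_WRITE_COPY = 3


# Minimum privilege each operation needs; the degrees nest, so a higher
# level implies the lower ones.
REQUIRED = {
    "read": Privilege.READ,
    "write": Privilege.READ_WRITE,
    "copy": Privilege.READ_WRITE_COPY,
}

ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Only a salted PBKDF2 hash is stored, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enrol(password: str, card_id: str, privilege: Privilege) -> dict:
    """Create a directory record with a fresh random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "card_id": card_id, "privilege": privilege}


# Constructed user directory (hypothetical users, secrets and card ids).
DIRECTORY = {
    "alice": enrol("correct horse battery staple", "CARD-0001", Privilege.READ_WRITE_COPY),
    "bob": enrol("bob-passphrase-2015", "CARD-0002", Privilege.READ_WRITE),
    "carol": enrol("carol-passphrase-2015", "CARD-0003", Privilege.READ),
}

# Dummy record so an unknown user costs the same time as a known one
# (response timing then does not reveal which usernames exist).
_DUMMY = enrol("unused", "CARD-NONE", Privilege.NONE)


def authenticate(user: str, password: str, card_id: str) -> bool:
    """Something the user knows (password) AND something the user has (card)."""
    record = DIRECTORY.get(user, _DUMMY)
    knows = hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])
    has = hmac.compare_digest(card_id.encode(), record["card_id"].encode())
    return user in DIRECTORY and knows and has


def authorize(user: str, operation: str) -> bool:
    """May this (already authenticated) user perform the operation?"""
    privilege = DIRECTORY.get(user, _DUMMY)["privilege"]
    return privilege >= REQUIRED[operation]


def access(user: str, password: str, card_id: str, operation: str) -> str:
    """Authenticate first, then authorize; report which gate refused."""
    if operation not in REQUIRED:
        return "denied: unknown operation"
    if not authenticate(user, password, card_id):
        return "denied: authentication"
    if not authorize(user, operation):
        return "denied: authorization"
    return f"ok: {user} may {operation}"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "CARD-0001", "copy"))
    print(access("bob", "bob-passphrase-2015", "CARD-0002", "copy"))
    print(access("bob", "wrong", "CARD-0002", "read"))
```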
Examples of Identity Theft (Figure 10.17; Learning Outcome 10.5)
Methods to Secure Data (Learning Outcome 10.5)
• Prevention & Resistance
– An Intrusion Detection System (IDS) monitors incoming network traffic and flags any communication, usually at the packet level, that does not conform to the usual patterns
• Content Filtering
– An application that reviews the content of incoming and outgoing network traffic to prevent transmission of confidential information, SPAM, and viruses
• Encryption
– Systems that encode and decode messages
– Public Key Encryption (PKE) provides a public key for anyone wishing to send a message to a recipient, whose private key is the only one that can decrypt the message
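The key roles described under Public Key Encryption, as an added example that is not the textbook's own code: a textbook-sized RSA pair in Python, where anyone holding the recipient's public key can encrypt and only the recipient's private key recovers the message. The primes, the hypothetical recipients Alice and Bob, and the message are constructed, and the numbers are chosen so each step can be checked by hand rather than for real use.

```python
"""Public key encryption (PKE) with a textbook-sized RSA pair.

Constructed example, not the textbook's code. The primes are deliberately
tiny so the arithmetic is followable; the point shown is the key roles:
anyone with the recipient's public key can encrypt, and only the
recipient's private key turns the ciphertext back into the message.
"""
from dataclasses import dataclass
from math import gcd
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PublicKey:
    n: int  # modulus, published to anyone who wants to send to the owner
    e: int  # public exponent


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int  # private exponent, never leaves the recipient


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[PublicKey, PrivateKey]:
    """Derive an RSA pair from two primes (constructed inputs, far too small for real use)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # e * d == 1 (mod phi), so (m^e)^d == m (mod n)
    return PublicKey(n, e), PrivateKey(n, d)


def encrypt(message: bytes, pub: PublicKey) -> List[int]:
    """Sender side: each byte m becomes m^e mod n under the recipient's public key."""
    if pub.n <= 255:
        raise ValueError("modulus too small to carry a byte")
    return [pow(b, pub.e, pub.n) for b in message]


def decrypt(ciphertext: List[int], priv: PrivateKey) -> bytes:
    """Recipient side: c^d mod n undoes the public-key step."""
    values = [pow(c, priv.d, priv.n) for c in ciphertext]
    if any(v > 255 for v in values):
        raise ValueError("not a byte sequence: ciphertext was not made for this key")
    return bytes(values)


def try_decrypt(ciphertext: List[int], priv: PrivateKey) -> Optional[bytes]:
    """Like decrypt, but returns None instead of raising. A wrong private key
    yields either None or bytes that differ from the original message."""
    try:
        return decrypt(ciphertext, priv)
    except ValueError:
        return None


# Constructed key pairs for two hypothetical recipients (classic textbook primes).
ALICE_PUB, ALICE_PRIV = make_keypair(61, 53)   # n = 3233
BOB_PUB, BOB_PRIV = make_keypair(47, 71)       # n = 3337

if __name__ == "__main__":
    msg = b"PIPEDA"
    for_alice = encrypt(msg, ALICE_PUB)        # anyone can do this with ALICE_PUB
    print(for_alice)
    print(decrypt(for_alice, ALICE_PRIV))      # only Alice's private key gets b'PIPEDA'
    print(try_decrypt(for_alice, BOB_PRIV))    # Bob's key: None or garbage, never b'PIPEDA'
```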
Public Key Encryption (PKE) System (Figure 10.18; Learning Outcome 10.5)
Methods to Secure Data (continued) (Learning Outcome 10.5)
• Firewalls
– Hardware or software that guards a private network by analyzing data entering and leaving it
– Detects machine-to-machine interaction as well as human-sourced transmissions
• Detection and Response
– Based on the premise that prevention is never 100%
– Provides corrective procedures for unauthorized intrusion into the system once an event happens
Sample Firewall Architecture Connecting Systems Located in Toronto, New York and Munich (Figure 10.19; Learning Outcome 10.5)
Types of Hackers (Figure 10.20; Learning Outcome 10.5)
Types of Malicious Software (Malware) (Figure 10.21; Learning Outcome 10.5)
Technology-Related Ethical Issues & Concepts (from Figure 10.22; Learning Outcome 10.5)
• Elevation of Privilege – A user misleads a system into granting unauthorized rights.
• Hoaxes – A real virus is transmitted in a message appearing to be a harmless hoax virus.
• Malicious Code – The broad term describing a variety of threats, including viruses, worms and Trojans.
• Sniffer – A program or device that can monitor data travelling over a network.
• Packet Tampering – Altering the content of packets as they travel over the Internet.
• Pharming – Reroutes requests for legitimate websites to false ones to collect user information.
OPENING CASE QUESTIONS (continued): The Privacy Commissioner of Canada’s Work
5. In the example, how can the company’s embrace of privacy mitigate future information security problems?
6. What is the biggest information security roadblock facing organizations attempting to achieve compliance with privacy legislation?
7. Can technology alone guarantee that information is kept secure? Why or why not?
8. Unfortunately, privacy and security breaches are a common occurrence in organizations today. What recent privacy and security breaches have been in the media lately? Do you think things will get worse before they get better? How can organizations better prepare themselves against future privacy and security breaches?
CLOSING CASE ONE: WestJet Accepts Blame for Spying on Air Canada
1. Was WestJet’s access to Air Canada’s website information ethical? Legal? Explain.
2. How common in organizations is unauthorized access to private competitor information?
3. Does Air Canada have any responsibility in WestJet’s ability to access Air Canada’s private information? Explain.
4. What people measures could Air Canada implement to prevent future unauthorized access to private information?
5. What technology measures might Air Canada implement to prevent future unauthorized access to private information?
CLOSING CASE TWO: Information Ethics and Privacy Issues with Facebook Make Headlines
1. Was Nationale Suisse justified in its online monitoring of employees who called in sick? If companies want to conduct such monitoring activities, what steps can they take to lessen negative backlash from the public and their employees? What steps can employees take?
2. Do you think the Privacy Commissioner went too far in her demands? Is this a bit of “much ado about nothing”?
3. Will the changes that Facebook implements to address the Commissioner’s concerns negatively affect the site in any way? What do you think the average Facebook user thinks of the new features?
CLOSING CASE TWO (continued): Information Ethics and Privacy Issues with Facebook Make Headlines
4. Do you know of any other examples in the popular press that showcase information ethics or privacy issues with the use of social networking sites like Facebook?
5. Does the above case make you wish to change how you use Facebook in any way?
CLOSING CASE THREE: Thinking Like the Enemy
1. How could an organization benefit from attending one of the courses offered at the Intense School?
2. What are the two primary lines of security defence, and how can organizational employees use the information taught by the Intense School when drafting an information security plan?
3. If your employer sent you to take a course at the Intense School, what type of course would interest you and why?
4. What ethical dilemmas are involved in having such a course offered by a private company?