Information Technology for Managers - PowerPoint PPT Presentation

Title: Information Technology for Managers
Slides: 45
Provided by: hercules4

Transcript and Presenter's Notes
1
Information Technology for Managers
  • Chapter 12
  • Ethical, Privacy, and Security Issues

2
Objectives
  • What are some of the ethical issues raised by the
    use of information technology?
  • What privacy issues are raised by the use of
    information technology, and how do organizations
    deal with them?
  • What are some common information technology
    security issues, and how can organizations
    minimize their potential negative impact?

3
What is Ethics?
  • Ethics
  • Set of beliefs about right and wrong behavior
  • Ethical behavior
  • Conforms to generally accepted social norms
  • Doing what is ethical can be difficult

4
Improving Corporate Ethics
  • Unethical behavior has led to serious negative
    consequences that have had a global impact
  • Failure of major corporations like Enron and
    WorldCom due to accounting scandals
  • Collapse of many financial institutions due to
    unwise and unethical decision making
  • Organizations today recognize the need to take
    action to ensure that their employees operate in
    an ethical manner when using technology

5
Appointing a Corporate Ethics Officer
  • Corporate ethics
  • Includes ethical conduct, legal compliance, and
    corporate social responsibility
  • Corporate ethics officer
  • Senior-level manager
  • Provides vision and direction in the area of
    business conduct
  • Corporation will place a higher emphasis on
    ethics policies following a major scandal within
    the organization

6
Ethical Standards Set by Board of Directors
  • Board of directors
  • Responsible for supervising the management team
  • Expected to conduct themselves according to the
    highest standards of personal and professional
    integrity
  • Set the standard for company-wide ethical conduct
    and ensure compliance with laws and regulations

7
Establishing a Corporate Code of Ethics
  • Code of ethics
  • Highlights an organization's key ethical issues
  • Identifies the overarching values and principles
    that are important to the organization
  • Formal, written statements about
  • Purpose of the organization
  • Values
  • Principles that guide its employees' actions
  • Develop with employee participation
  • Fully endorsed by the organization's leadership

8
Establishing a Corporate Code of Ethics
(continued)
9
Requiring Employees to Take Ethics Training
  • Company's code of ethics must be promoted and
    continually communicated within the organization
  • From top to bottom
  • Comprehensive ethics education program
  • Small workshop formats
  • Existence of formal training programs
  • Can reduce a company's liability in the event of
    legal action

10
Including Ethical Criteria in Employee Appraisals
  • Employees evaluated on their demonstration of
    qualities and characteristics highlighted in the
    corporate code of ethics
  • Considered along with more traditional criteria
    used in performance appraisals

11
Privacy
  • Balance the needs of those who use the
    information against the rights and desires of the
    people whose information may be used
  • Various states have passed laws that require
    disclosure of any breach of security to any
    resident whose data is believed to have been
    compromised

12
Privacy (continued)
13
Right to Privacy
  • Historical perspective on the right to privacy
  • Protected by a number of amendments in the Bill
    of Rights

14
Treating Customer Data Responsibly
  • Code of Fair Information Practices and the 1980
    Organization for Economic Cooperation and
    Development (OECD) privacy guidelines
  • Five widely accepted core principles
  • European adequacy standard for privacy protection
  • United States does not meet these standards
  • Organizations should appoint an executive
  • Chief Privacy Officer, or CPO
  • Define, implement, and oversee data privacy
    policies

15
Treating Customer Data Responsibly (continued)
  • Establish an effective data privacy program
  • Conduct a thorough assessment
  • Define a comprehensive data privacy program
  • Assign a high-level executive
  • Develop a data breach response plan
  • Track ongoing changes to regulatory and legal
    requirements

16
Workplace Monitoring
  • IT usage policy
  • Establishes boundaries of acceptable behavior
  • Enables management to take action against
    violators
  • Organizations monitor workers to ensure compliance

17
Workplace Monitoring (continued)
18
Workplace Monitoring (continued)
  • Fourth Amendment of the Constitution
  • Protects citizens from unreasonable searches by
    the government
  • Often used to protect the privacy of government
    employees
  • Cannot be used to control how a private employer
    treats its employees
  • Public sector employees have far greater privacy
    rights than those in private industry
  • State privacy statutes tend to favor employers
    over employees

19
A Manager Takes Inappropriate Action: City of
Ontario, California
  • Contracted with Arch Wireless to provide wireless
    text-messaging services
  • Jeff Quon, a member of the Ontario Police
    Department (OPD) SWAT team
  • Received alphanumeric pager
  • Sent sexually explicit messages to two other
    workers in the police department and to his wife
  • General computer usage, Internet, and e-mail
    policy
  • Not specific to pagers

20
A Manager Takes Inappropriate Action: City of
Ontario, California (continued)
  • Ontario Police Department was unable to access
    the messages directly
  • Requested that Arch Wireless provide the
    transcripts
  • Stored Communications Act (SCA)
  • Attempts to address a number of potential privacy
    issues not addressed by the Fourth Amendment
  • U.S. Court of Appeals for the Ninth Circuit
  • Ruled that Arch Wireless was an electronic
    communications service and had violated the SCA
    when it provided transcripts of Quon's messages
    to the OPD

21
Cybercrime and Computer Security
  • Cybercrime
  • Criminal activity in which a computer or a
    computer network is used as a tool to commit a
    crime or is the target of criminal activity
  • Electronic fraud
  • Class of cybercrime
  • Involves the use of computer hardware, software,
    or networks to misrepresent facts for the purpose
    of causing someone to do or refrain from doing
    something that causes loss

22
Types of Attacks
  • Attack on a networked computer from an outside
    source
  • One of the most frequent types of attack
  • Viruses
  • Piece of programming code
  • Usually disguised as something innocuous
  • Causes some unexpected and undesirable event
  • Often attached to a file
  • Unlike worms, do not spread themselves from
    computer to computer; they rely on a person
    opening or running the infected file
  • Macro viruses
  • Written in the macro language of an application
    such as a word processor or spreadsheet and
    carried inside its documents

23
Types of Attacks (continued)
  • Worms
  • Harmful computer programs that reside in the
    active memory of the computer
  • Can propagate over a network without human
    intervention
  • May install malware (malicious software) on a
    computer

24
Types of Attacks (continued)
  • Distributed Denial-of-Service Attack (DDoS)
  • Malicious hacker takes over computers connected
    to the Internet
  • Causes them to flood a target site with demands
    for data and other small tasks
  • Zombie
  • Compromised computer
  • Botnet
  • Group of zombie computers running software that
    is being remotely controlled without the
    knowledge or consent of the owners

25
(No Transcript)
26
Types of Attacks (continued)
  • DDoS (continued)
  • Spoofing
  • Zombies are often programmed to put false return
    (source) addresses on the packets they send out,
    so the victim cannot identify or block the real
    senders
  • Egress filtering
  • Routers or firewalls check the source address of
    every packet leaving the corporate network and
    drop any that is not from the organization's own
    address space, so spoofed packets do not leave
    the network
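The rule behind egress filtering, as an added worked example (not part of the original slides): a small packet filter in Python that applies the anti-spoofing check in both directions, dropping outbound packets whose source is not one of the organization's own prefixes and inbound packets that claim to be. The address blocks (documentation ranges), the `Packet` record and the sample traffic are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed: the address blocks this organization has been allocated (both
# are documentation ranges). Every packet leaving the network must carry a
# source address from one of them; nobody outside may claim one of them.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "egress" = leaving our network, "ingress" = arriving


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the organization's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES if net.version == ip.version)


def filter_packet(pkt: Packet) -> str:
    """Return 'forward' or 'drop' under the anti-spoofing rule (BCP 38).

    Egress:  drop if the source is NOT ours. A zombie inside the network that
             forges a return address is stopped at the border instead of
             contributing to someone else's DDoS.
    Ingress: drop if the source claims to be ours. Packets 'from' our own
             addresses cannot legitimately arrive from the outside.
    """
    if pkt.direction == "egress":
        return "forward" if is_internal(pkt.src) else "drop"
    if pkt.direction == "ingress":
        return "drop" if is_internal(pkt.src) else "forward"
    raise ValueError(f"unknown direction: {pkt.direction!r}")


def filter_all(packets: List[Packet]) -> List[Tuple[str, str, str]]:
    return [(p.src, p.direction, filter_packet(p)) for p in packets]


# Constructed sample traffic seen at the border router.
SAMPLE = [
    Packet("203.0.113.10", "198.51.100.5", "egress"),     # legitimate outbound
    Packet("198.51.100.77", "198.51.100.5", "egress"),    # zombie forging a foreign source
    Packet("2001:db8:1::42", "2001:db8:2::1", "egress"),  # legitimate IPv6 outbound
    Packet("198.51.100.5", "203.0.113.10", "ingress"),    # legitimate inbound
    Packet("203.0.113.200", "203.0.113.10", "ingress"),   # outsider spoofing our range
]

if __name__ == "__main__":
    for src, direction, verdict in filter_all(SAMPLE):
        print(f"{direction:7} src={src:15} -> {verdict}")
```

The ingress half is the mirror image of the slide's egress rule; both are needed, because an egress filter only protects other people's networks from zombies inside yours.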

27
Perpetrators
28
Defensive Measures
  • Risk assessment
  • Organization's review of potential threats to its
    computers and networks
  • Identifies which investments of time and resources
    will best protect the organization from its most
    likely and serious threats
  • Reasonable assurance
  • Managers must use their judgment to ensure that
    the cost of a control does not exceed the system's
    benefits or the risks it reduces

29
(No Transcript)
30
Establishing a Security Policy
  • Security policy
  • Defines an organization's security requirements
  • Defines controls and sanctions needed to meet
    those requirements
  • National Institute of Standards and Technology
    (NIST)
  • Computer Security Division publishes guidance on
    writing and implementing security policies
  • Automated system rules (firewall rule sets, access
    control lists) should mirror an organization's
    written policies

31
Establishing a Security Policy (continued)
  • E-mail attachments
  • Critical security issue, because attachments are a
    common carrier of malicious code
  • Virtual private network (VPN)
  • Uses the public Internet to relay communications
  • Maintains privacy through security procedures
    (authentication, encryption) and tunneling
    protocols

32
Educating Employees, Contractors, and Part-Time
Workers
  • Must be educated about the importance of security
  • Discuss recent security incidents
  • Protect an organization's information systems and
    data by
  • Guarding their passwords
  • Applying strict access controls
  • Reporting all unusual activity to the
    organization's IT security group

33
Prevention
  • Installing a corporate firewall
  • Established through the use of software,
    hardware, or a combination of both
  • Can lead to complacency if it is treated as the
    only line of defense
  • Intrusion prevention systems
  • Prevent an attack by blocking viruses, malformed
    packets, and other threats before they get into
    the company network

34
Prevention (continued)
  • Installing antivirus software on personal
    computers
  • Virus signature
  • Specific sequence of bytes that identifies a
    known virus
  • United States Computer Emergency Readiness Team
    (US-CERT)
  • Most of the virus and worm attacks that the team
    analyzes reuse already known malicious code
  • Crucial that antivirus software be updated
    continually with the latest virus detection
    information, since a signature scanner cannot
    detect code it has no signature for
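An added example, not from the slides: a minimal signature scanner that shows what "a specific sequence of bytes" means in practice and why the signature database has to be kept current. The EICAR test string is the real, public antivirus test string; the other signature, the sample files and the XOR "packer" are constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed signature database. A signature is a specific byte sequence,
# exactly as the slide defines it. The first entry is the public EICAR
# antivirus test string, which every product is expected to detect; the
# second is a fictional pattern invented for this example.
BYTE_SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Demo.Downloader.A": b"\x90\x90\xe8\x00\x00\x00\x00\x5b",
}

# Constructed sample 'file' carrying the fictional pattern at offset 16.
SAMPLE_DROPPER = b"MZ\x90\x00demo-dropper" + b"\x90\x90\xe8\x00\x00\x00\x00\x5b" + b"\x00" * 16

# A whole-file hash is the crudest signature of all: it pins one exact file,
# so changing a single byte yields a file the hash no longer matches.
HASH_SIGNATURES: Dict[str, str] = {
    "Demo.Dropper.B": hashlib.sha256(SAMPLE_DROPPER).hexdigest(),
}


def scan_bytes(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for each hit; offset -1 means a
    whole-file hash match rather than a byte sequence at a position."""
    hits: List[Tuple[str, int]] = []
    for name, pattern in BYTE_SIGNATURES.items():
        start = 0
        while (idx := data.find(pattern, start)) != -1:
            hits.append((name, idx))
            start = idx + 1
    digest = hashlib.sha256(data).hexdigest()
    hits += [(name, -1) for name, h in HASH_SIGNATURES.items() if digest == h]
    return hits


def scan_file(path: str) -> List[Tuple[str, int]]:
    with open(path, "rb") as f:
        return scan_bytes(f.read())


def xor_encode(data: bytes, key: int) -> bytes:
    """Stand-in for a polymorphic packer: the same payload re-encoded under a
    new key shares no byte sequence with the original, so the existing
    signatures cannot fire until a new one is published."""
    return bytes(b ^ key for b in data)


def scan_samples() -> Dict[str, List[Tuple[str, int]]]:
    """Scan a clean file, an EICAR file, the dropper, a one-byte variant of it
    and an XOR-encoded variant; every input is constructed here."""
    samples = {
        "clean": b"just a text file with nothing in it",
        "eicar": b"prefix " + BYTE_SIGNATURES["EICAR-Test-File"] + b"\n",
        "dropper": SAMPLE_DROPPER,
        "tweaked": SAMPLE_DROPPER[:-1] + b"\x01",     # hash defeated, byte signature survives
        "encoded": xor_encode(SAMPLE_DROPPER, 0x5A),  # both signatures defeated
    }
    return {label: scan_bytes(blob) for label, blob in samples.items()}


if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(f"{label:8} -> {hits or 'no detection'}")
```

The "encoded" sample is the point of the slide's last bullet: a scanner with yesterday's signatures sees nothing, which is why the update has to be continual rather than occasional.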

35
Prevention (continued)
  • Implementing safeguards against attacks by
    malicious insiders
  • IT staff must delete the computer accounts, login
    IDs, and passwords of departing employees
  • Create roles and user accounts so that users have
    the authority to perform their responsibilities
    and no more
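An added example, not from the slides: a reconciliation script that checks a directory export against the HR roster for the two insider safeguards above (accounts of departed employees that are still enabled, and accounts holding more authority than their role needs). Accounts with no HR owner are reported as well, since nobody's departure will ever trigger their removal. The roster, the accounts and the role baseline are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Person:          # one row of the HR roster export (constructed)
    user_id: str
    department: str
    termination_date: Optional[date] = None   # set once HR records a departure


@dataclass
class Account:         # one row of the directory dump (constructed)
    user_id: str
    enabled: bool
    roles: Set[str]


# Assumed role baseline: the authority each department's job needs, and no more.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "finance": {"erp-user", "mail"},
    "it-ops": {"mail", "server-admin"},
    "sales": {"crm-user", "mail"},
}

HR_ROSTER = [
    Person("asmith", "finance"),
    Person("bjones", "it-ops", termination_date=date(2024, 3, 29)),
    Person("cwu", "sales"),
]

DIRECTORY = [
    Account("asmith", True, {"erp-user", "mail", "server-admin"}),  # more than finance needs
    Account("bjones", True, {"mail", "server-admin"}),              # left 29 March, still enabled
    Account("cwu", True, {"crm-user", "mail"}),
    Account("svc-backup", True, {"server-admin"}),                  # no owner in HR at all
]


def reconcile(roster: List[Person], directory: List[Account], today: date) -> Dict[str, List[str]]:
    """Compare the directory with the HR roster and return the accounts that
    violate the safeguards: departed but still enabled, or holding more roles
    than the department baseline allows. Orphans (no HR owner) are listed too."""
    people = {p.user_id: p for p in roster}
    findings: Dict[str, List[str]] = {
        "departed_still_enabled": [],
        "orphan_account": [],
        "excess_roles": [],
    }
    for acct in directory:
        person = people.get(acct.user_id)
        if person is None:
            findings["orphan_account"].append(acct.user_id)
            continue
        departed = person.termination_date is not None and person.termination_date <= today
        if departed and acct.enabled:
            findings["departed_still_enabled"].append(acct.user_id)
        extra = acct.roles - ROLE_BASELINE.get(person.department, set())
        if extra:
            findings["excess_roles"].append(f"{acct.user_id}: {sorted(extra)}")
    return findings


def run_reconciliation() -> Dict[str, List[str]]:
    """Run the check as of a fixed date so the result is reproducible."""
    return reconcile(HR_ROSTER, DIRECTORY, today=date(2024, 4, 3))


if __name__ == "__main__":
    for category, ids in run_reconciliation().items():
        print(f"{category}: {ids or 'none'}")
```

Run on a schedule, this is the automated counterpart of the slide's "IT staff must delete" instruction: it catches the cases where the manual step was missed.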

36
Prevention (continued)
  • Addressing the most critical Internet security
    threats
  • Overwhelming majority of successful computer
    attacks are made possible by taking advantage of
    well-known vulnerabilities
  • SANS (SysAdmin, Audit, Network, and Security)
    Institute and US-CERT regularly update a summary
    of the most frequent, high-impact
    vulnerabilities

37
Prevention (continued)
  • Conducting periodic IT security audits
  • Evaluate whether an organization has a
    well-considered security policy in place and if
    it is being followed
  • Test system safeguards
  • Federal Computer Security Report Card

38
Prevention (continued)
39
Detection
  • Intrusion detection system
  • Software and/or hardware
  • Monitors system and network resources and
    activities and notifies network security
    personnel when it identifies possible intrusions
  • Different approaches to intrusion detection
  • Knowledge-based approaches: match activity
    against a database of known attack patterns
    (signatures); precise, but blind to attacks that
    have no signature yet
  • Behavior-based approaches: establish a baseline
    of normal activity and flag significant
    deviations; can catch novel attacks, at the cost
    of more false alarms
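An added example, not from the slides: both detection approaches run over a constructed web-server access log. The knowledge-based detector matches request paths against known attack patterns (after URL-decoding, because percent-encoding is the classic way to slip a known pattern past a signature check); the behavior-based detector needs no signatures and instead flags any client whose request count is far above the median of the other clients. Log lines, addresses, rules and thresholds are all constructed for the example.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed web-server access log (Common Log Format); documentation-range
# addresses and invented requests.
NORMAL_TRAFFIC = [
    '203.0.113.5 - - [10/Apr/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Apr/2024:12:00:09 +0000] "GET /about.html HTTP/1.1" 200 734',
    '198.51.100.9 - - [10/Apr/2024:12:00:10 +0000] "GET /products?id=7 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Apr/2024:12:00:15 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 0',
    '192.0.2.44 - - [10/Apr/2024:12:00:20 +0000] "GET /products?id=7%27%20OR%20%271%27=%271 HTTP/1.1" 500 0',
]
# One host hammering the login page, generated rather than typed out.
FLOOD = [
    f'192.0.2.7 - - [10/Apr/2024:12:00:{s:02d} +0000] "GET /login HTTP/1.1" 200 128'
    for s in range(30)
]
LOG_LINES = NORMAL_TRAFFIC + FLOOD

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Knowledge-based rules: patterns of attacks that are already known (constructed).
KNOWN_ATTACKS: Dict[str, "re.Pattern"] = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-probe": re.compile(r"'\s*or\s*'?1", re.IGNORECASE),
    "scanner-probe": re.compile(r"/(phpmyadmin|wp-login\.php)", re.IGNORECASE),
}


def parse_log(lines: List[str]) -> List[Dict[str, str]]:
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            # Normalize before matching so an encoded request cannot evade the rules.
            e["decoded_path"] = unquote(e["path"])
            events.append(e)
    return events


def knowledge_based(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Alert on every request that matches a known attack signature."""
    alerts = []
    for e in events:
        for name, rx in KNOWN_ATTACKS.items():
            if rx.search(e["decoded_path"]):
                alerts.append((e["ip"], name, e["decoded_path"]))
    return alerts


def behavior_based(events: List[Dict[str, str]], factor: float = 5.0) -> List[Tuple[str, int]]:
    """Alert on clients whose request volume is far above what the other
    clients are doing. No signature is involved, so a novel attack (or a
    legitimately busy client, i.e. a false positive) can trigger it."""
    counts = Counter(e["ip"] for e in events)
    if len(counts) < 3:
        return []          # too few clients to call anything 'normal'
    baseline = statistics.median(counts.values())
    return [(ip, n) for ip, n in counts.items() if n > factor * baseline]


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    for alert in knowledge_based(evs):
        print("signature:", alert)
    for alert in behavior_based(evs):
        print("anomaly:  ", alert)
```

Note what each approach misses: the flood of plain `/login` requests matches no signature, and the single traversal and SQL-injection probes are far too quiet to move the volume baseline. A real IDS runs both.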

40
Response
  • Primary goal
  • Regain control and limit damage
  • Not to attempt to monitor or catch an intruder
  • Incident notification
  • Define who to notify and who not to notify
  • Protecting evidence and activity logs
  • Document all details of a security incident
  • Incident containment
  • Act quickly to contain an attack

41
Response (continued)
  • Eradication
  • Collect and log all possible criminal evidence
    from the system before cleaning it up
  • Verify that all necessary backups are current
  • Create a forensic disk image of each compromised
    system and record its hash, so the copy can be
    shown to match the original
  • Keep a log of all actions taken
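An added example, not from the slides: a Python acquisition routine for the eradication step that images a source byte for byte, hashes the original, the copied stream and the image as re-read from disk, and appends a timestamped record to an action log. The "compromised host" is a constructed file in a temporary directory standing in for a block device; a real acquisition would read the device through a hardware write blocker and copy the hashes onto the chain-of-custody form.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source: str, image_path: str, log_path: str, examiner: str) -> dict:
    """Copy `source` byte for byte to `image_path`, hash the original, the
    copied stream and the image as re-read from disk, and append one JSON
    record to the action log. All three hashes must agree; otherwise the
    image is not a faithful copy and must not be used as evidence.

    The source is only ever opened read-only."""
    source_hash = sha256_of(source)             # hash the original first
    stream = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(1 << 20), b""):
            dst.write(block)
            stream.update(block)
    image_hash = sha256_of(image_path)          # re-read what actually landed on disk
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source,
        "image": image_path,
        "bytes": os.path.getsize(image_path),
        "source_sha256": source_hash,
        "stream_sha256": stream.hexdigest(),
        "image_sha256": image_hash,
        "verified": source_hash == stream.hexdigest() == image_hash,
    }
    with open(log_path, "a", encoding="utf-8") as log:   # the "log of all actions taken"
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image_path: str, expected_sha256: str) -> bool:
    """Re-check an image against its logged hash, e.g. before analysis or in court."""
    return sha256_of(image_path) == expected_sha256


def demo_acquisition() -> dict:
    """Run the procedure against a constructed 'disk' in a temporary directory."""
    workdir = tempfile.mkdtemp(prefix="forensic-demo-")
    source = os.path.join(workdir, "compromised-host.raw")
    with open(source, "wb") as f:   # stand-in for a block device; random filler content
        f.write(os.urandom(3 * 1024 * 1024) + b"FLAG{constructed-evidence}" + b"\x00" * 4096)
    return acquire_image(
        source,
        os.path.join(workdir, "compromised-host.dd"),
        os.path.join(workdir, "actions.log"),
        examiner="analyst-1",
    )


if __name__ == "__main__":
    rec = demo_acquisition()
    print(json.dumps(rec, indent=2))
    print("image still verifies:", verify_image(rec["image"], rec["image_sha256"]))
```

Hashing the image a second time after it has been written, rather than trusting the hash of the bytes that passed through memory, is what catches a faulty destination disk or a truncated write.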

42
Response (continued)
  • Incident follow-up
  • Determine how the organization's security was
    compromised
  • Develop an estimate of the monetary damage
  • Determine amount of effort that should be put
    into capturing the perpetrator

43
(No Transcript)
44
Summary
  • Ethics
  • Set of beliefs about right and wrong behavior
  • Treat customer data responsibly
  • Information technology usage policy
  • Laws governing employee privacy and monitoring
  • Cybercrime
  • Types of attacks
  • Prevention
  • Detection
  • Response