Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

Date post: 29-Dec-2014
Description:
Business Driven Information Systems discusses various business initiatives first and how technology supports those initiatives second. The premise for this unique approach is that business initiatives should drive technology choices. Every discussion first addresses the business needs and then addresses the technology that supports those needs. This text provides the foundation that will enable students to achieve excellence in business, whether they major in operations management, manufacturing, sales, marketing, etc. BDIS is designed to give students the ability to understand how information technology can be a point of strength for an organization.

ISBN: 0073195588
Copyright year: 2008
All works belong respectively to: Baltzan, Paige, and Amy Phillips. Business Driven Information Systems. Columbus: McGraw Hill, 2008.

The publishing of these presentation slides is in no way intended to advertise that the information was written by anyone but the original authors. The information is for supplemental use to the textbook written by these respected authors. I do not take credit for the information provided, and in no way mean to infringe on any copyrights imposed by The McGraw-Hill Companies.
Page 1: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved

CHAPTER 4

ETHICS AND

INFORMATION SECURITY

Business Driven Information Systems 2eBusiness Driven Information Systems 2e

Page 2: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-2

Chapter Four Overview

• SECTION 4.1 - ETHICS
– Ethics
– Information Ethics
– Developing Information Management Policies
– Ethics in the Workplace

• SECTION 4.2 - INFORMATION SECURITY
– Protecting Intellectual Assets
– The First Line of Defense - People
– The Second Line of Defense - Technology

Page 3: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-3

Organizational Fundamentals – Ethics and Security

• Ethics and security are two fundamental building blocks that organizations must base their businesses on to be successful

• In recent years, such events as the Enron and Martha Stewart scandals, along with 9/11, have shed new light on the meaning of ethics and security

Page 4: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips


ETHICS

SECTION 4.1

Page 5: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-5

LEARNING OUTCOMES

1. Explain the ethical issues surrounding information technology

2. Identify the differences between an ethical computer use policy and an acceptable computer use policy

3. Describe the relationship between an email privacy policy and an Internet use policy

Page 6: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-6

LEARNING OUTCOMES

4. Explain the effects of spam on an organization

5. Summarize the different monitoring technologies and explain the importance of an employee monitoring policy

Page 7: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-7

ETHICS

• Ethics – the principles and standards that guide our behavior toward other people

• Issues affected by technology advances
– Intellectual property
– Copyright
– Fair use doctrine
– Pirated software
– Counterfeit software

Page 8: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-8

ETHICS

• Privacy is a major ethical issue

– Privacy – the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent

– Confidentiality – the assurance that messages and information are available only to those who are authorized to view them

Page 9: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-9

ETHICS

• One of the main ingredients in trust is privacy

• Primary reasons privacy issues lost trust for ebusiness

Page 10: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-10

INFORMATION ETHICS

• Individuals form the only ethical component of IT
– Individuals copy, use, and distribute software
– Search organizational databases for sensitive and personal information
– Individuals create and spread viruses
– Individuals hack into computer systems to steal information
– Employees destroy and steal information

Page 11: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-11

Information Has No Ethics

• Acting ethically and legally are not always the same

Page 12: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-12

Information Has No Ethics

• Information does not care how it is used

• Information will not stop itself from sending spam, viruses, or highly-sensitive information

• Information cannot delete or preserve itself

Page 13: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-13

DEVELOPING INFORMATION MANAGEMENT POLICIES

• Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement

• Epolicies typically include:
– Ethical computer use policy
– Information privacy policy
– Acceptable use policy
– Email privacy policy
– Internet use policy
– Anti-spam policy

Page 14: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-14

Ethical Computer Use Policy

• Ethical computer use policy – contains general principles to guide computer user behavior

• The ethical computer use policy ensures all users are informed of the rules and, by agreeing to use the system on that basis, consent to abide by the rules

Page 15: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-15

Ethical Computer Use Policy

1. Information is a valuable corporate asset

2. The CIO is steward of corporate information

3. The CIO is responsible for information access

4. The CIO is responsible for preventing information destruction

5. The CIO is responsible for information management practices and policies

6. The CIO must execute the information management policies

Page 16: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-16

Information Privacy Policy

• The unethical use of information typically occurs “unintentionally” when it is used for new purposes

• Information privacy policy - contains general principles regarding information privacy

Page 17: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-17

Information Privacy Policy

• Information privacy policy guidelines

1. Adoption and implementation of a privacy policy

2. Notice and disclosure

3. Choice and consent

4. Information security

5. Information quality and access

Page 18: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-18

Acceptable Use Policy

• Acceptable use policy (AUP) – a policy that a user must agree to follow in order to be provided access to a network or to the Internet

• An AUP usually contains a nonrepudiation clause

Page 19: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-19

Acceptable Use Policy

1. Will not violate any laws

2. Will not break the security

3. Will not post commercial messages

4. Will not perform nonrepudiation

5. Will not send spam

6. Will not send mail bombs

Page 20: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-20

Email Privacy Policy

• Organizations can mitigate the risks of email and instant messaging communication tools by implementing and adhering to an email privacy policy

• email privacy policy – details the extent to which email messages may be read by others

Page 21: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-21

Email Privacy Policy

Page 22: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-22

Email Privacy Policy

1. Should complement the ethical computer use policy

2. Defines who are legitimate email users

3. Identifies backup procedures

4. Explains legitimate grounds for reading user email

5. Informs email control

6. Explains ramifications of leaving

7. Asks employees to be careful when posting organizational information

Page 23: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-23

Internet Use Policy

• Internet use policy – contains general principles to guide the proper use of the Internet

1. Describes available Internet services

2. Defines the purpose and restriction of Internet access

3. Complements the ethical computer use policy

4. Describes user responsibilities

5. States the ramification for violations

Page 24: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-24

Anti-Spam Policy

• Spam – unsolicited email

• Spam accounts for 40% to 60% of most organizations’ email and cost U.S. businesses over $14 billion in 2005

• Anti-spam policy – simply states that email users will not send unsolicited emails (or spam)

Page 25: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-25

ETHICS IN THE WORKPLACE

• Workplace monitoring is a concern for many employees

• Organizations can be held financially responsible for their employees’ actions

• The dilemma surrounding employee monitoring in the workplace is that an organization places itself at risk if it fails to monitor its employees; however, some people feel that monitoring employees is unethical

Page 26: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-26

Monitoring Technologies

• Monitoring – tracking people’s activities by such measures as number of keystrokes, error rate, and number of transactions processed

• Common monitoring technologies include:
– Key logger or key trapper software
– Hardware key logger
– Cookie
– Adware
– Spyware
– Web log
– Clickstream

Page 27: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-27

Employee Monitoring Policies

• Employee monitoring policies – explicitly state how, when, and where the company monitors its employees

1. Be specific

2. Enforce the policy

3. Enforce the policy the same for all employees

4. Communicate rights to monitor all employees

5. State when monitoring will be performed

6. State what will be monitored

7. Describe types of information collected

8. State consequences for violating policies

9. State provisions for policy updates

10. Specify scope and manner of monitoring

11. Obtain written signature acknowledging policies

Page 28: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-28

OPENING CASE QUESTIONS: Sarbanes-Oxley

1. Define the relationship between ethics and the Sarbanes-Oxley Act

2. Why is records management an area of concern for the entire organization and not just the IT department?

3. Identify two policies an organization can implement to achieve Sarbanes-Oxley compliance?

Page 29: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-29

OPENING CASE QUESTIONS: Sarbanes-Oxley

4. What ethical dilemmas are being solved by implementing Sarbanes-Oxley?

5. What is the biggest roadblock for organizations that are attempting to achieve Sarbanes-Oxley compliance?

Page 30: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips


INFORMATION

SECURITY

SECTION 4.2

Page 31: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-31

LEARNING OUTCOMES

6. Describe the relationship between information security policies and an information security plan

7. Summarize the five steps to creating an information security plan

8. Provide an example of each of the three primary security areas: (1) authentication and authorization, (2) prevention and resistance, and (3) detection and response

9. Describe the relationships and differences between hackers and viruses

Page 32: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-32

Downtime

Page 33: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-33

Downtime

• How Much Will Downtime Cost Your Business?

Page 34: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-34

PROTECTING INTELLECTUAL ASSETS

• Organizational information is intellectual capital - it must be protected

• Information security – the protection of information from accidental or intentional misuse by persons inside or outside an organization

• Ebusiness automatically creates tremendous information security risks for organizations

Page 35: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-35

PROTECTING INTELLECTUAL ASSETS

Page 36: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-36

PROTECTING INTELLECTUAL ASSETS

Page 37: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-37

THE FIRST LINE OF DEFENSE - PEOPLE

• Organizations must enable employees, customers, and partners to access information electronically

• The biggest issue surrounding information security is not a technical issue, but a people issue

• 33% of security incidents originate within the organization

– Insiders – legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident

Page 38: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-38

THE FIRST LINE OF DEFENSE - PEOPLE

• The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan
– Information security policies
– Information security plan

Page 39: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-39

THE FIRST LINE OF DEFENSE - PEOPLE

• Hackers frequently use “social engineering” to obtain passwords

– Social engineering – using one’s social skills to trick people into revealing access credentials or other information valuable to the attacker

Page 40: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-40

THE FIRST LINE OF DEFENSE - PEOPLE

• Five steps to creating an information security plan:

1. Develop the information security policies

2. Communicate the information security policies

3. Identify critical information assets and risks

4. Test and reevaluate risks

5. Obtain stakeholder support

Page 41: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-41

THE SECOND LINE OF DEFENSE - TECHNOLOGY

• There are three primary information technology security areas

1. Authentication and authorization

2. Prevention and resistance

3. Detection and response

Page 42: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-42

Authentication and Authorization

• Authentication – a method for confirming users’ identities

• Authorization – the process of giving someone permission to do or have something

• The most secure type of authentication involves:
1. Something the user knows
2. Something the user has
3. Something that is part of the user

Page 43: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-43

Something the User Knows Such As a User ID and Password

• This is the most common way to identify individual users and typically contains a user ID and a password

• This is also the most ineffective form of authentication

• Over 50 percent of help-desk calls are password related

Page 44: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-44

Something the User Knows Such As a User ID and Password

• Identity theft – the forging of someone’s identity for the purpose of fraud

• Phishing – a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent email

Page 45: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-45

Something the User Has Such As a Smart Card or Token

• Smart cards and tokens are more effective than a user ID and a password

– Tokens – small electronic devices that change user passwords automatically

– Smart card – a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing
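The three factors listed on the slides combine naturally in code. The following is an added example, not from the textbook or its slides: it checks something the user knows (a password, stored only as a salted PBKDF2 hash) and something the user has (a six-digit time-based one-time code of the kind a token generates, computed per RFC 6238), and grants access only when both verify. The user store, user names, secrets and timestamps are constructed for the example; a real deployment would keep the records in a directory or database and provision the token secret out of band.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # work factor for the stored password hash
TOTP_STEP = 30                # seconds per one-time code, as on common tokens


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 hash; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, timestamp: int, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1 over the time-step counter)."""
    counter = struct.pack(">Q", timestamp // TOTP_STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate token clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, timestamp + drift * TOTP_STEP), code):
            return True
    return False


class UserStore:
    """Constructed in-memory user directory for the example."""

    def __init__(self) -> None:
        self.users: dict[str, dict[str, bytes]] = {}

    def enroll(self, username: str, password: str) -> bytes:
        salt = os.urandom(16)
        totp_secret = os.urandom(20)  # provisioned into the user's token at enrolment
        self.users[username] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret,
        }
        return totp_secret

    def authenticate(self, username: str, password: str, code: str,
                     now: Optional[int] = None) -> bool:
        """Grant access only when BOTH factors verify."""
        now = int(time.time()) if now is None else now
        record = self.users.get(username)
        if record is None:
            # Spend the same hashing cost for unknown users so response time
            # does not reveal which user names exist.
            hash_password(password, b"\x00" * 16)
            return False
        password_ok = hmac.compare_digest(hash_password(password, record["salt"]),
                                          record["pw_hash"])
        code_ok = verify_totp(record["totp_secret"], code, now)
        return password_ok and code_ok


if __name__ == "__main__":
    store = UserStore()
    secret = store.enroll("alice", "correct horse battery staple")
    now = int(time.time())
    print("password + current token code:",
          store.authenticate("alice", "correct horse battery staple", totp(secret, now), now))
    print("password + wrong code:",
          store.authenticate("alice", "correct horse battery staple", "000000", now))
```

Both factor checks always run, and both comparisons use `hmac.compare_digest`, so neither the order of failure nor the comparison time tells a caller which factor was wrong. Adding the third factor (a biometric match) would be another boolean in the same `and` chain.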

Page 46: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-46

Something That Is Part Of The User Such As a Fingerprint or Voice Signature

• This is by far the best and most effective way to manage authentication

– Biometrics – the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting

• Unfortunately, this method can be costly and intrusive

Page 47: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-47

Prevention and Resistance

• Downtime can cost an organization anywhere from $100 to $1 million per hour

• Technologies available to help prevent and build resistance to attacks include:

1. Content filtering

2. Encryption

3. Firewalls

Page 48: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-48

Content Filtering

• Content filtering - prevents emails containing sensitive information from transmitting and stops spam and viruses from spreading

• Corporate losses caused by Spam
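The content-filtering slide above and the anti-spam policy slide in Section 4.1 describe the same control from two sides: stopping sensitive data from leaving and stopping spam and malicious attachments from coming in. The following added example (not code from the textbook) implements a small mail filter that does both. The internal domain, the spam phrase weights, the blocked attachment types and the sample messages are all constructed for the example; a production gateway would carry far larger signature and pattern sets.

```python
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # constructed: mail to any other domain is outbound

# Data-loss patterns; candidate card numbers are confirmed with the Luhn check
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CLASSIFICATION_MARKERS = ("internal only", "confidential")

# Spam scoring: weighted phrases; the threshold trades false positives against misses
SPAM_TERMS = {"free money": 3, "act now": 2, "winner": 2, "click here": 1, "limited time": 1}
SPAM_THRESHOLD = 3

# Attachment types that are executable code and are not accepted by mail
BLOCKED_EXTENSIONS = (".exe", ".scr", ".vbs", ".js", ".bat")


@dataclass
class Email:
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def filter_email(msg: Email) -> tuple[str, list[str]]:
    """Return ("deliver" | "block", reasons) for one message."""
    reasons: list[str] = []
    text = f"{msg.subject}\n{msg.body}"
    lowered = text.lower()
    outbound = not msg.recipient.lower().endswith("@" + INTERNAL_DOMAIN)

    if outbound:  # sensitive information must not leave the organization
        for match in CARD_RE.finditer(text):
            if luhn_valid(re.sub(r"[ -]", "", match.group())):
                reasons.append("payment card number in outbound mail")
                break
        if SSN_RE.search(text):
            reasons.append("SSN in outbound mail")
        for marker in CLASSIFICATION_MARKERS:
            if marker in lowered:
                reasons.append(f"classified content ({marker}) in outbound mail")
                break

    for name in msg.attachments:  # stop executable attachments in either direction
        if name.lower().endswith(BLOCKED_EXTENSIONS):
            reasons.append(f"blocked attachment type: {name}")

    score = sum(weight for term, weight in SPAM_TERMS.items() if term in lowered)
    if score >= SPAM_THRESHOLD:
        reasons.append(f"spam score {score}")

    return ("block" if reasons else "deliver"), reasons


if __name__ == "__main__":
    # Constructed sample traffic
    samples = [
        Email("a@example.com", "b@example.com", "lunch", "noon?"),
        Email("a@example.com", "x@partner.test", "card", "card 4111 1111 1111 1111 exp 12/29"),
        Email("promo@spam.test", "b@example.com", "You are a WINNER", "Free money! Act now"),
        Email("c@vendor.test", "b@example.com", "invoice", "see attached", ["invoice.pdf.exe"]),
    ]
    for msg in samples:
        print(msg.subject, "->", filter_email(msg))
```

The DLP rules only fire on outbound mail, so an internal message quoting a card number is delivered while the same text addressed to an outside domain is held; the attachment and spam rules apply regardless of direction. Every block decision carries its reasons so the mail administrator, and the policy the slides call for, can say exactly why a message was stopped.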

Page 49: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-49

Encryption

• If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it

– Encryption
– Public key encryption (PKE)

Page 50: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-50

Encryption

Page 51: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-51

Firewalls

• One of the most common defenses for preventing a security breach is a firewall

• Firewall – hardware and/or software that guards a private network by analyzing the information leaving and entering the network
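The definition above says a firewall analyzes traffic entering and leaving the network; what it analyzes against is an ordered rule set with a default decision. The following added example (not from the textbook) models that: each packet is compared against rules in order, the first match decides, and anything unmatched falls to a default deny. The network addresses, rule names and policy are constructed for the example and use documentation address ranges only.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (entering the private network) or "out" (leaving it)
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    direction: str            # "in", "out" or "any"
    proto: str                # "tcp", "udp" or "any"
    src_net: str              # CIDR
    dst_net: str              # CIDR
    dport: Optional[int]      # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class Firewall:
    rules: list[Rule]
    default: str = "deny"                   # anything not explicitly allowed is dropped
    log: list[tuple[str, str, Packet]] = field(default_factory=list)

    def decide(self, pkt: Packet) -> str:
        """First matching rule wins; record which rule decided for audit."""
        for rule in self.rules:
            if rule.matches(pkt):
                self.log.append((rule.action, rule.name, pkt))
                return rule.action
        self.log.append((self.default, "default", pkt))
        return self.default


# Constructed policy for a private network 10.0.0.0/8 with a public web server at 10.0.0.5.
# The blocklist deny comes first so it wins over the broader allow that follows it.
RULES = [
    Rule("blocklisted-source", "deny", "in", "any", "203.0.113.0/24", "0.0.0.0/0", None),
    Rule("public-https", "allow", "in", "tcp", "0.0.0.0/0", "10.0.0.5/32", 443),
    Rule("internal-ssh", "allow", "in", "tcp", "10.0.0.0/8", "10.0.0.0/8", 22),
    Rule("egress-https", "allow", "out", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443),
    Rule("egress-dns", "allow", "out", "udp", "10.0.0.0/8", "10.0.0.53/32", 53),
]


if __name__ == "__main__":
    fw = Firewall(RULES)
    for pkt in [
        Packet("in", "tcp", "198.51.100.9", "10.0.0.5", 443),
        Packet("in", "tcp", "198.51.100.9", "10.0.0.5", 22),
        Packet("out", "tcp", "10.1.2.3", "198.51.100.20", 445),
    ]:
        print(pkt, "->", fw.decide(pkt))
```

Two points the rule set illustrates: ordering matters (the blocklist entry would be ineffective placed after `public-https`), and the default deny is what turns "a firewall" into a policy, since it stops both unsolicited inbound connections and outbound traffic the organization never approved.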

Page 52: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-52

Firewalls

• Sample firewall architecture connecting systems located in Chicago, New York, and Boston

Page 53: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-53

Detection and Response

• If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage

• Antivirus software is the most common type of detection and response technology
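Antivirus software is named above as the most common detection and response technology. The following added example (not from the textbook) shows the two halves in miniature: detection by comparing each file against a signature database (a hash blocklist and a byte-pattern signature), and response by moving any hit into a quarantine directory, making it read-only and recording what was found and where. The signatures and sample files are constructed for the example and are not real malware indicators.

```python
import hashlib
import json
import shutil
from pathlib import Path

# Constructed signature database (not real malware indicators)
HASH_SIGNATURES = {
    hashlib.sha256(b"constructed known-bad sample\n").hexdigest(): "demo-known-bad",
}
PATTERN_SIGNATURES = {
    b"DEMO-MALWARE-MARKER-0001": "demo-dropper",
}


def sha256_of(path: Path) -> str:
    """Stream the file so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path: Path) -> list[str]:
    """Detection: return the names of every signature that matches this file."""
    detections: list[str] = []
    name = HASH_SIGNATURES.get(sha256_of(path))
    if name:
        detections.append(name)
    data = path.read_bytes()
    for pattern, sig_name in PATTERN_SIGNATURES.items():
        if pattern in data and sig_name not in detections:
            detections.append(sig_name)
    return detections


def quarantine(path: Path, qdir: Path, detections: list[str]) -> Path:
    """Response: move the file out of reach, make it read-only, keep a record."""
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / (path.name + ".quarantined")
    shutil.move(str(path), str(dest))
    dest.chmod(0o400)
    record = {"original_path": str(path), "detections": detections}
    (qdir / (path.name + ".json")).write_text(json.dumps(record))
    return dest


def scan_directory(root: Path, qdir: Path) -> dict[str, list[str]]:
    """Scan every file under root; quarantine hits; return path -> detections."""
    report: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):        # sorted() materializes before any move
        if not path.is_file() or qdir in path.parents:
            continue
        hits = scan_file(path)
        if hits:
            quarantine(path, qdir, hits)
        report[str(path.relative_to(root))] = hits
    return report


if __name__ == "__main__":
    import tempfile
    tmp = Path(tempfile.mkdtemp())
    share = tmp / "share"
    share.mkdir()
    (share / "notes.txt").write_bytes(b"meeting notes\n")                     # clean
    (share / "sample.bin").write_bytes(b"constructed known-bad sample\n")      # hash hit
    (share / "setup.dat").write_bytes(b"hdr " + b"DEMO-MALWARE-MARKER-0001")   # pattern hit
    print(json.dumps(scan_directory(share, tmp / "quarantine"), indent=2))
```

Hash matching catches files the vendor has already seen byte for byte; the pattern signature catches variants that still carry a distinctive sequence. Neither catches anything the database does not describe, which is why the slides pair detection with the prevention and resistance controls discussed before it.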

Page 54: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-54

Detection and Response

• Hacker - people very knowledgeable about computers who use their knowledge to invade other people’s computers

– White-hat hacker
– Black-hat hacker
– Hacktivist
– Script kiddies or script bunnies
– Cracker
– Cyberterrorist

Page 55: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-55

Detection and Response

• Virus - software written with malicious intent to cause annoyance or damage

– Worm
– Denial-of-service attack (DoS)
– Distributed denial-of-service attack (DDoS)
– Trojan-horse virus
– Backdoor program
– Polymorphic virus and worm

Page 56: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-56

Detection and Response

• Security threats to ebusiness include:
– Elevation of privilege
– Hoaxes
– Malicious code
– Spoofing
– Spyware
– Sniffer
– Packet tampering

Page 57: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-57

OPENING CASE QUESTIONS: Sarbanes-Oxley

6. What information security dilemmas are being solved by implementing Sarbanes-Oxley?

7. How can Sarbanes-Oxley help protect a company’s information security?

8. What impact does implementing Sarbanes-Oxley have on information security in a small business?

9. What is the biggest information security roadblock for organizations attempting to achieve Sarbanes-Oxley compliance?

Page 58: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-58

CLOSING CASE ONE: Banks Banking on Security

1. What reason would a bank have for not wanting to adopt an online-transfer delay policy?

2. What are the two primary lines of security defense and why are they important to financial institutions?

3. Explain the differences between the types of security offered by the banks in the case

Page 59: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-59

CLOSING CASE ONE: Banks Banking on Security

4. What additional types of security, not mentioned in the case above, would you recommend a bank implement?

5. Identify three policies a bank should implement to help it improve information security

6. Describe monitoring policies along with the best way for a bank to implement monitoring technologies

Page 60: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-60

CLOSING CASE TWO: Hacker Hunters

1. What types of technology could big retailers use to prevent identity thieves from purchasing merchandise?

2. What can organizations do to protect themselves from hackers looking to steal account data?

3. Authorities frequently tap online service providers to track down hackers. Do you think it is ethical for authorities to tap an online service provider and read people’s email? Why or why not?

Page 61: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-61

CLOSING CASE TWO: Hacker Hunters

4. Do you think it was ethical for authorities to use one of the high-ranking officials to trap other gang members? Why or why not?

5. In a team, research the Internet and find the best ways to protect yourself from identity theft

Page 62: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-62

CLOSING CASE THREE: Executive Dilemmas in the Information Age

1. Explain why understanding technology, especially in the areas of security and ethics, is important for a CEO. How do CEO’s actions affect the organizational culture?

2. Identify why executives in nontechnological industries need to worry about technology and its potential business ramifications

Page 63: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-63

CLOSING CASE THREE: Executive Dilemmas in the Information Age

3. Describe why continuously learning about technology allows an executive to better analyze threats and opportunities

4. Identify three things that a CTO, CPO, or CSO could do to prevent the above issues

Page 64: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-64

BUSINESS DRIVEN BEST SELLERS

• The Smartest Guys in the Room, by Bethany McLean and Peter Elkind

Page 65: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-65

BUSINESS DRIVEN BEST SELLERS

• Career Warfare, by David D’Alessandro

Page 66: Business Driven Information Systems, Chapter 4 by Baltzan & Phillips

4-66

BUSINESS DRIVEN BEST SELLERS

• Leadership Sopranos Style: Lessons from a Fictional Mob Boss, by Deborrah Himsel

