ITM 309 Fall 2010 Exam Two Review Outline – November 3, 2010
Ethics and Information Security – Chapter 4

1. Business Ethics

Ethics – the principles and standards that guide our behavior toward other people

Issues affected by technology advances:
1) Intellectual property – intangible creative work that is embodied in physical form
2) Copyright – the legal protection afforded an expression of an idea, such as a song, video game, and some types of proprietary documents
3) Fair use doctrine – in certain situations, it is legal to use copyrighted material
4) Pirated software – the unauthorized use, duplication, distribution, or sale of copyrighted software
5) Counterfeit software – software that is manufactured to look like the real thing and sold as such

Privacy is a major ethical issue:
1) Privacy – the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent
2) Confidentiality – the assurance that messages and information are available only to those who are authorized to view them
BW: Ethics 101 for Interns
Ethics in the Workplace:
1) Workplace monitoring is a concern for many employees
2) Organizations can be held financially responsible for their employees’ actions
3) The dilemma surrounding employee monitoring in the workplace is that an organization places itself at risk if it fails to monitor its employees; however, some people feel that monitoring employees is unethical

IT and Ethics (individuals form the only ethical component of Information Technology):
1) Individuals copy, use, and distribute software
2) Individuals search organizational databases for sensitive and personal information
3) Individuals create and spread viruses
4) Individuals hack into computer systems to steal information
5) Employees destroy and steal information
Security Management Planning and Lines of Defense
Information Security – the protection of information from accidental or intentional misuse by persons inside or outside an organization

The First Line of Defense – People:
Organizations must enable employees, customers, and partners to access information electronically. The biggest issue surrounding information security is not a technical issue, but a people issue: 33% of security incidents originate within the organization.

Insiders – legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident.
Page 2 of 15

The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan:
– Information security policies – identify the rules required to maintain information security
– Information security plan – details how an organization will implement the information security policies

Five steps to create an information security plan:

1) Develop the information security policies
Simple yet effective types of information security policies include:
• Requiring users to log off of their systems before leaving for lunches or meetings
• Never sharing passwords, and changing personal passwords every 60 days
• Ask your students what other types of information security policies they have encountered
2) Communicate the information security policies
– Train all employees and establish clear expectations for following the policies. For example, a formal reprimand can be expected if a computer is left unsecured.
– Require the use of user IDs, passwords, and antivirus software on all systems.
– Ensure that systems that contain links to external networks have firewalls and IDS software.
– Continually perform security reviews, audits, background checks, and security assessments.
– Gain the approval and support of the information security policies from the Board of Directors and all stakeholders.
3) Identify critical information assets and risks
4) Test and...