Lecture 11 Data Security

Post on 19-Dec-2015


Lecture 11

Data Security

Manager’s View

• Issues regarding information security and ethics regarding information systems are critical to all managers in modern organisations.

• Information systems represent critical organisational assets.

• Ethical responsibility for private information is important to managers.

Viewing IS Security

Control loss of assets

ensure the integrity and reliability of data

improve the efficiency/ effectiveness of Information Systems applications

Risks, Threats, and Vulnerabilities

• Risk: a potential monetary loss to the firm.

• Threat: people, actions, events, and other situations that can trigger losses.

• Vulnerabilities: flaws, problems, and other conditions that make a system open to threats.

Assessing Risks

• Identify what risks are acceptable and what risks are not.

• Estimate amount of loss and probability the loss will occur.

– If loss occurs, how will the firm respond?

– What would be the cost of the response?
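The three steps above (decide what is acceptable, estimate loss and probability, cost the response) written out as a small risk-register calculation. This is an added example, not part of the lecture; the risk entries and the tolerance figure are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One threat against an asset, with the estimates the slide asks for.
    All figures are constructed samples, not data from the lecture."""
    name: str
    probability: float    # estimated probability the loss occurs in one year (0..1)
    loss: float           # estimated monetary loss if it does occur
    response_cost: float  # cost of the planned response / control

    def expected_loss(self) -> float:
        # Step 2 of the slide: amount of loss weighted by how likely it is
        return self.probability * self.loss


def assess(risks, tolerance):
    """Step 1 and step 3 of the slide.
    `tolerance` is the expected loss the firm is willing to carry without a
    response (an assumed risk-appetite figure).
    Returns name -> (expected_loss, acceptable, response_justified)."""
    results = {}
    for r in risks:
        el = r.expected_loss()
        acceptable = el <= tolerance
        # A response is only worth taking for an unacceptable risk, and only
        # when it costs less than the loss it is expected to prevent.
        justified = (not acceptable) and r.response_cost < el
        results[r.name] = (round(el, 2), acceptable, justified)
    return results


def prioritise(risks):
    """Order the register so the largest expected loss is handled first."""
    return [r.name for r in sorted(risks, key=Risk.expected_loss, reverse=True)]


# Constructed sample register (not from the lecture)
SAMPLE_RISKS = [
    Risk("notebook theft", probability=0.20, loss=5_000, response_cost=400),
    Risk("flood in server room", probability=0.01, loss=250_000, response_cost=3_000),
    Risk("virus outbreak", probability=0.50, loss=20_000, response_cost=4_000),
]

if __name__ == "__main__":
    for name, (el, ok, act) in assess(SAMPLE_RISKS, tolerance=1_500).items():
        print(f"{name:22s} expected loss {el:>9.2f}  acceptable={ok}  respond={act}")
    print("priority order:", prioritise(SAMPLE_RISKS))
```

Note that the flood risk comes out unacceptable yet its response is not justified on cost alone, which is exactly the case where a manager must decide whether to accept, insure, or find a cheaper control.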

Controls

Countermeasures to threats.

Physical controls

Electronic controls

Software controls

Management controls

Common Threats

• Natural Disasters

• Employee Errors

• Computer Crime, Fraud, and Abuse

Natural Disasters

Disaster prevention plan

Use of backup power supplies

Special building material

Location

Drainage systems

Structural modifications to avoid damage

Natural Disasters

Disaster recovery plan

• Planning how to restore operations quickly

• Developing contingency plans

Disaster containment plan

• Sprinkler systems

• Water-tight ceilings

Computer Crime, Fraud and Abuse

• About 75% of firms reported financial losses from computer crimes; 90% of computer crime goes unreported.

• Industrial Espionage: the theft of organisational data by competitors

• Hacking: unauthorised entry by a person into a computer system or network

• Data Diddling: the use of a computer system by employees to forge documents or change data in records for personal gain

Computer Viruses

A hidden program which inserts itself into the computer system and forces the system to clone it.

Can be:

– Benign

– Malicious:

• destroys its original host when it has copied itself

• spare capacity of the computer is used up by proliferation

Time Bombs

activated by a particular date

Logic Bomb

activated by the execution of a specific logical condition

Worms

Similar to a virus, but resides in separate software

Trojan Horses

Computer Viruses

Can be infected by:

• E-mail

• Any network connection: downloading a program, accessing a web site

• Diskettes

Computer Crime, Fraud and Abuse (Cont.)

• Hardware Theft and Vandalism:

– Over 208,000 notebook computers were stolen in 1995.

• Software Piracy: reproducing a program that violates copyright protection.

– Illegal use jeopardises organisations.

– Piracy can cause you to lose your job.

• Copyright laws

Privacy Violations

Capacity of individuals or organisations to control information about themselves.

– limiting the types and amounts of data that can be collected about individuals and organisations.

– individuals or organisations have the ability to access, examine, and correct the data stored about them

– that the disclosure, use, or dissemination of those data are restricted

Privacy Violations

Violations of electronic mail privacy and electronic data interchange.

Data protection legislation

Controls

Good computer hygiene

Anti-Virus programs

– Prevent a virus-laden file from being downloaded from a network

– Prevent the virus program from inserting itself in the system

– Detect a virus program so you can take emergency action

– Control the damage virus programs can do once they have been detected

Protecting Information Systems

• Small business measures:

– Alarms and regular use of keyboard locks.

– Replacement value insurance.

– Password protection.

– Storage of software disks in a locked cabinet.

– Tie-down cables for desktop computers.

– Train employees.

Securing Communications Systems

• Encryption:

the process of encoding data

• Firewalls:

typically a system used to enforce an access control policy between two networks.

• E-mail Gateways:

monitor all inbound and outbound traffic

Develop/practice a disaster recovery plan with a “hot” site and a “cold” site.

Describes how a firm can resume operations after a disaster

Ethics

• Ethical and Contractual Behaviour: a good part of computer ethics is behaving legally and contractually - not copying software you have no right to copy.

• Privacy, Access, and Accuracy Issues: It is not illegal to read the email of others, but it is unethical.

Privacy Issues

• What information on individuals and other firms should an organisation keep?

• What rights should these individuals and firms have about the use of the data that your organisation keeps?

• If your organisation is bought by another, what rights should the purchaser have about the data that it maintains?

Privacy Issues (Cont.)

• What is your firm’s responsibility for ensuring the data on people it keeps is accurate?

• What rights do people have to review the data kept about themselves?

• Who in an organisation has the right to review the records of others?

Property Issues

• Using shareware software without sending a check to the developer is unethical.

• Protecting the rights of others by not copying software: piracy increases the legal cost to others who purchase the software.

• Property rights over intellectual property such as copyrights.

The Widespread Impact of Information Systems and

Management Responsibility

• IS allow increased efficiency and effectiveness; this can lead to workforce reductions.

• Responsibilities to employees as stakeholders in the organisation.

• Managers should develop and deploy information systems in a socially responsible way.

Summary

• Information systems pose numerous security and ethical problems for managers.

• Assess the risks and understand the controls to apply to reduce the threats to IS.

• Understand that ethical problems with IS have been the subject of legislation and court action, and that managers have a social responsibility to safeguard information and its use.

R. Behar, “Who’s Reading Your Email?”, Fortune, February 3, 1997, pp. 58, 64.

K. Ferrell, “Net Crime: Don’t Be a Victim”, CNET.COM (online magazine), February 6, 1996.

A. Gordon, “Study: Computer Crimes Grow, Losses Top $100 Million”, USA Today, March 7, 1997 (online version).

M. J. Zuckerman, “Cybercrime against Business Frequent, Costly”, USA Today, January 13, 1997 (online version).

Vance McCarthy, “Web Security: How Much Is Enough?”, January 1997.