Contents
1 Introduction
  1.1 Security Program
  1.2 Security Controls
  1.3 The Elements of Security
2 Core Information Security Principles
  2.1 Confidentiality
  2.2 Integrity
  2.3 Availability
3 Information Security Management Governance
  3.1 Security Governance
  3.2 Security Policies, Procedures, Standards, Guidelines, and Baselines
    3.2.1 Policies
    3.2.2 Standards
    3.2.3 Procedures
    3.2.4 Baselines
    3.2.5 Guidelines
    3.2.6 Putting It All Together
  3.3 Organizational Security Models
    3.3.1 COSO
    3.3.2 ITIL
    3.3.3 COBIT 4.X
    3.3.4 ISO/IEC 27000 Series (Formerly BS 7799/ISO 17799)
      3.3.4.1 BS 7799
      3.3.4.2 ISO 17799
      3.3.4.3 ISO 27000 Series
4 Organizational Behavior
  4.1 Organizational Structure Evolution
  4.2 Best Practices
    4.2.1 Job Rotation
    4.2.2 Separation of Duties
    4.2.3 Least Privilege (Need to Know)
    4.2.4 Mandatory Vacations
    4.2.5 Job Position Sensitivity
  4.3 Security Roles and Responsibilities
    4.3.1 Levels of Responsibilities
    4.3.2 Classification of Roles and their Responsibilities
  4.4 Reporting Model
  4.5 Enterprise-wide Security Oversight
    4.5.1 Defining the Goals
    4.5.2 Security Planning
    4.5.3 Personnel Security
5 Security Awareness, Training, and Education
  5.1 Conducting A Formal Security Awareness Training
  5.2 Awareness Activities and Methods
6 Information Risk Management
  6.1 Risk Management Concepts
  6.2 Risk Handling Strategies
  6.3 Risk Assessment/Analysis
    6.3.1 Identifying The Risk Elements
    6.3.2 A Quantitative Approach to Risk Analysis
    6.3.3 A Qualitative Approach to Risk Analysis
    6.3.4 Selecting and Implementing a Countermeasure
7 Information Classification
  7.1 Introduction
  7.2 Classification Types
  7.3 Guidelines for Information Classification
  7.4 Criteria for Information Classification
  7.5 Data Classification Procedures
  7.6 Classification Controls
8 Ethics
  8.1 Basic Concepts
  8.2 Professional Code of Ethics
    8.2.1 Computer Ethics Institute
    8.2.2 Internet Architecture Board
    8.2.3 The (ISC)2 Code of Ethics
  8.3 Example Topics in Computer Ethics
    8.3.1 Computers in the Workplace
    8.3.2 Computer Crime
    8.3.3 Privacy and Anonymity
    8.3.4 Intellectual Property
    8.3.5 Professional Responsibility
    8.3.6 Globalization
  8.4 Common Computer Ethics Fallacies
  8.5 Hacking and Hacktivism
    8.5.1 The Hacker Ethics
9 References
Introduction
Information security means protecting information (data) and information systems from unauthorized
access, use, disclosure, disruption, modification, or destruction.
Information security management is the process of defining the security controls needed to protect the
information assets.
Security Program
The first action of a management program to implement information security is to have a security
program in place. Some argue that the first act should instead be to gain concrete, demonstrable
security knowledge that can be shown on screen, starting, for instance, with understanding where the
operating system stores its passwords, in which file and in which directory. If you do not understand
operating systems at the root-directory level, seek advice from somebody who does before even
beginning to implement security program management and objectives.
Security Program Objectives
Top-Down Approach
o The initiation, support, and direction come from top management and work their way
through middle management and then to staff members.
o Treated as the best approach, although it seems to rest on the "I get paid more, therefore I
must know more about everything" mentality.
o Ensures that the senior management who are ultimately responsible for protecting the
company's assets are driving the program.
Bottom-Up Approach
o The lower-end team comes up with a security control or a program without proper
management support and direction.
o It is often considered less effective and doomed to fail, for the same flaw in thinking as above:
"I get paid more, therefore I must know more about everything."
Since advancement is directly tied to how well you can convince others, who often fall outside your
job duties and department, of your higher value to the company through your own written
communication, this produces amazing resume writers and take-no-blame email responses, which seem
to lead to the eventual failure of the company's standards and actual knowledge. This is often
covered up by the relationships that form at the power levels within any group of people, and by
so-called experts who have no real idea what is involved under the hood of the reports and
applications they use, and who present no proof in the emails in which they declare their own
expertise or put the blame on someone else.
Security Controls
Security Controls can be classified into three categories
Administrative Controls which include
It is a software, hardware, or procedural weakness that may provide an attacker the open door
he is looking for to enter a computer or network and have unauthorized access to resources
within the environment.
Vulnerability characterizes the absence or weakness of a safeguard that could be exploited.
E.g.: a service running on a server, unpatched applications or operating system software,
unrestricted modem dial-in access, an open port on a firewall, lack of physical security etc.
Threat
Risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding
business impact.
Reducing the vulnerability and/or the threat reduces the risk.
E.g.: If a firewall has several ports open, there is a higher likelihood that an intruder will use one
to access the network in an unauthorized manner.
Exposure
Example: If a company has antivirus software but does not keep the virus signatures up-to-date,
this is a vulnerability. The company is vulnerable to virus attacks.
The threat is that a virus will show up in the environment and disrupt productivity.
The likelihood of a virus showing up in the environment and causing damage is the risk.
If a virus infiltrates the company's environment, then the vulnerability has been exploited and the
company is exposed to loss.
The countermeasures in this situation are to update the signatures and install the antivirus
software on all computers.
Alternative Description:
A threat agent causes the realisation of a threat by exploiting a vulnerability. The measurement of
the extent that this exploitation causes damage is the exposure. The organisational loss created
within the exposure is the impact. Risk is the probability that a threat event will generate loss and be
realised within the organisation.
Example:
Confidentiality
Ensures that the necessary level of secrecy is enforced at each junction of data processing and
prevents unauthorized disclosure. This level of confidentiality should prevail while data resides
on systems and devices within the network, as it is transmitted, and once it reaches its
destination.
Threat sources
o Network monitoring
o Shoulder surfing: monitoring keystrokes or the screen
o Stealing password files
o Social engineering: one person posing as the actual
Countermeasures
o Encrypting data as it is stored and transmitted.
o Using network padding.
o Implementing strict access control mechanisms and data classification.
o Training personnel on proper procedures.
Integrity
Integrity of data is protected when the assurance of accuracy and reliability of information and
system is provided, and unauthorized modification is prevented.
Threat sources
o Viruses
o Logic Bombs
o Backdoors
Countermeasures
o Strict Access Control
o Intrusion Detection
o Hashing
Availability
Availability ensures reliability and timely access to data and resources to authorized individuals.
Threat sources
o Device or software failure.
o Environmental issues like heat, cold, humidity, static electricity, and contaminants can also
affect system availability.
o Denial-of-service (DoS) attacks
Countermeasures
o Maintaining backups to replace the failed system
o IDS to monitor the network traffic and host system activities
o Use of certain firewall and router configurations
Regulatory: This type of policy ensures that the organization is following standards set by
specific industry regulations. This policy type is very detailed and specific to a type of industry.
This is used in financial institutions, health care facilities, public utilities, and other government-
regulated industries. E.g.: TRAI.
Advisory: This type of policy strongly advises employees regarding which types of behaviors and
activities should and should not take place within the organization. It also outlines possible
ramifications if employees do not comply with the established behaviors and activities. This
policy type can be used, for example, to describe how to handle medical information, handle
financial transactions, or process confidential information.
Informative: This type of policy informs employees of certain topics. It is not an enforceable
policy, but rather one to teach individuals about specific issues relevant to the company. It could
explain how the company interacts with partners, the company's goals and mission, and a
general reporting structure in different situations.
Types of Security Policies
Organizational
o Management establishes how a security program will be set up, lays out the program's
goals, assigns responsibilities, shows the strategic and tactical value of security, and
outlines how enforcement should be carried out.
o Provides scope and direction for all future security activities within the organization.
o This policy must address relevant laws, regulations, and liability issues and how they are to
be satisfied.
o It also describes the amount of risk senior management is willing to accept.
o Characteristics
Business objectives should drive the policy's creation, implementation, and
enforcement. The policy should not dictate business objectives.
It should be an easily understood document that is used as a reference point for all
employees and management.
It should be developed and used to integrate security into all business functions and
processes.
It should be derived from and support all legislation and regulation applicable to the
company.
It should be reviewed and modified as a company changes, such as through adoption of
a new business model, merger with another company, or change of ownership.
Each iteration of the policy should be dated and under version control.
The units and individuals who are governed by the policy must have access to the
applicable portions and not be expected to have to read all policy material to find
direction and answers.
Issue-specific
o Addresses specific security issues that management feels need more detailed explanation
and attention, to make sure a comprehensive structure is built and all employees understand
how they are to comply with these security issues.
o E.g.: An e-mail policy might state that management can read any employee's e-mail
messages that reside on the mail server, but not when they reside on the user's workstation.
System-specific
o Presents the management's decisions that are specific to the actual computers, networks,
applications, and data.
o This type of policy may provide an approved software list, which contains a list of
applications that may be installed on individual workstations.
o E.g.: This policy may describe how databases are to be used and protected, how computers
are to be locked down, and how firewalls, IDSs, and scanners are to be employed.
Standards
Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.
E.g.: we can write procedures on how to install operating systems, configure security
mechanisms, implement access control lists, set up new user accounts, assign computer
privileges, audit activities, destroy material, report incidents, and much more.
Procedures are considered the lowest level in the policy chain because they are closest to the
computers and users (compared to policies) and provide detailed steps for configuration and
installation issues.
Procedures spell out how the policy, standards, and guidelines will actually be implemented in
an operating environment.
If a policy states that all individuals who access confidential information must be properly
authenticated, the supporting procedures will explain the steps for this to happen by defining the
access criteria for authorization, how access control mechanisms are implemented and
configured, and how access activities are audited.
Baselines
A baseline can refer to a point in time that is used as a comparison for future changes. Once
risks have been mitigated, and security put in place, a baseline is formally reviewed and agreed
upon, after which all further comparisons and development are measured against it.
A baseline results in a consistent reference point.
Baselines are also used to define the minimum level of protection that is required.
In security, specific baselines can be defined per system type, which indicates the necessary
settings and the level of protection that is being provided. For example, a company may stipulate
that all accounting systems must meet an Evaluation Assurance Level (EAL) 4 baseline.
Guidelines
Guidelines are recommended actions and operational guides to users, IT staff, operations staff,
and others when a specific standard does not apply.
Guidelines can deal with the methodologies of technology, personnel, or physical security.
Putting It All Together
A policy might state that access to confidential data must be audited. A supporting guideline
could further explain that audits should contain sufficient information to allow for reconciliation
with prior reviews. Supporting procedures would outline the necessary steps to configure,
implement, and maintain this type of auditing.
Policies are strategic (long term), while standards, guidelines and procedures are
tactical (medium term).
Organizational Security Models
Some of the best practices that facilitate the implementation of security controls include Control
Objectives for Information and Related Technology (COBIT), ISO/IEC 17799/BS 7799, Information
Technology Infrastructure Library (ITIL), and Operationally Critical Threat, Asset and Vulnerability
Evaluation (OCTAVE).
COSO
Committee of Sponsoring Organizations of the Treadway Commission (COSO), is a U.S. private-
sector initiative, formed in 1985. Its major objective is to identify the factors that cause fraudulent
financial reporting and to make recommendations to reduce its incidence. COSO has established a
common definition of internal controls, standards, and criteria against which companies and
organizations can assess their control systems.
Key concepts of the COSO framework
Internal control is a process. It is a means to an end, not an end in itself.
Internal control is affected by people. It’s not merely policy manuals and forms, but people at
every level of an organization.
Internal control can be expected to provide only reasonable assurance, not absolute assurance,
to an entity's management and board.
Internal control is geared to the achievement of objectives in one or more separate but
overlapping categories.
The COSO framework defines internal control as a process, effected by an entity's board of
directors, management and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives in the following categories:
Control Environment: The control environment sets the tone of an organization, influencing the
control consciousness of its people. It is the foundation for all other components of internal
control, providing discipline and structure. Control environment factors include the integrity,
ethical values, management's operating style, delegation of authority systems, as well as the
processes for managing and developing people in the organization.
Risk assessment: Every entity faces a variety of risks from external and internal sources that
must be assessed. A precondition to risk assessment is establishment of objectives and thus
risk assessment is the identification and analysis of relevant risks to achievement of assigned
objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
Control activities: Control activities are the policies and procedures that help ensure
management directives are carried out. They help ensure that necessary actions are taken to
address risks to achievement of the entity's objectives. Control activities occur throughout the
organization, at all levels and in all functions. They include a range of activities as diverse as
approvals, authorizations, verifications, reconciliations, reviews of operating performance,
security of assets and Separation of duties/segregation of duties.
Information and communication: Information systems play a key role in internal control
systems as they produce reports, including operational, financial and compliance-related
information, that make it possible to run and control the business. In a broader sense, effective
communication must ensure information flows down, across and up the organization. Effective
communication should also be ensured with external parties, such as customers, suppliers,
regulators and shareholders.
Monitoring: Internal control systems need to be monitored—a process that assesses the quality
of the system's performance over time. This is accomplished through ongoing monitoring
activities or separate evaluations. Internal control deficiencies detected through these monitoring
activities should be reported upstream and corrective actions should be taken to ensure
continuous improvement of the system.
ITIL
The Information Technology Infrastructure Library (ITIL) is a set of concepts and techniques for
managing information technology (IT) infrastructure, development, and operations.
ITIL is published in a series of books, each of which covers an IT management topic.
Overview and Benefits
ITIL provides a systematic and professional approach to the management of IT service provision.
Adopting its guidance offers users a huge range of benefits that include:
reduced costs;
improved IT services through the use of proven best practice processes;
improved customer satisfaction through a more professional approach to service delivery;
standards and guidance;
improved productivity;
improved use of skills and experience; and
improved delivery of third party services through the specification of ITIL or ISO 20000 as the
standard for service delivery in services procurements.
ITIL v3
ITIL v3, which was published in May 2007, comprises 5 key volumes:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
COBIT 4.X
The Control Objectives for Information and related Technology (COBIT 4.X) is a set of best practices
(framework) for information technology (IT) management created by the Information Systems Audit
and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992. COBIT provides
managers, auditors, and IT users with a set of generally accepted measures, indicators, processes
and best practices to assist them in maximizing the benefits derived through the use of information
technology and developing appropriate IT governance and control in a company.
Overview
COBIT has 34 high level processes that cover 210 control objectives categorized in four
domains:
o Planning and Organization
o Acquisition and Implementation
o Delivery and Support
o Monitoring
COBIT provides benefits to managers, IT users, and auditors
o Managers benefit from COBIT because it provides them with a foundation upon which IT
related decisions and investments can be based. Decision making is more effective because
COBIT aids management in defining a strategic IT plan, defining the information
architecture, acquiring the necessary IT hardware and software to execute an IT strategy,
ensuring continuous service, and monitoring the performance of the IT system.
o IT users benefit from COBIT because of the assurance provided to them by COBIT's defined
controls, security, and process governance.
o COBIT benefits auditors because it helps them identify IT control issues within a company's
IT infrastructure. It also helps them corroborate their audit findings.
COBIT structure
Plan and Organize: The Planning and Organization domain covers the use of information &
technology and how best it can be used in a company to help achieve the company's goals and
objectives. It also highlights the organizational and infrastructural form IT is to take in order to
achieve the optimal results and to generate the most benefits from the use of IT.
Acquire and Implement: The Acquire and Implement domain covers identifying IT requirements,
acquiring the technology, and implementing it within the company's current business processes.
This domain also addresses the development of a maintenance plan that a company should
adopt in order to prolong the life of an IT system and its components.
Delivery and Support: The Delivery and Support domain focuses on the delivery aspects of the
information technology. It covers areas such as the execution of the applications within the IT
system and its results, as well as, the support processes that enable the effective and efficient
execution of these IT systems. These support processes include security issues and training.
Monitor and Evaluate: The Monitoring and Evaluation domain deals with a company's strategy in
assessing the needs of the company and whether or not the current IT system still meets the
objectives for which it was designed and the controls necessary to comply with regulatory
requirements. Monitoring also covers the issue of an independent assessment of the
effectiveness of IT system in its ability to meet business objectives and the company's control
processes by internal and external auditors.
ISO/IEC 27000 Series (Formerly BS 7799/ISO 17799)
Tracking the history of the ISO/IEC 27000-series of standards is somewhat of a challenge. This
section provides the history of the ISO standard for information security management that began
with BS 7799 and later resulted in ISO 17799 and eventually the ISO 27000 "family of standards" for
Information Security Management Systems (ISMS). Like the other control and governance models,
the ISO 27000 series provides a set of guidelines and best practices for information security
management. The standards are the product of ISO/IEC JTC1 (Joint Technical Committee 1) SC27
(Sub Committee 27), an international body that meets in person twice a year. The International
Standards Organization (ISO) also develops standards for quality control, environmental protection,
product usability, manufacturing, etc.
BS 7799
The BS 7799 is basically divided into 3 Parts
BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards
Institute (BSI) in 1995.
o It was eventually adopted by ISO as ISO/IEC 17799, "Information Technology - Code of
practice for information security management." in 2000.
o ISO/IEC 17799 was most recently revised in June 2005 and was renamed to ISO/IEC
27002 in July 2007.
BS 7799 Part 2 was first published by BSI in 1999, titled "Information Security Management
Systems - Specification with guidance for use." It is focused on how to implement an information
security management system (ISMS).
o The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) (Deming quality
assurance model), aligning it with quality standards such as ISO 9000.
o BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.
BS 7799 Part 3 was published in 2005, covering risk analysis and management. It aligns with
ISO/IEC 27001.
ISO 17799
Organizational Behavior
Organizational Structure Evolution
Today's Security Organizational Structure
Best Practices
Job Rotation
Job rotation is an approach to management development where an individual is moved through a
schedule of assignments designed to give him or her a breadth of exposure to the entire operation.
Job rotation is also practiced to allow qualified employees to gain more insight into the processes of
a company and to increase job satisfaction through job variation.
Separation of Duties
Separation of duties (SoD) is the concept of having more than one person required to complete a
task. It is alternatively called segregation of duties or, in the political realm, separation of powers.
***WARNING*** WARNING about possible SoD shortcomings ****** This approach can make it very
difficult to determine the underlying causes of errors or failures in a large entity's production
automation, because no single person is able to view the information flow from the "big picture":
for example, how an automated program starts an application that produces incorrect output data
without clearly failing with an error alert, running on a virtual server client that transports the
resulting data file to an outside client, and so on. Each separated department's individual will
just glance at the application software used to manage their specified section on their monitor,
see no obvious errors, assume the unknown error causing the complete system or process failure is
not within their section, and go back to communicating effectively while writing up all the great
accomplishments they delivered toward the entity's stated goals, to have available for their next
review with management, because that is what HR told them to do. (Not that this behavior is faulty
or wrong in any sense; it is actually doing what the entity's incentives are geared to encourage,
not only for advancement but to keep a job as well.)
Without those few and far between expert-level techs who have (or can get) the administration
rights to view all aspects of any given production process, it will be nearly impossible to
determine the underlying cause, which can lead to outrageous decisions as to what the problem must
have been. (For example: deciding to quit using all virtual servers and go back to multiple physical
server machines, each connected to its own monitor, all because no error handling was coded into the
in-house written .NET program.) (Or nobody realizing the automated software machine was running into
RAM issues because every automated job was set to auto-start at exactly 6:00, and MS Windows has a
built-in limit of a maximum of 10 network connections at one time even at the enterprise level, and
so forth.) ***These SoD positions are of no interest to those high-level technical experts who seek
to be constantly challenged.***
Overview
SoD in basic terms means that no single individual should have control over two or more phases of
a transaction or operation, so that deliberate fraud is more difficult because it requires the
collusion of two or more individuals or parties.
With the concept of SoD, business-critical duties can be categorized into four types of functions:
authorization, custody, record keeping and reconciliation. In a perfect system, no one person
should handle more than one type of function.
In information systems, segregation of duties helps reduce the potential damage from the
actions of one person. The IS or end-user department should be organized in a way that achieves
adequate separation of duties.
Control Mechanisms to enforce SoD
There are several control mechanisms that can help to enforce the segregation of duties:
Audit trails enable IT managers or Auditors to recreate the actual transaction flow from the point
of origination to its existence on an updated file. Good audit trails should be enabled to provide
information on who initiated the transaction, the time of day and date of entry, the type of entry,
what fields of information it contained, and what files it updated.
Reconciliation of applications and an independent verification process is ultimately the
responsibility of users, which can be used to increase the level of confidence that an application
ran successfully.
Exception reports are handled at supervisory level, backed up by evidence noting that
exceptions are handled properly and in timely fashion. A signature of the person who prepares
the report is normally required.
Manual or automated system or application transaction logs should be maintained, which record
all processed system commands or application transactions.
Supervisory review should be performed through observation and inquiry and through the trust built
with direct, one-level-up managers.
To compensate for repeated mistakes or intentional failures to follow a prescribed procedure,
independent reviews are recommended. Such reviews can help detect errors and irregularities,
but they are usually expensive and can raise questions as to how much an outside independent
review once a quarter can know about your processes compared to the people within, and what level
of trust can be built with those independent reviewers.
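The SoD rule and the audit-trail fields above can be checked mechanically. The following is an added example, not code from the original page: it models the four function types (authorization, custody, record keeping, reconciliation), records audit entries with the fields the text lists (who, when, entry type, fields, file updated), and flags any principal who performed more than one function type within a transaction. The transaction ids, principals and file names are constructed sample data.

```python
"""Separation-of-duties (SoD) check over a constructed audit trail."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# The four function types; one principal should hold at most one per transaction.
FUNCTION_TYPES = ("authorization", "custody", "record_keeping", "reconciliation")


@dataclass(frozen=True)
class AuditEntry:
    txn_id: str          # transaction the entry belongs to
    principal: str       # who initiated the entry
    timestamp: datetime  # time of day and date of entry
    entry_type: str      # one of FUNCTION_TYPES
    fields: tuple        # fields of information the entry contained
    updated_file: str    # file the entry updated


def find_sod_violations(entries):
    """Return {txn_id: {principal: [function types]}} for every principal who
    performed two or more function types within a single transaction."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in entries:
        if e.entry_type not in FUNCTION_TYPES:
            raise ValueError(f"unknown entry type {e.entry_type!r} in {e.txn_id}")
        seen[e.txn_id][e.principal].add(e.entry_type)
    violations = {}
    for txn, by_principal in seen.items():
        bad = {p: sorted(t) for p, t in by_principal.items() if len(t) > 1}
        if bad:
            violations[txn] = bad
    return violations


def find_unreconciled(entries):
    """Transactions with no reconciliation entry, i.e. no independent
    verification that the transaction ran as expected."""
    types_per_txn = defaultdict(set)
    for e in entries:
        types_per_txn[e.txn_id].add(e.entry_type)
    return sorted(t for t, kinds in types_per_txn.items()
                  if "reconciliation" not in kinds)


def transaction_flow(entries, txn_id):
    """Recreate the transaction flow from origination to the last updated file,
    ordered by time, as an auditor would read it from the audit trail."""
    steps = sorted((e for e in entries if e.txn_id == txn_id),
                   key=lambda e: e.timestamp)
    return [(e.principal, e.entry_type, e.updated_file) for e in steps]


def _at(hour, minute):
    return datetime(2024, 3, 1, hour, minute)


# Constructed sample audit trail: PO-1001 is clean; in PO-1002 "erin" both
# authorizes and takes custody, and nobody reconciles.
SAMPLE_ENTRIES = [
    AuditEntry("PO-1001", "alice", _at(9, 0), "authorization", ("vendor", "amount"), "po_requests.db"),
    AuditEntry("PO-1001", "bob", _at(9, 30), "custody", ("asset_tag",), "inventory.db"),
    AuditEntry("PO-1001", "carol", _at(10, 0), "record_keeping", ("gl_account", "amount"), "ledger.db"),
    AuditEntry("PO-1001", "dave", _at(17, 0), "reconciliation", ("gl_account", "inventory_count"), "recon.log"),
    AuditEntry("PO-1002", "erin", _at(11, 0), "authorization", ("vendor", "amount"), "po_requests.db"),
    AuditEntry("PO-1002", "erin", _at(11, 5), "custody", ("asset_tag",), "inventory.db"),
    AuditEntry("PO-1002", "frank", _at(11, 30), "record_keeping", ("gl_account", "amount"), "ledger.db"),
]

if __name__ == "__main__":
    print("SoD violations:", find_sod_violations(SAMPLE_ENTRIES))
    print("Unreconciled:", find_unreconciled(SAMPLE_ENTRIES))
    print("Flow PO-1001:", transaction_flow(SAMPLE_ENTRIES, "PO-1001"))
```

Run over a real transaction log, the same check also surfaces the gap the text warns about: a transaction with no reconciliation entry is one nobody independently verified.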
Least Privilege (Need to Know)
Introduction
The principle of least privilege, also known as the principle of minimal privilege or just least privilege,
requires that in a particular abstraction layer of a computing environment every module (such as a
process, a user or a program on the basis of the layer we are considering) must be able to access
only such information and resources that are necessary to its legitimate purpose.
Note: This principle is a useful security tool, but it has never been successful at enforcing high
assurance security on a system.
Benefits
Better system stability. When code is limited in the scope of changes it can make to a system, it
is easier to test its possible actions and interactions with other applications. In practice for
example, applications running with restricted rights will not have access to perform operations
that could crash a machine, or adversely affect other applications running on the same system.
Better system security. When code is limited in the system-wide actions it may perform,
vulnerabilities in one application cannot be used to exploit the rest of the machine. For example,
Microsoft states “Running in standard user mode gives customers increased protection against
inadvertent system-level damage caused by "shatter attacks" and malware, such as root kits,
spyware, and undetectable viruses.” [1]
Ease of deployment. In general, the fewer privileges an application requires, the easier it is to
deploy within a larger environment. This usually follows from the first two benefits: applications
that install device drivers or require elevated security privileges typically have additional steps
involved in their deployment. For example, on Windows a solution with no device drivers can be
run directly with no installation, while device drivers must be installed separately using the
Windows installer service in order to grant the driver elevated privileges.
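One practical way to apply the principle above is to compare what each principal has been granted with what its legitimate work actually uses, and revoke the rest. The following is an added example, not code from the original page: the grant table, the access-log format and its lines are constructed for illustration, and the log is assumed to cover a representative period of legitimate activity.

```python
"""Right-sizing permissions toward least privilege from an access log."""
from collections import defaultdict
import re

# Constructed grant table: principal -> set of (resource, operation) currently allowed.
GRANTS = {
    "backup-svc": {("/srv/db", "read"), ("/srv/db", "write"),
                   ("/srv/backups", "write"), ("/etc/shadow", "read")},
    "web-app": {("/srv/www", "read"), ("/srv/db", "read"), ("/srv/db", "write")},
}

# Constructed access log, one event per line: <timestamp> <principal> <op> <resource> <result>
ACCESS_LOG = """\
2024-03-01T02:00:01 backup-svc read /srv/db ALLOW
2024-03-01T02:00:09 backup-svc write /srv/backups ALLOW
2024-03-01T08:15:00 web-app read /srv/www ALLOW
2024-03-01T08:15:02 web-app read /srv/db ALLOW
2024-03-01T08:15:03 web-app write /srv/db ALLOW
2024-03-02T02:00:01 backup-svc read /srv/db ALLOW
2024-03-02T02:00:08 backup-svc write /srv/backups ALLOW
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (ALLOW|DENY)$")


def used_permissions(log_text):
    """Return principal -> set of (resource, op) that the log shows as actually used."""
    used = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"malformed log line: {line!r}")
        _ts, principal, op, resource, result = m.groups()
        if result == "ALLOW":          # DENY lines show attempts, not legitimate need
            used[principal].add((resource, op))
    return used


def excess_privileges(grants, used):
    """Granted but never exercised: candidates for revocation under least privilege."""
    excess = {}
    for principal, perms in grants.items():
        unused = perms - used.get(principal, set())
        if unused:
            excess[principal] = sorted(unused)
    return excess


def minimal_policy(grants, used):
    """Keep only what each principal has demonstrably needed (grants intersected with usage)."""
    return {p: perms & used.get(p, set()) for p, perms in grants.items()}


def is_allowed(policy, principal, resource, op):
    """Default-deny check against the right-sized policy."""
    return (resource, op) in policy.get(principal, set())


if __name__ == "__main__":
    used = used_permissions(ACCESS_LOG)
    print("Revoke:", excess_privileges(GRANTS, used))
    policy = minimal_policy(GRANTS, used)
    print("backup-svc may read /etc/shadow:", is_allowed(policy, "backup-svc", "/etc/shadow", "read"))
```

The caveat a practitioner would add: usage observed over a short window can miss rare but legitimate operations (a restore, a quarterly job), so revocation candidates should be reviewed with the owner of the function, not applied blindly.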
Mandatory Vacations
Mandatory vacations of one to two weeks are used to audit and verify the work tasks and privileges
of employees. This often results in easy detection of abuse, fraud, or negligence.
Job Position Sensitivity
Security Roles and Responsibilities
Levels of Responsibilities
Senior management and other levels of management understand the vision of the company, the
business goals, and the objectives.
Functional management, whose members understand how their individual departments work,
what roles individuals play within the company, and how security affects their department
directly.
Operational managers and staff. These layers are closer to the actual operations of the
company. They know detailed information about the technical and procedural requirements, the
systems, and how the systems are used. The employees at these layers understand how
security mechanisms integrate into systems, how to configure them, and how they affect daily
productivity.
Classification of Roles and their Responsibilities[edit]
Data Owner
The data owner (information owner) is usually a member of management, in charge of a specific
business unit, and is ultimately responsible for the protection and use of a specific subset of
information.
The data owner decides upon the classification of the data that he is responsible for and alters
that classification if the business needs arise.
This person is also responsible for ensuring that the necessary security controls are in place,
ensuring that proper access rights are being used, defining security requirements per
classification and backup requirements, approving any disclosure activities, and defining user
access criteria.
The data owner approves access requests or may choose to delegate this function to business
unit managers. And it is the data owner who will deal with security violations pertaining to the
data he is responsible for protecting.
The data owner, who obviously has enough on his plate, delegates responsibility of the day-to-
day maintenance of the data protection mechanisms to the data custodian.
Data Custodian
The data custodian (information custodian) is responsible for maintaining and protecting the
data.
This role is usually filled by the IT department, and the duties include performing regular
backups of the data, periodically validating the integrity of the data, restoring data from backup
media, retaining records of activity, and fulfilling the requirements specified in the company's
security policy, standards, and guidelines that pertain to information security and data protection.
System Owner
The system owner is responsible for one or more systems, each of which may hold and process
data owned by different data owners.
A system owner is responsible for integrating security considerations into application and system
purchasing decisions and development projects.
The system owner is responsible for ensuring that adequate security is being provided by the
necessary controls, password management, remote access controls, operating system
configurations, and so on.
This role needs to ensure that the systems are properly assessed for vulnerabilities and must
report any to the incident response team and data owner.
Security Administrator
A security administrator's tasks are many, and include creating new system user accounts,
implementing new security software, testing security patches and components, and issuing new
passwords.
The security administrator role needs to make sure that access rights that are given to users
support the policies and data owner directives.
Security Analyst
This role works at a higher, more strategic level than the previously described roles and helps to
develop policies, standards, and guidelines and set various baselines.
Whereas the previous roles are "in the weeds" and focusing on their pieces and parts of the
security program, a security analyst helps define the security program elements and follows
through to ensure that the elements are being carried out and practiced properly. This person
works more at a design level than at an implementation level.
Application Owner
An application owner, usually a business unit manager, is responsible for dictating who can and
cannot access that unit's applications, such as the accounting software or the software used for
testing and development.
Supervisor
This role, also called user manager, is ultimately responsible for all user activity and any assets
created and owned by these users like ensuring that all his employees understand their
responsibilities with respect to security, distributing initial passwords, making sure that the
employees' account information is up-to-date, and informing the security administrator when an
employee is fired, suspended, or transferred.
Change Control Analyst
The change control analyst is responsible for approving or rejecting requests to make changes
to the network, systems, or software.
This role needs to make sure that the change will not introduce any vulnerability, that it has been
properly tested, and that it is properly rolled out.
The change control analyst needs to understand how various changes can affect security,
interoperability, performance, and productivity.
Data Analyst
The data analyst is responsible for ensuring that data is stored in a way that makes the most
sense to the company and the individuals who need to access and work with it.
The data analyst role may be responsible for architecting a new system that will hold company
information or advising in the purchase of a product that will do this.
The data analyst works with the data owners to help ensure that the structures that are set up
coincide with and support the company's business objectives.
Process Owner
Security should be considered and treated like just another business process. The process
owner is responsible for properly defining, improving upon, and monitoring these processes.
A process owner is not necessarily tied to one business unit or application. Complex processes
involve a lot of variables that can span across different departments, technologies, and data
types.
Solution Provider
This role is called upon when a business has a problem or requires that a process be improved
upon.
A solution provider works with the business unit managers, data owners, and senior
management to develop and deploy a solution to reduce the company's pain points.
User
The user is any individual who routinely uses the data for work-related tasks.
The user must have the necessary level of access to the data to perform the duties within their
position and is responsible for following operational security procedures to ensure the data's
confidentiality, integrity, and availability to others.
Product Line Manager
Responsible for explaining business requirements to vendors and wading through their rhetoric
to see if the product is right for the company
Responsible for ensuring compliance to license agreements
Responsible for translating business requirements into objectives and specifications for the
developer of a product or solution
Decides if his company really needs to upgrade their current systems
This role must understand business drivers, business processes, and the technology that is
required to support them.
The product line manager evaluates different products in the market, works with vendors,
understands different options a company can take, and advises management and business units
on the proper solutions that are needed to meet their goals.
Responsibilities of the Information Security Officer
Vision Statement
Mission Statement
Security Planning[edit]
Strategic Planning
Tactical Planning
Operational and Project Planning
Personnel Security[edit]
There are many facets of personnel responsibilities that fall under management's umbrella and
several of these facets have a direct correlation to the overall security of the environment such as
Skills should be tested and evaluated, and the caliber and character of the individual should be
examined.
Nondisclosure agreements need to be developed and signed by new employees to protect the
company and its sensitive information.
Any conflicts of interests need to be addressed, and there should be different agreements and
precautions taken with temporary and contract employees.
References should be checked, military records should be reviewed, education should be
verified, and if necessary, a drug test should be administered.
Many times, important personal behaviors can be concealed, and that is why hiring practices
should include scenario questions, personality tests, and observations of the individual, instead
of just looking at a person's work history.
Employee Controls
A management structure must be in place to make sure that everyone has someone to report to
and that the responsibility for another person's actions is spread equally and intelligently.
Consequences for noncompliance or unacceptable behavior must be communicated before an
event takes place.
Proper supervisory skills need to be acquired and used to ensure that operations go smoothly
and any out-of-the-ordinary activities can be taken care of before they get out of control.
Rotation of duties should be employed in order to keep control of each department in a healthy and
productive state. No one person should stay in one position for a long period of time, because
they may end up having too much control over a segment of the business, which can result in
fraud, data modification, and misuse of resources.
Employees in sensitive areas should be required to take their vacation, which is known as a
mandatory vacation policy; the individual who covers the position in their absence can usually
detect any fraudulent errors or activities.
Two variations of separation of duties and control are split knowledge and dual control.
o In both cases, two or more individuals are authorized and required to perform a duty or task.
o In the case of split knowledge, no one person knows or has all the details to perform a task.
o In the case of dual control, two individuals are again authorized to perform a task, but both
must be available and active in their participation to complete the task or mission.
Termination
Companies should have a specific set of procedures to follow with each and every termination.
Security Awareness, Training, and Education[edit]
For security to be successful and effective, everyone from senior management down to the rest of
the staff needs to be fully aware of the importance of enterprise and information security.
All employees should understand the underlying significance of security and the specific security
related requirements expected out of them.
The controls and procedures of a security program should reflect the nature of the data being
processed.
The security program should be developed in a fashion that makes sense for the different
cultures and environments.
The security program should communicate the what, how, and why of security to its employees.
Security-awareness training should be comprehensive, tailored for specific groups, and
organization-wide with a goal that each employee understands the importance of security to the
company as a whole and to each individual.
Expected responsibilities and acceptable behaviours need to be clarified, and noncompliance
repercussions, which could range from a warning to dismissal, need to be explained before
being invoked.
Different Types of Security Awareness Trainings
There are usually at least three separate audiences for a security-awareness program:
management, staff, and technical employees.
Each type of awareness training needs to be geared toward the individual audience to ensure
that each group understands its particular responsibilities, liabilities, and expectations.
Members of management would benefit the most from a short, focused security awareness
orientation that discusses corporate assets and financial gains and losses pertaining to security.
Mid-management would benefit from a more detailed explanation of the policies, procedures,
standards, and guidelines and how they map to the individual departments for which they are
responsible.
Middle managers should be taught why their support for their specific departments is critical and
what their level of responsibility is for ensuring that employees practice safe computing activities.
They should also be shown how the consequences of noncompliance by individuals who report
to them can affect the company as a whole and how they, as managers, may have to answer for
such indiscretions.
The technical departments must receive a different presentation that aligns more to their daily
tasks. They should receive a more in-depth training to discuss technical configurations, incident
handling, and indications of different types of security compromises so they can be properly
recognized.
Employees should not try to combat an attacker or address fraudulent activities by themselves;
instead they should be told to report these issues to upper management, which should determine
how to handle the situation.
The presentation given to staff members needs to demonstrate why security is important to the
company and to them individually. The better they understand how insecure activities can
negatively affect them, the more willing they will be to participate in preventing such activities.
It is usually best to have each employee sign a document indicating that they have heard and
understand all the security topics discussed and understand the ramifications of noncompliance.
Security training should happen periodically and continually.
Evaluating The Program
Security-awareness training is a type of control, and just like any other control it should be monitored
and evaluated for its effectiveness.
After the employees attend awareness training, a company may give them questionnaires and
surveys to gauge their retention level and to get their feedback about the training, to evaluate
the program's effectiveness.
A good indication of the effectiveness of the program can be captured by comparing the number
of reports of security incidents that were made before and after the training.
For online training, capture individuals' names and what training modules have or have not been
completed within a specific time period. This can then be integrated into their job performance
documentation.
Security-awareness training must repeat the most important messages in different formats, be
kept up-to-date, be entertaining, positive, and humorous, be simple to understand, and—most
important—be supported by senior management.
Specialized Training Programs
Information Risk Management[edit]
Physical damage: fire, water, vandalism, power loss, and natural disasters
Human interaction: accidental or intentional action or inaction that can disrupt productivity
Equipment malfunction: failure of systems and peripheral devices
Inside and outside attacks: hacking, cracking, and attacking
Misuse of data: sharing trade secrets, fraud, espionage, and theft
Loss of data: intentional or unintentional loss of information through destructive means
Application error: computation errors, input errors, and buffer overflows
Social status: loss of customer base and reputation
The IRM policy provides the infrastructure for the organization's risk management processes
and procedures.
Characteristics of an IRM policy
o It should address all issues of information security, from personnel screening and the insider
threat to physical security and firewalls.
o It should provide direction on how the IRM team relates information on company risks to
senior management and how to properly execute management's decisions on risk mitigation
tasks.
o The IRM policy should be a subset of the organization's overall risk management policy and
should be mapped to the organizational security policies.
The IRM policy should address the following items:
o Define the objectives of IRM team
o Level of risk the company will accept and what is considered an acceptable risk
o Formal processes of risk identification
o Connection between the IRM policy and the organization's strategic planning processes
o Responsibilities that fall under IRM and the roles that are to fulfill them
o Mapping of risk to internal controls
o Approach for changing staff behaviors and resource allocation in response to risk analysis
o Mapping of risks to performance targets and budgets
o Key indicators to monitor the effectiveness of controls
Risk Management Practices
A risk management team should understand and apply the following concepts:
Residual risk: the risk that remains after controls have been applied. Some risk is always left
over and must be managed.
Total risk: the risk that exists before any safeguard is applied. Leaving total risk in place, that
is, accepting it without countermeasures, is justified only when a cost/benefit analysis shows
that this is the best course of action.
The relation:
o Threats * Vulnerability * Asset Value = Total Risk
o Total Risk * Control Gap = Residual Risk, i.e. Threats * Vulnerability * Asset Value * Control
Gap, where the control gap is the portion of the total risk that the controls in place do not
address.
Ways to deal with Risk
There are four basic ways of dealing with risk:
Transfer it: if a company's total or residual risk is too high and it purchases insurance, the
risk is transferred to the insurance company.
Reject it: if a company is in denial about its risk or ignores it, it is rejecting the risk. This is
not a legitimate option; the risk remains and no decision about it has been recorded.
Reduce it: if a company implements countermeasures, it is reducing (mitigating) the risk.
Accept it: if a company understands the risk and decides not to implement any countermeasures,
it is accepting the risk. Every deployed system ends up here to some degree: once a system is
connected to the internet or shared with other systems, countermeasures can reduce the risk but
cannot remove it, and a stand-alone machine with a single user and no network connection is the
closest one can get to having no risk at all.
Physical access is the limiting case. A skilled person seated at the console of a computer,
server, or router can usually boot alternate media, reset credentials, or image the storage, so no
software control by itself will keep that person out of the system. Full-disk encryption with keys
protected by hardware, firmware and boot protections, and physical security raise the cost of such
an attack, but they still assume the attacker cannot keep the device indefinitely.
These two facts, that residual risk is never zero and that console access defeats software-only
controls, are the starting point of computer security knowledge. Controls should be planned on the
assumption that both hold.
Risk Assessment/Analysis[edit]
Risk analysis is a method of identifying vulnerabilities and threats and assessing the possible
damage, in order to determine where to implement security safeguards.
Why Risk Analysis?
To ensure that security is cost effective, relevant, timely, and responsive to threat.
To provide a cost/benefit comparison, this compares the annualized cost of safeguards to the
potential cost of loss.
Help integrate the security program objectives with the company's business objectives and
requirements
To provide an economic balance between the impact of the threat and the cost of the
countermeasure.
The Risk Analysis Activities
Kinds of assets
o Tangible: measurable - computers, facilities, supplies
o Intangible: immeasurable, difficult to assess - reputation, intellectual property.
Factors to be considered during assessing the value of information and assets.
o Cost to acquire or develop the assets
o Cost to maintain and protect the assets
o Value of the asset to owners and users
o Value of the asset to adversaries
o Value of intellectual property that went into developing the information
o Price others are willing to pay for the asset
o Cost to replace the asset if lost
o Operational and production activities that are affected if the asset is unavailable
o Liability issues if the asset is compromised
o Usefulness and role of the asset in the organization
Need for determining the value of assets
o To perform effective cost/benefit analyses
o To select specific countermeasures and safeguards
o To determine the level of insurance coverage to purchase
o To understand what exactly is at risk
o To conform to due care and comply with legal and regulatory requirements
Identify the Vulnerabilities and Threats
There are many types of threat agents that can take advantage of several types of vulnerabilities,
resulting in a variety of specific threats:
Threat Agent | Can Exploit This Vulnerability | Resulting in This Threat
Quantitative analysis uses risk calculations that attempt to predict the level of monetary losses
and percentage of chance for each type of threat.
Quantitative risk analysis also provides concrete probability percentages when determining the
likelihood of threats.
Each element within the analysis (asset value, threat frequency, severity of vulnerability, impact
damage, safeguard costs, safeguard effectiveness, uncertainty, and probability items) is
quantified and entered into equations to determine total and residual risks.
Purely quantitative risk analysis is not possible, because the method attempts to quantify
qualitative items, and there are always uncertainties in quantitative values
Sample Steps for a Quantitative Risk Analysis
Step 1: Assign Value to Assets- For each asset, answer the following questions to determine its
value
o What is the value of this asset to the company?
o How much does it cost to maintain?
o How much does it make in profits for the company?
o How much would it be worth to the competition?
o How much would it cost to re-create or recover?
o How much did it cost to acquire or develop?
o How much liability are you under pertaining to the protection of this asset?
Step 2: Estimate Potential Loss per Threat- To estimate potential losses posed by threats,
answer the following questions:
o What physical damage could the threat cause and how much would that cost?
o How much loss of productivity could the threat cause and how much would that cost?
o What is the value lost if confidential information is disclosed?
o What is the cost of recovering from this threat?
o What is the value lost if critical devices were to fail?
o What is the single loss expectancy (SLE) for each asset, and each threat?
Step 3: Perform a Threat Analysis- Take the following steps to perform a threat analysis
o Gather information about the likelihood of each threat taking place from people in each
department, past records, and official security resources that provide this type of data.
o Calculate the annualized rate of occurrence (ARO), which is how many times the threat can
take place in a 12-month period.
Step 4: Derive the Overall Loss Potential per Threat-To derive the overall loss potential per
threat, do the following:
o Combine potential loss and probability.
o Calculate the annualized loss expectancy (ALE) per threat by using the information
calculated in the first three steps.
o Choose remedial measures to counteract each threat.
o Carry out cost/benefit analysis on the identified countermeasures.
Step 5: Reduce, Transfer, or Accept the Risk- For each risk, you can choose whether to reduce,
transfer, or accept the risk:
o Risk reduction methods
Install security controls and components.
Improve procedures.
Alter environment.
Provide early detection methods to catch the threat as it's happening and reduce the
possible damage it can cause.
Produce a contingency plan of how business can continue if a specific threat takes
place, reducing further damages of the threat.
Erect barriers to the threat.
Carry out security-awareness training.
o Risk transfer- Buy insurance to transfer some of the risk, for example.
o Risk acceptance- Live with the risks and spend no more money toward protection.
Quantitative Risk Analysis Metrics
Single loss expectancy (SLE) - The amount of loss due to a single occurrence of a threat.
Annualized loss expectancy (ALE) - The estimated loss per annum.
Exposure factor (EF) - The percentage of an asset's value that would be lost if a particular threat
were realized.
Annualized rate of occurrence (ARO) - The estimated frequency with which a specific threat takes
place within a one-year timeframe. It is 0.0 for a threat never expected to occur, 0.1 for once in
ten years, 1.0 for once a year, and greater than 1.0 (for example, 12 for a monthly event) for
threats expected several times a year; it is not capped at 1.0.
The Relation
o Asset value * exposure factor (EF) = SLE
Example: if a data warehouse has an asset value of $150,000 and it is estimated that a fire
would damage 25 percent of it, then SLE = 0.25 * $150,000 = $37,500.
o SLE * Annualized rate of occurrence (ARO) = ALE. If the ARO is 0.1 (once in ten years), then
ALE = $37,500 * 0.1 = $3,750. This tells the company that if it wants to put in controls or
safeguards to protect the asset from this threat, it can sensibly spend $3,750 or less per year
to provide the necessary level of protection.
Results of a Quantitative Risk Analysis
Drawbacks of the quantitative approach include the following:
Calculations are more complex. Can management understand how these values were derived?
Without automated tools, this process is extremely laborious.
Big need to gather detailed information about environment.
Standards are not available. Each vendor has its own way of interpreting the processes and
their results.
A Qualitative Approach to Risk Analysis[edit]
In Qualitative approach, we walk through different scenarios of risk possibilities and rank the
seriousness of the threats and the validity of the different possible countermeasures.
The Qualitative analysis techniques include judgment, best practices, intuition, and experience.
Qualitative Risk Analysis Techniques
o Delphi: a group decision method used to ensure that each member gives an honest, anonymous
opinion of what he or she thinks the outcome of a particular threat will be. It is used to reach
agreement on costs, loss values, and probabilities of occurrence without individuals having to
agree verbally.
o Brainstorming
o Storyboarding
o Focus groups
o Surveys
o Questionnaires
o Checklists
o One-on-One meetings
o Interviews.
The risk analysis team will determine the best technique for the threats that need to be assessed
and the culture of the company and individuals involved with the analysis.
The team that is performing the risk analysis gathers personnel who have experience and
education on the threats being evaluated. When this group is presented with a scenario that
describes threats and loss potential, each member responds with their gut feeling and
experience on the likelihood of the threat and the extent of damage that may result.
Personnel               Severity of Threat   Probability of Threat   Potential Loss   Effectiveness of Firewall   Effectiveness of IDS
IT manager              4                    2                       4                4                           3
DBA                     4                    4                       4                3                           4
Application programmer  2                    3                       3                4                           2
System operator         3                    4                       3                4                           2
Operational manager     5                    4                       4                4                           4
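As an added example (not from the original page), the panel scores in the table above run through the kind of aggregation a facilitator does between Delphi rounds: average each criterion, measure the spread, and send back for another anonymous round any criterion the panel does not agree on, instead of letting a mean hide the disagreement. The disagreement threshold of 2 points and the outlier distance of 1.5 are assumptions.

```python
from typing import Dict, List

# Ratings transcribed from the table above (1 = lowest, 5 = highest).
RATINGS: Dict[str, Dict[str, int]] = {
    "IT manager":             {"severity": 4, "probability": 2, "loss": 4, "firewall": 4, "ids": 3},
    "DBA":                    {"severity": 4, "probability": 4, "loss": 4, "firewall": 3, "ids": 4},
    "Application programmer": {"severity": 2, "probability": 3, "loss": 3, "firewall": 4, "ids": 2},
    "System operator":        {"severity": 3, "probability": 4, "loss": 3, "firewall": 4, "ids": 2},
    "Operational manager":    {"severity": 5, "probability": 4, "loss": 4, "firewall": 4, "ids": 4},
}


def summarize(ratings: Dict[str, Dict[str, int]],
              disagreement_threshold: int = 2) -> Dict[str, dict]:
    """Per criterion: mean score, spread (max - min) and whether the spread
    reaches the threshold, in which case the criterion goes back to the panel
    for another anonymous Delphi round rather than being averaged away."""
    criteria = list(next(iter(ratings.values())))
    summary: Dict[str, dict] = {}
    for criterion in criteria:
        scores = [r[criterion] for r in ratings.values()]
        spread = max(scores) - min(scores)
        summary[criterion] = {
            "mean": round(sum(scores) / len(scores), 2),
            "spread": spread,
            "revisit": spread >= disagreement_threshold,
        }
    return summary


def criteria_to_revisit(ratings: Dict[str, Dict[str, int]],
                        disagreement_threshold: int = 2) -> List[str]:
    """Criteria that need another round, in table order."""
    return [c for c, s in summarize(ratings, disagreement_threshold).items() if s["revisit"]]


def outliers(ratings: Dict[str, Dict[str, int]], criterion: str,
             distance: float = 1.5) -> List[str]:
    """Raters whose score sits `distance` or more away from the panel mean;
    in a Delphi round these are the people asked to justify their position
    (anonymously, via the facilitator)."""
    mean = sum(r[criterion] for r in ratings.values()) / len(ratings)
    return [who for who, r in ratings.items() if abs(r[criterion] - mean) >= distance]


if __name__ == "__main__":
    for criterion, s in summarize(RATINGS).items():
        flag = "  <- revisit" if s["revisit"] else ""
        print(f"{criterion:>12}: mean {s['mean']:.2f}, spread {s['spread']}{flag}")
    print("outliers on severity:", outliers(RATINGS, "severity"))
```

On this table the severity, probability and IDS-effectiveness columns are flagged: a mean of 3.6 for severity looks decisive until one sees the application programmer scored it 2 and the operational manager 5.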
Qualitative Pros
Selecting and Implementing a Countermeasure[edit]
A security countermeasure should be cost effective and should be chosen on the basis of a
cost/benefit analysis.
A commonly used cost/benefit calculation for a given safeguard is:
(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of
safeguard) = value of safeguard to the company
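As an added worked example (not part of the original page), the quantitative metrics and the cost/benefit formula above carried through in Python, using the page's $150,000 warehouse fire figures. The suppression safeguard, its $1,500/year cost, and the monthly phishing scenario are assumed values, chosen to show a safeguard that pays for itself and a threat whose ARO is above 1.0.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ThreatScenario:
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float              # ARO, expected occurrences per year (may exceed 1.0)

    def sle(self) -> float:
        """Single loss expectancy: AV * EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE * ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def safeguard_value(before: ThreatScenario, after: ThreatScenario,
                    annual_cost: float) -> float:
    """(ALE before) - (ALE after) - (annual cost). Positive means the safeguard
    pays for itself; negative means the company would spend more on protection
    than the threat is expected to cost."""
    return before.ale() - after.ale() - annual_cost


def rank_by_ale(scenarios: Dict[str, ThreatScenario]) -> List[str]:
    """Scenario names ordered by ALE, highest first: the spending priority list."""
    return sorted(scenarios, key=lambda name: scenarios[name].ale(), reverse=True)


# The page's example: a $150,000 data warehouse, fire damages 25% of it,
# expected once in ten years.
fire = ThreatScenario(asset_value=150_000, exposure_factor=0.25, aro=0.1)

# Assumed safeguard (not from the page): a suppression system costing
# $1,500/year that limits fire damage to 5% of the asset; fire frequency is
# unchanged.
fire_with_suppression = ThreatScenario(asset_value=150_000,
                                       exposure_factor=0.05, aro=0.1)
SUPPRESSION_ANNUAL_COST = 1_500.0

# Assumed second scenario with an ARO above 1.0: successful phishing against a
# $20,000 mailbox environment about once a month, losing 10% of its value each time.
phishing = ThreatScenario(asset_value=20_000, exposure_factor=0.10, aro=12)


def fire_case() -> Dict[str, float]:
    """The page's fire example with and without the assumed safeguard."""
    return {
        "sle_before": fire.sle(),
        "ale_before": fire.ale(),
        "ale_after": fire_with_suppression.ale(),
        "safeguard_value": safeguard_value(fire, fire_with_suppression,
                                           SUPPRESSION_ANNUAL_COST),
    }


if __name__ == "__main__":
    for name, value in fire_case().items():
        print(f"{name:>16}: ${value:,.2f}")
    print("priority:", rank_by_ale({"fire": fire, "phishing": phishing}))
```

The suppression system reduces the fire ALE from $3,750 to $750 at a cost of $1,500 a year, so its value to the company is $1,500 a year; the phishing scenario, with an ALE of $24,000, ranks far ahead of the fire for spending priority even though each individual incident is much smaller.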
Functionality and Effectiveness of Countermeasures
The following are characteristics to consider before committing to a safeguard mechanism:
o Independence of safeguard and the asset it is protecting: the safeguard can be used to protect
different assets, and different assets can be protected by different safeguards.
o Clear distinction between user and administrator: a user should have fewer permissions when it
comes to configuring or disabling the protection mechanism.
o Minimizes dependence on other components: the safeguard should be flexible and not have strict
requirements about the environment into which it will be installed.
o Easily usable, acceptable, and tolerated by personnel: if the safeguard creates barriers to
productivity or adds extra steps to simple tasks, users will not tolerate it.
o Must produce output in a usable and understandable format: important information should be
presented in a format that is easy for humans to understand and use for trend analysis.
o Does not introduce other compromises: the safeguard should not provide any covert channels or
back doors.
o System and user performance: system and user performance should not be greatly affected.
Determination of Likelihood
Determination of Impact
Determination of Risk
Reporting Findings
Countermeasure Selection
Information Valuation
Information Classification[edit]
Introduction[edit]
After identifying the information to be protected, it is necessary to classify the information and
organize it according to its sensitivity to loss, disclosure or unavailability.
The primary purpose of data classification is to indicate the level of protection of
confidentiality, integrity, and availability required for each type of data set.
Data classification helps to ensure that the data is protected in the most cost-effective manner.
Each classification should have separate handling requirements and procedures pertaining to
how that data is accessed, used, and destroyed.
Classification Types[edit]
Classification: Confidential
o Definition: For use within the company only. Data that is exempt from disclosure under the
Freedom of Information Act or other laws and regulations. Unauthorized disclosure could seriously
affect a company.
o Examples: Trade secrets; health care information; programming code; information that keeps a
company competitive.
o Organization that would use this: Commercial business / Military
Classification: Sensitive but unclassified (SBU)
o Definition: Minor secret. If disclosed, it would not cause serious damage.
o Examples: Medical data; answers to test scores.
o Organization that would use this: Military
Classification: Top secret
o Definition: If disclosed, it could cause grave damage to national security.
o Examples: Blueprints of new wartime weapons; spy satellite information; espionage data.
o Organization that would use this: Military
Classification Controls[edit]
Strict and granular access control for all levels of sensitive data and programs
Encryption of data while stored and while in transmission
Auditing and monitoring (determine what level of auditing is required and how long logs are to be
retained)
Separation of duties (determine whether two or more people need to be involved in accessing
sensitive information to protect against fraudulent activities; if so, define and document
procedures)
Periodic reviews (review classification levels, and the data and programs that adhere to them, to
ensure that they are still in alignment with business needs; data or applications may also need to
be reclassified or declassified, depending upon the situation)
Backup and recovery procedures (define and document)
Change control procedures (define and document)
File and file system access permissions (define and document)
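The items above are policy requirements; the following is an added example (not code from the original page) of the kind of check a data custodian can script against them: given an inventory of files, their classification labels, their POSIX permission bits and whether they sit under at-rest encryption, report every file whose handling does not match its classification. The rule table and the sample inventory are constructed assumptions; the page names the controls but not the thresholds.

```python
import stat
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class HandlingRule:
    encrypt_at_rest: bool   # "encryption of data while stored"
    group_access: bool      # may the owning group read or write?
    other_access: bool      # may "everyone" read or write?


# Handling requirements per label. The page names the control types but not
# the thresholds; these values are an assumed illustration.
RULES = {
    "public":       HandlingRule(encrypt_at_rest=False, group_access=True,  other_access=True),
    "sbu":          HandlingRule(encrypt_at_rest=False, group_access=True,  other_access=False),
    "confidential": HandlingRule(encrypt_at_rest=True,  group_access=True,  other_access=False),
    "top secret":   HandlingRule(encrypt_at_rest=True,  group_access=False, other_access=False),
}


@dataclass(frozen=True)
class Asset:
    path: str
    classification: str
    mode: int        # POSIX permission bits, e.g. 0o640
    encrypted: bool  # stored under at-rest encryption?


def check_asset(asset: Asset) -> List[str]:
    """Return the handling violations for one asset (empty list = compliant)."""
    label = asset.classification.lower()
    if label not in RULES:
        # Unlabelled data cannot be handled correctly: a finding, not a pass.
        return [f"{asset.path}: unknown classification {asset.classification!r}"]
    rule = RULES[label]
    problems: List[str] = []
    if rule.encrypt_at_rest and not asset.encrypted:
        problems.append(f"{asset.path}: {label} data stored unencrypted")
    if not rule.other_access and asset.mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append(f"{asset.path}: world-accessible (mode {asset.mode:04o})")
    if not rule.group_access and asset.mode & (stat.S_IRGRP | stat.S_IWGRP):
        problems.append(f"{asset.path}: group-accessible (mode {asset.mode:04o})")
    if asset.mode & stat.S_IWOTH:
        # Integrity matters at every level, even for public data.
        problems.append(f"{asset.path}: world-writable (mode {asset.mode:04o})")
    return problems


def audit(assets: Iterable[Asset]) -> List[str]:
    """Run check_asset over an inventory and collect every finding."""
    findings: List[str] = []
    for asset in assets:
        findings.extend(check_asset(asset))
    return findings


# Constructed sample inventory (paths and labels are made up).
SAMPLE_INVENTORY = [
    Asset("/srv/www/brochure.pdf",        "public",       0o644, False),  # compliant
    Asset("/data/hr/medical.csv",         "sbu",          0o644, False),  # world-readable
    Asset("/data/legal/tradesecret.docx", "confidential", 0o640, False),  # unencrypted
    Asset("/data/ops/blueprints.zip",     "top secret",   0o600, True),   # compliant
]


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

In practice the inventory comes from a file-system walk (os.stat gives the mode bits) joined with the classification register, and the encrypted flag from the volume or object-store configuration; the point of keeping the rules in a table is that the periodic review the page calls for becomes a diff of that table rather than a rewrite of the checker.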
Ethics[edit]
Ethics is the field of study concerned with questions of value, that is, judgments about what type of
human behavior is "good" or "bad" in any given situation. Ethics are the standards, values, morals,
principles, etc., on which to base one's decisions or actions; often, there is no clear "right" or
"wrong" answer.
Basic Concepts[edit]
Computer Ethics
The term "computer ethics" is open to interpretations both broad and narrow.
On the narrow side, computer ethics might be understood as the efforts of professional
philosophers to apply traditional ethical theories like utilitarianism, Kantianism, or virtue ethics to
issues regarding the use of computer technology.
On the broad side, it can be understood as standards of professional practice, codes of conduct,
aspects of computer law, public policy, corporate ethics, and even certain topics in the
sociology and psychology of computing.
Professional Code of Ethics[edit]
Certified professionals, including those holding the CISSP, are held morally, and sometimes legally,
to a higher standard of ethical behavior. In promoting proper computing behavior within the industry
and the confines of our corporate boundaries, professionals should incorporate ethics into their
organizational policies and awareness programs.
Several organizations have addressed the issue of ethical behavior through ethics guidelines. These
include organizations such as
The (ISC)2 Code of Ethics[edit]
Safety of the commonwealth, duty to our principals, and to each other requires that we adhere,
and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this code is a condition of certification.
Code of Ethics Canons:
Example Topics in Computer Ethics[edit]
Although computers occasionally need repair, they don't require sleep, they don't get tired, they
don't go home ill or take time off for rest and relaxation. At the same time, computers are often
far more efficient than humans in performing many tasks. Therefore, economic incentives to
replace humans with computerized devices are very high.
In the industrialized world many workers already have been replaced by computerized devices
and even professionals like medical doctors, lawyers, teachers, accountants and psychologists
are finding that computers can perform many of their traditional professional duties quite
effectively.
The employment outlook, however, is not all bad. In the short run, computer-generated
unemployment will be an important social problem; but in the long run, information technology
will create many more jobs than it eliminates.
Even when a job is not eliminated by computers, it can be radically altered by "de-skilling" the
workers and turning them into passive observers and button pushers.
Hopefully as the knowledge spreads showing there is no reason for the scarcity driven
economics (i.e. man made gold by radiating form of mercury patented USA 1942 and similar
accomplishments for diamonds, oil, etc) the world can move away from the dehumanizing
practices of the past and let the automated computer systems do the work the plebs, peasants,
slaves, and working poor have performed for way too long. But we must always stay vigilant for
the abuses of power that stem from the "equal rights for all but entitlements for me" human flaw
anyone of us can succumb to which brings such terrible destruction upon societies. And since
we are all inherently lazy (would you usually walk to the most farthest away source of water
when thirsty as opposed to the closest potable source) we can be assured it will be difficult to
keep.
Health and Safety in the Workplace
Another workplace issue concerns health and safety. According to Forester and Morrison, when
information technology is introduced into a workplace, it is important to consider its likely impact
on the health and job satisfaction of the workers who will use it. Such workers may, for example,
feel stressed trying to keep up with high-speed computerized devices, may be injured by repeating
the same physical movement over and over, or may have their health threatened by radiation from
computer monitors. These are just a few of the social and ethical issues that arise when information
technology is introduced into the workplace.
Computer Crime
Security Aspects behind the Crime
In this era of computer "viruses" and international spying by "hackers" who are thousands of miles
away, it is clear that computer security is a topic of concern in the field of computer ethics. The
problem is not so much the physical security of the hardware (protecting it from theft, fire, flood,
etc.), but rather "logical security", which Spafford, Heaphy, and Ferbrache divide into five aspects:
privacy and confidentiality; integrity (assuring that data and programs are not modified without
proper authority); unimpaired service; consistency (ensuring that the data and behavior we see
today will be the same tomorrow); and controlling access to resources.
Malicious software, or "programmed threats", poses a significant challenge to logical security. It
includes:
viruses, which cannot run on their own but are inserted into other computer programs;
worms, which can move from machine to machine across networks and may have parts of
themselves running on different machines;
Trojan horses, which appear to be one sort of program but are actually doing damage behind
the scenes;
logic bombs, which check for particular conditions and then execute when those conditions arise;
and
bacteria or rabbits, which multiply rapidly and fill up the computer's memory.
Trusted Persons / Security-Cleared Persons vs. Hackers/Whackers
Computer crimes such as embezzlement, financial fraud within exchanges, interest rate
manipulation, or the planting of logic bombs are normally committed by trusted personnel who have
permission to use the computer system and/or access to classified information. Computer
security, therefore, must also be concerned with the actions of trusted computer users and of those
holding security clearances.
The higher a person's trust level or security clearance, or the higher their position in an organization's
hierarchy, the greater the potential damage in terms of cost and security, while the likelihood of
being caught in the criminal act decreases sharply.
Even more concerning, the chance of criminal charges actually being brought against the once
"most trusted" person who has become a criminal falls almost to zero at the very top levels: such
offenders settle before charges are filed, for a fraction of the amount taken, with no damage to their
reputation, and so retain their "most trusted" status. This is worrying not only for those within an
organization but for everyone within a nation or union of nations bound by financial and economic
trade agreements, since those agreements rest on trust, and a breach of that trust could lead to
large-scale conflict between nations. Few systemic risks are more frightening than this.
Privacy and Anonymity
The ease and efficiency with which computers and computer networks can be used to gather,
store, search, compare, retrieve, and share personal information make computer technology
especially threatening to anyone who wishes to keep various kinds of "sensitive" information
(e.g., medical records) out of the public domain or out of the hands of those who are perceived
as potential threats.
Factors Exposing Privacy
Some of the factors that increase concern about privacy are:
Intellectual Property
Some people, such as Richard Stallman, who started the Free Software Foundation, believe that
software hoarding should not be allowed at all. He claims that all programs distributed to the
public should be free, and that all programs distributed to the public should be available for copying,
studying, and modifying by anyone who wishes to do so.
Others argue that software companies or programmers would not invest weeks and months of
work and significant funds in the development of software if they could not recover the investment
in the form of license fees or sales. The free and open-source software created and maintained
without charge by thousands of contributors worldwide over the last twenty years is, however, often
cited as evidence against this claim.
The Scenario
Today's software industry is a multibillion-dollar part of the economy, and software companies
claim to lose billions of dollars per year through illegal copying ("software piracy").
Many people think that software should be ownable, but that "casual copying" of personally owned
programs for one's friends should also be permitted.
The software industry claims that millions of dollars in sales are lost because of such copying.
Ownership is a complex matter, since there are several different aspects of software that can be
owned and three different types of ownership: copyrights, trade secrets, and patents. One can
own the following aspects of a program:
o The "source code", which is written by the programmer(s) in a high-level computer language
such as Java or C++.
o The "object code", which is a machine-language translation of the source code.
o The "algorithm", which is the sequence of machine commands that the source code and
object code represent.
o The "look and feel" of a program, which is the way the program appears on the screen and
interfaces with users.
A very controversial issue today is owning a patent on a computer algorithm.
o A patent provides an exclusive monopoly on the use of the patented item, so the owner of
an algorithm can deny others the use of the mathematical formulas that are part of the
algorithm.
o Mathematicians and scientists are outraged, claiming that algorithm patents effectively
remove parts of mathematics from the public domain and thereby threaten to cripple
science.
The Challenge
Running a preliminary "patent search" to make sure that your "new" program does not violate
anyone's software patent is a costly and time-consuming process, and outside a courtroom such a
search gives very little confidence. As a result, only very large companies with big budgets can
afford to run such a search or to fight the costly court battles. This effectively eliminates many small
software companies, stifling competition and decreasing the variety and quality of programs
available to society.
Professional Responsibility
Computer professionals have specialized knowledge and often hold positions of authority and
respect in the community. With such power to change the world comes the duty to exercise
that power responsibly. Computer professionals find themselves in a variety of professional
relationships with other people, including:
employer—employee
client—professional
professional—professional
society—professional
These relationships involve a diversity of interests, and sometimes these interests come into
conflict with each other. Responsible computer professionals, therefore, will be aware of possible
conflicts of interest and try to avoid them, and will remember that everyone involved is human and
deserves empathy. A useful question to ask oneself at all times is: is this how I would want to be
treated if I were in their position?
Professional organizations such as the Association for Computing Machinery (ACM) and the Institute of
Electrical and Electronics Engineers (IEEE) have also established codes of ethics, curriculum
guidelines, and accreditation requirements to help computer professionals understand and manage
their ethical responsibilities.
Globalization
Computer ethics today is rapidly evolving into a broader and even more important field, which might
reasonably be called "global information ethics".
For the first time in the history of the earth, ethics and values are being debated and transformed in a
context that is not limited to a particular geographic region or constrained by a specific religion or
culture. This may well be one of the most important social developments in history, but issues such
as global laws, global cyberbusiness, global education, and the divide between the information rich
and the information poor are a growing concern for the networked world.
The Hacker Ethic
Two beliefs are commonly described as the "hacker ethic":
The belief that information-sharing is a powerful positive good, and that it is an ethical duty of
hackers to share their expertise by writing open-source code and facilitating access to
information and to computing resources wherever possible.
The belief that system-cracking for fun and exploration is ethically acceptable as long as the cracker
commits no theft, vandalism, or breach of confidentiality.
The second belief is incompatible with the professional codes of ethics described above: unauthorized
access to a system is an offense in most jurisdictions regardless of the intruder's intent.