
SECURITY & ETHICAL ISSUES

ISSUES & CONCERNS


Information systems are all-encompassing:
- They hold enormous amounts of organizational assets (they process all kinds of data)
- Hardware and software are valuable assets in themselves
- They contain vital information
- They contain sensitive personal and private information which should not be viewed by unauthorized personnel

4/29/2012

WHAT TO SECURE?
- Control the loss of assets
- Ensure the integrity and reliability of data
- Improve the efficiency and effectiveness of the data

To achieve all this, the manager must make sure that all risks are identified and appropriate security controls are applied.


DANGERS
- Natural disasters
- Thieves
- Industrial spies
- Disgruntled employees
- Computer viruses
- Accidents
- Poorly trained and naive employees


RISK
- Risk could be a total or partial monetary loss due to loss of information
- The manager needs to understand and weigh the cost of securing a system against the money lost if it is harmed
- Compute the loss that could occur, weighted by the probability of its occurrence (the expected loss)
- The basic question is how the organization would respond to a specific loss, i.e. how valuable the asset is to it
- Include the potential loss due to loss of data, or due to an inaccurate system which produces incorrect reports
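As an added worked example (not part of the original slides), the expected-loss reasoning above expressed in Python using the standard annualized loss expectancy approach: single loss expectancy (SLE) = asset value x exposure factor, ALE = SLE x annual rate of occurrence, and a control is worth buying when the ALE it removes exceeds its yearly cost. The asset values, exposure factors, rates and control cost are constructed illustrations, not figures from the slides.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # cost to replace or recover the asset, in currency units
    exposure_factor: float  # fraction of asset_value lost in one occurrence (0.0 to 1.0)
    annual_rate: float      # expected occurrences per year (ARO); 0.1 = once in ten years


def single_loss_expectancy(t: Threat) -> float:
    """SLE: what one occurrence of the threat costs."""
    return t.asset_value * t.exposure_factor


def annual_loss_expectancy(t: Threat) -> float:
    """ALE: expected loss per year, i.e. the loss weighted by its probability."""
    return single_loss_expectancy(t) * t.annual_rate


def control_benefit(before: Threat, after: Threat, annual_control_cost: float) -> float:
    """Net yearly value of a control: the ALE it removes minus what it costs.

    Positive means the safeguard is cheaper than the loss it prevents;
    negative means the organization would spend more than it expects to lose.
    """
    return (annual_loss_expectancy(before)
            - annual_loss_expectancy(after)
            - annual_control_cost)


def rank_by_ale(threats: List[Threat]) -> List[Threat]:
    """Order threats by expected yearly loss, largest first, to prioritise controls."""
    return sorted(threats, key=annual_loss_expectancy, reverse=True)


# Constructed figures for illustration only; they are not from the slides.
# A flood in the server room: half the asset is lost, roughly once in ten years.
FLOOD_NO_PUMPS = Threat("server room flood", asset_value=200_000,
                        exposure_factor=0.5, annual_rate=0.1)
# The same flood after installing pumps and drainage: the loss drops to a tenth.
FLOOD_WITH_PUMPS = Threat("server room flood (pumps installed)", asset_value=200_000,
                          exposure_factor=0.1, annual_rate=0.1)
PUMP_COST_PER_YEAR = 3_000

# A stolen laptop: the hardware is cheap, the data on it is not.
LAPTOP_THEFT = Threat("laptop theft (hardware + data recovery)", asset_value=32_000,
                      exposure_factor=1.0, annual_rate=0.5)


if __name__ == "__main__":
    for t in rank_by_ale([FLOOD_NO_PUMPS, LAPTOP_THEFT]):
        print(f"{t.name:45s} SLE={single_loss_expectancy(t):>10,.0f} "
              f"ALE={annual_loss_expectancy(t):>9,.0f}")
    print("pumps, net benefit per year:",
          control_benefit(FLOOD_NO_PUMPS, FLOOD_WITH_PUMPS, PUMP_COST_PER_YEAR))
```

With these constructed numbers the pumps remove 8,000 of expected yearly loss for a 3,000 yearly cost, so they are worth it, while a 9,000-per-year control against the same flood would not be. Note that the cheap laptop ranks above the flood once the value of the data on it is counted.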


COMMON CONTROLS

Physical controls
Locks on doors, keyboards etc. Also ways to control natural threats such as heat, dust, fire etc.

Electronic controls
Heat, motion, humidity sensors, log-on ID, passwords, hand/ voice/ retina print controls

Software controls
Program code that prevents errors, controls on logging in outside working hours, monitoring of who logs on and when

Management controls
Enforced backups, necessary employee training

Some of these may be simple and implemented by the manager, but others may require specialists.

NATURAL DISASTERS
Floods, water damage, earthquakes, tornadoes, hurricanes, wind & storm damage

Disaster prevention
Backup power supplies, special building materials & locations, drainage systems or special construction

Disaster containment
Contingency plans in place, in case something happens. Hot-site recovery firms provide a computer facility for other organizations which can be used almost immediately.


EMPLOYEE ERRORS
- Accidental formatting of the hard disk instead of a floppy
- Incorrect data entry (a price, a salary etc.) which might be connected to many files & programs, compounding the error
- Logical errors, such as rounding off to whole numbers on spreadsheets, resulting in major losses

Computer crimes like fraud, forgery & theft can happen from within the organization or from outside.

INDUSTRIAL ESPIONAGE
- Using scanners or phone taps to get faxes of important documents
- Dial-in access can be misused by spies
- Laptops or notebooks could be physically stolen to capture the data they contain


HACKING
- Unauthorized entry into computer systems
- Infecting the system by sending a virus, stealing data, damaging it or vandalizing it

COMPUTER VIRUSES
- A virus is a hidden program that inserts itself into your computer system and forces the system to make copies of it
- It can travel over the network to all other computers connected to it
- Some viruses disguise themselves as utility programs
- May result in modifying data, erasing files, formatting disks
- Infection can come through e-mail, or through any website
- Some viruses may lie dormant and start reproducing at a particular time
- The best way to counter them is to use reputable anti-virus software and keep it regularly updated; running several anti-virus programs at the same time usually makes them interfere with each other, so the protection comes from keeping one current, not from stacking them

H-WARE, S-WARE THEFT

- Any loss of hardware means loss of the data on that hardware as well. This could be worth many times more than the cost of the hardware that was stolen
- Software piracy is rampant in many countries. Many individuals also indulge in it by copying programs from the office for home use, without registering them

PRIVACY VIOLATIONS
- Privacy is the capacity of individuals or organizations to control information about themselves
- Privacy rights imply that the types and amount of data that may be collected about individuals or organizations are limited; that individuals & organizations have the ability to access, examine & correct the data stored about them; and that disclosure, use or dissemination of those data is limited
- Privacy also includes e-mail messages
- EDI is also an issue, as it contains important financial information
- Hard copies should be shredded & disks demagnetized & shredded
- Automatic screen blanking, to ensure that no one passing by can view the screen of a computer left running

SECURING INFO SYSTEM FACILITIES

- Systems on higher floors
- Install pumps for water
- Backup at another site
- Buy insurance
- Special construction
- Store information off-site
- Fire extinguishers, smoke detectors
- Surge protectors
- Humidifiers
- UPS
- Orderly shut-downs
- Dedicated power lines for major computer systems
- Waterproof covers
- Air filters / conditioners
- Window bars & proper locks
- Alarm systems, CCTVs
- Security guards
- Bond employees
- Screen job applicants
- Develop procedures for disgruntled employees
- Use IDs, passwords

COMMUNICATION SYSTEMS
- Line conditioning / shielding
- Error detection & correction methods
- Redundant lines & backup transmission lines
- Archived files
- Firewalls
- Auditing software
- Insurance
- Log of hardware & line failures
- User IDs, passwords
- Modem dial-back
- Access logs of users & terminals, including invalid-access logs
- Lockout after hours
- Encryption of transmitted passwords
- Encrypted data transmission
- Restrict access to other file directories & files
- Terminals in secure areas
- Train communications employees
- Enforce information systems compatibility standards
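Added example, not code from the original slides: the "monitor who logs on and when" software control from the COMMON CONTROLS slide and the access-log review, after-hours lockout and invalid-access-log items above, implemented in Python over a handful of constructed log lines. The log format (date, time, terminal, user, result), the 08:00-18:00 Monday-to-Friday working hours and the three-failures-in-five-minutes lockout rule are assumptions chosen for the example, not policy stated on the slides.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample access log (not real data): date time terminal user result.
# 2012-04-30 is a Monday, 2012-05-05 a Saturday.
SAMPLE_LOG = """\
2012-04-30 08:55:02 term02 alice LOGIN_OK
2012-04-30 09:10:41 term05 bob LOGIN_FAIL
2012-04-30 09:10:55 term05 bob LOGIN_FAIL
2012-04-30 09:11:09 term05 bob LOGIN_FAIL
2012-04-30 09:11:20 term05 bob LOGIN_OK
2012-04-30 23:42:17 term11 carol LOGIN_OK
2012-05-05 10:03:00 term02 alice LOGIN_OK
2012-04-30 12:00:00 term09 dave LOGIN_FAIL
2012-04-30 14:30:00 term09 dave LOGIN_FAIL
"""

# Assumed policy for the example: office hours 08:00-18:00 Monday to Friday,
# and an account is locked after 3 failed attempts within 5 minutes.
WORK_START, WORK_END = 8, 18
MAX_FAILURES = 3
FAILURE_WINDOW = timedelta(minutes=5)


class Event(NamedTuple):
    when: datetime
    terminal: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Event]:
    """Turn log lines into events; a malformed line raises rather than being skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, terminal, user, result = line.split()
        when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append(Event(when, terminal, user, result == "LOGIN_OK"))
    return events


def is_after_hours(when: datetime) -> bool:
    """True on weekends or outside the WORK_START..WORK_END hours."""
    return when.weekday() >= 5 or not (WORK_START <= when.hour < WORK_END)


def analyse(events: List[Event]) -> Dict[str, List[str]]:
    """Walk the log in time order and raise three kinds of alert."""
    alerts = {"after_hours": [], "lockout": [], "login_while_locked": []}
    locked = set()
    recent_failures = defaultdict(list)   # user -> times of failures inside the window

    for ev in sorted(events, key=lambda e: e.when):
        if ev.ok:
            if is_after_hours(ev.when):
                alerts["after_hours"].append(f"{ev.user} on {ev.terminal} at {ev.when}")
            if ev.user in locked:
                # The system should have refused this login; the log shows it did not.
                alerts["login_while_locked"].append(f"{ev.user} on {ev.terminal} at {ev.when}")
            recent_failures[ev.user].clear()
            continue

        # Invalid attempt: keep only the failures still inside the window, then count.
        window = [t for t in recent_failures[ev.user] if ev.when - t <= FAILURE_WINDOW]
        window.append(ev.when)
        recent_failures[ev.user] = window
        if len(window) >= MAX_FAILURES and ev.user not in locked:
            locked.add(ev.user)
            alerts["lockout"].append(
                f"{ev.user} locked after {len(window)} failures on {ev.terminal} by {ev.when}")
    return alerts


def run_example() -> Dict[str, List[str]]:
    return analyse(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, items in run_example().items():
        print(kind)
        for item in items:
            print("   ", item)
```

On the sample log this flags carol's 23:42 login and alice's Saturday login as after-hours, locks bob after his third failure, and reports that bob's login eleven seconds later was accepted anyway. dave's two failures are hours apart, so they never accumulate inside the window; the window size is what decides whether slow guessing is noticed, and a real deployment would also watch the total over a day.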

SECURING INFORMATION SYSTEMS


Make or buy
- Compare costs
- Compare functions
- Compare installation & implementation
- Check maintenance & upgrades: how and when, and how secure is it
- What if the vendor goes out of business
- What if the vendor is bought by a competitor

TESTING & EVALUATING S-WARE


Appropriateness
How suitable to company's requirements

Stability
Compatible with all possible platforms,

Security features
Automatic backups, encryption, decryption, password protection

Access & update security


Restrict access & control fraudulent change in codes

Input /output controls


Data validation (GIGO): reduces input of inaccurate data or re-entry. Outputs should reach the right person & not unauthorized ones.

Process controls
Faulty logic or other incorrect formulae. Controlled by exception reports, end-of-file checks, sequence checks.
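Added example, not from the slides: a small Python batch-processing routine showing the input controls (range and format checks on a payroll record, tying back to the salary-entry and rounding errors on the EMPLOYEE ERRORS slide) together with the process controls listed above: a sequence check per record, an end-of-file count and control-total check, and an exception report for a person to act on. It uses Decimal so that salaries are not silently rounded the way a spreadsheet might. The payroll records, batch header and salary limits are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import List

CENT = Decimal("0.01")


@dataclass
class PayrollRecord:
    seq: int                 # batch sequence number; a correct batch runs 1, 2, 3, ...
    employee_id: str
    monthly_salary: Decimal  # Decimal, not float, so cents are not silently rounded


@dataclass
class BatchReport:
    accepted: List[PayrollRecord]
    exceptions: List[str]    # one line per rejected record or failed batch control


def validate_record(rec: PayrollRecord,
                    salary_min: Decimal = Decimal("1"),
                    salary_max: Decimal = Decimal("50000")) -> List[str]:
    """Input controls: catch data that cannot be right before it reaches other files."""
    errors = []
    if not (len(rec.employee_id) == 6 and rec.employee_id.isalnum()):
        errors.append("employee_id must be 6 alphanumeric characters")
    if rec.monthly_salary != rec.monthly_salary.quantize(CENT, rounding=ROUND_HALF_UP):
        errors.append("salary carries fractional cents and would be rounded downstream")
    if not (salary_min <= rec.monthly_salary <= salary_max):
        errors.append(f"salary {rec.monthly_salary} outside {salary_min}-{salary_max}")
    return errors


def process_batch(records: List[PayrollRecord],
                  header_count: int, header_total: Decimal) -> BatchReport:
    """Process controls: sequence check per record, count and control-total check
    at end of file, and an exception report instead of silent acceptance."""
    accepted, exceptions = [], []
    expected_seq = 1
    for rec in records:
        problems = validate_record(rec)
        if rec.seq != expected_seq:
            problems.append(f"sequence break: expected {expected_seq}, got {rec.seq}")
        expected_seq = rec.seq + 1
        if problems:
            # Rejected records go on the exception report for a person to fix.
            exceptions.append(f"record {rec.seq} ({rec.employee_id}): " + "; ".join(problems))
        else:
            accepted.append(rec)

    # End-of-file checks: does what arrived match what the batch header claims?
    if len(records) != header_count:
        exceptions.append(f"record count {len(records)} != header count {header_count}")
    total = sum((r.monthly_salary for r in records), Decimal("0"))
    if total != header_total:
        exceptions.append(f"control total {total} != header total {header_total}")
    return BatchReport(accepted, exceptions)


def run_example() -> BatchReport:
    # Constructed batch: the clerk's header promised 4 records totalling 15,200.00,
    # but one record is missing, one salary has an extra zero typed, and one
    # carries a fraction of a cent that a spreadsheet would quietly round away.
    records = [
        PayrollRecord(1, "EMP001", Decimal("3500.00")),
        PayrollRecord(2, "EMP002", Decimal("350000.00")),
        PayrollRecord(4, "EMP004", Decimal("4199.995")),
    ]
    return process_batch(records, header_count=4, header_total=Decimal("15200.00"))


if __name__ == "__main__":
    report = run_example()
    print("accepted:", [r.employee_id for r in report.accepted])
    print("exception report:")
    for line in report.exceptions:
        print("   ", line)
```

Only EMP001 is accepted; the report lists the out-of-range salary, the sequence break (with the fractional cents) on record 4, the count mismatch and the control-total mismatch, which is exactly the information the clerk needs to find the missing record and the extra zero before either reaches the files and programs that depend on them.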

ETHICAL / PRIVACY ISSUES


Ethics is the moral quality of a course of action: whether it is right or wrong, which is a broader question than whether it is illegal. Example of unethical behavior:
Copying copyrighted software

Privacy deals with how personal data is used


- Reading others' e-mail
- Selling data to others
- Using data for purposes other than those it was actually collected for


Thank you


Practice Questions
Q1. List and explain the common threats to computer systems.
Q2. Explain how client/server information systems can help managers.
Q3. Give some recommendations for managing passwords.
Q4. What are viruses and hacking?
Q5. List the common threats to, and controls for, information technology.
