Fundamental Tenets of Ethics:
· Responsibility means that you accept the consequences of your decisions and actions.
· Accountability means a determination of who is responsible for actions that were taken.
· Liability is a legal concept meaning that individuals have the right to recover the damages done to them by other individuals, organizations, or systems.
Protecting Privacy:
· Privacy Codes and Policies. An organization’s guidelines with respect to protecting the privacy of customers, clients, and employees.
· Opt-out model of informed consent permits the company to collect personal information until the customer specifically requests that the data not be collected.
· Opt-in model of informed consent means that organizations are prohibited from collecting any personal information unless the customer specifically authorizes it. (Preferred by privacy advocates.)
· International Aspects of Privacy. Privacy issues that international organizations and governments face when information spans countries and jurisdictions.
Factors Increasing the Threats to Information Security:
· International organized crime turning to cybercrime
· Downstream liability
· Increased employee use of unmanaged devices
· Lack of management support
Key Information Security Terms:
A threat to an information resource is any danger to which a system may be exposed.
The exposure of an information resource is the harm, loss, or damage that can result if a threat compromises that resource.
A system’s vulnerability is a weakness in the system that a threat can exploit to cause harm.
Risk is the likelihood that a threat will actually exploit a vulnerability, considered together with the harm that would result.
Information system controls are the procedures, devices, or software aimed at preventing a compromise to the system.
Unintentional Acts:
· Human errors
· Deviations in quality of service by service providers (e.g., utilities)
· Environmental hazards (e.g., dirt, dust, humidity)
Human Errors:
· Tailgating (letting an unauthorized person follow you through a secured door)
· Shoulder surfing (letting someone watch your screen or keyboard and read credentials or data)
· Carelessness with laptops and portable computing devices
· Opening questionable e-mails
· Careless Internet surfing
· Poor password selection and use
Deliberate Acts:
· Compromises to intellectual property
· Intellectual property. Property created by individuals or corporations which is protected under trade secret, patent, and copyright laws.
· Trade secret. Intellectual work, such as a business plan, that is a company secret and is not based on public information.
· Patent. Document that grants the holder exclusive rights on an invention or process for 20 years.
· Copyright. Statutory grant that provides creators of intellectual property with ownership of the property for life of the creator plus 70 years.
· Piracy. Copying a software program without making payment to the owner.
· Virus is a segment of computer code that performs malicious actions by attaching to another computer program.
· Worm is a segment of computer code that performs malicious actions and will spread by itself without requiring another computer program.
· Trojan horse is a computer program that hides in another computer program and reveals its designated behavior only when it is activated.
· Logic bomb is a segment of computer code that is embedded inside an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time or date.
Risk Mitigation Strategies:
· Risk Acceptance. Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
· Risk limitation. Limit the risk by implementing controls that minimize the impact of a threat.
· Risk transference. Transfer the risk by using other means to compensate for the loss, such as purchasing insurance.
Controls:
· Physical controls. Physical protection of computer facilities and resources.
· Access controls. Restrict unauthorized users’ access to computer resources; passwords and biometrics identify and authenticate users.
· Communications (network) controls. Protect the movement of data across networks; they include border security controls (e.g., firewalls), authentication, and authorization.
· Application controls protect specific applications.
Communication or Network Controls:
· Firewalls. System that enforces access-control policy between two networks.
· Anti-malware systems (also called antivirus software) are software packages that attempt to identify and eliminate viruses, worms, and other malicious software.
· Whitelisting is a process in which a company identifies the software that it will allow to run and does not try to recognize malware.
· Blacklisting is a process in which a company allows all software to run unless it is on the blacklist.
· Intrusion Detection Systems are designed to detect malicious network traffic and computer usage that a firewall does not block, typically by matching known attack signatures or by spotting anomalous patterns across many events rather than judging each connection on its own.
· Encryption. Process of converting an original message into a form that cannot be read by anyone except the intended receiver.
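The whitelisting and blacklisting entries above describe the two policies in words; the following is an added example (not code from the original notes) that puts both side by side as hash-based execution policies and shows where they differ. The sample "binaries", their contents and the approved/known-bad lists are all constructed for the example.

```python
import hashlib

# Constructed stand-ins for executables: name -> file contents.
SAMPLE_BINARIES = {
    "payroll.exe": b"approved payroll application, build 4.2",
    "editor.exe": b"approved text editor, build 1.0",
    "cryptolocker.exe": b"ransomware sample already seen by the vendor",
    "dropper.exe": b"never-before-seen malware variant",
}


def sha256_hex(data: bytes) -> str:
    """Identify a program by the SHA-256 of its contents, not by its file name."""
    return hashlib.sha256(data).hexdigest()


# Whitelist (allowlist): the company enumerates what it permits to run.
WHITELIST = {
    sha256_hex(SAMPLE_BINARIES["payroll.exe"]),
    sha256_hex(SAMPLE_BINARIES["editor.exe"]),
}

# Blacklist (denylist): the company enumerates malware it already recognizes.
BLACKLIST = {sha256_hex(SAMPLE_BINARIES["cryptolocker.exe"])}


def whitelist_allows(data: bytes) -> bool:
    """Default deny: run only if the hash is on the approved list."""
    return sha256_hex(data) in WHITELIST


def blacklist_allows(data: bytes) -> bool:
    """Default allow: run unless the hash is on the known-bad list."""
    return sha256_hex(data) not in BLACKLIST


def evaluate_all() -> dict:
    """For each sample, return (whitelist decision, blacklist decision)."""
    return {
        name: (whitelist_allows(data), blacklist_allows(data))
        for name, data in SAMPLE_BINARIES.items()
    }


def tampered_payroll() -> bytes:
    """An approved binary with one byte changed, as an attacker might patch it."""
    return SAMPLE_BINARIES["payroll.exe"].replace(b"4.2", b"4.3")


if __name__ == "__main__":
    for name, (wl, bl) in evaluate_all().items():
        print(f"{name:18} whitelist={'allow' if wl else 'block':5} "
              f"blacklist={'allow' if bl else 'block'}")
    print("tampered payroll.exe:",
          "whitelist", "allow" if whitelist_allows(tampered_payroll()) else "block",
          "/ blacklist", "allow" if blacklist_allows(tampered_payroll()) else "block")
```

The two policies agree on the approved programs and on malware that is already catalogued. They disagree on the two cases that matter in practice: a brand-new sample (dropper.exe) slips past the blacklist because nobody has recognized it yet, and a tampered copy of an approved program is stopped by the whitelist only, because its hash no longer matches. That is why whitelisting does not need to recognize malware at all, at the cost of maintaining the approved list every time legitimate software is updated.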
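The Intrusion Detection Systems entry above says an IDS catches what a firewall cannot. The following is an added example (not from the original notes) of the kind of correlation an IDS performs and a firewall does not: a firewall decides each connection on its own, while this detector counts how many distinct destination ports a single source touches within a short time window and flags a port scan. The log format and the log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log format: one connection attempt per line.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log. 203.0.113.7 probes seven ports in a few seconds;
# the firewall allowed some and denied others, but each line looked fine on its own.
SAMPLE_LOG = """\
2024-03-01T09:00:00 src=10.0.0.8 dst=192.168.1.20 dport=443 action=allow
2024-03-01T09:00:01 src=10.0.0.8 dst=192.168.1.20 dport=443 action=allow
2024-03-01T09:00:02 src=203.0.113.7 dst=192.168.1.20 dport=21 action=deny
2024-03-01T09:00:02 src=203.0.113.7 dst=192.168.1.20 dport=22 action=allow
2024-03-01T09:00:03 src=203.0.113.7 dst=192.168.1.20 dport=23 action=deny
2024-03-01T09:00:03 src=203.0.113.7 dst=192.168.1.20 dport=25 action=deny
2024-03-01T09:00:04 src=203.0.113.7 dst=192.168.1.20 dport=80 action=allow
2024-03-01T09:00:04 src=203.0.113.7 dst=192.168.1.20 dport=443 action=allow
2024-03-01T09:00:05 src=203.0.113.7 dst=192.168.1.20 dport=3389 action=deny
2024-03-01T09:10:00 src=10.0.0.9 dst=192.168.1.20 dport=80 action=allow
"""


def parse_log(text: str) -> list:
    """Parse log lines into events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")),
            "action": m.group("action"),
        })
    return events


def detect_port_scans(events: list, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {source: max distinct destination ports seen within one window}
    for every source that reaches the threshold. Allowed and denied attempts
    both count: the scan is visible only across events, not in any one of them."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        ports = Counter()  # distinct ports currently inside the sliding window
        start = 0
        for end, e in enumerate(evs):
            ports[e["dport"]] += 1
            # Slide the window forward, dropping events older than `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                old = evs[start]["dport"]
                ports[old] -= 1
                if ports[old] == 0:
                    del ports[old]
                start += 1
            if len(ports) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts


if __name__ == "__main__":
    for src, n in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT possible port scan from {src}: {n} distinct ports within 60s")
```

Lowering the threshold or widening the window trades false positives (a busy internal host legitimately talking to several services) for catching slower scans; a real IDS adds many such rules and signatures, but the detection logic is of exactly this shape.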