Friday, March 26, 2010

Chapter 4 - Ethics and Information Security

1. Explain the ethical issues surrounding information technology.
The violation of intellectual property is an increasing issue due to advances in technology. Advances in technology have enabled people to copy many forms of media. File sharing software such as uTorrent makes it possible to share intellectual property without the owner's permission and without paying. In Australia file sharing of copyrighted material is illegal; however, it is very difficult to enforce ethical principles and standards upon the use of technology, despite the fact that they are enshrined in the law.
Privacy is also an increasing moral dilemma. Advances in technology allow information to be gathered easily by anyone. Under the Privacy Act 1988 in Australia all people have the right to have some information remain outside the public domain. Facebook, for example, violated the privacy of its users through its Beacon program, which used data about its users to produce advertisements without asking users to participate or allowing them to opt out of the service.

2. Describe the relationship between an 'email privacy policy' and an 'Internet use policy'.

An email privacy policy outlines how a business' email system may be used. It states what activities are permitted, details what information will be recorded and who may access it, and provides the monitoring and auditing process for this information. An internet use policy, on the other hand, contains general principles to guide the proper use of the internet, such as defining the purpose of internet access and its restrictions, and the ramifications for violating the policy. An internet use policy is much broader, as it regulates the use of the internet as a whole rather than just email, which is one use of the internet. The internet use policy may therefore contain the email use policy, because email is a function which uses the internet.

3. Summarise the five steps to creating an information security plan.
  1. Develop the information security policies - Identify who is responsible and accountable for designing and implementing the organisation's information security policies. Policies include requiring users to log on and off their systems and never sharing passwords. The chief security officer (CSO) is responsible for designing the policy.
  2. Communicate the information security policies - Train all employees on the policies and establish clear expectations for adherence.
  3. Identify critical information assets and risks - Require the use of user IDs, passwords and anti-virus software. Ensure any systems that contain links to external networks have the appropriate technical protection, e.g. firewalls and intrusion detection software.
  4. Test and re-evaluate risks - Continually perform security reviews, audits, background checks and security assessments.
  5. Obtain stakeholder support - Gain the approval and support of the information security policies from the board of directors and stakeholders.

4. What do the terms 'authentication' and 'authorisation' mean? How do they differ? Provide some examples of each term.

Authentication: a method for confirming users' identities.

Authorisation: the process of giving someone permission to do or have something.

Authentication identifies who the user is. It is the first step of the process, as it enables the process of authorisation. Authorisation differs in that it is the process of determining (once the user has been identified) the access privileges of that user. In a business this process may determine what files a user can access or the amount of storage space they are allowed.
There are three groups of authentication and authorisation techniques that are used:

1. something the user knows e.g. password
2. something the user has e.g. smart card
3. something that is part of the user e.g. fingerprint
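The distinction above (authentication answers "who is this?", authorisation answers "what may they do?") is easiest to see in code. The following is an added example, not code from the original post: it checks a password (something the user knows) against a salted hash, and only once that succeeds does it consult a separate permission table for the user's role. The users, roles, resources and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed user store: each record holds a salted password hash (for
# authentication) and a role (used later for authorisation). No plaintext
# passwords are kept.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_ALICE_SALT = os.urandom(16)
_BOB_SALT = os.urandom(16)

USERS = {
    "alice": {"salt": _ALICE_SALT, "hash": _hash_password("correct horse", _ALICE_SALT), "role": "analyst"},
    "bob": {"salt": _BOB_SALT, "hash": _hash_password("battery staple", _BOB_SALT), "role": "admin"},
}

# Constructed authorisation table: which (resource, action) pairs each role may perform.
PERMISSIONS = {
    "analyst": {("reports", "read")},
    "admin": {("reports", "read"), ("reports", "write"), ("payroll", "read")},
}


def authenticate(username: str, password: str) -> bool:
    """Step one: confirm the claimed identity (something the user knows)."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so timing does not
        # reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return False
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison of the stored and candidate hashes.
    return hmac.compare_digest(record["hash"], candidate)


def authorise(username: str, resource: str, action: str) -> bool:
    """Step two: given an already-identified user, decide what they may do."""
    role = USERS[username]["role"]
    return (resource, action) in PERMISSIONS.get(role, set())


def request_access(username: str, password: str, resource: str, action: str) -> str:
    """Authentication must succeed before authorisation is even considered."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorise(username, resource, action):
        return "denied: not authorised"
    return "granted"


if __name__ == "__main__":
    print(request_access("alice", "correct horse", "reports", "read"))   # granted
    print(request_access("alice", "correct horse", "reports", "write"))  # denied: not authorised
    print(request_access("alice", "wrong password", "reports", "read"))  # denied: authentication failed
    print(request_access("carol", "anything", "reports", "read"))        # denied: authentication failed
```

Note that alice is a real, correctly authenticated user and is still refused write access: passing authentication proves identity only, and the privileges attached to that identity are a separate decision.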

5. What are the five main types of security risks? Suggest one method to reduce the severity of each risk.

Human Error - an employee may not be proficient, or may by accident make a mistake that damages the business.
This can be prevented or limited by creating or modifying training procedures to produce adequately trained employees.

Natural Disasters - destructive events on a large scale such as a bushfire, tsunami or an explosion.
It is impossible to predict natural disasters, so companies attempt to limit their damage by creating a disaster recovery plan. This can involve preparation such as setting up offsite data storage.

Technical Failure - includes failure of hardware, such as a hard drive crashing, and software failures created by viruses, trojan horses and spam.
Hardware failure can be prevented by employing IT professionals to service hardware regularly. Software failures can be prevented by installing firewalls and anti-virus software which is updated regularly.

Deliberate Acts - deliberate acts by people which damage the information systems of a business. These may include actions such as employees and former employees destroying data, or cyber criminals who hack systems to steal information and sell it to competitors.
Deliberate acts can be prevented by enforcing harsh penalties for damage and by requiring strong passwords.

Management Failure - failure of the information technology system caused by poor management, such as a lack of procedure, documentation or training.
Management failure can be prevented by developing a security plan, obtaining skilled staff through training, recruitment or outsourcing, and purchasing a corporate security package.
