Post on 12-Jan-2016
What is Ethics?
• Ethics – Set of beliefs about right and wrong behavior
• Ethical behavior– Conforms to generally accepted social norms
• Doing what is ethical can be difficult
Information Technology for Managers 1
Improving Corporate Ethics
• Unethical behavior has led to serious negative consequences that have had a global impact– Failure of major corporations like Enron and
WorldCom due to accounting scandals– Collapse of many financial institutions due to unwise
and unethical decision making
• Organizations today recognize the need to take action to ensure that their employees operate in an ethical manner when using technology
Information Technology for Managers 2
Appointing a Corporate Ethics Officer
• Corporate ethics – Includes ethical conduct, legal compliance, and
corporate social responsibility
• Corporate ethics officer – Senior-level manager – Provides vision and direction in the area of business
conduct
• Corporation will place a higher emphasis on ethics policies following a major scandal within the organization
Information Technology for Managers 3
Ethical Standards Set by Board of Directors
• Board of directors– Responsible for supervising the management team– Expected to conduct themselves according to the
highest standards of personal and professional integrity
– Set the standard for company-wide ethical conduct and ensure compliance with laws and regulations
Information Technology for Managers 4
Establishing a Corporate Code of Ethics
• Code of ethics– Highlights an organization’s key ethical issues – Identifies the overarching values and principles that
are important to the organization
• Formal, written statements about: – Purpose of the organization– Values– Principles that guide its employees’ actions
• Develop with employee participation
• Fully endorsed by the organization’s leadership
Information Technology for Managers 5
Establishing a Corporate Code of Ethics (continued)
Information Technology for Managers 6
Requiring Employees to Take Ethics Training
• Company’s code of ethics must be promoted and continually communicated within the organization– From top to bottom
• Comprehensive ethics education program– Small workshop formats
• Existence of formal training programs – Can reduce a company’s liability in the event of legal
action
Information Technology for Managers 7
Including Ethical Criteria in Employee Appraisals
• Employees evaluated on their demonstration of qualities and characteristics highlighted in the corporate code of ethics– Considered along with more traditional criteria used
in performance appraisals
Information Technology for Managers 8
Privacy
• Balance the needs of those who use the information against the rights and desires of the people whose information may be used
• Various states have passed laws that require disclosure of any breach of security to any resident whose data is believed to have been compromised
Information Technology for Managers 9
Privacy (continued)
Information Technology for Managers 10
Right to Privacy
• Historical perspective on the right to privacy
• Protected by a number of amendments in the Bill of Rights
Information Technology for Managers 11
Treating Customer Data Responsibly
• Code of Fair Information Practices and the 1980 Organization for Economic Cooperation and Development (OECD) privacy guidelines– Five widely accepted core principles
• European adequacy standard for privacy protection– United States does not meet these standards
• Organizations should appoint an executive – Chief Privacy Officer, or CPO– Define, implement, and oversee data privacy policies
Information Technology for Managers 12
Treating Customer Data Responsibly (continued)
• Establish an effective data privacy program– Conduct a thorough assessment– Define a comprehensive data privacy program– Assign a high-level executive– Develop a data breach response plan– Track ongoing changes to regulatory and legal
requirements
Information Technology for Managers 13
Workplace Monitoring
• IT usage policy – Establishes boundaries of acceptable behavior– Enables management to take action against violators– Organizations monitor workers to ensure compliance
Information Technology for Managers 14
Workplace Monitoring (continued)
Information Technology for Managers 15
Workplace Monitoring (continued)
• Fourth Amendment of the Constitution – Protects citizens from unreasonable searches by the
government – Often used to protect the privacy of government
employees– Cannot be used to control how a private employer
treats its employees– Public sector employees have far greater privacy
rights than those in private industry– State privacy statutes tend to favor employers over
employees
Information Technology for Managers 16
A Manager Takes Inappropriate Action: City of Ontario, California
• Contracted with Arch Wireless to provide wireless text-messaging Services
• Jeff Quon, a member of the Ontario Police Department (OPD) SWAT team– Received alphanumeric pager– Sent sexually explicit messages to two other workers
in the police department and to his wife
• General computer usage, Internet, and e-mail policy– Not specific to pagers
Information Technology for Managers 17
A Manager Takes Inappropriate Action: City of Ontario, California (continued)
• Ontario Police Department was unable to access the message directly– Requested that Arch Wireless provide the transcripts
• Stored Communications Act (SCA)– Attempt to address a number of potential privacy
issues not addressed by the Fourth Amendment
• U.S. Court of Appeals for the Ninth Circuit – Ruled that Arch Wireless was an electronic
communications service and had violated the SCA when it provided transcripts of Quon’s messages to the OPD
Information Technology for Managers 18
Cybercrime and Computer Security
• Cybercrime – Criminal activity in which a computer or a computer
network is used as a tool to commit a crime or is the target of criminal activity
• Electronic fraud – Class of cybercrime – Involves the use of computer hardware, software, or
networks to misrepresent facts for the purpose of causing someone to do or refrain from doing something that causes loss
Information Technology for Managers 19
Types of Attacks
• Attack on a networked computer from an outside source– One of the most frequent types of attack
• Viruses– Piece of programming code– Usually disguised as something innocuous– Cause some unexpected and undesirable event– Often attached to a file– Do not spread themselves from computer to computer– Macro viruses
Information Technology for Managers 20
Types of Attacks (continued)
• Worms – Harmful computer programs that reside in the active
memory of the computer– Can propagate over a network without human
intervention– May install malware (malicious software) on a
computer
Information Technology for Managers 21
Types of Attacks (continued)
• Distributed Denial-of-Service Attack (DDOS)– Malicious hacker takes over computers connected to
the Internet – Causes them to flood a target site with demands for
data and other small tasks– Zombie
• Compromised computer
– Botnet • Group of zombie computers running software that is
being remotely controlled without the knowledge or consent of the owners
Information Technology for Managers 22
Information Technology for Managers 23
Types of Attacks (continued)
• DDOS (continued)– Spoofing
• Zombies are often programmed to put false return addresses on the packets they send out
– Egress filtering • Ensure that spoofed packets do not leave their
corporate network
Information Technology for Managers 24
Perpetrators
Information Technology for Managers 25
Defensive Measures
• Risk assessment– Organization’s review of potential threats to its
computers and networks– Identify which investments of time and resources will
best protect the organization from its most likely and serious threats
– Reasonable assurance• Managers must use their judgment to ensure that the
cost of control does not exceed the system’s benefits or the risks involved
Information Technology for Managers 26
Information Technology for Managers 27
Establishing a Security Policy
• Security policy – Defines an organization’s security requirements – Defines controls and sanctions needed to meet
those requirements
• National Institute of Standards and Technology (NIST)– Computer Security Division
• Automated system rules should mirror an organization’s written policies
Information Technology for Managers 28
Establishing a Security Policy (continued)
• E-mail attachments – Critical security issue
• Virtual private network (VPN) – Uses the Internet to relay communications– Maintains privacy through security procedures and
tunneling protocols
Information Technology for Managers 29
Educating Employees, Contractors, and Part-Time Workers
• Must be educated about the importance of security– Discuss recent security incidents
• Protect an organization’s information systems and data by:– Guarding their passwords– Applying strict access controls– Reporting all unusual activity to the organization’s IT
security group
Information Technology for Managers 30
Prevention
• Installing a corporate firewall– Established through the use of software, hardware,
or a combination of both– Can lead to complacency
• Intrusion prevention systems– Prevent an attack by blocking viruses, malformed
packets, and other threats from getting into the company network
Information Technology for Managers 31
Prevention (continued)
• Installing antivirus software on personal computers– Virus signature
• Specific sequence of bytes
– United States Computer Emergency Response Team (US-CERT)
• Most of the virus and worm attacks that the team analyzes use already known programs
• Crucial that antivirus software be updated continually with the latest virus detection information
Information Technology for Managers 32
Prevention (continued)
• Implementing safeguards against attacks by malicious insiders– IT staff must delete the computer accounts, login
IDs, and passwords of departing employees– Create roles and user accounts so that users have
the authority to perform their responsibilities and no more
Information Technology for Managers 33
Prevention (continued)
• Addressing the most critical Internet security threats– Overwhelming majority of successful computer
attacks are made possible by taking advantage of well-known vulnerabilities
– SANS (System Administration, Networking, and Security) Institute and US-CERT regularly update a summary of the most frequent, high-impact vulnerabilities
Information Technology for Managers 34
Prevention (continued)
• Conducting periodic IT security audits– Evaluate whether an organization has a well-
considered security policy in place and if it is being followed
– Test system safeguards– Federal Computer Security Report Card
Information Technology for Managers 35
Prevention (continued)
Information Technology for Managers 36
Detection
• Intrusion detection system – Software and/or hardware – Monitors system and network resources and
activities and notifies network security personnel when it identifies possible intrusions
– Different approaches to intrusion detection • Knowledge-based approaches
• Behavior-based approaches
Information Technology for Managers 37
Response
• Primary goal – Regain control and limit damage
• Not to attempt to monitor or catch an intruder
• Incident notification– Define who to notify and who not to notify
• Protecting evidence and activity logs– Document all details of a security incident
• Incident containment– Act quickly to contain an attack
Information Technology for Managers 38
Response (continued)
• Eradication– Collect and log all possible criminal evidence from
the system– Verify that all necessary backups are current– Create a forensic disk image of each compromised
system– Keep a log of all actions taken
Information Technology for Managers 39
Response (continued)
• Incident follow-up– Determine how the organization’s security was
compromised– Develop an estimate of the monetary damage– Determine amount of effort that should be put into
capturing the perpetrator
Information Technology for Managers 40
Information Technology for Managers 41
Summary
• Ethics – Set of beliefs about right and wrong behavior– Treat customer data responsibly
• Information technology usage policy
• Laws governing employee privacy and monitoring
• Cybercrime– Types of attacks– Prevention– Detection– Response
Information Technology for Managers 42