
MIS 301 Information Systems in Organizations

Dave Salisbury, salisbury@udayton.edu (email), http://www.davesalisbury.com/ (web site). Talking points: security, ethics and privacy; ethical issues; information systems defense and control (corporate and individual); Law & Order.


Presentation Transcript


  1. MIS 301 Information Systems in Organizations Dave Salisbury salisbury@udayton.edu (email) http://www.davesalisbury.com/ (web site)

  2. Talking Points • Security, Ethics and Privacy • Ethical Issues • Information Systems Defense and Control • Corporate • Individual • Law & Order

  3. Security & Ethical Challenges • Privacy • Accuracy • Property • Access • Computer Crime • Human Impacts

  4. Security Issues • Physical Security • Making sure the hardware is safe and not tampered with • Logical Security • Making sure that software and data are not manipulated, stolen or tampered with

  5. Security Issues • Physical Security Issues • Access methods • Security codes • Theft of equipment • Fire • Natural disaster • Man-made disaster • Electrical failure • Logical Security Issues • Viruses • Denial of service • Email as virus transmission • Disaster recovery & backups • Phishing & pharming • Identity theft • Tampering with data

  6. Ethical Considerations • Ethical Principles • Proportionality • Informed consent • Justice • Minimized risk • Standard of Conduct • Act with integrity • Protect information privacy & confidentiality • Do not misrepresent or withhold information • Do not misuse resources • Do not exploit weaknesses of systems • Advance general health & welfare

  7. Ethical Issues • Privacy • Internet privacy • Corporate email • Matching • Accuracy • Credit card accounts • Student records • Property • Intellectual property • Software piracy • Identity theft • Access • Who can see it? • Who should see it?

  8. Privacy Issues • IT makes it technically and economically feasible to collect, store, integrate, interchange, and retrieve data and information quickly and easily. • Benefit – increases efficiency and effectiveness • But, may also have a negative effect on individual’s right to privacy • Accessing private e-mail and computer records & sharing information about individuals gained from their visits to websites and newsgroups

  9. Privacy Issues • Always knowing where a person is via mobile and paging services • Computer Matching • Computer profiling and matching personal data to that profile • Mistakes can be a major problem • Protect your privacy by • Encrypting your messages • Posting to newsgroups through anonymous remailers • Asking your ISP not to sell your information to mailing list providers and other marketers • Declining to reveal personal data and interests online

  10. Laws to Defend Individual Privacy • Attempt to enforce the privacy of computer-based files and communications • Electronic Communications Privacy Act • Computer Fraud and Abuse Act • The Health Insurance Portability and Accountability Act (HIPAA)

  11. Computer Libel and Censorship (the opposite side of the privacy debate) • Right to know (freedom of information) • Right to express opinions (freedom of speech) • Right to publish those opinions (freedom of the press) • Spamming • Flaming • Anonymity of domain ownership

  12. Human Impacts • Employee Monitoring (especially online) • Deskilling (robotic welders) • Intellectual Property Protection (Napster or KaZaA or Morpheus) • Human Control (Airbus Fly-by-Wire) • Outsourcing & Offshoring

  13. Other Challenges • Employment • New jobs have been created and productivity has increased, yet there has been a significant reduction in some types of jobs as a result of IT. • Working Conditions • IT has eliminated many monotonous, obnoxious tasks, but has created others • Individuality • Computer-based systems criticized as impersonal systems that dehumanize and depersonalize activities • Excessive regimentation

  14. Computer Monitoring • Concerns for workplace privacy • Monitors individuals, not just work • Is done continually. May be seen as violating workers’ privacy & personal freedom • Workers may not know that they are being monitored or how the information is being used • May increase workers’ stress level • May rob workers of the dignity of their work

  15. Health Issues • Job stress • Muscle damage • Eye strain • Radiation exposure • Accidents • Ergonomics (human factors engineering)

  16. Societal Solutions • Beneficial effects on society • Solve human and social problems • Medical diagnosis • Computer-assisted instruction • Governmental program planning • Environmental quality control • Law enforcement • Crime control • Job placement

  17. Security Management Policies • Minimize errors, fraud, and losses in the business systems that interconnect businesses with their customers, suppliers, and other stakeholders • Aligned with organizational goals. • Enterprisewide. • Continuous. • Proactive. • Validated. • Formal. • Authority • Responsibility • Accountability.

  18. Corporate Security Plan

  19. Risk Management

  20. IT Security Trends • Increasing the reliability of systems • Self-healing computers • Intelligent systems for early intrusion detection • Intelligent systems in auditing and fraud detection • Artificial intelligence in biometrics • Expert systems for diagnosis, prognosis, and disaster planning • Smart cards

  21. Defense strategy objectives • Prevention and deterrence • Detection • Limitation of damage • Recovery • Correction • Awareness and compliance

  22. Computer Crime • Malicious access • Viruses • Theft • Money • Service • Data • Identity

  23. Information System Controls • Input controls • Input masks • Control totals • Processing controls • Hardware • Software • Output controls • Distribution • Access • Storage controls • Passwords • Backups
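The input and processing controls on this slide are easiest to see in code. The following is an added example, not material from the slides: an input mask enforced with a regular expression, and batch control totals (record count, financial total, hash total) compared against the header the sending system attached. The account-number format, the record layout and the sample batch are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Input mask for this example's account field: two uppercase letters then six
# digits. The format is constructed for the example, not taken from the slides.
ACCOUNT_MASK = re.compile(r"^[A-Z]{2}[0-9]{6}$")


@dataclass
class Record:
    account: str
    amount_cents: int


def input_mask_failures(records: List[Record]) -> List[Record]:
    """Input control: records whose account field does not fit the mask."""
    return [r for r in records if not ACCOUNT_MASK.match(r.account)]


def control_totals(records: List[Record]) -> Dict[str, int]:
    """Batch control totals: record count, financial total, and a hash total.
    The hash total adds up a field with no business meaning (the digits of the
    account number), so a substituted account is caught even when the money
    still adds up."""
    return {
        "count": len(records),
        "financial": sum(r.amount_cents for r in records),
        "hash": sum(int(r.account[2:]) for r in records if ACCOUNT_MASK.match(r.account)),
    }


def verify_batch(records: List[Record], header: Dict[str, int]) -> List[str]:
    """Processing control: compare the totals of the batch as received with the
    totals the sender put on the batch header. Returns the names of the totals
    that do not agree (empty list means the batch is intact)."""
    actual = control_totals(records)
    return [name for name, expected in header.items() if actual.get(name) != expected]


# Constructed sample batch and the header the sending system would attach to it
BATCH = [Record("AB123456", 10_000), Record("CD654321", 2_550), Record("EF000007", 99)]
BATCH_HEADER = control_totals(BATCH)


def demo_substituted_account() -> List[str]:
    """Same record count and same money, but one account number changed in transit."""
    received = [Record("AB123456", 10_000), Record("CD654322", 2_550), Record("EF000007", 99)]
    return verify_batch(received, BATCH_HEADER)   # only the hash total disagrees


def demo_dropped_record() -> List[str]:
    """A record lost in transfer changes the count, financial and hash totals."""
    received = [Record("AB123456", 10_000), Record("EF000007", 99)]
    return verify_batch(received, BATCH_HEADER)
```

The hash total is the control that a financial total cannot replace: in `demo_substituted_account` the money still balances and the record count is unchanged, so only the sum of the meaningless digits exposes the swapped account.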

  24. Information System Controls • Facility controls • Networks • Encryption • Firewalls • Equipment & Access • Possessed object (key or key card) • Biometrics (retina scans, hand scanner)

  25. Information System Controls • Procedures • Standards • Documentation • Authorization • Disaster recovery • Backups • Equipment • Failure controls • Electrical • Fire • Water • Software • Software variety • Windows monoculture • Other varieties (e.g. Linux) might enhance “genetic” diversity

  26. Internetworked Security Defenses • Encryption • Passwords, messages, files, and other data are transmitted in scrambled form • Mathematical algorithms encode the data so that only the holder of the right key can read it • Public and private keys • Firewalls • Serves as a “gatekeeper” system that protects a company’s intranets and other computer networks from intrusion • Provides a filter and safe transfer point • Screens network traffic against a rule set (source and destination addresses, protocols, ports) and blocks whatever the policy does not explicitly allow

  27. Security Layers

  28. Internetworked Security Defenses • Denial of Service Defenses • These assaults depend on three layers of networked computer systems • Victim’s website • Victim’s ISP • Sites of “zombie” or slave computers • Defensive measures and security precautions must be taken at all three levels

  29. E-mail Monitoring • “Spot checks just aren’t good enough anymore. The tide is turning toward systematic monitoring of corporate e-mail traffic using content-monitoring software that scans for troublesome words that might compromise corporate security.” • Widespread monitoring of email • Magic Lantern • Carnivore

  30. Viruses • Programs written with malicious intent • General Types • Trojan horse • File • Logic or time bomb • Worm • Defense may be accomplished through • Centralized distribution and updating of antivirus software • Outsourcing the virus protection responsibility to ISPs or to telecommunications or security management companies

  31. Security Measures • Security codes • Multilevel password system • Log onto the computer system • Gain access into the system • Access individual files • Backup • Duplicate files of data or programs • File retention measures • Sometimes several generations of files are kept for control purposes

  32. Biometric Security • Measure physical traits that make each individual unique • Voice • Fingerprints • Hand geometry • Signature dynamics • Keystroke analysis • Retina scanning • Face recognition and Genetic pattern analysis

  33. More Security Measures • Computer Failure Controls • Preventive maintenance of hardware & management of software updates • Backup computer system • Carefully scheduled hardware or software changes • Highly trained data center personnel • Fault tolerant systems • Computer systems that have redundant processors, peripherals, and software • Disaster recovery plan • Which employees will participate and their duties • What hardware, software, and facilities will be used • Priority of applications that will be processed

  34. Business Continuity • The purpose of a business continuity plan is to keep the business running after a disaster occurs. • Recovery planning is part of asset protection. • Planning should focus on recovery from a total loss of all capabilities. • Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current. • All critical applications must be identified and their recovery procedures addressed. • The plan should be written so that it will be effective in case of disaster.

  35. System Controls and Audits • Information System Controls • Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities • Designed to monitor and maintain the quality and security of input, processing, and storage activities • Auditing Business Systems • Review and evaluate whether proper and adequate security measures and management policies have been developed and implemented • Testing the integrity of an application’s audit trail • Has legal implications (e.g. Sarbanes-Oxley)
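“Testing the integrity of an application’s audit trail” only works if the trail is built so that tampering is detectable. The following is an added example, not part of the slides: a hash-chained log in which each record’s digest covers the previous record’s digest, so an altered, deleted or reordered entry breaks the chain at an identifiable index. The audit events are constructed sample data.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64   # the "previous hash" in front of the first record


def _digest(prev_hash: str, entry: Dict[str, Any]) -> str:
    # Canonical JSON so the same entry always hashes the same way
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(trail: List[Dict[str, Any]], entry: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Append an audit event; its hash chains to the previous record's hash."""
    prev = trail[-1]["hash"] if trail else GENESIS
    trail.append({"entry": entry, "hash": _digest(prev, entry)})
    return trail


def verify_trail(trail: List[Dict[str, Any]]) -> Optional[int]:
    """Recompute every link. Returns the index of the first bad record, or None
    when the whole chain checks out."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        if rec["hash"] != _digest(prev, rec["entry"]):
            return i
        prev = rec["hash"]
    return None


# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    {"seq": 1, "user": "alice", "action": "login", "ok": True},
    {"seq": 2, "user": "alice", "action": "transfer", "amount_cents": 12500},
    {"seq": 3, "user": "alice", "action": "logout", "ok": True},
]


def build_sample_trail() -> List[Dict[str, Any]]:
    trail: List[Dict[str, Any]] = []
    for event in SAMPLE_EVENTS:
        append_entry(trail, dict(event))   # copy, so the trail owns its entries
    return trail


def tamper_amount() -> Optional[int]:
    """Alter a stored entry without touching its hash: detected at that index."""
    trail = build_sample_trail()
    trail[1]["entry"]["amount_cents"] = 1
    return verify_trail(trail)


def tamper_and_rehash() -> Optional[int]:
    """Alter an entry and recompute its own hash: the next record still exposes it,
    because its hash was computed over the original digest."""
    trail = build_sample_trail()
    trail[1]["entry"]["amount_cents"] = 1
    trail[1]["hash"] = _digest(trail[0]["hash"], trail[1]["entry"])
    return verify_trail(trail)


def delete_entry() -> Optional[int]:
    """Remove a record: the record after it no longer links to its predecessor."""
    trail = build_sample_trail()
    del trail[1]
    return verify_trail(trail)
```

The chain alone does not stop an attacker who can rewrite every later record as well; what anchors it is keeping the latest hash somewhere the application cannot modify (a separate system, a signed checkpoint, or the auditor’s own copy) and comparing against it during the audit.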

  36. Auditing • Implementing controls in an organization can be very complicated and difficult to enforce. Are controls installed as intended? Are they effective? Did any breach of security occur? These and other questions need to be answered by independent and unbiased observers. Such observers perform an auditing task. • There are two types of auditors: • An internal auditor is usually a corporate employee who is not a member of the information systems department (ISD). • An external auditor is a corporate outsider. This type of auditor reviews the findings of the internal audit. • There are two types of audits. • The operational audit determines whether the ISD is working properly. • The compliance audit determines whether controls have been implemented properly and are adequate.

  37. Personal Security Management Examples • Install and regularly use antivirus and spyware-cleaning software, and keep it up to date • Don’t store credit card information online with merchants (or at least only with trusted ones) • Don’t be predictable with passwords • Keep OS, apps and browsers up to date with the most recent patches • Send sensitive information only to secure sites • Make sure the website you’re accessing is correct (check the underlying URL) to avoid phishing attempts • Don’t open email attachments or click on URLs in email unless you’ve verified the source • Install firewalls (this is particularly important with fast internet connections)
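“Check the underlying URL” is advice that can be automated. As an added example (not from the slides), the code below pulls every link out of an HTML email body with the standard-library parser and flags the three tricks that make a displayed link differ from where it really goes: a host name in the link text that does not match the href, an href that points at a raw IP address, and an href whose real host is hidden behind a fake user name (`https://www.bank.example@evil.example/`). The sample email, the domains and the check names are constructed for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Something that looks like a host name inside the visible link text
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> List[Tuple[str, str]]:
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href: str, text: str) -> List[str]:
    """Return the reasons a link is suspicious; an empty list means none found."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.username:                       # https://bank.example@evil.example/
        reasons.append("credentials in URL hide the real host")
    if host and _is_ip(host):
        reasons.append("link points at a raw IP address")
    shown = HOST_RE.search(text)
    if shown:
        shown_host = shown.group(1).lower()
        # Accept www.bank.example for a text of bank.example, but not
        # bank.example.evil.example, whose registered domain is evil.example.
        if shown_host != host and not host.endswith("." + shown_host):
            reasons.append(f"link text shows {shown_host} but goes to {host or '?'}")
    return reasons


def scan_email(html: str) -> Dict[str, List[str]]:
    """Map each suspicious href in the message to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    for href, text in extract_links(html):
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message: one legitimate link and three phishing patterns
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account.</p>
<a href="https://www.bank.example/login">https://www.bank.example/login</a>
<a href="http://198.51.100.23/login">www.bank.example</a>
<a href="https://www.bank.example@evil.example/">Secure login</a>
<a href="https://bank.example.evil.example/">bank.example</a>
"""
```

The suffix check is the part worth getting right: `www.bank.example` is a legitimate host under `bank.example`, but `bank.example.evil.example` is a host under `evil.example` that merely starts with the familiar name, which is exactly what a phisher counts on a reader not noticing.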

  38. Law & Order • Irony of a private person being accessible by so many • It’s always been doable; just not this easily (see examples throughout the episode) • Worms • Privacy and the law • Who’s morally responsible for how information is used? • If your software or service is used by somebody as a means to kill another, who’s responsible?
