Session 3
Ethics, Privacy and Information Security

Slide 1: Session 3 Learning Objectives
- Examine IT ethical issues, practice ethical analysis and consider identity theft
- Describe the control layers used to categorize operational practices
- Relate IT threats and risks to mitigation (i.e. controls)
Copyright I. SplettstoesserHogeterp, 2009

Slide 2: A framework for ethical issues (Table 3.1, p. 65)
- Privacy
- Accuracy
- Property
- Accessibility
TIP: DEFINE AND PROVIDE EXAMPLES OF THE FOUR CATEGORIES OF ETHICAL ISSUES.
Slide 3: Privacy mega-horrors
- Payment processor (Heartland Payment Systems) breach disclosed January 2009; more than 100 million credit and debit cards could be affected (itbusiness.ca, Vijayan, Jan 22/09)
- Method: multiple planted software
- Compare to TJX (2007, 46 million cards)
- Jan 2009: Monster's database hacked

Slide 4: Accuracy problem results in loot
- Three extra zeros on a bank loan resulted in receiving $10 million (not $10,000) in New Zealand
- The applicants took $2.6 million and ran (May 2009, Toronto Star, Lilley)
- Have you ever experienced a bank error?

Slide 5: Phishing for cash (property)
- Fake bank emails or web sites, even a fake Canada Revenue Agency refund phish! (itbusiness.ca, Jan 20, 2009, Jackson)
- Confidential data can also be sold from stolen laptops or USB keys, i.e. data theft

Slide 6: Accessibility successes and failures
- Facebook materials ordered disclosed for automobile accident lawsuit (Mar 14, 2009, Toronto Star, Tyler)
- Ryerson student data available online unencrypted (Feb 24, 2009, Metro, Cdn Press)
- Computer 'junkie' warned a school about a potential bombing (March 21, 2009, Toronto Star, Chung)
Slide 7: Privacy in Canada: PIPEDA (Personal Information Protection and Electronic Documents Act, 2004)
Ten basic principles:
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance
Class Activity: List five privacy problems to share with the class. Relate each to one of these ten principles.
WHERE IS YOUR INFORMATION KEPT?
Slide 8: CANADA: Treasury Board: Management of Information Technology Security Standard
- Provides standards for federal deputy ministers and department heads
- The IT departments will be responsible for implementing the procedures and processes to meet the standards
- If systems are broken into, this affects the confidence of Canadians
Slide 9: Six Step Approach to solve an ethical dilemma (Source: Auditing and Other Assurance Services, 10th ed., p. 35)
1. Obtain the relevant facts
2. Identify the ethical issues from the facts
3. Determine who is affected by the outcome and how
4. Identify reasonable alternative actions
5. Identify consequences of each alternative
6. Decide on appropriate action
Slide 10: Security Co Database Question
Problem: Last week, you purchased a used computer from a friend who is a recently retired security company officer. Upon using the computer, you found several large files that seem to contain data about the activities and profiles of hundreds of people in your city.
Activity: Use the ethical framework to decide what you should do.
TIP: DESCRIBE EACH STEP OF THE ETHICAL FRAMEWORK AND BE ABLE TO APPLY IT TO A CASE.
Guidelines such as these:
- Codify requirements for employees
- Provide a standard set of procedures
- Help protect organizations from litigation
- Can be used as a measurement tool if disciplinary action is required
Slide 12: Case Click Fraud, p. 103
- POD 4 will present this case

Slide 13: Break

Slide 14: Categories of Controls
- Security is only one aspect of operational control
- Controls come in "layers":
  1. Control Environment
  2. General Controls
  3. Application Controls
Slide 15: Control Environment
- Encompasses management attitudes towards controls, as evidenced by management actions, as well as by stated policies that address:
  - Ethical issues
  - Quality of supervision
- This is part of the organizational culture

Slide 16: Figure 3.2 (p. 86) and general controls
- What are examples of controls that we can see on this figure?

Slide 17: Access controls help to prevent identity theft
- Using confidential information such as passwords, drivers' licences or medical records to assume someone else's identity
- The thief applies for credit cards, mortgages or passports
- Controls include: physical security, access security, and encryption
- Do you know of examples of identity theft?
Slide 18: Technology Guide 3: Protecting your identity
- If you have not read Tech Guide 3, do so now
- What is your risk level?
- Do you need to undertake the actions described in this Guide?

Slide 19: Password controls are needed for all categories of controls
- Control Environment: Policies that enforce the proper management of user codes and passwords
- General Control: A security system that requires a user id and password to 'log on'
- Application Control: Separate passwords for sensitive functions, e.g. employee raises or write-off of customer accounts
TIP: BE ABLE TO DESCRIBE EACH CATEGORY OF CONTROL AND PROVIDE AN EXAMPLE THAT CARRIES THROUGH EACH CONTROL LEVEL.
Slide 20: Application Controls
- Controls that apply to individual functional areas (applications), e.g. payroll
- The text uses the categories: input, processing, output.
- It is more common to use the categories: accuracy, completeness, authorization, audit trail (documentation) for each of input, processing and output

Slide 21: Application Controls Examples
- Input: Edits that check for reasonable data ranges
- Processing: Automatically check that each line of an invoice adds to the total
- Output: Supervisor reviews payroll journal for unusual amounts before cheques are printed.

Slide 22: Case -- Blorney
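Returning to slides 20 and 21: the added example below (not from the course slides or text) runs the three application control stages over a constructed batch of contractor invoices feeding a payroll run, tags each finding with one of slide 20's categories, and keeps an audit trail. Field names, the hours limit and the review threshold are assumptions.

```python
"""Application controls (input / processing / output) over a constructed invoice batch."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Finding:
    stage: str       # input / processing / output
    category: str    # accuracy / completeness / authorization / audit trail
    record_id: str
    message: str


# Constructed sample batch (hypothetical field names). Each line is (hours, rate).
BATCH = [
    {"id": "INV-1", "lines": [(40, 25.0), (2, 50.0)], "total": 1100.0, "approved_by": "mgr-7"},
    {"id": "INV-2", "lines": [(400, 25.0)], "total": 10000.0, "approved_by": "mgr-7"},      # hours out of range
    {"id": "INV-3", "lines": [(38, 25.0), (1, 80.0)], "total": 1050.0, "approved_by": "mgr-7"},  # lines sum to 1030
    {"id": "INV-4", "lines": [(40, 95.0)], "total": 3800.0, "approved_by": None},             # no approver
]
HOURS_RANGE = (0, 80)  # assumed edit limit: hours per line per pay period


def input_edit(rec):
    """Input control (accuracy): each hours value must fall in a reasonable range."""
    return [Finding("input", "accuracy", rec["id"], f"hours {h} outside {HOURS_RANGE}")
            for h, _ in rec["lines"] if not HOURS_RANGE[0] <= h <= HOURS_RANGE[1]]


def processing_check(rec):
    """Processing control (accuracy): the line items must add to the stated total."""
    computed = round(sum(h * r for h, r in rec["lines"]), 2)
    if computed != rec["total"]:
        return [Finding("processing", "accuracy", rec["id"],
                        f"lines sum to {computed}, total says {rec['total']}")]
    return []


def authorization_check(rec):
    """Input control (authorization): a record without a recorded approver is held."""
    return [] if rec["approved_by"] else [Finding("input", "authorization", rec["id"], "no approver")]


def output_review(batch, factor=3.0):
    """Output control: queue amounts far above the batch median for supervisor review."""
    med = median(r["total"] for r in batch)
    return [Finding("output", "authorization", r["id"], f"total {r['total']} exceeds {factor}x median {med}")
            for r in batch if r["total"] > factor * med]


def run_controls(batch):
    """Apply every control; return (findings, held record ids, audit trail lines)."""
    findings = [f for rec in batch for f in input_edit(rec) + processing_check(rec) + authorization_check(rec)]
    findings += output_review(batch)
    audit_trail = [f"{f.record_id}:{f.stage}:{f.category}:{f.message}" for f in findings]  # documentation
    return findings, sorted({f.record_id for f in findings}), audit_trail
```

Only INV-1 passes every stage; the other three are held with one finding per failed control, and INV-2 trips both the input edit and the output review.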
- POD 5 will discuss this case

Slide 23: Figure 3.1 (p. 73) Security threats
- Which of these risks have you encountered?
- Let's turn to our text and review these risks

Slide 24: Matching threats/risks to controls
- Let's take a look at some of the security threats described in Figure 3.1
- Match a control to the risk: what type of control is it and how does it prevent or deter the risk?

Slide 25: Business continuity planning (BCP)
- BCP: what is its purpose?
  - Have continuous availability?
  - Be able to recover in the event of a hardware or software failure?
  - Ensure that critical systems are available and operating?
Slide 26: A real information systems disaster
- Bay Street, 10th floor mainframe computer centre was located just above the 9th floor microcomputer bullpen
- 9th floor was gutted by fire
- 300 people transferred the backup tapes to vehicles on the ground that acted as a temporary processing centre

Slide 27: Framework for recovery planning
1. Management commitment
2. Ranking of business processes
3. Identify minimum resources required
4. Prepare a Data centre and a User plan
5. Test the plan (and keep it current)
Slide 28: Case Don't pay that ransom (p. 83)
- POD 6 will discuss this case

Slide 29: Prepare for Session 4
For Next Class:
- July 1 statutory holiday
- Waiting for confirmation of make-up class time, date and location
- Read Chapter 4 and Technology Guide 4
PODs:
- PODs 7, 8 and 9 are presenting next week; see me before you leave today
- No changes permitted to PODs once you are signed up

Slide 30: ...
This note was uploaded on 08/19/2009 for the course ADMS 2511 taught by Professor Jiu during the Spring '09 term at York University.