Information Systems: Ethics,
Privacy and Information Security
Ethics:
A
branch of philosophy that deals with what is considered to be right and
wrong.
A Code of Ethics is a collection of principles
that are intended to guide decision making
by members of an organization
Responsibility means that you accept the consequences of your decisions and
actions.
Accountability means a determination of who is responsible for actions that
were taken.
Liability is
a legal concept meaning that individuals have the right to recover the damages
done to them by other individuals, organizations, or systems.
Privacy Issues involve collecting, storing and disseminating information
about individuals.
Accuracy Issues involve the authenticity, fidelity and accuracy of
information that is collected and processed.
Property Issues involve
the ownership and value of information.
Accessibility Issues revolve around who should have
access to information and whether they should have to pay for this access.
Data aggregators are companies that collect public
data (e.g., real estate records, telephone numbers) and nonpublic
data (e.g., social security numbers, financial data, police records,
motor vehicle records) and integrate them to produce digital dossiers.
Digital dossier is an electronic description of you
and your habits.
Profiling is
the process of creating a digital dossier.
Personal Information in Databases Information about individuals is
being kept in many databases: banks, utilities co., govt. agencies, etc.; the
most visible locations are credit-reporting agencies.
Social Networking Sites often include electronic
discussions such as chat rooms. These sites appear on
the Internet, within corporate intranets, and on blogs.
A blog is an informal, personal journal
that is frequently updated and intended for general public reading.
The
logos represent popular social networking sites.
Privacy Codes and Policies: An organization’s guidelines
with respect to protecting the privacy of customers, clients, and employees.
Opt-out model of
informed consent permits the company to collect personal information until the
customer specifically requests that the data not be collected.
Opt-in model of
informed consent means that organizations are prohibited from collecting any
personal information unless the customer specifically authorizes it.
International Aspects of Privacy: Privacy issues that international
organizations and governments face when information spans countries and
jurisdictions.
*
Organizations and individuals are now exposed to untrusted networks.
An untrusted network, in general, is any network
external to your organization.
The
Internet, by definition, is an untrusted network.
*
Government legislation: Gramm-Leach-Bliley Act
Health
Insurance Portability and Accountability Act (HIPAA)
*
Examples: thumb drives (flash drives), iPods, etc.
Downstream liability occurs when Company A’s systems are
attacked and
taken
over by the perpetrator. Company A’s systems are then used to attack
Company
B. Company A could be sued successfully by Company B, if Company A
cannot
prove that it exercised due diligence in securing its systems.
Due diligence means
that a company takes all necessary security precautions,
as
judged by commonly accepted best practices.
Unmanaged devices are those outside the control of
the IT department.
Examples
include devices in hotel business centers, customer computers,
computers
in restaurants such as McDonalds, Paneras, Starbucks.
Lack of management support takes many forms: insufficient
funding, technological obsolescence, and lack of attention.
A threat to an information resource is
any danger to which a system may be exposed.
The exposure of information resources is
the harm, loss or damage that can result if a threat compromises that resource.
A
system’s vulnerability is the possibility that the
system will suffer harm by a threat.
Risk is the likelihood that a threat
will occur.
Information system controls are the procedures, devices, or
software aimed at preventing a compromise to the system.
Espionage
or trespass: Competitive
intelligence consists of legal
information-gathering techniques.
Industrial espionage crosses the legal boundary.
The
two images show dumpster divers. Many dumpster divers wear
protective clothing and use snorkels, as it is not a good idea to receive cuts
from items in the dumpster, and the air is foul.
