Download Lecture 8 - Faculty Web Pages

Opening Case: The Privacy Commissioner of Canada’s Work
McGraw-Hill-Ryerson
©2015 The McGraw-Hill Companies, All Rights Reserved
Chapter Ten Overview
• SECTION 10.1 – INFORMATION ETHICS AND PRIVACY
– Introduction
– Information Ethics
– Information Privacy
– Developing Information Management Policies
• SECTION 10.2 – INFORMATION SECURITY
– Introduction
– Protecting Information
– Protecting Data
– People: The First Line of Defence
– The Second Line of Defence: Technology
Copyright © 2015 McGraw-Hill Ryerson Limited
Learning Outcomes
1. Explain what information ethics is and its importance in the workplace.
2. Describe what information privacy is and the differences in privacy legislation around the world.
3. Identify the differences between various information ethics and privacy policies in the workplace.
4. Describe information security, and explain why people are the first line of defence for protecting information.
5. Describe how information technologies can be used to enhance information security.
INFORMATION ETHICS AND PRIVACY
Introduction
Learning Outcome 10.1
• Ethics
– The principles and standards that guide our behaviour towards other people
• Privacy is a major ethical issue
– Privacy is the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent
– Confidentiality is the assurance that messages and information are available only to those who are authorized to view them
Technology-Related Ethical Issues & Concepts
Learning Outcome 10.1
Intellectual Property: Intangible creative work that is embodied in physical form
Copyright: The legal protection afforded an expression of an idea, such as a song, video game, and some types of proprietary documents
Fair Dealing: The principle by which, in certain situations, it is legal to use copyrighted material
Pirated Software: Copyrighted software that is used, duplicated, or sold without authorization by the copyright holder
Counterfeit Software: Software that is manufactured to look like the real thing and sold as such
Figure 10.1
Trust Supports Business
Learning Outcome 10.1
Trust between companies, partners, and suppliers is the support structure of business, in particular, e-business
Primary Reasons Privacy Issues Reduce Trust for E-Business
1. There is a loss of personal privacy.
2. Internet users are more inclined to purchase a product on a website that has a privacy policy.
3. Effective privacy would convert more Internet users to Internet buyers.
From Figure 10.2
Information Ethics
Learning Outcome 10.1
Ethics
• The principles and standards that guide our behaviour towards other people
Acting Ethically and Legally Are Not Always the Same
Information Ethics
• The ethical and moral issues arising from the development and use of information technologies, as well as the creation, duplication, processing and distribution of information itself.
Figure 10.4
Information Has No Ethics
Learning Outcome 10.1
Examples of Ethically Questionable or Unacceptable Use of Information Systems
• Individuals copy, use and distribute software.
• Employees search organizational databases for sensitive corporate and personal information.
• Organizations collect, buy, and use information without checking validity or accuracy of the information.
• Individuals create and spread viruses that cause trouble for those using and maintaining information systems.
• Individuals hack into computers to steal proprietary information.
• Employees destroy or steal proprietary organizational information such as schematics, sketches, customer lists and reports.
From Figure 10.3
Information & Ethical Concerns
Learning Outcome 10.1
• Information Ethics in the Workplace
– Replacing people with computers, one set of boring jobs with a new set of boring jobs
• Systems & Respect for Human Dignity
– “Dehumanizing” jobs, making jobs overly regimented & inflexible, disrespecting human intelligence
– Health & safety concerns from poorly designed interfaces
• Tracking People’s Activities
– Monitoring Web browsing and social media use at work
– Cyberstalking: tracking individuals through social media for malicious or criminal reasons
– Spyware: unauthorized tracking of browsing
Employee Monitoring
Learning Outcome 10.1
Effects of Employee Monitoring
• Employee absenteeism reached its highest point in several years in 2009.
• Studies indicate that electronic monitoring results in lower job satisfaction, in part, because people begin to believe the quantity of their work is more important than the quality.
• Electronic monitoring also induces what psychologists call “psychological reactance”: the tendency to rebel against constraint.
From Figure 10.5
Protecting Digital Content
Learning Outcome 10.1
Canada’s Copyright Modernization Act received royal assent on June 29, 2012. Key changes include:
• Legalizing format shifting
• Legalizing time shifting
• Allowing backup copies of content to be made against loss or damage
• Allowing “mash ups” (create blend of copies) if not for resale
• Enacting a system where copyright holders can inform ISPs of possible piracy by their customers
Protecting Digital Content
Learning Outcome 10.1
Additional changes from Canada’s Copyright Modernization Act include:
• Protecting search engines and ISPs from copyright violations of their users
• Differentiating commercial and individual copyright violations in terms of penalties
• Expanding the meaning of fair dealing to include purposes of parody, satire and education
• Criminalizing cracking a digital lock placed on a device, disc, or file
Information Privacy
Learning Outcome 10.2
Information privacy deals with how personal information is collected and stored on computer systems; it also covers how the information is shared.
• Personal Information
– Data or information that can be directly related to an identified person
– Regardless of data format and content
• Breaches of Information Privacy
– Not about preventing collection of information to complete business transactions
– Breaches occur with inappropriate disclosure or unauthorized access
• Protecting Personal Data
– Just as steps are taken to protect physical assets, personal information must be proactively protected
Information Privacy in Europe
Learning Outcome 10.2
• Strong Privacy Laws
– Directives indicate the required results but allow EU members to determine their own methods
• Citizens are granted the following rights:
– To know the source of the personal data processing and the purpose of such processing
– To access and/or rectify inaccuracies in one’s personal data
– To disallow the use of personal data with the proviso that personal data can only be transferred outside the borders to countries offering the same level of protection
– Based on eight key principles that have also been adopted in Canada
Information Privacy in the US
Learning Outcome 10.2
• Less centralized approach than in Canada or Europe
– No single encompassing law
– Access to public information is culturally acceptable
• Exceptions:
– California legislates an individual’s inalienable right to privacy, and the 2003 Online Privacy & Protection Act ensures websites post privacy policies
– COPPA, a US federal law established in 1998, governs collection of personal information from children under 13
– HIPAA, 1996, protects personal health care information
Information Privacy Canada
Learning Outcome 10.2
• Federal Legislation
– PIPEDA (Personal Information Protection and Electronic Documents Act) follows the European model. It governs all organizations in Canada. It is concerned about protecting personal information of all Canadians.
– The Privacy Act protects personal information collected and used by the Federal Government
– The Bank Act is an example of a federal law with specific privacy protections, in this case, financial data held by financial institutions.
• Provincial Legislation
– Each province has its own ‘public-sector’ legislation
– Almost all provinces have the equivalent of PIPEDA to govern those enterprises operating only within provincial boundaries
Ten Guiding Principles of PIPEDA for Organizations
Learning Outcome 10.2
1. Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
2. Identifying Purpose: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
3. Consent: The knowledge and consent of the individual are required for collection, use, or disclosure of personal information, except when inappropriate.
4. Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
Figure 10.6
Ten Guiding Principles of PIPEDA for Organizations
Learning Outcome 10.2
5. Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by the law. Personal information shall be retained only as long as necessary for fulfillment of those purposes.
6. Accuracy: Personal information shall be as accurate, complete, and up to date as is necessary for the purposes for which it is to be used.
7. Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Figure 10.6
Ten Guiding Principles of PIPEDA for Organizations
Learning Outcome 10.2
8. Openness: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
9. Individual Access: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals for the organization’s compliance.
Figure 10.6
Developing Information Management Policies
Learning Outcome 10.3
E-Policies are guidelines and procedures that encourage ethical use of computers and the Internet in business.
Overview of E-Policies
Figure 10.7
Ethical Computer Use and Information Privacy E-Policies
Learning Outcome 10.3
• Ethical Computer Use Policy
– Established as an essential step in creating an ethical corporate culture
– Ensures that employees know how to behave, communicates expectations and penalties
– Control should be by informed consent through corporate training or other forms of education and direction
• Information Privacy Policy
– Contains general principles regarding information privacy
– Processes and penalties should prevent unauthorized access to information for malicious or fraudulent reasons but also accidental, non-malicious access that may have equally serious repercussions
Acceptable Use and Internet Use E-Policies
Learning Outcome 10.3
• Acceptable Use Policy
– Requires the user to agree to follow it to be provided access to corporate email, information systems, and the Internet
– Nonrepudiation occurs when a user denies their action. Acceptable Use Policies often have nonrepudiation clauses
– Also included are stipulations for lawful use, respect of others in the community and outside
• Internet Use Policy
– Describes the Internet services available to the user
– Defines the purpose of Web access and any restrictions to it
– Describes guidelines for protecting the user and the company
– States penalties if the policy is violated
Email Privacy
Learning Outcome 10.3
• Email Privacy Policy
– Details the extent to which email may be read by others
– Defines legitimate email uses and responsibly manages accounts after employee has left the company
– Explains backup procedures to employees
– Discourages junk mail or SPAM
– Prohibits disruptive email behaviour
– Describes legitimate grounds for reading employee mail
– Limits the organization’s responsibility for mail leaving the organization
– Some companies include a specific Anti-Spam policy to restrict the sending of unsolicited mail
Managing Email Privacy
Learning Outcome 10.3
Email Is Stored on Multiple Computers
Figure 10.8
Social Media Policy
Learning Outcome 10.3
• Social Media is public communication not controlled by a company, but concerning it, that can be beneficial or risky
– Social Media Policy outlines guidelines or principles that should govern employee online communications about the company
– Should include blog and personal blog policies
– Cover employee social network and personal social network policies including Facebook, Twitter, LinkedIn and YouTube
– Control communications detailing brand activity and organizational proprietary information of any kind
Workplace Monitoring Policy
Learning Outcome 10.3
• Is a risk management obligation
– Ensures that actions and activities harmful to the organization are discovered and terminated or deterred
– Is virtually unregulated; employees should act as though they are being observed
– Workplace MIS monitoring tracks computer activity by number of keystrokes, error rate, transactions processed, etc.
– Employee Monitoring Policy provides transparency and informs employees when, how, why and where the company is watching
– Should provide specific details as appropriate, indicate consequences of violating the policy and enforce the policy evenly
Internet Monitoring Technologies
Learning Outcome 10.3
Key logger, or key trapper, software: A program that records every keystroke and mouse click a user makes.
Hardware key logger: A device that captures keystrokes from keyboard to motherboard.
Cookie: A small file deposited in the user’s hard drive to record browsing information.
Adware: Software attached to a download that generates ads on a user’s machine.
Spyware (sneakware or stealthware): An unauthorized app hidden within legitimate software to record browsing behaviour.
Web log: Browser data stored on a web server.
Clickstream: Records user browsing sessions including what websites, how long, what was viewed/purchased
Figure 10.9
OPENING CASE QUESTIONS
The Privacy Commissioner of Canada’s Work
1. Why is protecting personal information in the best interests of both Canadians and the Government of Canada?
2. What policies has the Government of Canada implemented to protect citizen information privacy?
3. What lessons can be learned from the opening case study that will help other organizations better protect the personal information they collect?
4. How does the recent trend of governments allowing public access to data raise awareness of the need for governments to embrace privacy planning as part of normal, everyday business practice?
Data Warehousing
Sources of Unplanned Downtime
Learning Outcome 10.4
Figure 10.10
The Cost of Downtime
Learning Outcome 10.4
Figure 10.11
Protecting Information
Learning Outcome 10.4
• Vulnerabilities to an organization can occur for reasons that have nothing to do with IS decisions.
– Moving smoking outside opened a security door
– Loss of CDs sent through internal mail caused a breach of customer information
– Poor hiring practices lead to negligent and malicious employees
• Data and information are intangible. It is difficult to know what is not secure, stolen or redirected.
• Solid security processes & practices are critical.
• Information security is a broad term encompassing protection of information assets from accidental or intentional misuse
Data Backup and Recovery
Learning Outcome 10.4
Data Backup and Recovery, Disaster Recovery, and Business Continuity Planning
Figure 10.12
Disaster Recovery
Learning Outcome 10.4
• Disaster
– Natural: such as flood, fire, earthquake; Malicious: such as hackers; Negligence: due to employee ignorance, fatigue, or human fallibility
• Fault Tolerance
– A system that has a backup component when it does collapse.
• Failover
– Provides a secondary system to take over the duties of one that becomes unavailable.
• Disaster Recovery Plan
– Detailed process for regaining data and making the system operationally available again
• Hot Site
– A fully equipped failover facility
• Cold Site
– A separate wired facility to which a company can move
Business Continuity Planning
Learning Outcome 10.4
A plan for the recovery and restoration of partly or completely interrupted critical business functions within a pre-determined time after a disaster or extended disruption.
1. Establish a committee that makes sure control is established after a disaster.
2. Ensure a business impact analysis exists to identify the organization’s goals and priorities.
3. Ensure plans, measures and arrangements are available for the business to continue operating.
4. Establish quality assurance techniques to assess the plan’s accuracy, relevance, and effectiveness and to identify weak spots.
Disaster Recovery Cost Curve
Learning Outcome 10.4
Figure 10.13
Securing Data
Learning Outcome 10.4
• Prevent system intrusion
– Network security management
– Anti-SPAM
– Content filtering
– Upgrade encryption
• Apply patches, which are sent out by software companies to correct anomalies in the applications that otherwise could be exploited
• Train employees in safe computing practices such as password protection
People: The First Line of Defence
Learning Outcome 10.4
• Computer Security Survey reported 41.1% of respondents had experienced a security incident
• Insiders
– Legitimate users who maliciously or accidentally create a computer incident
– Most computer incidents are due to insiders
• Social Engineering
– Techniques to persuade people to do something against policy or the law
– Used by hackers to get insiders to give them access to the system
– Employees need to be trained to resist these techniques
Information Security Plan Objectives
Learning Outcome 10.4
Figure 10.14
Information Security Plan Objectives
Learning Outcome 10.4
Figure 10.15
Top 10 Questions Managers Should Ask Regarding Information Security
Learning Outcome 10.5
Figure 10.16
Authentication and Authorization
Learning Outcome 10.5
• Authentication
– Method for confirming user identity
– Something a user knows (password), something a user has (smart card, ID), something that is a part of a user (biometric)
– Biometrics identifies a user through a unique physical attribute of the user, such as a fingerprint or retinal scan
– Identity Theft is fraud that occurs when the perpetrator uses a victim’s personal information to fraudulently acquire their assets
• Authorization
– Giving someone permission to do something
– Different degrees of data access
– Read, Read-Write, Read-Write-Copy privileges
Examples of Identity Theft
Learning Outcome 10.5
Figure 10.17
Methods to Secure Data
Learning Outcome 10.5
• Prevention & Resistance
– Intrusion Detection System (IDS) monitors incoming network traffic and flags any communication, usually at the packet level, that does not conform to the usual patterns
• Content Filtering
– An application that reviews the content of network incoming and outgoing traffic to prevent transmission of confidential information, SPAM, and viruses
• Encryption
– Systems that encode and decode messages
– Public Key Encryption (PKE) provides a public key for anyone wishing to send a message to a recipient whose private key is the only one that can decrypt the message
Public Key Encryption (PKE) System
Learning Outcome 10.5
Figure 10.18
Methods to Secure Data
Learning Outcome 10.5
• Firewalls
– Hardware or software that guards a private network by analyzing data entering and leaving it
– Detects machine-to-machine interaction as well as human-sourced transmissions
• Detection and Response
– Based on the premise that prevention is never 100%
– Provides corrective procedures for unauthorized intrusion into the system once an event happens
Public Key Encryption (PKE) System
Learning Outcome 10.5
Sample Firewall Architecture Connecting Systems Located in Toronto, New York and Munich
Figure 10.19
Types of Hackers
Learning Outcome 10.5
Figure 10.20
Types of Malicious Software (Malware)
Learning Outcome 10.5
Figure 10.21
Technology-Related Ethical Issues & Concepts
Learning Outcome 10.5
Elevation of Privilege: A user misleads a system into granting unauthorized rights.
Hoaxes: A real virus is transmitted in a message appearing to be a harmless hoax virus.
Malicious Code: The broad term describing a variety of threats including virus, worms and Trojans.
Sniffer: A program or device that can monitor data travelling over a network.
Packet tampering: Consists of altering content of packets as they travel over the Internet.
Pharming: Reroutes requests for legitimate websites to false ones to collect user information.
From Figure 10.22
OPENING CASE QUESTIONS
The Privacy Commissioner of Canada’s Work
5. In the example, how can the company’s embrace of privacy mitigate future information security problems?
6. What is the biggest information security roadblock facing organizations attempting to achieve compliance with privacy legislation?
7. Can technology alone guarantee that information is kept secure? Why or why not?
8. Unfortunately, privacy and security breaches are a common occurrence in organizations today. What recent privacy and security breaches have been in the media lately? Do you think things will get worse before they get better? How can organizations better prepare themselves against future privacy and security breaches?
CLOSING CASE ONE:
WestJet Accepts Blame for Spying on Air Canada
1. Was WestJet’s access to Air Canada’s website information ethical? Legal? Explain.
2. How common in organizations is unauthorized access to private competitor information?
3. Does Air Canada have any responsibility in WestJet’s ability to access Air Canada’s private information? Explain.
4. What people measures could Air Canada implement to prevent future unauthorized access to private information?
5. What technology measures might Air Canada implement to prevent future unauthorized access to private information?
CLOSING CASE TWO:
Information Ethics and Privacy Issues with Facebook Make Headlines
1. Was Nationale Suisse justified in its online monitoring of employees who called in sick? If companies want to conduct such monitoring activities, what steps can they take to lessen negative backlash from the public and their employees? What steps can employees take?
2. Do you think the Privacy Commissioner went too far in her demands? Is this a bit of “much ado about nothing”?
3. Will the changes that Facebook implements to address the Commissioner’s concerns negatively affect the site in any way? What do you think the average Facebook user thinks of the new features?
CLOSING CASE TWO:
Information Ethics and Privacy Issues with Facebook Make Headlines
4. Do you know of any other examples in the popular press that showcase information ethics or privacy issues with the use of social networking sites like Facebook?
5. Does the above case make you wish to change how you use Facebook in any way?
CLOSING CASE THREE:
Thinking Like the Enemy
1. How could an organization benefit from attending one of the courses offered at the Intense School?
2. What are the two primary lines of security defence, and how can organizational employees use the information taught by the Intense School when drafting an information security plan?
3. If your employer sent you to take a course at the Intense School, what type of course would interest you and why?
4. What ethical dilemmas are involved in having such a course offered by a private company?