Wednesday, 15 May 2013

Information Systems: Ethics, Privacy and Information Security

Ethics: A branch of philosophy that deals with what is considered to be right and wrong.
A Code of Ethics is a collection of principles that are intended to guide decision making by members of an organization.
Responsibility means that you accept the consequences of your decisions and actions.
Accountability means a determination of who is responsible for actions that were taken.
Liability is a legal concept meaning that individuals have the right to recover the damages done to them by other individuals, organizations, or systems.
Privacy Issues involve collecting, storing and disseminating information about individuals.
Accuracy Issues involve the authenticity, fidelity and accuracy of information that is collected and processed.
Property Issues involve the ownership and value of information.
Accessibility Issues revolve around who should have access to information and whether they should have to pay for this access.
Data aggregators are companies that collect public data (e.g., real estate records, telephone numbers) and nonpublic data (e.g., social security numbers, financial data, police records, motor vehicle records) and integrate them to produce digital dossiers.
Digital dossier is an electronic description of you and your habits.
Profiling is the process of creating a digital dossier.
Personal Information in Databases: Information about individuals is kept in many databases (banks, utility companies, government agencies, etc.); the most visible locations are credit-reporting agencies.
Social Networking Sites often include electronic discussions such as chat rooms. These sites appear on the Internet, within corporate intranets, and on blogs.
A blog is an informal, personal journal that is frequently updated and intended for general public reading.
Privacy Codes and Policies: An organization’s guidelines with respect to protecting the privacy of customers, clients, and employees.
Opt-out model of informed consent permits the company to collect personal information until the customer specifically requests that the data not be collected.
Opt-in model of informed consent means that organizations are prohibited from collecting any personal information unless the customer specifically authorizes it. 
International Aspects of Privacy: Privacy issues that international organizations and governments face when information spans countries and jurisdictions.
* Organizations and individuals are now exposed to untrusted networks. An untrusted network, in general, is any network external to your organization; the Internet, by definition, is an untrusted network.
* Government legislation: Gramm-Leach-Bliley Act; Health Insurance Portability and Accountability Act (HIPAA).
* Examples: thumb drives (flash drives), iPods, etc.
Downstream liability occurs when Company A's systems are attacked and taken over by the perpetrator, and Company A's systems are then used to attack Company B. Company B could successfully sue Company A if Company A cannot prove that it exercised due diligence in securing its systems.
Due diligence means that a company takes all necessary security precautions, as judged by commonly accepted best practices.
Unmanaged devices are those outside the control of the IT department. Examples include devices in hotel business centers, customer computers, and public computers in restaurants and cafes such as McDonald's, Panera, and Starbucks.
Lack of management support takes many forms: insufficient funding, technological obsolescence, and lack of attention.
A threat to an information resource is any danger to which a system may be exposed.
The exposure of an information resource is the harm, loss or damage that can result if a threat compromises that resource.
A system's vulnerability is a weakness in the system that a threat could exploit to cause harm.
Risk is the likelihood that a threat will occur (that is, that a threat will actually exploit a vulnerability).
Information system controls are the procedures, devices, or software aimed at preventing a compromise of the system.
Espionage or trespass: Competitive intelligence consists of legal information-gathering techniques; industrial espionage crosses the legal boundary.
(Two images: dumpster divers.) Dumpster diving, searching an organization's discarded trash for documents and media, is one such form of trespass. Many dumpster divers wear protective clothing and use snorkels, as it is not a good idea to receive cuts from items in the dumpster, and the air is foul.
