Slide 1ETHICSSlide 3Slide 4INFORMATION ETHICSInformation Has No EthicsSlide 7DEVELOPING INFORMATION MANAGEMENT POLICIESEthical Computer Use PolicySlide 10Information Privacy PolicySlide 12Acceptable Use PolicySlide 14E-Mail Privacy PolicySlide 16Slide 17Internet Use PolicyAnti-Spam PolicyETHICS IN THE WORKPLACEMonitoring TechnologiesSlide 22Employee Monitoring PoliciesSlide 24PROTECTING INTELLECTUAL ASSETSSlide 26THE FIRST LINE OF DEFENSE - PEOPLESlide 28Slide 29Slide 30Slide 31THE SECOND LINE OF DEFENSE - TECHNOLOGYAuthentication and AuthorizationSomething the User Knows Such As a User ID and PasswordSlide 35Slide 36Slide 37Something That Is Part Of The User Such As a Fingerprint or Voice SignaturePrevention and ResistanceContent FilteringEncryptionSlide 42FirewallsSlide 44Detection and ResponseSlide 46Slide 47Slide 48McGraw-Hill/Irwin©2008 The McGraw-Hill Companies, All Rights ReservedETHICSSECTION 4.14-2ETHICS•Ethics – the principles and standards that guide our behavior toward other people•Issues affected by technology advances–Intellectual property–Copyright–Fair use doctrine–Pirated software–Counterfeit software4-3ETHICS•Privacy is a major ethical issue–Privacy – the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent–Confidentiality – the assurance that messages and information are available only to those who are authorized to view them4-4ETHICS•One of the main ingredients in trust is privacy•Primary reasons privacy issues lost trust for e-business4-5INFORMATION ETHICS•Individuals form the only ethical component of IT4-6Information Has No Ethics•Acting ethically and legally are not always the same4-7Information Has No Ethics•Information does not care how it is used•Information will not stop itself from sending spam, viruses, or highly-sensitive information•Information cannot delete or preserve itself4-8DEVELOPING INFORMATION MANAGEMENT POLICIES•Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement•ePolicies typically include:–Ethical computer use policy–Information privacy policy–Acceptable use policy–E-mail privacy policy–Internet use policy–Anti-spam policy4-9Ethical Computer Use Policy•Ethical computer use policy – contains general principles to guide computer user behavior•The ethical computer user policy ensures all users are informed of the rules and, by agreeing to use the system on that basis, consent to abide by the rules4-10Ethical Computer Use Policy4-11Information Privacy Policy•The unethical use of information typically occurs “unintentionally” when it is used for new purposes–For example, social security numbers started as a way to identify government retirement benefits and are now used as a sort of universal personal ID•Information privacy policy - contains general principles regarding information privacy4-12Information Privacy Policy•Information privacy policy guidelines1. Adoption and implementation of a privacy policy2. Notice and disclosure3. Choice and consent4. Information security5. Information quality and access4-13Acceptable Use Policy•Acceptable use policy (AUP) – a policy that a user must agree to follow in order to be provided access to a network or to the Internet•An AUP usually contains a nonrepudiation clause–Nonrepudiation – a contractual stipulation to ensure that e-business participants do not deny (repudiate) their online actions4-14Acceptable Use Policy4-15E-Mail Privacy Policy•Organizations can mitigate the risks of e-mail and instant messaging communication tools by implementing and adhering to an e-mail privacy policy•E-mail privacy policy – details the extent to which e-mail messages may be read by others4-16E-Mail Privacy Policy4-17E-Mail Privacy Policy4-18Internet Use Policy•Internet use policy – contains general principles to guide the proper use of the Internet4-19Anti-Spam Policy•Spam – unsolicited e-mail•Spam accounts for 40% to 60% of most organizations’ e-mail and cost U.S. businesses over $14 billion in 2005•Anti-spam policy – simply states that e-mail users will not send unsolicited e-mails (or spam)4-20ETHICS IN THE WORKPLACE•Workplace monitoring is a concern for many employees•Organizations can be held financially responsible for their employees’ actions•The dilemma surrounding employee monitoring in the workplace is that an organization is placing itself at risk if it fails to monitor its employees, however, some people feel that monitoring employees is unethical4-21Monitoring Technologies4-22Monitoring Technologies•Monitoring – tracking people’s activities by such measures as number of keystrokes, error rate, and number of transactions processed•Common monitoring technologies include:–Key logger or key trapper software–Hardware key logger–Cookie–Adware–Spyware–Web log–Clickstream4-23Employee Monitoring Policies•Employee monitoring policies – explicitly state how, when, and where the company monitors its employeesMcGraw-Hill/Irwin©2008 The McGraw-Hill Companies, All Rights ReservedINFORMATION SECURITYSECTION 4.24-25PROTECTING INTELLECTUAL ASSETS4-26PROTECTING INTELLECTUAL ASSETS4-27THE FIRST LINE OF DEFENSE - PEOPLE•Organizations must enable employees, customers, and partners to access information electronically•The biggest issue surrounding information security is not a technical issue, but a people issue•33% of security incidents originate within the organization–Insiders – legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident4-28THE FIRST LINE OF DEFENSE - PEOPLE•The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan–Information security policies – identify the rules required to maintain information security–Information security plan – details how an organization will implement the information security policies4-29THE FIRST LINE OF DEFENSE - PEOPLE•Hackers frequently use “social engineering” to obtain password–Social engineering – using one’s social skills to trick people into revealing access credentials or other information valuable to the attacker4-30THE FIRST LINE OF DEFENSE - PEOPLE•Five steps to