
Chapter 9: Using Information Ethically
Managing and Using Information Systems: A Strategic Approach
by Keri Pearlson, Carol Saunders

Learning Objectives
- Understand how ethics should be framed in the context of business practices and the challenges surrounding these issues.
- Define and describe the three normative theories of business ethics.
- List and define PAPA and why it is important.
- Identify the issues related to the ethical governance of information systems.
- Understand security issues of organizations and how organizations are bolstering security.
- Describe how security can be best enacted.
- Define the Sarbanes-Oxley Act and the COBIT framework.

Real World Examples
- TJX Co. discovered the largest security breach of its computer system in the history of retailing.
- As many as 94 million customers were affected.
- TJX had to decide between notifying their customers immediately or waiting the 45 days allowed by the jurisdictions.
- If they waited, their customers might be further compromised by the breach.
- If they notified them immediately, they might lose customer confidence and face punishment from Wall Street.

NORMATIVE THEORIES OF BUSINESS ETHICS

Introduction
- Managers must assess initiatives from an ethical view.
- Most managers are not trained in ethics, philosophy, and moral reasoning.
- Difficult to determine or discuss social norms.
- Three theories of business ethics are examined to develop and apply to particular challenges that they face (see Figure 9.1):
  - Stockholder theory
  - Stakeholder theory
  - Social contract theory

Stockholder Theory
- Stockholders advance capital to corporate managers, who act as agents in advancing their ends.
- Managers are bound to the interests of the shareholders (maximize shareholder value).
- Manager's duties:
  - Bound to employ legal, non-fraudulent means.
  - Must take long view of shareholder interest.

Stakeholder Theory
- Managers are entrusted with a responsibility, fiduciary or other, to all those who hold a stake in or a claim on the firm.
- Stakeholders are:
  - Any group that vitally affects the corp. survival and success.
  - Any group whose interests the corp. vitally affects.
- Management must enact and follow policies that balance the rights of all stakeholders without impinging upon the rights of any one particular stakeholder.

Social Contract Theory
- Consider the needs of a society with no corporations or other complex business arrangements.
- What conditions would have to be met for the members of a society to agree to allow a corporation to be formed?
- Corporations are expected to create more value to society than it consumes.
- Social contract:
  1. Social welfare: corporations must produce greater benefits than their associated costs.
  2. Justice: corporations must pursue profits legally, without fraud or deception, and avoid actions that harm society.

| Theory | Definition | Metrics |
| --- | --- | --- |
| Stockholder | Maximize stockholder wealth, in legal and nonfraudulent manners. | Will this action maximize stockholder value? Can goals be accomplished without compromising company standards and without breaking laws? |
| Stakeholder | Maximize benefits to all stakeholders while weighing costs to competing interests. | Does the proposed action maximize collective benefits to the company? Does this action treat one of the corporate stakeholders unfairly? |
| Social contract | Create value for society in a manner that is just and nondiscriminatory. | Does this action create a "net" benefit for society? Does the proposed action discriminate against any group in particular, and is its implementation socially just? |

Figure 9.1 Three normative theories of business ethics.

CONTROL OF INFORMATION

Privacy
- Those who possess the best information and know how to use it, win.
- However, keeping this information safe and secure is a high priority (see Figure 9.2).
- Privacy: the right to be left alone.
- Managers must be aware of regulations that are in place regarding the authorized collection, disclosure and use of personal information.
  - Safe harbor framework of 2000.
| Area | Critical Questions |
| --- | --- |
| Privacy | What information must a person reveal about one's self to others? What information should others be able to access about you, with or without your permission? What safeguards exist for your protection? |
| Accuracy | Who is responsible for the reliability and accuracy of information? Who will be accountable for errors? |
| Property | Who owns information? Who owns the channels of distribution, and how should they be regulated? |
| Accessibility | What information does a person or an organization have a right to obtain, under what conditions, and with what safeguards? |

Figure 9.2 Mason's areas of managerial concern.

Accuracy
- Managers must establish controls to ensure that information is accurate.
- Data entry errors must be controlled and managed carefully.
- Data must also be kept up to date.
- Keeping data as long as it is necessary or legally mandated is a challenge.

Property
- Mass quantities of data are now stored on clients.
- Who owns this data and has rights to it are questions that a manager must answer.
- Who owns the images that are posted in cyberspace?
- Managers must understand the legal rights and duties accorded to proper ownership.

Accessibility
- Access to information systems and the data that they hold is paramount.
- Users must be able to access this data from any location (if it can be properly secured and does not violate any laws or regulations).
- Major issue facing managers is how to create and maintain access to information for society at large.
  - This access needs to be controlled to those who have a right to see and use it (identity theft).
  - Also, adequate security measures must be in place on their partners' end.

PAPA and Managers
- Managers must work hard to implement controls over information highlighted by PAPA.
- Limit access to data, avoid identity theft, and respect customer's privacy.
- FTC requires more disclosure of how companies use customer data.
  - Gramm-Leach-Bliley Act (1999).
- Information privacy guidelines must come from above: CEO, CFO, etc.

Security and Controls
- PAPA principles work hand in hand with security and controls.
- Executives reported that hardware/software failures and major viruses had resulted in unexpected or unscheduled outages of their critical business systems (Ernst & Young).
- Technologies have been devised to manage the security and control problems (see Figure 9.3).
- RFID is being used to control access and manage assets.
- Employees require proper training and education.

IT GOVERNANCE AND



CSUN IS 655 - Using Information Ethically
