The document discusses ethics, privacy, and information security. It covers four categories of ethical issues: privacy, accuracy, property, and accessibility. It then discusses threats to information security such as unintentional acts, natural disasters, technical failures, management failures, and deliberate acts by employees. Finally, it discusses ways to protect information resources through risk analysis, mitigation strategies like risk acceptance, limitation, and transference, and implementing controls.
3.1 Ethical Issues
3.2 Threats to Information Security
3.3 Protecting Information Resources
Chapter 3
Ethics, Privacy and Information Security
Copyright 2007 John Wiley & Sons, Inc. Chapter 3 1

3.1 Ethical Issues
Ethics. A branch of philosophy that deals with what is considered to be right and wrong.
A Code of Ethics is a collection of principles that are intended to guide decision making by members of an organization.

The Four Categories of Ethical Issues
Privacy issues involve collecting, storing and disseminating information about individuals.
Accuracy issues involve the authenticity, fidelity and accuracy of information that is collected and processed.
Property issues involve the ownership and value of information.
Accessibility issues revolve around who should have access to information and whether they should have to pay for this access.

Protecting Privacy
Privacy. The right to be left alone and to be free of unreasonable personal intrusions.
Two rules have been followed fairly closely in past court decisions in many countries:
The right of privacy is not absolute. Privacy must be balanced against the needs of society.
The public’s right to know is superior to the individual’s right of privacy.

Protecting Privacy (Continued)
Electronic Surveillance. The tracking of people’s activities, online or offline, with the aid of computers.
Personal Information in Databases. Information about individuals is being kept in many databases: banks, utility companies, government agencies, etc.; the most visible locations are credit-reporting agencies.

Protecting Privacy (Continued)
Information on Internet Bulletin Boards and Newsgroups. Electronic discussions such as chat rooms and other such sites appear on the Internet, within corporate intranets, and on blogs.
A blog (Weblog) is an informal, personal journal that is frequently updated and intended for general public reading.

Protecting Privacy (Continued)
Privacy Codes and Policies. An organization’s guidelines with respect to protecting the privacy of customers, clients, and employees.
International Aspects of Privacy. Privacy issues that international organizations and governments face when information spans countries and jurisdictions.

3.2 Threats to Information Security
A threat to an information resource is any danger to which a system may be exposed.
The exposure of an information resource is the harm, loss or damage that can result if a threat compromises that resource.
A system’s vulnerability is the possibility that the system will suffer harm from a threat.
Risk is the likelihood that a threat will occur.
Information system controls are the procedures, devices, or software aimed at preventing a compromise to the system.

Categories of Threats to Information Systems
Unintentional acts, those with no malicious intent, such as:
Human errors
Social engineering – being tricked by others
Deviations in the quality of service – service is not delivered as expected

Categories of Threats to Information Systems
Natural disasters include earthquakes, severe storms, floods, power failures or strong fluctuations, fires (the most common hazard), explosions, etc.
Technical failures can occur as the result of poor manufacturing or defective materials.

Categories of Threats to Information Systems
Management failures involve a lack of funding for information security efforts.
Deliberate acts by a company’s employees:
Trespass
Information extortion
Sabotage or vandalism
Theft

Compromises to Intellectual Property
Intellectual property. Property created by individuals or corporations which is protected under trade secret, patent, and copyright laws.
Trade secret. Intellectual work, such as a business plan, that is a company secret and is not based on public information.
Patent. Document that grants the holder exclusive rights on an invention or process for 20 years.

Compromises to Intellectual Property (Continued)
Copyright. Statutory grant that provides creators of intellectual property with ownership of the property for the life of the creator plus 70 years.
Piracy. Copying a software program without making payment to the owner.

Software Attacks
Malicious software (malware) is software designed to damage, destroy, or deny service to the targeted systems.
The most common types of software attacks are viruses, worms, Trojan horses, logic bombs, back doors, denial-of-service, alien software, phishing and pharming.

Software Attacks (Continued)
Viruses. Segments of computer code that perform unintended actions ranging from merely annoying to destructive.
Worms. Destructive programs that replicate themselves without requiring another program to provide a safe environment for replication.
Trojan horses. Software programs that hide in other computer programs and reveal their designed behavior only when they are activated.

Software Attacks (Continued)
Logic bombs. Designed to activate and perform a destructive action at a certain time.
Back doors or trap doors. Typically a password, known only to the attacker, that allows access to the system without having to go through any security.
Denial-of-service. An attacker sends so many information requests to a target system that the target cannot handle them successfully and can crash the entire system.

Alien Software
Pestware. Clandestine software that uses up valuable system resources and can report on your Web surfing habits and other personal information.
Adware. Designed to help popup advertisements appear on your screen.
Spyware. Software that gathers user information through the user’s Internet connection without their knowledge (e.g. keyloggers, password capture).

Alien Software (Continued)
Spamware. Designed to use your computer as a launch pad for spammers.
Spam. Unsolicited e-mail, usually for purposes of advertising.
Cookies. Small amounts of information that Web sites store on your computer, temporarily or more-or-less permanently.

Alien Software (Continued)
Web bugs. Small, usually invisible, graphic images that are added to a Web page or e-mail.
Phishing. Uses deception, such as an official-looking e-mail, to fraudulently acquire sensitive personal information such as account numbers and passwords.
Pharming. Fraudulently acquires the Domain Name for a company’s Web site, so that when people type in the Web site URL they are redirected to a fake Web site.

3.3 Protecting Information Resources
Risk. The probability that a threat will impact an information resource.
Risk management. To identify, control and minimize the impact of threats.
Risk analysis. To assess the value of each asset being protected, estimate the probability that it might be compromised, and compare the probable costs of its being compromised with the cost of protecting it.

Protecting Information Resources (Continued)
Risk mitigation is when the organization takes concrete actions against risk. It has two functions: (1) implement controls to prevent identified threats from occurring, and (2) develop a means of recovery should the threat become a reality.

Risk Mitigation Strategies
Risk acceptance. Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
Risk limitation. Limit the risk by implementing controls that minimize the impact of the threat.
Risk transference. Transfer the risk by using other means to compensate for the loss, such as purchasing insurance.
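As an added illustration (not part of the slides), the following Python sketch carries the risk analysis defined in 3.3 through to a choice among the three mitigation strategies: for each asset it compares the probable annual cost of compromise (asset value × probability) with the cost of limiting the risk through controls and with the cost of transferring it through insurance. The asset values, probabilities, control costs and premiums are constructed sample figures, and the residual-probability field is an assumption added to model what a control achieves.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Asset:
    """One protected asset with the figures a risk analysis estimates."""
    name: str
    value: float          # loss if the asset is compromised (impact cost)
    p_compromise: float   # estimated annual probability of compromise
    control_cost: float   # annual cost of controls (risk limitation)
    residual_p: float     # assumed probability left once controls are in place
    premium: float        # annual insurance premium (risk transference)


def expected_loss(value: float, probability: float) -> float:
    """Probable annual cost of compromise: asset value x probability."""
    return round(value * probability, 2)


def strategy_costs(a: Asset) -> dict[str, float]:
    """Total annual cost of each mitigation strategy for one asset."""
    return {
        # acceptance: no controls, absorb the expected damage
        "acceptance": expected_loss(a.value, a.p_compromise),
        # limitation: pay for controls, absorb the residual expected damage
        "limitation": round(a.control_cost + expected_loss(a.value, a.residual_p), 2),
        # transference: pay the premium, the insurer absorbs the loss
        "transference": round(a.premium, 2),
    }


def choose_strategy(a: Asset) -> tuple[str, float]:
    """Pick the strategy with the lowest total annual cost."""
    costs = strategy_costs(a)
    best = min(costs, key=costs.get)
    return best, costs[best]


# Constructed sample inventory (illustrative figures, not real data).
ASSETS = [
    Asset("customer database", 500_000, 0.05, 10_000, 0.005, 30_000),
    Asset("lobby kiosk", 2_000, 0.10, 1_500, 0.01, 800),
    Asset("warehouse servers (fire)", 200_000, 0.02, 15_000, 0.01, 3_000),
]

if __name__ == "__main__":
    for asset in ASSETS:
        table = ", ".join(f"{k}={v:,.0f}" for k, v in strategy_costs(asset).items())
        best, cost = choose_strategy(asset)
        print(f"{asset.name}: {table} -> {best} ({cost:,.0f}/yr)")
```

Running it shows the three outcomes side by side: the database is worth protecting with controls, the low-value kiosk is cheapest to leave uncontrolled, and the fire risk is cheapest to insure.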

Controls
Controls evaluation. Identifies security deficiencies and calculates the costs of implementing adequate control measures.
Physical controls. Physical protection of computer facilities and resources.
Access controls. Restriction of unauthorized user access to computer resources; use biometric and password controls for user identification.

Controls (Continued)
Communications (network) controls. Protect the movement of data across networks and include border security controls, authentication and authorization.
Firewalls. A system that enforces an access-control policy between two networks.
Anti-malware systems. Also called antivirus software; software packages that attempt to identify and eliminate viruses, worms, etc.

Controls (Continued)
Whitelisting and blacklisting. Identify software that is allowed to run and software that is not allowed to run.
Intrusion detection systems. Designed to detect all types of malicious network traffic that cannot be detected by a firewall.
Encryption. Process of converting an original message into a form that cannot be read by anyone except the intended receiver.

Controls (Continued)
All encryption systems use a key.
Symmetric encryption. Sender and the recipient use the same key.
Public-key encryption. Uses two different keys: a public key and a private key.
Certificate authority. Asserts that each computer is identified accurately and provides the public keys to each computer.

Controls (Continued)
Virtual Private Networking. Uses the Internet to carry information within a company and among business partners, but with increased security through the use of encryption, authentication and access control.
Application controls. Controls that protect specific applications and include input, processing and output controls.