
CHAPTER 3
Ethics, Privacy and Information Security

Opening Case
How many years does it take to get privacy "right"?
The Business Problem
• The social networking site Facebook generates revenue by selling information about its users.
• Facebook provides access to user information to developers of applications so that the developers can provide more software for its users, continuing to expand the user base and thus continuing to increase its revenues.
• In addition to outsiders, Facebook has also routinely provided information about you to other users.

Opening Case
Questions
• How should default settings on social networking sites such as Facebook be organized; in other words, what type of information should be shared and how?
• What type of processes should Facebook have in place to deal with privacy concerns raised by users of the site?

Agenda
3.1 Ethical Issues
3.1.1 Ethics
3.1.1.1 Definition
3.1.1.2 Fundamental tenets of ethics
3.1.1.3 Four categories of ethical issues
3.1.2 Privacy
3.1.2.1 Definition
3.1.2.2 Threats to privacy
3.1.2.3 Privacy codes and policies

3.2 Threats to Information Security
3.2.1 Factors increasing threats
3.2.2 Categories of threats
3.3 Protecting Information Resources
3.3.1 Risk management
3.3.2 Controls
3.3.2.1 Physical controls
3.3.2.2 Access controls
3.3.2.3 Communications controls
3.3.2.4 Application controls
3.3.3 Business continuity planning, backup and recovery
3.3.4 Information systems auditing

LEARNING OBJECTIVES
1. Describe and provide examples of the major ethical issues related to information technology, with a focus on privacy. (3.1)
2. Identify the many threats to information security. (3.2)
3. Explain methods used to protect information systems, including the role of planning for disaster recovery and IT auditing. (3.3)

CHAPTER OVERVIEW

3.1 Ethical Issues
3.1.1 Ethics
3.1.1.1 Definition
3.1.1.2 Fundamental tenets of ethics
3.1.1.3 Four categories of ethical issues

3.1.1.1 Definition
• Ethics: a branch of philosophy that deals with what is considered to be right and wrong.
• A code of ethics is a collection of principles that are intended to guide decision making by members of an organization.

3.1.1.2 Fundamental tenets of ethics
• Responsibility means that you accept the consequences of your decisions and actions.
• Accountability means a determination of who is responsible for actions that were taken.
• Liability is a legal concept meaning that individuals have the right to recover the damages done to them by other individuals, organizations, or systems.

3.1.1.3 Four categories of ethical issues
• Privacy issues involve collecting, storing and disseminating information about individuals.
• Accuracy issues involve the authenticity, fidelity and accuracy of information that is collected and processed.
• Property issues involve the ownership and value of information.
• Accessibility issues revolve around who should have access to information and whether they should have to pay for this access.

3.1.2 Privacy
3.1.2.1 Definition
3.1.2.2 Threats to privacy
  ◦ Data aggregators, digital dossiers, and profiling
  ◦ Electronic surveillance
  ◦ Personal information in databases
  ◦ Information on the Internet
3.1.2.3 Privacy codes and policies

3.1.2.1 Definition
• Privacy: the right to be left alone and to be free of unreasonable personal intrusions.
• Information privacy: the right to determine when, and to what extent, information about yourself can be gathered and/or communicated to others.
• Court decisions have followed two rules:
  1. The right of privacy is not absolute. Your privacy must be balanced against the needs of society.
  2. The public's right to know is superior to the individual's right of privacy.

3.1.2.2 Threats to privacy
• Data aggregators, digital dossiers, and profiling
• Electronic surveillance
• Personal information in databases
• Information on Internet bulletin boards, newsgroups, and social networking sites

Data aggregators, digital dossiers, and profiling
• Data aggregators are companies that collect public data (e.g., real estate records, telephone numbers) and nonpublic data (e.g., social security numbers, financial data, police records, motor vehicle records) and integrate them to produce digital dossiers.
• Digital dossier: an electronic description of you and your habits.
• Profiling: the process of creating a digital dossier.

Electronic surveillance
The tracking of people's activities, online or offline, with the aid of computers.
• See the surveillance slideshow
• See additional surveillance slides
• Video: And you think you have privacy?

Personal information in databases
• Information about individuals is kept in many databases: banks, utility companies, government agencies, etc.
• The most visible locations are credit-reporting agencies. Equifax, TransUnion, and Experian are the three best-known credit-reporting agencies.

Information on the Internet
• Internet bulletin boards
• Newsgroups
• Social networking sites
Anyone can post derogatory information about you anonymously. (See this Washington Post article.) You can also hurt yourself, as this article shows.

3.1.2.3 Privacy codes and policies
Privacy codes and policies are an organization's guidelines with respect to protecting the privacy of customers, clients and employees.
• Opt-out model: the organization may collect personal information until the customer specifically requests that it stop.
• Opt-in model: the organization may not collect personal information unless the customer specifically authorizes it.
Canada's Privacy Legislation (PIPEDA)
• Personal Information Protection and Electronic Documents Act
• Became effective January 1, 2004.
• Organizations are required to establish a privacy policy, as well as procedures to ensure that the policy is adhered to.

3.2 Threats to Information Security
3.2.1 Factors increasing threats
3.2.2 Categories of threats

3.2.1 Factors increasing threats
• Today's interconnected, interdependent, wirelessly networked business environment
• Government legislation
• Smaller, faster, cheaper computers and storage devices
• Decreasing skills necessary to be a computer hacker
• International organized crime turning to cybercrime
• Downstream liability
• Increased employee use of unmanaged devices and networks, for example:
  ◦ Wi-Fi at Starbucks
  ◦ Wi-Fi at McDonald's
  ◦ Hotel business centre
• Lack of management support

3.2.2 Categories of threats
• Unintentional acts
• Natural disasters
• Technical failures
• Management failures
• Deliberate acts
• Video example of a threat

Unintentional Acts
• Human errors
• Deviations in quality of service by service providers (e.g., utilities)
• Environmental hazards (e.g., dirt, dust, humidity)

Human Errors
• Tailgating
• Shoulder surfing
• Carelessness with laptops and portable computing devices
• Opening questionable e-mails
• Careless Internet surfing
• Poor password selection and use
• Most dangerous employees: remember, some employees hold ALL the information, so their errors do the most damage.

Social Engineering
• Social engineering is an attack in which the attacker uses social skills to trick a legitimate employee into providing confidential company information such as passwords. Tailgating and shoulder surfing (previous slide) are the in-person forms of the same attack.
• Social data mining, also called buddy mining, occurs when attackers seek to learn who knows whom in an organization and how, so that a pretext ("I'm calling on behalf of your manager") sounds credible.
• Video: 60 Minutes interview with Kevin Mitnick, the "King of Social Engineering"

Deliberate acts
• Espionage or trespass
• Information extortion
• Sabotage or vandalism
• Theft of equipment or information
• Identity theft
• Compromises to intellectual property
• Software attacks
• Supervisory control and data acquisition (SCADA) attacks

• Theft of equipment or information
  ◦ For example, dumpster diving
• Video: Identity theft
• Instructions from the Office of the Privacy Commissioner of Canada to reduce the risk of identity theft: www.privcom.gc.ca/id/business_e.asp

• Compromises to intellectual property
  ◦ Trade secret
  ◦ Patent
  ◦ Copyright
  ◦ Software piracy
• Software attacks
  ◦ Virus
  ◦ Worm
    - 1988: first widespread worm, created by Robert T. Morris, Jr.
    - (see the rapid spread of the Slammer worm)
  ◦ Trojan horse
  ◦ Logic bomb

• Software attacks (continued)
  ◦ Phishing attacks
    - Phishing slideshow
    - Phishing example
    - Video: Can you be phished?
  ◦ Distributed denial-of-service (DDoS) attacks
• Alien software (software installed on a computer without the user's knowledge or consent)
  ◦ Spyware (see video)
  ◦ Spamware
  ◦ Cookies (demo). Cookies themselves are not malicious; the privacy concern is third-party tracking cookies that follow a user across sites.
• Supervisory control and data acquisition (SCADA) attacks
  ◦ Video of an experimental SCADA attack
• Cyber-terrorism and cyber-warfare

3.3 Protecting Information Resources
3.3.1 Risk management
3.3.2 Controls
3.3.2.1 Physical controls
3.3.2.2 Access controls
3.3.2.3 Communications controls
3.3.2.4 Application controls
3.3.3 Business continuity planning, backup and recovery
3.3.4 Information systems auditing

3.3.1 Risk management
• Risk management: to identify, control and minimize the impact of threats.
• Risk analysis: to assess the value of each asset being protected, estimate the probability that it might be compromised, and compare the probable cost of its being compromised with the cost of protecting it.

3.3.2 Controls
The purpose of controls is to safeguard assets, optimize the use of the organization's resources, and prevent or detect errors or fraud. Information systems security encompasses all of the following types of controls:
• Physical controls
• Access controls
• Communications controls
• Application controls

Where Defence Mechanisms (Controls) Are Located

3.3.2.1 Physical controls
Physical controls prevent unauthorized individuals from gaining access to a company's facilities.
• Common physical controls include walls, doors, fencing, gates, locks, badges, guards, and alarm systems.
• More sophisticated physical controls include pressure sensors, temperature sensors, and motion detectors.
• One weakness of physical controls is that they can be inconvenient to employees.

3.3.2.2 Access controls
Access controls restrict unauthorized individuals from using information resources.
• Access controls can be physical controls or logical controls.
• Logical controls are implemented by software. They involve authentication (confirming the identity of the person requesting access, e.g., with a password, token or biometric) and authorization (determining which actions that person is permitted to perform).
• Both types restrict unauthorized individuals from using information resources.
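
The following is an added example, not code from the textbook: a minimal logical access control in Python that separates the two decisions above. Authentication checks a credential against a stored salted hash with a constant-time comparison, and authorization grants an action only when one of the user's roles explicitly lists the (resource, action) pair, so anything not granted is denied. The users, passwords, roles and resources are invented for the demonstration; a real system would back them with a directory service and a slow password hash such as bcrypt or Argon2.

```python
"""Added example (not from the textbook): a logical access control.

Authentication answers "is this really user X?"; authorization answers
"is user X allowed to do this?". All names and credentials are invented.
"""
import hashlib
import hmac

# Constructed credential store: username -> salted SHA-256 hex digest.
# (Real systems use a slow, memory-hard hash such as Argon2 or bcrypt.)
_SALT = b"demo-salt"


def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


CREDENTIALS = {
    "alice": _digest("correct horse"),
    "bob": _digest("hunter2"),
}

# Constructed role assignments. A permission is the pair (resource, action);
# a role is granted an explicit set of them and nothing more.
USER_ROLES = {"alice": {"manager"}, "bob": {"clerk"}}
ROLE_PERMISSIONS = {
    "clerk": {("payroll", "read")},
    "manager": {("payroll", "read"), ("payroll", "approve")},
}


def authenticate(user: str, password: str) -> bool:
    """Authentication: unknown users and wrong passwords both fail; the
    constant-time comparison keeps timing from leaking which one it was."""
    stored = CREDENTIALS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _digest(password))


def authorize(user: str, resource: str, action: str) -> bool:
    """Authorization with default deny: only an explicit grant returns True."""
    for role in USER_ROLES.get(user, set()):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


def access(user: str, password: str, resource: str, action: str) -> str:
    """Full decision: authenticate first, then authorize. The returned
    string is what an access log entry would record."""
    if not authenticate(user, password):
        return "denied: authentication failed"
    if not authorize(user, resource, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    print(access("alice", "correct horse", "payroll", "approve"))  # granted
    print(access("bob", "hunter2", "payroll", "approve"))          # denied: not authorized
    print(access("bob", "wrong", "payroll", "read"))               # denied: authentication failed
    print(access("mallory", "x", "payroll", "read"))               # denied: authentication failed
```

The order matters: authorization is never consulted for an unauthenticated request, and a user with no roles, or a role with no permissions, falls through to the deny at the end rather than to an implicit allow.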

3.3.2.3 Communications controls
Communications (network) controls secure the movement of data across networks.
• They consist of firewalls, anti-malware systems, whitelisting and blacklisting, intrusion detection systems, encryption, virtual private networking (VPN), Secure Sockets Layer (SSL, since superseded by its successor TLS), vulnerability management systems, and employee monitoring systems.
• Whitelisting permits only explicitly approved software (or traffic) to run and blocks everything else; blacklisting blocks only what is explicitly listed as bad and permits everything else.

3.3.2.4 Application controls
Application controls, as their name suggests, are security countermeasures that protect specific applications.
• Application controls fall into three major categories: input controls (edit incoming data for errors of type, format and range before it is processed), processing controls (ensure that data are processed completely and accurately, e.g., by checking batch totals), and output controls (ensure that results are accurate and reach only authorized recipients).
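
The following is an added example, not code from the textbook, showing all three categories of application control on one constructed payroll-payment batch in Python. validate_payment is the input control (type, format and range checks built as allowlists), reconcile_batch is the processing control (record count, batch total and reference uniqueness must match what the sender declared), and mask_account and payment_report are the output control (the full account number never appears on a report). The field names, limits and sample records are invented for the demonstration.

```python
"""Added example (not from the textbook): input, processing and output
controls applied to a constructed payroll-payment batch.

Field names, limits and the sample records below are invented for this demo.
"""
import re
from decimal import Decimal, InvalidOperation

ALLOWED_CURRENCIES = {"CAD", "USD"}                 # allowlist of values
REFERENCE_RE = re.compile(r"^[A-Z0-9-]{1,20}$")     # allowlist of characters
MAX_AMOUNT = Decimal("100000.00")

# Constructed sample data: a clean two-record batch and one malformed record.
SAMPLE_BATCH = [
    {"amount": "1250.00", "currency": "CAD", "reference": "PAY-2024-001", "account": "123456789012"},
    {"amount": "980.50", "currency": "USD", "reference": "PAY-2024-002", "account": "00987654321"},
]
BAD_RECORD = {"amount": "-5.001", "currency": "EUR", "reference": "PAY 003; DROP TABLE", "account": "12ab"}


def validate_payment(record: dict) -> list:
    """Input control: type, format and range checks before any processing.
    Returns the list of errors; an empty list means the record is accepted."""
    errors = []
    try:
        amount = Decimal(str(record.get("amount")))
        if not amount.is_finite():            # rejects NaN and Infinity
            raise InvalidOperation
    except InvalidOperation:
        amount = None
        errors.append("amount is not a finite number")
    if amount is not None:
        if amount <= 0 or amount > MAX_AMOUNT:
            errors.append("amount out of range")
        if amount.quantize(Decimal("0.01")) != amount:
            errors.append("amount has more than two decimal places")
    if record.get("currency") not in ALLOWED_CURRENCIES:
        errors.append("currency not allowed")
    if not REFERENCE_RE.match(str(record.get("reference", ""))):
        errors.append("reference has invalid characters or length")
    account = str(record.get("account", ""))
    if not (account.isdigit() and 8 <= len(account) <= 12):
        errors.append("account must be 8-12 digits")
    return errors


def reconcile_batch(records: list, declared_count: int, declared_total: Decimal) -> bool:
    """Processing control: record count and batch total must equal what the
    sender declared, and references must be unique. This catches records
    lost, duplicated or altered between input and processing."""
    if len(records) != declared_count:
        return False
    if len({r["reference"] for r in records}) != len(records):
        return False
    total = sum((Decimal(str(r["amount"])) for r in records), Decimal("0"))
    return total == declared_total


def mask_account(account: str) -> str:
    """Output control: reports never carry the full account number."""
    return "*" * (len(account) - 4) + account[-4:]


def payment_report(records: list) -> list:
    """Output control applied to a whole batch: masked account, amount, currency."""
    return [f"{mask_account(r['account'])} {r['amount']} {r['currency']}" for r in records]


if __name__ == "__main__":
    print(validate_payment(SAMPLE_BATCH[0]))                     # []
    print(validate_payment(BAD_RECORD))                          # five errors
    print(reconcile_batch(SAMPLE_BATCH, 2, Decimal("2230.50")))  # True
    print(payment_report(SAMPLE_BATCH))
```

Two design choices are worth noting. Amounts are parsed as Decimal rather than float so that the batch total reconciles exactly, and every input check is an allowlist (which characters, which currencies, which length) rather than a list of bad values, so the record with a stray semicolon and SQL fragment in its reference is rejected without anyone having had to anticipate that particular payload.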

3.3.3 Business continuity planning, backup and recovery
• Hot site: a fully configured duplicate facility, with hardware, software and communications links in place, that can take over operations almost immediately.
• Warm site: a facility with hardware and communications in place but without the organization's current applications and data, which must be restored before operations resume.
• Cold site: a facility with basic services (space, power, cooling, connectivity) but no computer hardware; the lowest cost and the longest recovery time.

3.3.4 Information systems auditing
• Information systems auditing: independent or unbiased observers are tasked with ensuring that information systems work properly.
  ◦ Audit: an examination of information systems, their inputs, outputs and processing.
• Types of auditors and audits
  ◦ Internal: performed by corporate internal auditors.
  ◦ External: reviews the internal audit as well as the inputs, processing and outputs of information systems.

Closing Case
Information security at the International Fund for Animal Welfare (IFAW)
• The world's leading international animal welfare organization.
• Has approximately 375 experienced campaigners, legal and political experts working from 15 countries.
• Targets everything from baby seal hunts in Canada to the illegal trade in elephant tusks and rhinoceros horns in Africa.
The Business Problem
IFAW is a controversial force in conservation and has been targeted by individuals, organizations, and even governments that object to the organization's activities.

Closing Case
Questions
• Does the whitelisting process place more of a burden on the IT group at IFAW? Why or why not? Support your answer.
• What are the risks involved in IFAW's allowing users from its partner organizations to access the IFAW network?

Closing Case
The Results
• Using the Check Point software, IFAW implemented very restrictive controls on the software programs it allows to run on its hardware.
• One unexpected result was that IFAW was able to use the whitelisting system to identify and segregate unknown malware that was not recognized by IFAW's anti-malware software.
• One problem remained. Even though IFAW had success with its various defences, the organization still had to manage computers that it did not own.
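
The following is an added example in Python, not IFAW's or Check Point's code, illustrating the whitelisting versus blacklisting distinction from 3.3.2.3 and the result described in this closing case. A whitelist (allowlist) of SHA-256 digests of approved programs is checked with default deny, so a program that is neither approved nor a known signature is blocked and quarantined, which is exactly how an allowlist surfaces malware the anti-malware product has never seen. The blacklist function beside it shows the opposite default. The program contents, names and the "known malware" digest are constructed for the demonstration.

```python
"""Added example (not IFAW's or Check Point's code): application
whitelisting by cryptographic hash, beside the blacklisting it replaces.

The allowlist holds SHA-256 digests of the programs approved to run;
anything else is blocked and set aside for analysis. The program bytes,
names and the malware signature below are constructed for this demo.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "binaries": in practice these are the bytes read from disk.
APPROVED_PROGRAMS = {
    "payroll.exe": b"MZ payroll v3.2 (constructed sample)",
    "outlook.exe": b"MZ outlook 14 (constructed sample)",
}
ALLOWLIST = {sha256_hex(body): name for name, body in APPROVED_PROGRAMS.items()}

# Constructed blocklist: the signatures the anti-malware product knows about.
KNOWN_MALWARE = {sha256_hex(b"MZ well-known banking trojan (constructed sample)")}


def whitelist_decision(program: bytes) -> tuple:
    """Default deny: run only if the exact digest is on the allowlist.
    Unknown programs are blocked and quarantined so they can be examined;
    this is how an allowlist flags malware no signature yet describes."""
    digest = sha256_hex(program)
    if digest in ALLOWLIST:
        return ("allow", ALLOWLIST[digest])
    if digest in KNOWN_MALWARE:
        return ("block", "known malware")
    return ("block", "unknown program, quarantined for analysis")


def blacklist_decision(program: bytes) -> tuple:
    """Default allow: blocks only what the signature database already knows,
    so a never-seen program runs unchallenged."""
    digest = sha256_hex(program)
    if digest in KNOWN_MALWARE:
        return ("block", "known malware")
    return ("allow", "not in signature database")


if __name__ == "__main__":
    unknown = b"MZ never-seen-before dropper (constructed sample)"
    tampered = APPROVED_PROGRAMS["payroll.exe"] + b"\x90"  # a single extra byte
    for sample in (APPROVED_PROGRAMS["payroll.exe"], tampered, unknown):
        print(whitelist_decision(sample), blacklist_decision(sample))
```

The tampered sample shows both the strength and the cost that the first closing-case question asks about: changing one byte of an approved program changes its digest, so a trojanized binary is blocked, but so is every legitimate software update until the IT group has approved the new digest. That re-approval work is the extra burden an allowlist places on IT, and it is also why the third result above (computers IFAW did not own) remained a problem: an allowlist only protects machines it is enforced on.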
Copyright
Copyright © 2010 John Wiley & Sons Canada, Ltd. All rights reserved.
Reproduction or translation of this work beyond that permitted by
Access Copyright (the Canadian copyright licensing agency) is unlawful.
Requests for further information should be addressed to the
Permissions Department, John Wiley & Sons Canada, Ltd. The purchaser
may make back-up copies for his or her own use only and not for
distribution or resale. The author and the publisher assume no
responsibility for errors, omissions, or damages caused by the use of
these files or programs or from the use of the information contained
herein.