Chapter3

Chapter3 Security and privacy problems occur every day  Improve security  Deterrence: fines and arrest for hacking: Canada, Russia and U.S. worked together to arrest those charged with 1.5 billion account Yahoo hack.  Adding new tools, such as improved surveillance: Turn your Apple phone into a surveillance camera using the At Home Camera app.  How to bypass a locked Apple phone (although apparently this breach has been fixed – try it if you own an Apple phone, makes stolen phones usable).—— serious security hazard, enabling equipment to be used if it has been stolen or lost: a cautionary note to be careful with your equipment. 3.1 Ethics in the corporate environment and raised by IS  Ethics is the set of principles of right and wrong that individuals use to make choices that guide their behaviour.  Ethical Framework  The utilitarian approach states that an ethical action is the one that provides the most good or does the least harm.  The rights approach maintains that an ethical action is the one that best protects and respects the moral rights of the affected parties. Moral rights can include the rights to make one's own choices about what kind of life to lead, to be told the truth, to be not injured, and to enjoy a degree of privacy.  The fairness approach posits that ethical actions treat all human beings equally, or, if unequally, then fairly, based on some defensible standard.  The common good approach highlights the interlocking relationships that underlie all societies.  A code of ethics is a collection of principles intended to guide decision making by members of the organization.  Fundamental tenets of ethics include responsibility, accountability, and liability:  Responsibility means that you accept the consequences of your decisions and actions.  Accountability means determining who is responsible for actions that were taken.  Liability is a legal concept that gives individuals the right to recover the damages done to them by other individuals, organizations, or systems. 1. A framework for IT ethical issues 1) Privacy issues involve collecting, storing, and disseminating information about individuals. 2) Accuracy issues involve the authenticity, fidelity, and correctness of information that is collected and processed. 3) Property issues involve the ownership and value of information . 4) Accessibility issues revolve around who should have access to information and whether they should pay a fee for this access.

——Data is everywhere – how much is private?  Data aggregators use the Internet and other sources to develop personal profiles (also called a digital dossier ). Refer to text, Section 3.2, p. 70. ( data aggregators, who collect data about individuals and businesses then sell the organized collected data for a fee)  Time Doctor lets you view employee computer activity. How much observation is intrusive? Video of “capabilities” of the software: how to use software that monitors employees ——It provides a graphic illustration of the fact that companies can take screenshots of what an employee is doing as well as searching the traffic detail. There is exact detail available of what the employee searched and which web sites were accessed. The employer can also see when an employee is working, 2. Four Step approach to solve an ethical dilemma (Table 3.1, p. 66) 1) Recognize an ethical issue (why or how it is an ethical issue and whether you can do anything about it.) 2) Get the facts (collect details about it (gather the facts)) 3) Evaluate alternative actions (usually more than one available course of action to respond to a situation) 4) Make a decision and test it (select the best course of action and implement it) 3. Compare this to the GVV (Giving voice to values )Approach (Table 3.1, p. 66)  It makes the assumption that you decide to act in an ethical way, and that you use this framework to help you. 1) Identify an ethical issue 2) Purpose and choice (i.e. yours) 3) Stakeholder analysis

4) Powerful response 5) Scripting and coaching ——Ethical dilemma practice (traditional framework)  Security Company Database:  Problem: Last week, you purchased a used computer from a friend who is a recently retired security company officer. Upon using the computer, you found several large files that seem to contain data about the activities and profiles of hundreds of people in your city.  Use the four steps for resolving an ethical issue to decide what you should do. 1. Recognizing the ethical issue: Confidential data has been located on a used personal computer. The machine was purchased from a friend, and was apparently used for work purposes by the friend. I should not have access to this data. 2. Get the facts: The data on this hard drive is now available for my use or misuse. Should the individuals listed on the hard drive be informed about the data? Should you tell your friend about it or his/her previous employer? Determine who is affected by the outcome and how: As a minimum the people affected are yourself (the purchaser), your friend (the vendor), the people whose names are listed on the hard drive, and the security company that was my friend’s previous employer. 3. Evaluate reasonable alternative actions: Is the simplest action to reformat the hard drive (i.e. eliminating the data)? Another possible option is to return the machine to the friend and let him/her remove the data. You could also call the newspaper and inform them about the data (not really a reasonable alternative), or sell the data and make some money – not a good idea either. Identify the consequences of each alternative: The last two alternatives above are not really that healthy – they could result in the loss of your friend or other problems. Technically, it can be difficult to erase data from a hard drive (as utilities are available to recover deleted files), so erasing the information yourself might not be productive. A key question is whether your friend would ultimately remember that the data is present on the hard drive – if not, it could never become an issue! 4. Make a decision and test it: The action taken depends upon your own perspective of the situation. It would be wise to consider the law when making your decision. My own decision would likely be to return the computer to my friend and ask him to take care of it. 3.2 Privacy and how IT affects privacy ——What could go wrong with a digital dossier?  Privacy issues (p. 70) involve collecting, storing and disseminating information about individuals  This video illustrates a bit of a privacy nightmare. How many privacy violations can you count in the video?  What about video camera recordings ？ 1. Privacy: privacy is the right to be left alone and to be free of unreasonable personal intrusions.  Information privacy is the right to determine when, and to what extent, information about you can be gathered and/or communicated to others.  Privacy rights apply to individuals, groups, and institutions.  Two rules fairly closely:  The right of privacy is not absolute. Privacy must be balanced against the needs of society.  The public's right to know supersedes the individual's right of privacy. 2) Digital dossier: is an electronic profile of you and your habits. 3) Profiling: The process of forming a digital dossier

4) Electronic surveillance is rapidly increasing, particularly with the emergence of new technologies. Electronic surveillance is conducted by employers, the government, and other institutions 1) Privacy: privacy is the right to be left alone and to be free of unreasonable personal intrusions. 2. Privacy policy guidelines: a sampler (Table 3.3, p. 76)  an organization’s privacy policy guideline provides guidance about how information should be collected. It also explains responsibilities about data accuracy and data confidentiality.  A specific policy for an organization will provide more detail, for example, listing those individuals who may have access to particular information, and who should provide permission if information is to be disclosed.  Codify requirements for employees  Provide a standard set of procedures  Help protect organizations from litigation  Can be used as a measurement tool if disciplinary action is required 3.3 Impact of legislation and privacy codes on privacy . 1. Two major pieces of federal legislation that affect individual privacy 1) Privacy in Canada: PIPEDA (Personal Information Protection and Electronic Documents Act, 2004)  The ten basic principles of PIPEDA  provide processes for an organization to handle information, protect it, and allow for an individual to assess its accuracy and correct the information where necessary.  promote consistent handling of information (whether in manual or automated form) by all organizations.  PIPEDA is privacy legislation intended to protect individuals.  It is federal legislation, based upon the privacy principles that are incorporated in the Canadian Standards Association (CSA) model.

 The Canadian Charter of Rights and Freedoms is intended to protect an individual’s right to privacy, whereas PIPEDA is limited to the privacy of personal information.  PIPEDA covers factual or subjective information about an individual person that would include all of these. In addition, it establishes a class of information called sensitive personal information which might include information such as religious beliefs, health conditions, or ethnic origin  Benefits of high quality information privacy are from a business perspective:  To protect the organization’s public image or brand images;  To maintain or enhance trust and promote continued consumer confidence in the organization and promote goodwill;  To achieve a competitive advantage in the marketplace by maintaining high quality, accurate customer information;  To meet legal requirements of industry associations or organizations (such as of e-payment and credit card processors);  To efficiently managing personal information, reducing administration or data handling costs and avoiding additional financial costs, such as the need to modify information systems to meet legal requirements. ——Annual privacy reports to Parliament by the Office of the Privacy Commissioner of Canada (OPC): 2) Anti-spam legislation  Canada’s anti-spam legislation (CASL, Bill C-28) came into effect July 1, 2014  Some asked me to opt-in and specify what type of emails I was prepared to receive (for example, about which technical topics or types of events that were coming up), while others only provided an option to opt-out if I no longer wanted to receive emails.  The organization must request consent before sending emails and must have a record of that consent – how will this affect spam? 3. Privacy Codes and Policies  Privacy policies or privacy codes are an organization's guidelines for protecting the privacy of its customers, clients, and employees.  The opt-out model of informed consent that permits a company to collect personal information until the customer specifically requests that the data not be collected of informed consent permits the company to collect personal information until the customer specifically requests that the data not be collected.  Privacy advocates prefer the opt-in model of informed consent in which a business is prohibited from collecting any personal information unless the customer specifically authorizes it. of informed consent, which prohibits an organization from collecting any personal information unless the customer specifically authorizes it. 3.4 Threats and risks to information security and IS ——One of the jobs of management is to keep assets and systems secure and operating at organizations. To do this, organizations need to understand threats and risks to information systems so that they can be mitigated using controls. 1. CANADA’s Treasury Board: Management of Information Technology Security Standards The policy explains that security requires regular risk assessment, along with controls to prevent and mitigate risks.  Provides standards for federal deputy ministers and department heads  The IT departments will be responsible for implementing the procedures and processes to meet the standards