20 March, 2010

Ethics and Security

Question One - Explain the ethical issues surrounding information technology.

Information technology has a variety of ethical issues that surround its use. Some of these issues include:
  • Privacy: the interest of a person in protecting their life from unwanted intrusion and public scrutiny. Whilst no single person in Australia has a right to privacy, unlawful interference with privacy is regulated by the Privacy Act 1988 (Cth).
  • Confidentiality: the principle that certain information will be kept outside the public domain.
  • Intellectual property: a collection of rights that protect creative and intellectual effort.
  • Copyright: the exclusive right to do, or omit to do, certain acts with an intangible property, such as a song, video game, or certain proprietary documents.
  • Pirated software: the unauthorised use, duplication, distribution or sale of copyrighted software.
  • Counterfeit software: software that is manufactured to look authentic, and sold on this premise, even though it is not.

Question Two - Describe the relationship between an "email privacy policy" and an "Internet usage policy".

An "email privacy policy" establishes policies pertaining to the use of electronic communication within an organisation. It usually addresses how employees may use email and the Internet for non-employment purposes, what activities are permitted, what information will be recorded and who will have access to this information, and provides for the monitoring and auditing process that will consider the information gathered.

An "Internet usage policy" contains general principles to guide the proper use of the Internet. It usually addresses what services are available for use by employees, defines the organisation's position on the use of the Internet, describes user responsibilities, and states the ramifications for a breach or violation of the policy.

Question Three - Summarise the five steps to creating an information security policy.

Step One: Develop the information security policies - identifies who is responsible and accountable for designing and implementing the organisation's information security policies.

Step Two: Communicate the information security policies - train all employees on the policies and establish clear expectations for the following of the policies.

Step Three: Identify critical information assets and risks - require the use of user ID, passwords and antivirus software on all computer systems, ensure that all networks are properly secured, and that the proper measures are implemented to deal with security threats.

Step Four: Test and re-evaluate risks - continually perform security reviews, audits, background checks and assessments.

Step Five: Obtain stakeholder support - gain the approval and support of the board of directors and all stakeholders.

Question Four - What do the terms authentication and authorisation mean? How do they differ? Provide some examples of each.

Authentication is the process of confirming users' identities. It is usually based upon something a user knows (e.g. a user ID and password), something a user has (e.g. a smart card or token), or something that is a part of the user (e.g. a fingerprint or voice signature).

Authorisation is the process of giving someone, whose identity has been authenticated, access to information or permission to do or have something.

An example of these two working together would be logging onto a web-based email system, such as NineMSN's Hotmail. The process of authentication begins with the user entering their email address and password. Once both of these have been confirmed, the user is authorised to read emails in their inbox, send emails to other recipients, alter address book details etc.
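As an added illustration (not part of the original post), a small Python sketch of the web-mail example above: authentication checks the supplied password against a stored salted hash, and only then does authorisation decide which mailbox actions the confirmed identity may perform, and on whose mailbox. The account store, e-mail addresses, passwords and permission names are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000  # PBKDF2 work factor; higher is slower for a guesser


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (never store the password itself)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_account(password: str, perms: set) -> dict:
    salt = os.urandom(16)  # per-account random salt
    return {"salt": salt, "hash": hash_password(password, salt), "perms": perms}


# Constructed sample account store (hypothetical users and permissions).
USERS = {
    "alice@example.com": make_account("correct horse", {"read_inbox", "send_mail", "edit_contacts"}),
    "bob@example.com": make_account("hunter2", {"read_inbox"}),  # read-only mailbox
}

# Dummy record so an unknown address costs the same hashing time as a wrong password.
_DUMMY = make_account("unused", set())


@dataclass(frozen=True)
class Session:
    """Proof that authentication succeeded for this user."""
    user: str


def authenticate(email: str, password: str):
    """Something the user knows (password) confirms the claimed identity, or returns None."""
    rec = USERS.get(email, _DUMMY)
    candidate = hash_password(password, rec["salt"])
    # Constant-time comparison avoids leaking how many bytes of the hash matched.
    if email not in USERS or not hmac.compare_digest(candidate, rec["hash"]):
        return None
    return Session(user=email)


def authorise(session, action: str, mailbox_owner: str) -> bool:
    """Only an authenticated user may act, only on their own mailbox, only with a granted permission."""
    if session is None:
        return False
    if session.user != mailbox_owner:
        return False
    return action in USERS[session.user]["perms"]
```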

Question Five - What are the five main types of security risks? Suggest one method to lessen the severity of a risk.

The five main types of security risks and related methods to lessen their severity are:
  • Human Error: as humans are not infallible, they are prone to accidental error. These errors are not malicious in nature, but can still have a detrimental effect on an organisation. To lessen the severity of this risk, organisations should ensure employees are properly trained in their field and are kept up to date with relevant practices.
  • Natural Disasters: natural disasters are outside the realm of control of organisations. Natural disasters include fire, earthquakes and destructive storms. The impact of this risk can be lessened through companies ensuring they have backup data located in alternative locations, so that if they lose their primary location of operation, they do not lose all their data and records.
  • Technical Failures: technical failures affect the technology an organisation implements, such as computers and other related hardware. Examples of technical failure include malicious software, viruses and hoaxes. This risk can be minimised through the proper installation of anti-virus software and anti-spyware software, and the constant review of technology and its application.
  • Deliberate Acts: deliberate acts are usually traced to the malicious intent and behaviour of employees and past employees. They involve events such as hacking and exposing sensitive data to the public. The risk can be minimised by ensuring passwords and encryption software are regularly changed so that employees do not have the chance to exploit a company's security once their employment has been terminated.
  • Management Failure: this is essentially the failure of management to uphold its duty to the organisation. It usually presents as a lack of procedure, in which managers fail to coordinate the efforts of their organisation. This issue can be avoided by ensuring managers are properly trained and competent in their duties.
