IT Governance Professional Level PDF
This document is a summary of IT Governance for Professional Level, prepared by MD. SOHEL BEPARY. It covers various chapters on IT governance, policies, laws, security, and auditing.
A Complete Summary of IT Governance as per references for Professional Level
Prepared by: MD. SOHEL BEPARY

Table of Contents
CHAPTER # 01: INFORMATION TECHNOLOGY POLICIES AND LAWS ... 1
  A. National ICT Policy 2009 ... 1
  B. Information and Communication Technology Act, 2006 ... 4
     DIGITAL SECURITY ACT 2018 ... 7
  C. Ethical and Social Issues in Information Systems ... 12
CHAPTER # 02: DECISION SUPPORT SYSTEMS ... 20
  A. Decision Support in Business ... 20
  B. Artificial Intelligence Technologies in Business ... 26
  C. Understanding Blockchain Technology ... 31
  D. Understanding Fintech Technologies ... 38
CHAPTER # 03: IT GOVERNANCE, ORGANISATION AND STRATEGY ... 42
  A. IT Governance ... 42
  B. IT Organisations and Strategy ... 43
CHAPTER # 04: INFORMATION SYSTEMS SECURITY ... 53
  A. System Vulnerability and Abuse ... 53
  B. Business Value of Security Control ... 55
  C. Ethical Responsibilities of Business Professional ... 56
  D. Computer Crime ... 57
  E. Privacy Issues ... 59
  F. Current State of Cyber Law ... 60
  G. Other Challenges ... 61
  H. Establishing a Framework for Security and Control ... 63
  I. Technologies and Tools for Security ... 65
  J. Information Security Management ... 68
  K. Auditing Information Security Management Framework ... 71
  L. Cybersecurity ... 75
CHAPTER # 05: DEVELOPING BUSINESS/ IT SOLUTIONS ... 79
  A. Developing Business Systems ... 79
  B. Implementing Business Systems ... 87
CHAPTER # 06: INFORMATION SYSTEMS AUDITING ... 94
  A. Management of the IS Audit Function ... 94
  B. ISACA IS Audit and Assurance Standards and Guidelines ... 96
  C. IS Controls ... 97
  D. Performing an IS Audit ... 103
  E. Communicating Audit Results ... 115

CHAPTER # 01: INFORMATION TECHNOLOGY POLICIES AND LAWS

A. National ICT Policy 2009

Structure and Conventions
The policy document is structured as a hierarchical pyramid with a single vision, 10 broad objectives, 56 strategic themes and 306 action items. The vision and objectives are aligned with the general national goals, while the strategic themes are areas within the broad objectives that can readily benefit from the use of ICTs. The action items are generally meant to be implemented either in the short term (18 months or less), medium term (5 years or less) or long term (10 years or less). However, some action items have been recommended for continuation throughout multiple terms, where the scope of the activity gradually expands in the longer terms. Conventional notions of vision, objective, strategic theme, etc. tend to differ greatly from person to person and from discipline to discipline.
Thus, for the purpose of this policy proposal, the following definitions have been adopted for a) Vision, b) Objective, c) Strategic Theme, d) Action Item, and e) ICTs.

B. Policy Ownership, Monitoring and Review
The ICT Policy must be owned by all stakeholder groups, who will continually seek to have the mandates of the policy adhered to in all spheres of national life. The policy must have a Champion in the highest levels of the Government. Accordingly, the following Policy Ownership arrangement is envisaged. The National ICT Policy shall be monitored and coordinated by the Minister in charge of ICT, while the associated action programmes will be implemented and/or supported by the Bangladesh Computer Council or its successor organisation; all Government agencies and quasi-state bodies will implement the ICT Policy in their respective areas. Instruction from the National ICT Task Force will be taken for any deviation in implementing the Policy.
The action plans under the policy shall be reviewed at least once a year for implementation status checks, necessary reprioritizations and changes in programmes. The strategic themes shall be reviewed every three years, along with realignment of specific goals with new developments. The whole policy itself shall be reviewed in totality every six years, and long-term goals adjusted according to achievements and failures along the way. With the aims and objectives of the National ICT Policy 2009 materialized, Bangladesh is expected to become a ‘knowledge society’ within one generation.

Vision
Expand and diversify the use of ICTs to establish a transparent, responsive and accountable government; develop skilled human resources; enhance social equity; ensure cost-effective delivery of citizen-services through public-private partnerships; and support the national goal of becoming a middle-income country within 2021 and join the ranks of the developed countries of the world within thirty years.
Objectives
Social Equity: Ensure social equity, gender parity, equal opportunity and equitable participation in nation-building through access to ICTs for all, including persons with disabilities and special needs.
Productivity: Achieve higher productivity across all economic sectors, including agriculture and SMME (small, medium and micro enterprises), through the use of ICTs.
Integrity: Achieve transparency, accountability, responsiveness and higher efficiency in the delivery of citizen-services.
Education and Research: Expand the reach and quality of education to all parts of the country using ICTs, ensure computer literacy at all levels of education and public service, and facilitate innovation, creation of intellectual property and adoption of ICTs through appropriate research and development.
Employment Generation: Enlarge the pool of world-class ICT professionals to cater to local and overseas employment opportunities.
Strengthening Exports: Ensure a thriving software, ITES and IT manufacturing industry to meet domestic and global demands and thereby increase foreign exchange earnings, attract foreign direct investments and reduce dependence on imports.
Healthcare: Ensure quality healthcare to all citizens by innovative application of ICTs.
Page 1 of 123
Universal Access: Ensure connectivity to all as a public service obligation (PSO).
Environment, Climate and Disaster Management: Enhance creation and adoption of environment-friendly green technologies, ensure safe disposal of toxic wastes, minimize disaster response times and enable effective climate change management programmes through use of ICTs, as Bangladesh is facing the dual scourge of environmental pollution due to rising industrial and consumer wastes and also global-warming-induced climate change due to excessive carbon emissions of the industrialized countries.
Supports to ICTs: Develop appropriate infrastructure, including power, and a regulatory framework for effective adoption and use of ICTs throughout the country.

E. Strategic Themes

E.1. Social Equity:
1.1 Mainstream social advancement opportunities for disadvantaged groups as an immediate priority to minimize economic disparity and bridge the digital divide for (a) lower income groups, (b) ethnic minorities, (c) women, and (d) persons with disabilities and special needs
1.2 Facilitate citizens’ participation in local and national government, and policy making as a broad national agenda
1.3 Provide incentives to the private sector and NGO/CSO/CBOs to generate and share locally relevant and local language digital content and online services
1.4 Develop and preserve content to bolster culture, heritage and religion
1.5 Bring into focus children's issues, including protection of children from harmful digital content
E.2. Productivity:
2.1 Encourage maximum utilization of ICT services nationwide to boost productivity of small, medium and micro enterprises and the agriculture sector, and focus on innovation and competitiveness
2.2 Ensure dissemination and utilization of the latest know-how and market information to increase production capability and supply chain management of agriculture through ICT applications
2.3 Ensure better monitoring, skills gap determination, appropriate training and modern enterprise operations to enhance productivity of large enterprises by encouraging immediate implementation of end-to-end applications (ERP)
2.4 Ensure sustainable productivity in the service sector through increased automation of operations and management information systems
2.5 Encourage e-commerce, e-payments, and e-transactions in general, bringing a new dimension of productivity to the economy at the earliest

E.3. Integrity:
3.1 Ensure the use of Bangla in all ICT activities
3.2 Reduce harassment, time and cost of the people and ensure transparency and accountability in government service delivery by monitoring citizens' charters and making results of all service delivery public, including services related to justice and law & order
3.3 Establish interconnectivity across government offices for effective data sharing
3.4 Build capacity of public functionaries and foster leadership for electronic service delivery
3.5 Mandate availability of all public information through electronic means and ensure sustainability of ICT-based citizens’ services delivery
3.6 Introduce ICT-based monitoring of planning, implementation and effectiveness of development projects

E.4. Education and Research:
4.1 Assess skills of ICT professionals and meet gaps with targeted training programmes to overcome the short-term skills shortage in the ICT industry, and adopt continuing education and professional skills assessment and enhancement programmes
4.2 Encourage closer collaboration between academia and industry to align curriculum with market needs
4.3 Establish an ICT Centre of Excellence with necessary long-term funding to teach and conduct research in advanced ICTs
4.4 Extend the reach of ICT literacy throughout the country by incorporating ICT courses in primary and secondary education and technical and vocational education and training (TVET) programmes
4.5 Enhance the quality and reach of education at all levels with a special focus on Mathematics, Science and English
4.6 Ensure ICT literacy for all in public service
4.7 Boost use of ICT tools in all levels of education, including ECDP, mass literacy and lifelong learning
4.8 Ensure access to education and research for people with disabilities and special needs using ICT tools
4.9 Ensure that all universities provide global standard ICT education and introduce Postgraduate Programmes in ICT education to encourage research and innovation

E.5. Employment Generation:
5.1 Provide incentives for investment in the local ICT industry
5.2 Build institutional capacity for producing a greater number of IT professionals in line with domestic and global demands for knowledge workers
5.3 Standardize skills for the local ICT industry
5.4 Facilitate global employment of the skilled ICT workforce
5.5 Provide financial assistance to ICT professionals for skills development

E.6. Strengthening Exports:
6.1 Develop strong marketing, promotion and branding for Bangladeshi ICT products and services in global markets
6.2 Ensure access to finance for promising software and ITES companies
6.3 Develop and maintain reliable ICT infrastructure
6.4 Provide incentives to increase export and create an industry-friendly policy and enabling environment
6.5 Foster innovation through research and development to improve quality, process, technology, domain, value chain and niche markets

E.7. Healthcare:
7.1 Improve management of the healthcare delivery system using telemedicine and modern technologies
7.2 Improve community awareness and access to health care facilities for all, including difficult-to-access areas, with a special emphasis on child, maternal and reproductive health
7.3 Ensure Quality Assurance of health care services
7.4 Enhance capacity of the National Health Service Delivery System

E.8. Universal Access:
8.1 Extend universal connectivity to all citizens as a public service obligation within 5 years
8.2 Extend internet backbone infrastructure to all district headquarters immediately at the same access cost as in the capital
8.3 Extend Internet and IP telephony services to all parts of the country within 5 years through providing incentives as stipulated in the national telecom policy
8.4 Make IP-based telecommunications ubiquitous and affordable by all through aggressive adoption of NGN and a license-free regime

E.9. Environment, Climate and Disaster Management:
9.1 Promote entire environmental preservation, including land and water resources, by adopting environment-friendly green technologies
9.2 Promote entire environmental protection, including land and water resources, through the use of ICT tools
9.3 Protect citizens from natural disasters through ICT-based disaster warning and management technologies
9.4 Ensure safe disposal of toxic wastes resulting from use of ICTs
9.5 Promote efficient relief management and post-disaster activities monitoring
E.10. Supports to ICTs:
10.1 Ensure reliable and cost-effective power
10.2 Create a supportive legal framework for IPR protection, online document sharing, transactions and payments
10.3 Establish a Government Interoperability Framework to be adhered to by all government ICT projects
10.4 Promote the use of cost-effective, open source and open architecture solutions
10.5 Build ICT infrastructure facilities in educational institutions
10.6 Decentralize ICT growth outside the capital
10.7 Improve education quality in IT, Mathematics and English
10.8 Improve Internet availability and reliability

B. Information and Communication Technology Act, 2006

"Digital signature" means data in an electronic form, which--
a) is related with any other electronic data directly or logically; and
b) is able to satisfy the following conditions for validating the digital signature--
   (i) affixed with the signatory uniquely;
   (ii) capable of identifying the signatory;
   (iii) created in a safe manner or using a means under the sole control of the signatory; and
   (iv) related with the attached data in such a manner that any alteration made in the data thereafter can be identified.

Sec- 6: Legal recognition of electronic records.--Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is rendered or made available in an electronic form: Provided that such information or matter is accessible so as to be usable for a subsequent reference.

Sec- 9: Retention of electronic records.--(1) Where any law provides that any document, record or information shall be retained for any specific period, then such requirement shall be deemed to have been satisfied if such documents, records or information, as the case may be, are retained in the electronic form and the following conditions are satisfied--
a) the information contained therein remains accessible so as to be usable for a subsequent reference;
b) the electronic record is retained in the format in which it was originally generated, sent or received, or in a format which can be demonstrated to represent accurately the information originally generated, sent or received;
c) such information, if any, as enables the identification of the origin and destination of an electronic record and the date and time when it was sent or received, is retained:
Provided that this sub-clause does not apply to any information which is automatically generated solely for the purpose of enabling an electronic record to be dispatched or received.

Sec- 19: Functions of the Controller.--The Controller may perform all or any of the following functions, namely:--
a) exercising supervision over the activities of the Certifying Authorities;
b) laying down the standards to be maintained by the Certifying Authorities;
c) specifying the qualifications and experience which employees of the Certifying Authorities should possess;
d) specifying the conditions subject to which the Certifying Authorities shall conduct their business;
e) specifying the contents of written, printed or visual materials and advertisements that may be used in respect of a Digital Signature Certificate;
f) specifying the form and content of a Digital Signature Certificate;
g) specifying the form and manner in which accounts shall be maintained by the Certifying Authorities;
h) specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them for auditing the Certifying Authorities;
i) facilitating the establishment of any electronic system by a Certifying Authority, either solely or jointly with other Certifying Authorities, and regulation of such systems;
j) specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers;
k) resolving any conflict of interests between the Certifying Authorities and the subscribers;
l) laying down the duties and responsibilities of the Certifying Authorities;
m) maintaining computer-based databases, which--
   i. contain the disclosure record of every Certifying Authority, containing such particulars as may be specified by regulations; and
   ii. shall be accessible to members of the public;
n) performing any other function under this Act or Codes prepared under this Act.
Sec- 30: Access to computers and data.—
(1) Without prejudice to the provisions of section 45 of this Act, the Controller or any officer authorized by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this Act or rules and regulations made thereunder has been committed, have access to any computer system, any apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system.
(2) For the purpose of sub-section (1) of this section, the Controller or any officer authorized by him may, by order, direct any person in charge of, or otherwise concerned with the operation of, the computer system, data apparatus or material, to provide him with such reasonable technical and other assistance as he may consider necessary.
(3) If authorization has been given to a person, the authorized person shall be obliged to assist as instructed under sub-section (1) of this section.

Sec- 39: Suspension of Digital Signature Certificate.—
1. Subject to the provisions of sub-section (2) of this section, the Certifying Authority which has issued a Digital Signature Certificate may suspend such Digital Signature Certificate—
   a. on receipt of a request to that effect from the subscriber listed in the Digital Signature Certificate or any person duly authorized to act on behalf of that subscriber;
   b. if it is of the opinion that the Digital Signature Certificate should be suspended in the public interest.
2. A Digital Signature Certificate shall not be suspended for a period exceeding 30 (thirty) days without giving the subscriber a notice under sub-section 1 (b) of this section.
3. The Certifying Authority can suspend the Digital Signature Certificate if the Authority is satisfied that the explanation given by the subscriber in response to the notice under sub-section (2) of this section is not acceptable.
4. On suspension of a Digital Signature Certificate under this section, the Certifying Authority shall communicate the same to the subscriber.

BREACHING RULES, PREVENTION, PENALTIES ETC.

Sec- 48: Penalty for failure to furnish document, return and report.—If any person fails to submit any document, return or report required under the provisions of this Act, or rules and regulations made thereunder, to the Controller or Certifying Authority, the Controller or any officer of the Government authorized by the Government by special order, as the case may be, can fine the person an amount which may extend to Taka ten thousand, stating reasons in writing by administrative order.

Sec- 49: Penalty for failure to file return, information, book etc.—If any person fails to deliver any information, books or any other documents required under the provisions of this Act, or rules and regulations made thereunder, within the stipulated time, the Controller or any officer of the Government authorized by the Government by special order, as the case may be, can fine the person an amount which may extend to Taka ten thousand, stating reasons in writing by administrative order.

Sec- 50: Penalty for failure to maintain books of accounts or record.—If any person fails to maintain books of accounts or records which are required to be preserved under the provisions of this Act, or rules and regulations made thereunder, the Controller or any officer of the Government authorized by the Government by special order, as the case may be, can fine the person an amount which may extend to Taka two lakhs, stating reasons in writing by administrative order.
Sec- 51: Residuary penalty.—If any person contravenes any rule of this Act for which a penalty has not been fixed separately under the provisions of this Act, or rules and regulations made thereunder, the Controller or any officer of the Government authorized by the Government by special order, as the case may be, can fine the person for breaching that rule an amount which may extend to Taka twenty five thousand, stating reasons in writing by administrative order.

OFFENCES, INVESTIGATION, ADJUDICATION, PENALTIES ETC.

Sections 54 to 57 and 66 have been repealed by the Digital Security Act, 2018.

58. Punishment for failure to surrender licence.--(1) Where any Certifying Authority fails to surrender a licence under section 34 of this Act, the failure of the person in whose favour the licence was issued shall be an offence.
(2) Whoever commits an offence under sub-section (1) of this section shall be punishable with imprisonment for a term which may extend to six months, or with fine which may extend to Taka ten thousand, or with both.

59. Punishment for failure to comply with order.--(1) If any person fails to comply with any order made under section 45 of this Act, that act of his shall be regarded as an offence.
(2) Whoever commits an offence under sub-section (1) of this section shall be punishable with imprisonment for a term which may extend to one year, or with fine which may extend to Taka one lakh, or with both.

60. Punishment for failure to comply with order made by the Controller in emergency.--(1) If any person fails to comply with any order made under section 46 of this Act, that act of his shall be regarded as an offence.
(2) Whoever commits an offence under sub-section (1) of this section shall be punishable with imprisonment for a term which may extend to five years, or with fine which may extend to Taka five lakhs, or with both.

61. Punishment for unauthorized access to protected systems.--(1) If any person secures access or attempts to secure access to a protected system in contravention of section 47 of this Act, that act of his shall be regarded as an offence.
(2) Whoever commits an offence under sub-section (1) of this section shall be punishable with imprisonment for a term which may extend to ten years, or with fine which may extend to Taka ten lakhs, or with both.

62. Punishment for misrepresentation and obscuring information.--(1) Making any misrepresentation to, or suppressing any material fact from, the Controller or the Certifying Authority for obtaining any licence or Digital Signature Certificate shall be regarded as an offence.
(2) Whoever commits any offence under sub-section (1) of this section shall be punishable with imprisonment for a term which may extend to two years, or with fine which may extend to Taka two lakhs, or with both.

63. Punishment for disclosure of confidentiality and privacy.--(1) Save as otherwise provided by this Act or any other law for the time being in force, if any person who, in pursuance of any of the powers conferred under this Act, or rules and regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material discloses such electronic record, book, register, correspondence, information, document or other material to any other person without the consent of the person concerned, that act shall be regarded as an offence.
(2) Whoever commits any offence under sub-section (1) of this section shall be punishable with imprisonment for a term which may extend to two years, or with fine which may extend to Taka two lakhs, or with both.

64. Punishment for publishing false Digital Signature Certificate.--(1) No person shall publish a Digital Signature Certificate or otherwise make it available to any other person knowing that--
(a) the Certifying Authority listed in the certificate has not issued it; or
(b) the subscriber listed in the certificate has not accepted it; or
(c) the certificate has been revoked or suspended;
unless such publication is for the purpose of verifying a digital signature created prior to such suspension or revocation. Publishing such a Digital Signature Certificate, or otherwise making it available to others, in breach of this rule shall be regarded as an offence.
(2) Whoever commits any offence under sub-section (1) of this section shall be punishable with imprisonment for a term which may extend to two years, or with fine which may extend to Taka two lakhs, or with both.

65. Punishment for publishing Digital Signature Certificate for fraudulent purpose etc.--(1) Knowingly creating and publishing, or otherwise making available, a Digital Signature Certificate for any fraudulent or unlawful purpose shall be regarded as an offence.
(2) Whoever commits any offence under sub-section (1) of this section shall be punishable with imprisonment for a term which may extend to two years, or with fine which may extend to Taka two lakh, or with both.

67. Offences committed by companies etc.--If any offence is committed by a company under this Act, then each director, manager, secretary, partner, officer and staff of the company who is directly involved in committing the said offence shall be guilty of the offence or the contravention, as the case may be, unless he proves that the offence or contravention was committed without his knowledge or that he exercised due diligence in order to prevent the commission of such offence or contravention.
Explanation.—For the purposes of this section.— (a) "company" means any body corporate and includes a commercial firm, partnership business, cooperative, association, organization or other association of individuals; and (b) "director" in relation to a commercial firm includes a partner or member of the Board of Directors.

Page 6 of 123

DIGITAL SECURITY ACT 2018

CHAPTER SIX: Crime and Punishment

17) Punishment for Illegal Entrance in Critical Information Infrastructure, etc.:-
(1) If any person intentionally or knowingly, in any Critical Information Infrastructure-
a) illegally enters, or
b) by means of illegal entrance, harms or destroys or renders inactive the infrastructure or tries to do so,
then the above activity of that person will be an offense under the Act.
(2) If any person under sub-section (1)-
a. commits any offense within Clause (a), then the person will be penalized with imprisonment for a term not exceeding 7 (seven) years or with fine not exceeding 25 (twenty five) lacs taka or with both.
b. commits any offense within Clause (b), then the person will be penalized with imprisonment for a term not exceeding 14 (fourteen) years or with fine not exceeding 1 (one) crore taka or with both.
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently commits the offense, then he will be punished with lifetime imprisonment or with fine not exceeding 5 (five) crore taka or with both.

18) Illegal Entrance in computer, digital device, computer system, etc. and punishment:-
(1) If any person willingly-
a. illegally enters or helps to enter in any computer, computer system or computer network, or
b. illegally enters or helps to enter with the intention of committing a crime,
then the activity of that person will be an offense under the Act.
(2) If any person under sub-section (1)-
a. commits any offense within Clause (a), then the person will be penalized with imprisonment for a term not exceeding 6 (six) months or with fine not exceeding 3 (three) lacs taka or with both.
b. commits any offense within Clause (b), then the person will be penalized with imprisonment for a term not exceeding 3 (three) years or with fine not exceeding 10 (ten) lacs taka or with both.
(3) If an offence within sub-section (1) is committed in the case of a secured computer or computer system or computer network, then the person will be penalized with imprisonment for a term not exceeding 3 (three) years or with fine not exceeding 10 (ten) lacs taka or with both.
(4) If any person commits the offense within this Section for the second time or recurrently commits it, then he will be penalized with punishment that is two times the punishment designated for the main offense.

19) Damage of Computer, Computer System, etc. and punishment:-
(1) If any person-
a. collects any data or data-storage, information or part of it from any computer, computer system or computer network, or collects transferable information or part of it or a copy of it stored in the said computer, computer system or computer network, or
b. intentionally inserts or tries to insert any virus or malware or any harmful software in any computer or computer system or computer network, or
c. intentionally harms or tries to harm the data or data-storage of any computer, computer system or computer network, or harms or tries to harm the programs protected in a computer, computer system or computer network, or
d. by any means stops or tries to stop a valid or authorized person from entering any computer, computer system or computer network, or
e. intentionally creates or tries to create spam or undesired emails, without the permission of the sender or receiver, for any product or service marketing, or
f. interferes unjustly in any computer, computer system or computer network, or by lies and deliberate falsity enjoys the service of an individual or transfers the charge of such service, or tries to transfer it, into the account of another,
then that person's activity will be an offense under the Act.
(2) If any person commits any offense mentioned within sub-section (1), the person will be penalized with imprisonment for a term not exceeding 7 (seven) years or with fine not exceeding 10 (ten) lacs taka or with both.
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently commits it, then he will be punished with imprisonment for a term not exceeding 10 (ten) years or with fine not exceeding 25 (twenty five) lacs taka or with both.

20) Offenses relating to Computer Source Code Change and Punishment:-
(1) If any person intentionally or knowingly hides or destroys or changes the source code used in any computer, computer system or computer network, or if he tries to hide, destroy or change the source code through another person, and if that source code is preservable and securable, then that act of the said person will be considered an offense under the Act.
(2) If any person commits any offense mentioned within sub-section (1), the person will be penalized with imprisonment for a term not exceeding 3 (three) years or with fine not exceeding 3 (three) lacs taka or with both.
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently commits it, then he will be punished with imprisonment for a term not exceeding 5 (five) years or with fine not exceeding 5 (five) lacs taka or with both.
21) Punishment for any propaganda or campaign against the liberation war, cognition of the liberation war, Father of the Nation, National Anthem or National Flag:-
(1) If any person by means of digital medium runs any propaganda or campaign, or assists in running a propaganda or campaign, against the liberation war of Bangladesh, cognition of the liberation war, Father of the Nation, National Anthem or National Flag, then that act of that person will be an offense under the Act.
(2) If any person commits any offense mentioned within sub-section (1), the person will be penalized with imprisonment for a term not exceeding 10 (ten) years or with fine not exceeding 1 (one) crore taka or with both.
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently commits it, then he will be punished with life term imprisonment or with fine not exceeding 3 (three) crore taka or with both.

22) Digital or Electronic Forgery:-
(1) If any person commits forgery by means of any digital or electronic medium, then that activity of that person will be an offense under the Act.
(2) If any person commits any offense mentioned within sub-section (1), the person will be penalized with imprisonment for a term not exceeding 5 (five) years or with a fine not exceeding 5 (five) lacs taka or with both.
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently commits it, then he will be punished with imprisonment for a term not exceeding 7 (seven) years or with fine not exceeding 10 (ten) lacs taka or with both.
Explanation:- To fulfill the objective of this Act, "Digital or Electronic Forgery" means: if any person, without authority or in excess of the given authority or by means of unauthorized practice, produces input or output of any computer or digital device, or changes, erases or hides incorrect data or program, or results in erroneous information or information system of any computer or digital device, data system and computer or digital network operation.

23) Digital or Electronic Fraud:-
(1) If any person commits fraud by means of any digital or electronic medium, then that activity of that person will be an offense under the Act.
(2) If any person commits any offense mentioned within sub-section (1), the person will be penalized with imprisonment for a term not exceeding 5 (five) years or with fine not exceeding 5 (five) lacs taka or with both.
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently commits it, then he will be punished with imprisonment for a term not exceeding 7 (seven) years or with fine not exceeding 10 (ten) lacs taka or with both.
Explanation:- To fulfill the objective of this Act, "Digital or Electronic Fraud" means: if any person intentionally or knowingly or without permission changes any information, deletes or adds new information or creates distortion, and reduces the value of that or the utility of any computer program, computer system, computer network, digital device, digital system, digital network or social communication medium, trying to gain benefit for himself/herself or for others, or trying to harm others or to deceive others.

24) Identity Fraud or Being in Disguise:-
(1) If any person intentionally or knowingly uses any computer, computer program, computer system, computer network, digital device, digital system or digital network-
a. with the intention of deceiving or cheating, carries the identity of another person or shows any person's identity as his own, or
b. intentionally, by forgery, assumes the identity of a living or dead person as one's own for the following purposes-
i. to achieve some advantage for oneself or for any other person;
ii. to acquire any property or interest in any property;
iii. to harm a person by using another person's identity in disguise,
then the act of the person will be an offense under the Act.
(2) If any person commits any offense mentioned within sub-section (1), the person will be penalized with imprisonment for a term not exceeding 5 (five) years or with fine not exceeding 5 (five) lacs taka or with both.
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently commits it, then he will be punished with imprisonment for a term not exceeding 7 (seven) years or with fine not exceeding 10 (ten) lacs taka or with both.

25) Publishing, sending of offensive, false or fear inducing data-information, etc.:-
(1) If any person, in any website or through any digital medium-
a. intentionally or knowingly sends such information which is offensive or fear inducing, or which, despite knowing it to be false, is sent, published or propagated with the intention to annoy, insult, humiliate or denigrate a person, or
b. publishes or propagates, or assists in publishing or propagating, any information with the intention of tarnishing the image of the nation or spreading confusion, or, despite knowing it to be false, publishes or propagates or assists in publishing or propagating information in its full or in a distorted form for the same intentions,
then the activity of that person will be an offense under the Act.
(2) If any person commits any offense mentioned within sub-section (1), the person will be penalized with imprisonment for a term not exceeding 3 (three) years or with fine not exceeding 3 (three) lacs taka or with both.
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently commits it, then he will be punished with imprisonment for a term not exceeding 5 (five) years or with fine not exceeding 10 (ten) lacs taka or with both.

26) Punishment for Collecting, Using Identity Information without Permission, etc.:-
(1) If any person without any legal authority collects, sells, takes possession of, supplies or uses any person's identity information, then that activity of that person will be an offense under the Act.
(2) If any person commits any offense mentioned within sub-section (1), the person will be penalized with imprisonment for a term not exceeding 5 (five) years or with fine not exceeding 5 (five) lacs taka or with both.
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently commits it, then he will be penalized with imprisonment for a term not exceeding 7 (seven) years or with fine not exceeding 10 (ten) lacs taka or with both.
Explanation:- To fulfill the objective of this Section, "Identity Information" means any external, biological or physical information, or any other information which singly or jointly can identify a person or a system: his/her name, address, date of birth, mother's name, father's name, signature, national identity, birth and death registration number, fingerprint, passport number, bank account number, driver's license, E-TIN number, electronic or digital signature, username, credit or debit card number, voice print, retina image, iris image, DNA profile, security related questions or any other identification which, due to advances in technology, is easily available.

27) Punishment for committing Cyber-terrorism:-
(1) If any person-
a. with the intention to breach the national security or to endanger the sovereignty of the nation and to instill terror within the public or a part of them, creates obstruction in the authorized access to any computer, computer network or internet network, or illegally accesses the said computer, computer network or internet network, or causes the act of obstruction of access or illegal entry through someone, or
b. creates such pollution within any digital device or inserts malware which causes the death of a person or results in serious injury to a person or raises a possibility of it, or
c. damages or destroys the supply of daily necessities of the public or adversely affects any critical information infrastructure, or
d. intentionally or knowingly enters or penetrates any computer, computer network, internet network, any secured data-information or computer database, or such secured data-information or computer database which can be used to damage friendly relations with another foreign country, or can be used for acts against public order, or which can be used for the benefit of any foreign country or any foreign person or any group,
then that activity of that person will be considered a cyber security crime.
(2) If any person commits any offense mentioned within sub-section (1), the person will be penalized with imprisonment for a term not exceeding 14 (fourteen) years or with fine not exceeding 1 (one) crore taka or with both.
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently commits it, then he will be punished with lifetime imprisonment or with fine not exceeding 5 (five) crore taka or with both.

28) Publication, Broadcast, etc. of such information in any website or in any electronic format that hampers religious sentiment or values:-
(1) If any person or group intentionally or knowingly, with the aim of hurting religious sentiments or values or with the intention to provoke, publishes or broadcasts anything by means of any website or any electronic format which hurts religious sentiment or values, then such activity of that person will be considered an offence.
(2) If any person commits an offence under sub-section (1), the person will be sentenced to a term of imprisonment not exceeding 7 (seven) years or fine not exceeding 10 (ten) lac taka or both.
(3) If any person commits the offence mentioned in sub-section (1) a second time or repeatedly, he will be punished with imprisonment not exceeding 10 (ten) years or fine not exceeding 20 (twenty) lac taka or both.

29) To publish, broadcast, etc., defamation information:-
(1) If a person commits an offence of publication or broadcast of defamatory information, as described in section 499 of the Penal Code (Act XLV of 1860), in any website or in any other electronic format, then he will be sentenced to a term of imprisonment not exceeding 3 (three) years or fine not exceeding Tk. 5 (five) lac or both.
(2) If any person commits the offence mentioned in sub-section (1) a second time or repeatedly, he will be sentenced to a term of imprisonment not exceeding 5 (five) years or fine not exceeding Tk. 10 (ten) lac or both.

30) E-Transaction without legal authority: Offence and Punishment:-
(1) If any person-
a. does e-transaction through electronic and digital medium of any bank, insurance or any other financial institution or any mobile money service providing organisation without legal authority, or
b. does e-transaction that has been declared illegal by the Government or Bangladesh Bank,
then such activity will be considered an offence.
(2) If any person commits an offence mentioned in sub-section (1), the person will be penalized with imprisonment for a term not exceeding 5 (five) years or with fine not exceeding Tk. 5 (five) lac or with both.
(3) If any person commits the offence mentioned in sub-section (1) for the second time or repeatedly, he will be punished with imprisonment for a term not exceeding 7 (seven) years or with fine not exceeding Tk. 10 (ten) lac or both.
Explanation:- To fulfill the objective of this Section, "E-Transaction" means the deposit or withdrawal of funds, or a direction, order or legally authorized money transaction for withdrawal, through any bank, financial institution or any digital or electronic medium to a specified account number by a person with the aim of transferring funds.

31) Deterioration of Law and Order, etc. and Punishment:-
(1) If any person intentionally publishes or broadcasts any kind of file in any website or digital format which will create hostility, hatred or adversity among people, or destroy any communal harmony, or create unrest or disorder, or deteriorate or threaten to deteriorate the law and order, then that activity of that person will be considered an offence.
(2) If any person commits any crime mentioned within sub-section (1), the person will be penalized with imprisonment for a term not exceeding 7 (seven) years or with fine not exceeding Tk. 5 (five) lac or with both.
(3) If any person commits the crime mentioned in sub-section (1) for the second time or recurrently commits it, he will be punished with imprisonment for a term not exceeding 10 (ten) years or with fine not exceeding Tk. 10 (ten) lac or with both.

32) Breaching Government Secret: Offence and Punishment:-
(1) If any person commits, or aids and abets in committing, an offence under the Official Secrets Act, 1923 (Act No. XIX of 1923) through computer, digital device, computer network, digital network or any other digital medium, then he will be punished with a term of imprisonment not exceeding 14 (fourteen) years or with fine not exceeding Tk. 25 (twenty five) lac or with both.
(2) If any person commits the offence mentioned in sub-section (1) for the second time or recurrently commits it, he will be punished with life imprisonment or with fine not exceeding Tk. 1 (one) crore or with both.

33) Illegal Transferring, Saving, etc. of Data-Information: Punishment:-
(1) If any person enters any computer or digital system illegally and does any addition or subtraction, transfer, or with the aim of transfer saves or aids in saving any data-information belonging to a government, semi-government, autonomous or statutory organization or any financial or commercial organisation, then the activity of that person will be considered an offence.
(2) If any person commits an offence mentioned in sub-section (1), he will be sentenced to a term of imprisonment not exceeding 5 (five) years or with fine not exceeding Tk. 10 (ten) lac or with both.
(3) If any person commits the offence mentioned in sub-section (1) a second time or recurrently commits it, then he will be sentenced to a term of imprisonment not exceeding 7 (seven) years or with fine not exceeding Tk. 15 (fifteen) lac or with both.

34) Hacking Related Offence and Punishment:-
(1) If a person commits hacking, then it will be considered an offence, and for this he will be sentenced to a term of imprisonment not exceeding 14 (fourteen) years or with fine not exceeding Tk. 1 (one) crore or with both.
(2) If any person commits the offence mentioned in sub-section (1) a second time or repeatedly, then he will be penalized with life imprisonment or with fine not exceeding Tk. 5 (five) crore or both.
Explanation: In this section "Hacking" means-
a. to destroy, change, format or cancel any information of the computer data storage, or to reduce the value or suitability of it, or to damage it in any other way, or
b. without ownership or possession, illegally entering and damaging any computer, server, computer network or any electric system.

35) Aiding in Commission of Offence and its Punishment:-
(1) If any person aids in committing any offence under this Act, then such act of that person will be considered an offence.
(2) In case of aiding of an offence, the punishment will be the same as that of the original offence.

36) Offence Committed by Company:-
(1) In case of a company committing an offence under this Act, every owner, chief executive, director, manager, secretary, shareholder or any other officer, employee or representative of the company having direct connection with the offence will be considered as the offender, unless he can prove that the offence took place without his knowledge or that he took all possible steps to stop the commission of the offence.
(2) If the company mentioned under sub-section (1) is a company having corporate legal personality, then apart from the people mentioned, the company can also be charged and found guilty under the same proceedings, but only the monetary punishment can be imposed on the company as per the relevant provisions.
Explanation: In this Section-
a. the word "Company" includes any commercial institution, business partnership, society, association or organization;
b. in the case of a commercial organization, "Director" includes its shareholder or member of the board of directors.

37) The power to give order of compensation: If a person causes financial damage to another person under Section 22 (digital or electronic forgery), Section 23 (digital or electronic fraud) or Section 24 (identity fraud or being in disguise), the tribunal may order him to compensate the affected person by paying money equivalent to the damage caused, or a suitable amount after considering the damage caused.

38) No Responsibility for the service provider: (1) Any service provider will not be responsible under this Act, or any rules enacted under this Act, for facilitating access to data-information if he succeeds in proving that the offence or breach was committed without his knowledge or that he took all possible steps to stop the commission of the offence.

C. Ethical and Social Issues in Information Systems

1. What ethical, social, and political issues are raised by information systems?
2. What specific principles for conduct can be used to guide ethical decisions?
3. Why do contemporary information systems technology and the Internet pose challenges to the protection of individual privacy and intellectual property?
4. How have information systems affected laws for establishing accountability, liability, and the quality of everyday life?

WHAT ETHICAL, SOCIAL, AND POLITICAL ISSUES ARE RAISED BY INFORMATION SYSTEMS?

Ethics refers to the principles of right and wrong that individuals, acting as free moral agents, use to make choices to guide their behaviors. Information systems raise new ethical questions for both individuals and societies because they create opportunities for intense social change, and thus threaten existing distributions of power, money, rights, and obligations.
Like other technologies, such as steam engines, electricity, the telephone, and the radio, information technology can be used to achieve social progress, but it can also be used to commit crimes and threaten cherished social values. The development of information technology will produce benefits for many and costs for others.

Ethical issues in information systems have been given new urgency by the rise of the Internet and electronic commerce. Internet and digital firm technologies make it easier than ever to assemble, integrate, and distribute information, unleashing new concerns about the appropriate use of customer information, the protection of personal privacy, and the protection of intellectual property. Other pressing ethical issues raised by information systems include establishing accountability for the consequences of information systems, setting standards to safeguard system quality that protects the safety of the individual and society, and preserving values and institutions considered essential to the quality of life in an information society. When using information systems, it is essential to ask, "What is the ethical and socially responsible course of action?"

A MODEL FOR THINKING ABOUT ETHICAL, SOCIAL, AND POLITICAL ISSUES

Ethical, social, and political issues are closely linked. The ethical dilemma you may face as a manager of information systems is typically reflected in social and political debate. One way to think about these relationships is shown in Figure 4.1. Imagine society as a more or less calm pond on a summer day, a delicate ecosystem in partial equilibrium with individuals and with social and political institutions. Individuals know how to act in this pond because social institutions (family, education, organizations) have developed well-honed rules of behavior, and these are supported by laws developed in the political sector that prescribe behavior and promise sanctions for violations. Now toss a rock into the center of the pond. What happens? Ripples, of course. The introduction of new information technology has a similar ripple effect, raising new ethical, social, and political issues that must be dealt with on the individual, social, and political levels. These issues have five moral dimensions: information rights and obligations, property rights and obligations, system quality, quality of life, and accountability and control.

FIVE MORAL DIMENSIONS OF THE INFORMATION AGE

The major ethical, social, and political issues raised by information systems include the following moral dimensions:
Information rights and obligations. What information rights do individuals and organizations possess with respect to themselves? What can they protect?
Property rights and obligations. How will traditional intellectual property rights be protected in a digital society in which tracing and accounting for ownership are difficult and ignoring such property rights is so easy?
Accountability and control. Who can and will be held accountable and liable for the harm done to individual and collective information and property rights?
System quality. What standards of data and system quality should we demand to protect individual rights and the safety of society?
Quality of life. What values should be preserved in an information- and knowledge-based society? Which institutions should we protect from violation? Which cultural values and practices are supported by the new information technology?
KEY TECHNOLOGY TRENDS THAT RAISE ETHICAL ISSUES

A new data analysis technology called non-obvious relationship awareness (NORA) has given both the government and the private sector even more powerful profiling capabilities. NORA can take information about people from many disparate sources, such as employment applications, telephone records, customer listings, and "wanted" lists, and correlate relationships to find obscure hidden connections that might help identify criminals or terrorists (see Figure 4.2). NORA technology scans data and extracts information as the data are being generated, so that it could, for example, instantly discover a man at an airline ticket counter who shares a phone number with a known terrorist before that person boards an airplane. The technology is considered a valuable tool for homeland security but does have privacy implications, because it can provide such a detailed picture of the activities and associations of a single individual.

WHAT SPECIFIC PRINCIPLES FOR CONDUCT CAN BE USED TO GUIDE ETHICAL DECISIONS?

BASIC CONCEPTS: RESPONSIBILITY, ACCOUNTABILITY, AND LIABILITY

Ethical choices are decisions made by individuals who are responsible for the consequences of their actions. Responsibility is a key element of ethical action: it means that you accept the potential costs, duties, and obligations for the decisions you make. Accountability is a feature of systems and social institutions: it means that mechanisms are in place to determine who took responsible action and who is responsible. Systems and institutions in which it is impossible to find out who took what action are inherently incapable of ethical analysis or ethical action. Liability extends the concept of responsibility further to the area of laws.
Liability is a feature of political systems in which a body of laws is in place that permits individuals to recover the damages done to them by other actors, systems, or organizations. Due process is a related feature of law-governed societies and is a process in which laws are known and understood, and there is an ability to appeal to higher authorities to ensure that the laws are applied correctly.

ETHICAL ANALYSIS

When confronted with a situation that seems to present ethical issues, how should you analyze it? The following five-step process should help:
1. Identify and describe the facts clearly. Find out who did what to whom, and where, when, and how. In many instances, you will be surprised at the errors in the initially reported facts, and often you will find that simply getting the facts straight helps define the solution. It also helps to get the opposing parties involved in an ethical dilemma to agree on the facts.
2. Define the conflict or dilemma and identify the higher-order values involved. Ethical, social, and political issues always reference higher values. The parties to a dispute all claim to be pursuing higher values (e.g., freedom, privacy, protection of property, and the free enterprise system). Typically, an ethical issue involves a dilemma: two diametrically opposed courses of action that support worthwhile values. For example, the chapter-opening case study illustrates two competing values: the need to improve access to digital content and the need to respect the property rights of the owners of that content.
3. Identify the stakeholders. Every ethical, social, and political issue has stakeholders: players in the game who have an interest in the outcome, who have invested in the situation, and who usually have vocal opinions. Find out the identity of these groups and what they want. This will be useful later when designing a solution.
4. Identify the options that you can reasonably take. You may find that none of the options satisfy all the interests involved, but that some options do a better job than others. Sometimes arriving at a good or ethical solution may not always be a balancing of consequences to stakeholders.
5. Identify the potential consequences of your options. Some options may be ethically correct but disastrous from other points of view. Other options may work in one instance but not in other similar instances. Always ask yourself, "What if I choose this option consistently over time?"

CANDIDATE ETHICAL PRINCIPLES

Once your analysis is complete, what ethical principles or rules should you use to make a decision? What higher-order values should inform your judgment? Although you are the only one who can decide which among many ethical principles you will follow, and how you will prioritize them, it is helpful to consider some ethical principles with deep roots in many cultures that have survived throughout recorded history:
1. Do unto others as you would have them do unto you (the Golden Rule). Putting yourself into the place of others, and thinking of yourself as the object of the decision, can help you think about fairness in decision making.
2. If an action is not right for everyone to take, it is not right for anyone (Immanuel Kant's Categorical Imperative). Ask yourself, "If everyone did this, could the organization, or society, survive?"
3. If an action cannot be taken repeatedly, it is not right to take at all. This is the slippery-slope rule: an action may bring about a small change now that is acceptable, but if it is repeated, it would bring unacceptable changes in the long run. In the vernacular, it might be stated as "once started down a slippery path, you may not be able to stop."
4. Take the action that achieves the higher or greater value (Utilitarian Principle). This rule assumes you can prioritize values in a rank order and understand the consequences of various courses of action.
5. Take the action that produces the least harm or the least potential cost (Risk Aversion Principle). Some actions have extremely high failure costs of very low probability (e.g., building a nuclear generating facility in an urban area) or extremely high failure costs of moderate probability (speeding and automobile accidents). Avoid these high-failure-cost actions, paying greater attention to high-failure-cost potential of moderate to high probability.
6. Assume that virtually all tangible and intangible objects are owned by someone else unless there is a specific declaration otherwise. (This is the ethical "no free lunch" rule.) If something someone else has created is useful to you, it has value, and you should assume the creator wants compensation for this work.

Actions that do not easily pass these rules deserve close attention and a great deal of caution. The appearance of unethical behavior

WHY DO CONTEMPORARY INFORMATION SYSTEMS TECHNOLOGY AND THE INTERNET POSE CHALLENGES TO THE PROTECTION OF INDIVIDUAL PRIVACY AND INTELLECTUAL PROPERTY?

INFORMATION RIGHTS: PRIVACY AND FREEDOM IN THE INTERNET AGE

Privacy is the claim of individuals to be left alone, free from surveillance or interference from other individuals or organizations, including the state. Claims to privacy are also involved at the workplace: millions of employees are subject to electronic and other forms of high-tech surveillance. Information technology and systems threaten individual claims to privacy by making the invasion of privacy cheap, profitable, and effective.

Fair Information Practices (FIP) is a set of principles governing the collection and use of information about individuals. FIP principles are based on the notion of a mutuality of interest between the record holder and the individual.
The individual has an interest in engaging in a transaction, and the record keeper—usually a business or government agency—requires information about the individual to support the transaction. Once information is gathered, the individual maintains an interest in the record, and the record may not be used to support other activities without the individual's consent. In 1998, the FTC restated and extended the original FIP to provide guidelines for protecting online privacy. Table 4.4 describes the FTC's Fair Information Practice principles.

Internet Challenges to Privacy

Internet technology has posed new challenges for the protection of individual privacy. Information sent over this vast network of networks may pass through many different computer systems before it reaches its final destination. Each of these systems is capable of monitoring, capturing, and storing communications that pass through it. Web sites track searches that have been conducted, the Web sites and Web pages visited, the online content a person has accessed, and what items that person has inspected or purchased over the Web. This monitoring and tracking of Web site visitors occurs in the background without the visitor's knowledge. It is conducted not just by individual Web sites but by advertising networks such as Microsoft Advertising, Yahoo, and Google's DoubleClick that are capable of tracking personal browsing behavior across thousands of Web sites. Both Web site publishers and the advertising industry defend tracking of individuals across the Web because doing so allows more relevant ads to be targeted to users, and it pays for the cost of publishing Web sites. In this sense, it is like broadcast television: advertiser-supported content that is free to the user. The commercial demand for this personal information is virtually insatiable.
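The cross-site tracking by third-party advertising networks described above leaves traces that a site owner or auditor can look for: resources (hidden tracking images, scripts) loaded from hosts other than the site being visited, and cookies scoped to those other hosts. The Python script below is an added illustration, not part of this study guide or of the textbook it summarizes; it scans a constructed HTML page for third-party beacon images and scripts and classifies constructed Set-Cookie headers as first- or third-party relative to an assumed first-party host (shop.example; the tracker and ad hosts are likewise made up). It uses only the standard library.

```python
"""Added example (not from the study guide): audit a page for third-party
tracking artefacts. Every host, URL and header below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "shop.example"  # assumed first-party site host (constructed)


def is_third_party(url, first_party=FIRST_PARTY):
    """True when the URL points at a host outside the first-party site.
    A relative URL (no host) is first-party by definition."""
    host = urlparse(url).hostname
    if host is None:
        return False
    return host != first_party and not host.endswith("." + first_party)


class TrackerScanner(HTMLParser):
    """Collect third-party script sources and beacon-like images, i.e.
    <img> elements that are 1x1 or hidden and loaded from another host."""

    def __init__(self, first_party=FIRST_PARTY):
        super().__init__()
        self.first_party = first_party
        self.beacons = []
        self.third_party_scripts = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names are lowercased
        if tag == "script" and a.get("src"):
            if is_third_party(a["src"], self.first_party):
                self.third_party_scripts.append(a["src"])
        elif tag == "img" and a.get("src"):
            tiny = a.get("width") == "1" and a.get("height") == "1"
            hidden = "display:none" in a.get("style", "").replace(" ", "")
            if (tiny or hidden) and is_third_party(a["src"], self.first_party):
                self.beacons.append(a["src"])


def scan_html(html, first_party=FIRST_PARTY):
    """Return the third-party beacons and scripts found in a page source."""
    scanner = TrackerScanner(first_party)
    scanner.feed(html)
    return {"beacons": scanner.beacons,
            "third_party_scripts": scanner.third_party_scripts}


def classify_cookies(responses, first_party=FIRST_PARTY):
    """responses: (responding_host, Set-Cookie header) pairs observed while
    loading the page and its embedded resources. A cookie's scope is its
    Domain attribute, or the responding host when Domain is absent."""
    first, third = [], []
    for host, header in responses:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        domain = host.lower()
        for attr in parts[1:]:
            if attr.lower().startswith("domain="):
                domain = attr.split("=", 1)[1].lstrip(".").lower()
        if domain == first_party or domain.endswith("." + first_party):
            first.append(name)
        else:
            third.append((name, domain))
    return {"first_party": first, "third_party": third}


# Constructed page source: a visible logo, a 1x1 pixel and a hidden image
# from tracker/ad hosts, a first-party script and a third-party ad tag.
SAMPLE_HTML = """
<html><body>
<img src="https://shop.example/logo.png" width="120" height="40">
<img src="https://tracker.example/pixel.gif?uid=abc123" width="1" height="1">
<img src="https://ads.example/view" style="display: none">
<script src="/js/app.js"></script>
<script src="https://ads.example/tag.js"></script>
</body></html>
"""

# Constructed Set-Cookie headers as a browser might receive them: two from
# the site itself, one from the tracker host while fetching the pixel.
SAMPLE_RESPONSES = [
    ("shop.example", "session=xyz; Path=/; HttpOnly; Secure"),
    ("shop.example", "prefs=dark; Domain=.shop.example; Path=/"),
    ("tracker.example", "uid=abc123; Path=/; SameSite=None; Secure"),
]

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
    print(classify_cookies(SAMPLE_RESPONSES))
```

The size and style heuristics deliberately flag only images that a user cannot see; a visible third-party image (a CDN-hosted product photo, say) is not a beacon, while a cookie scoped to a host outside the site is third-party regardless of how it was set.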
However, these practices also impinge on individual privacy, as discussed in the Interactive Session on Technology.

Cookies are small text files deposited on a computer hard drive when a user visits Web sites. Cookies identify the visitor’s Web browser software and track visits to the Web site. When the visitor returns to a site that has stored a cookie, the Web site software will search the visitor’s computer, find the cookie, and know what that person has done in the past. It may also update the cookie, depending on the activity during the visit.

Web beacons, also called Web bugs (or simply “tracking files”), are tiny software programs invisibly embedded in e-mail messages and Web pages. They keep a record of users’ online clickstream and report this data back to whoever owns the tracking file, in order to monitor the behavior of the user visiting a Web site or sending e-mail. Web beacons are placed on popular Web sites by third-party firms who pay the Web sites a fee for access to their audience.

Technical Solutions

In addition to legislation, there are a few technologies that can protect user privacy during interactions with Web sites. Many of these tools are used for encrypting e-mail, for making e-mail or surfing activities appear anonymous, for preventing client computers from accepting cookies, or for detecting and eliminating spyware. For the most part, technical solutions have failed to protect users from being tracked as they move from one site to another.

PROPERTY RIGHTS: INTELLECTUAL PROPERTY

Intellectual property is subject to a variety of protections under three different legal traditions: trade secrets, copyright, and patent law.

Trade Secrets

Any intellectual work product—a formula, device, pattern, or compilation of data—used for a business purpose can be classified as a trade secret, provided it is not based on information in the public domain. Protections for trade secrets vary from state to state.
In general, trade secret laws grant a monopoly on the ideas behind a work product, but it can be a very tenuous monopoly. Software that contains novel or unique elements, procedures, or compilations can be included as a trade secret. Trade secret law protects the actual ideas in a work product, not only their manifestation. To make this claim, the creator or owner must take care to bind employees and customers with nondisclosure agreements and to prevent the secret from falling into the public domain. The limitation of trade secret protection is that, although virtually all software programs of any complexity contain unique elements of some sort, it is difficult to prevent the ideas in the work from falling into the public domain when the software is widely distributed.

Copyright

Copyright is a statutory grant that protects creators of intellectual property from having their work copied by others for any purpose during the life of the author plus an additional 70 years after the author’s death. For corporate-owned works, copyright protection lasts for 95 years after their initial creation. Congress has extended copyright protection to books, periodicals, lectures, dramas, musical compositions, maps, drawings, artwork of any kind, and motion pictures. The intent behind copyright laws has been to encourage creativity and authorship by ensuring that creative people receive the financial and other benefits of their work. Most industrial nations have their own copyright laws, and there are several international conventions and bilateral agreements through which nations coordinate and enforce their laws.

Patents

A patent grants the owner an exclusive monopoly on the ideas behind an invention for 20 years.
The congressional intent behind patent law was to ensure that inventors of new machines, devices, or methods receive the full financial and other rewards of their labor and yet make widespread use of the invention possible by providing detailed diagrams for those wishing to use the idea under license from the patent’s owner. The granting of a patent is determined by the United States Patent and Trademark Office and relies on court rulings. The key concepts in patent law are originality, novelty, and invention.

Challenges to Intellectual Property Rights

Contemporary information technologies, especially software, pose severe challenges to existing intellectual property regimes and, therefore, create significant ethical, social, and political issues. Digital media differ from books, periodicals, and other media in terms of ease of replication; ease of transmission; ease of alteration; difficulty in classifying a software work as a program, book, or even music; compactness—making theft easy; and difficulties in establishing uniqueness.

The proliferation of electronic networks, including the Internet, has made it even more difficult to protect intellectual property. Before widespread use of networks, copies of software, books, magazine articles, or films had to be stored on physical media, such as paper, computer disks, or videotape, creating some hurdles to distribution. Using networks, information can be more widely reproduced and distributed. The Ninth Annual Global Software Piracy Study conducted by International Data Corporation and the Business Software Alliance reported that the rate of global software piracy climbed to 42 percent in 2013, representing $73 billion in global losses from software piracy. Worldwide, for every $100 worth of legitimate software sold that year, an additional $75 worth was obtained illegally (Business Software Alliance, 2014). The Internet was designed to transmit information freely around the world, including copyrighted information.
With the World Wide Web in particular, you can easily copy and distribute virtually anything to thousands and even millions of people around the world, even if they are using different types of computer systems. Information can be illicitly copied from one place and distributed through other systems and networks even though these parties do not willingly participate in the infringement.

Individuals have been illegally copying and distributing digitized music files on the Internet for several decades. File-sharing services such as Napster, and later Grokster, Kazaa, Morpheus, Megaupload, and The Pirate Bay, sprang up to help users locate and swap digital music and video files, including those protected by copyright. Illegal file sharing became so widespread that it threatened the viability of the music recording industry and, at one point, consumed 20 percent of Internet bandwidth. The recording industry won several legal battles for shutting these services down, but it has not been able to halt illegal file sharing entirely. The motion picture and cable television industries are waging similar battles, as described in the chapter-opening case study. Several European nations have worked with U.S. authorities to shut down illegal sharing sites, with mixed results. In France, illegal downloaders can lose access to the Internet for a year or more.

The Digital Millennium Copyright Act (DMCA) of 1998 also provides some copyright protection. The DMCA implemented a World Intellectual Property Organization Treaty that makes it illegal to circumvent technology-based protections of copyrighted materials. Internet service providers (ISPs) are required to take down sites of copyright infringers they are hosting once the ISPs are notified of the problem.

HOW HAVE INFORMATION SYSTEMS AFFECTED LAWS FOR ESTABLISHING ACCOUNTABILITY, LIABILITY, AND THE QUALITY OF EVERYDAY LIFE?
COMPUTER-RELATED LIABILITY PROBLEMS

SYSTEM QUALITY: DATA QUALITY AND SYSTEM ERRORS

QUALITY OF LIFE: EQUITY, ACCESS, AND BOUNDARIES
Balancing Power: Center Versus Periphery
Rapidity of Change: Reduced Response Time to Competition
Maintaining Boundaries: Family, Work, and Leisure
Dependence and Vulnerability
Computer Crime and Abuse
Employment: Trickle-Down Technology and Reengineering Job Loss
Equity and Access: Increasing Racial and Social Class Cleavages
Health Risks: RSI, CVS, and Technostress

CHAPTER # 02: DECISION SUPPORT SYSTEMS

A. Decision Support in Business

Information, Decisions, and Management

Levels of management decision making still exist, but their size, shape, and participants continue to change as today’s fluid organizational structures evolve. Thus, the levels of managerial decision making that must be supported by information technology in a successful organization are:

Strategic Management. Typically, a board of directors and an executive committee of the CEO and top executives develop overall organizational goals, strategies, policies, and objectives as part of a strategic planning process. They also monitor the strategic performance of the organization and its overall direction in the political, economic, and competitive business environment.

Tactical Management. Increasingly, business professionals in self-directed teams as well as business unit managers develop short- and medium-range plans, schedules, and budgets and specify the policies, procedures, and business objectives for their subunits of the company. They also allocate resources and monitor the performance of their organizational subunits, including departments, divisions, process teams, project teams, and other workgroups.

Operational Management. The members of self-directed teams or operating managers develop short-range plans such as weekly production schedules.
They direct the use of resources and the performance of tasks according to procedures and within budgets and schedules they establish for the teams and other workgroups of the organization.

Information Quality

What characteristics of information products make them valuable and useful to you? To answer this important question, we must first examine the characteristics or attributes of information quality. Information that is outdated, inaccurate, or hard to understand is not very meaningful, useful, or valuable to you or other business professionals. People need information of high quality, that is, information products whose characteristics, attributes, or qualities make the information more valuable to them. It is useful to think of information as having the three dimensions of time, content, and form. Figure 10.3 summarizes the important attributes of information quality and groups them into these three dimensions.

Decision Structure

Decisions made at the operational management level tend to be more structured, those at the tactical level are more semi-structured, and those at the strategic management level are more unstructured. Structured decisions involve situations in which the procedures to follow, when a decision is needed, can be specified in advance. The inventory reorder decisions that most businesses face are a typical example. Unstructured decisions involve decision situations in which it is not possible to specify in advance most of the decision procedures to follow. Most decisions related to long-term strategy can be thought of as unstructured (e.g., “What product lines should we develop over the next five years?”). Most business decision situations are semi-structured; that is, some decision procedures can be pre-specified but not enough to lead to a definite recommended decision.
For example, decisions involved in starting a new line of e-commerce services or making major changes to employee benefits would probably range from unstructured to semi-structured. Finally, decisions that are unstructured are those for which no procedures or rules exist to guide the decision makers toward the correct decision. In these types of decisions, many sources of information must be accessed, and the decision often rests on experience and “gut feeling.” One example of an unstructured decision might be the answer to the question, “What business should we be in 10 years from now?”

❖ Business Intelligence (BI): refers to all applications and technologies in the organisation that are focused on the gathering and analysis of data and information that can be used to derive strategic business decisions.

Differences between business analytics and business intelligence:

Business analytics focuses on developing new insights and understanding of business performance based on data and statistical methods. In contrast, business intelligence traditionally focuses on using a consistent set of metrics to both measure past performance and guide business planning, which is also based on data and statistical methods. Business analytics makes much more extensive use of data, statistical and quantitative analysis, explanatory and predictive modeling, and fact-based management to drive decision making. Analytics may be used as input for human decisions or may drive fully automated decisions. Business intelligence is more associated with querying, reporting, online analytical processing (OLAP), and “alerts.” In other words, querying, reporting, OLAP, and alert tools can answer the questions: what happened; how many; how often; where; where exactly is the problem; and what actions are needed.
Business analytics, in contrast, can answer the questions: why is this happening; what if these trends continue; what will happen next (that is, predict); and what is the best that can happen (that is, optimize). Figure 10.7 highlights several major information technologies that are being customized, personalized, and Web-enabled to provide key business information and analytical tools for managers, business professionals, and business stakeholders.

Decision Support Systems

Decision support systems are computer-based information systems that provide interactive information support to managers and business professionals during the decision making process. Decision support systems use (1) analytical models, (2) specialized databases, (3) a decision maker’s own insights and judgments, and (4) an interactive, computer-based modeling process to support semi-structured business decisions. For example, sales managers typically rely on management information systems to produce sales analysis reports. These reports contain sales performance figures by product line, salesperson, sales region, and so on. A decision support system (DSS), however, would also interactively show a sales manager the effects on sales performance of changes in a variety of factors (e.g., promotion expense and salesperson compensation). The DSS could then use several criteria (e.g., expected gross margin and market share) to evaluate and rank alternative combinations of sales performance factors.

DSS Components

Unlike management information systems, decision support systems rely on model bases, as well as databases, as vital system resources. A DSS model base is a software component that consists of models used in computational and analytical routines that mathematically express relationships among variables. For example, a spreadsheet program might contain models that express simple accounting relationships among variables, such as Revenue − Expenses = Profit.
A DSS model base could also include models and analytical techniques used to express much more complex relationships. For example, it might contain linear programming models, multiple regression forecasting models, and capital budgeting present value models. Such models may be stored in the form of spreadsheet models or templates, or statistical and mathematical programs and program modules. In addition, DSS software packages can combine model components to create integrated models that support specific types of decisions. As businesses become more aware of the power of decision support systems, they are using them in ever-increasing areas of the business.

Management Information Systems

An MIS produces information products that support many of the day-to-day decision-making needs of managers and business professionals. Reports, displays, and responses produced by management information systems provide information that these decision makers have specified in advance as adequately meeting their information needs. Such predefined information products satisfy the information needs of decision makers at the operational and tactical levels of the organization who are faced with more structured types of decision situations. For example, sales managers rely heavily on sales analysis reports to evaluate differences in performance among salespeople who sell the same types of products to the same types of customers. They have a pretty good idea of the kinds of information about sales results (by product line, sales territory, customer, salesperson, and so on) that they need to manage sales performance effectively.

Management Reporting Alternatives

Management information systems provide a variety of information products to managers. Four major reporting alternatives are provided by such systems.

Periodic Scheduled Reports. This traditional form of providing information to managers uses a pre-specified format designed to provide managers with information on a regular basis.
Typical examples of such periodic scheduled reports are daily or weekly sales analysis reports and monthly financial statements.

Exception Reports. In some cases, reports are produced only when exceptional conditions occur. In other cases, reports are produced periodically but contain information only about these exceptional conditions. For example, a credit manager can be provided with a report that contains only information on customers who have exceeded their credit limits. Exception reporting reduces information overload instead of overwhelming decision makers with periodic detailed reports of business activity.

Demand Reports and Responses. Information is available whenever a manager demands it. For example, Web browsers, DBMS query languages, and report generators enable managers at PC workstations to get immediate responses or to find and obtain customized reports as a result of their requests for the information they need. Thus, managers do not have to wait for periodic reports to arrive as scheduled.

Push Reporting. Information is pushed to a manager’s networked workstation. Thus, many companies are using Webcasting software to selectively broadcast reports and other information to the networked PCs of managers and specialists over their corporate intranets.

Online Analytical Processing

Online analytical processing (OLAP) enables managers and analysts to interactively examine and manipulate large amounts of detailed and consolidated data from many perspectives. OLAP involves analyzing complex relationships among thousands or even millions of data items stored in data marts, data warehouses, and other multidimensional databases to discover patterns, trends, and exception conditions. An OLAP session takes place online in real time, with rapid responses to a manager’s or analyst’s queries, so that the analytical or decision-making process is undisturbed.
Online analytical processing involves several basic analytical operations, including consolidation, “drill-down,” and “slicing and dicing.”

Consolidation. Consolidation involves the aggregation of data, which can involve simple roll-ups or complex groupings involving interrelated data. For example, data about sales offices can be rolled up to the district level, and the district-level data can be rolled up to provide a regional-level perspective.

Drill-down. OLAP can also go in the reverse direction and automatically display detailed data that comprise consolidated data. This process is called drill-down. For example, the sales by individual products or sales reps that make up a region’s sales totals could be easily accessed.

Slicing and Dicing. Slicing and dicing refers to the ability to look at the database from different viewpoints. One slice of the sales database might show all sales of a product type within regions. Another slice might show all sales by sales channel within each product type. Slicing and dicing is often performed along a time axis to analyze trends and find time-based patterns in the data.

Geographic Information and Data Visualization Systems

A geographic information system is a DSS that uses geographic databases to construct and display maps, as well as other graphics displays that support decisions affecting the geographic distribution of people and other resources. Many companies are using GIS technology along with global positioning system (GPS) devices to help them choose new retail store locations, optimize distribution routes, or analyze the demographics of their target audiences. Data visualization systems represent complex data using interactive, three-dimensional, graphical forms such as charts, graphs, and maps. DVS tools help users interactively sort, subdivide, combine, and organize data while the data are in their graphical form.
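The three OLAP operations described above, consolidation (roll-up), drill-down and slicing and dicing, as an added example that is not part of the original text. It runs over a small constructed sales fact table whose offices, districts, regions, products and amounts are all assumptions; the office to district to region hierarchy is the roll-up path the text describes.

```python
"""Added example (not part of the original text): the three OLAP operations
described above (consolidation/roll-up, drill-down, slicing and dicing) run
over a small constructed sales fact table.

The offices, districts, regions, products and amounts are constructed for
illustration; the office -> district -> region hierarchy is the roll-up path
the text describes.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# One fact row per sale:
# (office, district, region, product_type, channel, quarter, amount)
FactRow = Tuple[str, str, str, str, str, str, float]

SALES: List[FactRow] = [
    ("Dhaka-1",   "Dhaka",      "Central", "Laptop",  "Retail", "Q1", 1200.0),
    ("Dhaka-2",   "Dhaka",      "Central", "Laptop",  "Online", "Q1",  900.0),
    ("Dhaka-2",   "Dhaka",      "Central", "Printer", "Retail", "Q2",  300.0),
    ("Gazipur-1", "Gazipur",    "Central", "Printer", "Online", "Q1",  250.0),
    ("Sylhet-1",  "Sylhet",     "East",    "Laptop",  "Retail", "Q2", 1100.0),
    ("Sylhet-1",  "Sylhet",     "East",    "Printer", "Online", "Q2",  400.0),
    ("Ctg-1",     "Chattogram", "South",   "Laptop",  "Online", "Q1", 1300.0),
]

COLUMNS = ["office", "district", "region", "product_type", "channel", "quarter", "amount"]
# Geographic hierarchy from the most detailed level upwards.
HIERARCHY = ["office", "district", "region"]


def consolidate(rows: List[FactRow], level: str) -> Dict[str, float]:
    """Consolidation (roll-up): total sales for each member of `level`."""
    idx = COLUMNS.index(level)
    totals: Dict[str, float] = defaultdict(float)
    for row in rows:
        totals[row[idx]] += row[-1]
    return dict(totals)


def drill_down(rows: List[FactRow], level: str, member: str) -> Dict[str, float]:
    """Drill-down: the next-lower-level totals that make up one member's consolidated figure."""
    pos = HIERARCHY.index(level)
    if pos == 0:
        raise ValueError("office is the lowest level; there is nothing to drill into")
    level_idx = COLUMNS.index(level)
    child_level = HIERARCHY[pos - 1]
    return consolidate([r for r in rows if r[level_idx] == member], child_level)


def slice_by(rows: List[FactRow], outer: str, inner: str) -> Dict[str, Dict[str, float]]:
    """Slicing: one viewpoint on the data, totals of `inner` within each `outer` member."""
    oi, ii = COLUMNS.index(outer), COLUMNS.index(inner)
    view: Dict[str, Dict[str, float]] = defaultdict(lambda: defaultdict(float))
    for row in rows:
        view[row[oi]][row[ii]] += row[-1]
    return {k: dict(v) for k, v in view.items()}


def dice(rows: List[FactRow], **filters: str) -> List[FactRow]:
    """Dicing: keep only the sub-cube whose dimension values match every filter."""
    wanted = {COLUMNS.index(name): value for name, value in filters.items()}
    return [r for r in rows if all(r[i] == v for i, v in wanted.items())]


if __name__ == "__main__":
    print(consolidate(SALES, "region"))            # {'Central': 2650.0, 'East': 1500.0, 'South': 1300.0}
    print(drill_down(SALES, "region", "Central"))  # {'Dhaka': 2400.0, 'Gazipur': 250.0}
    print(slice_by(SALES, "product_type", "region"))
    print(dice(SALES, region="Central", quarter="Q1"))
```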
This assistance helps users discover patterns, links, and anomalies in business or scientific data in an interactive knowledge discovery and decision support process. Business applications like data mining typically use interactive graphs that let users drill down in real time and manipulate the underlying data of a business model to help clarify their meaning for business decision making. Figure 10.14 is an example of airline flight analysis by a data visualization system.

Using Decision Support Systems

A decision support system involves an interactive analytical modeling process. For example, using a DSS software package for decision support may result in a series of displays in response to alternative what-if changes entered by a manager. This differs from the demand responses of management information systems because decision makers are not demanding pre-specified information; rather, they are exploring possible alternatives. Thus, they do not have to specify their information needs in advance. Instead, they use the DSS to find the information they need to help them make a decision. This is the essence of the decision support system concept. Four basic types of analytical modeling activities are involved in using a decision support system: (1) what-if analysis, (2) sensitivity analysis, (3) goal-seeking analysis, and (4) optimization analysis. Let’s briefly look at each type of analytical modeling that can be used for decision support.

What-If Analysis

In what-if analysis, a user makes changes to variables, or relationships among variables, and observes the resulting changes in the values of other variables.

Sensitivity Analysis

Sensitivity analysis is a special case of what-if analysis. Typically, the value of only one variable is changed repeatedly, and the resulting changes on other variables are observed. As such, sensitivity analysis is really a case of what-if analysis that involves repeated changes to only one variable at a time.
Some DSS packages automatically make repeated small changes to a variable when asked to perform sensitivity analysis. Typically, decision makers use sensitivity analysis when they are uncertain about the assumptions made in estimating the value of certain key variables.

Goal-Seeking Analysis

Goal-seeking analysis reverses the direction of the analysis done in what-if and sensitivity analyses. Instead of observing how changes in a variable affect other variables, goal-seeking analysis (also called how-can analysis) sets a target value (goal) for a variable and then repeatedly changes other variables until the target value is achieved.

Optimization Analysis

Optimization analysis is a more complex extension of goal-seeking analysis. Instead of setting a specific target value for a variable, the goal is to find the optimum value for one or more target variables, given certain constraints. Then one or more other variables are changed repeatedly, subject to the specified constraints, until you discover the best values for the target variables.

Data Mining for Decision Support

Data mining’s main purpose is to provide decision support to managers and business professionals through a process referred to as knowledge discovery. Data mining software analyzes the vast stores of historical business data that have been prepared for analysis in corporate data warehouses and tries to discover patterns, trends, and correlations hidden in the data that can help a company improve its business performance. Data mining software may perform regression, decision tree, neural network, cluster detection, or market basket analysis for a business. Market basket analysis (MBA) is one of the most common and useful types of data mining for marketing and is a key technique in business analytics. The purpose of market basket analysis is to determine which products customers purchase together with other products.
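The four analytical modeling activities described above (what-if, sensitivity, goal-seeking and optimization), as an added example that is not part of the original text. The model base is the Revenue − Expenses = Profit relationship mentioned earlier with a constructed demand curve driven by price, promotion expense and salesperson commission; every coefficient, default and figure is an assumption made for illustration.

```python
"""Added example (not part of the original text): the four DSS analytical
modeling activities (what-if, sensitivity, goal-seeking, optimization) applied
to a small sales-performance model.

The model base is the text's Revenue - Expenses = Profit relationship with a
constructed demand curve; every coefficient and figure is an assumption made
for illustration, not a model from the text.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SalesPlan:
    """Decision variables a sales manager can change (constructed defaults)."""
    price: float = 50.0          # selling price per unit
    promotion: float = 10_000.0  # promotion expense
    commission: float = 0.05     # salesperson compensation as a share of revenue


def model(plan: SalesPlan) -> Dict[str, float]:
    """Model base: units demanded rise with promotion and fall with price (constructed)."""
    units = max(0.0, 4_000.0 + 0.3 * plan.promotion - 40.0 * (plan.price - 50.0))
    revenue = units * plan.price
    expenses = 60_000.0 + 20.0 * units + plan.promotion + plan.commission * revenue
    return {"units": units, "revenue": revenue, "expenses": expenses,
            "profit": revenue - expenses}


def what_if(plan: SalesPlan, **changes: float) -> float:
    """What-if analysis: change one or more variables and observe the resulting profit."""
    return model(replace(plan, **changes))["profit"]


def sensitivity(plan: SalesPlan, variable: str, values: List[float]) -> List[Tuple[float, float]]:
    """Sensitivity analysis: vary a single variable repeatedly, holding the rest fixed."""
    return [(v, what_if(plan, **{variable: v})) for v in values]


def goal_seek(plan: SalesPlan, variable: str, target_profit: float,
              lo: float, hi: float, tol: float = 1e-6) -> float:
    """Goal-seeking analysis: find the value of `variable` at which profit hits the target.

    Uses bisection, so profit must be monotone in `variable` on [lo, hi] and the
    target must lie between the profits at lo and hi.
    """
    f_lo = what_if(plan, **{variable: lo}) - target_profit
    f_hi = what_if(plan, **{variable: hi}) - target_profit
    if f_lo * f_hi > 0:
        raise ValueError("target profit is not reachable between lo and hi")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        f_mid = what_if(plan, **{variable: mid}) - target_profit
        if f_lo * f_mid <= 0:
            hi = mid          # root lies in the lower half
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


def optimize(plan: SalesPlan, variable: str, lo: float, hi: float, step: float,
             feasible: Callable[[Dict[str, float]], bool]) -> Tuple[float, float]:
    """Optimization analysis: the value of `variable` in [lo, hi] with the best profit
    among plans that satisfy the constraint `feasible(outcome)`.

    Returns (best_value, best_profit). A grid search keeps the example dependency-free.
    """
    best: Optional[Tuple[float, float]] = None
    steps = int(round((hi - lo) / step))
    for i in range(steps + 1):
        value = lo + i * step
        outcome = model(replace(plan, **{variable: value}))
        if feasible(outcome) and (best is None or outcome["profit"] > best[1]):
            best = (value, outcome["profit"])
    if best is None:
        raise ValueError("no feasible value in the search range")
    return best


if __name__ == "__main__":
    base = SalesPlan()
    print("baseline profit:", model(base)["profit"])                 # 122500.0
    print("what-if, promotion 20000:", what_if(base, promotion=20_000.0))  # 195000.0
    print("sensitivity to commission:", sensitivity(base, "commission", [0.05, 0.10]))
    print("promotion needed for 150000 profit:",
          round(goal_seek(base, "promotion", 150_000.0, 0.0, 50_000.0), 2))
    # Best price while keeping at least 5000 units sold (a market-share style constraint).
    print("constrained optimum price:",
          optimize(base, "price", 20.0, 200.0, 1.0, lambda o: o["units"] >= 5_000))
```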
MBA takes its name from the concept of customers throwing all of their purchases into a shopping cart (a market basket) during grocery shopping.

Consider some of the typical applications of MBA:

Cross Selling. Offer the associated items when a customer buys any item from your store.

Product Placement. Items that are associated (such as bread and butter, tissues and cold medicine, potato chips and beer) can be put near each other. If customers see them together, there is a higher probability that they will purchase them together.

Affinity Promotion. Design promotional events based on associated products.

Survey Analysis. The fact that both the independent and dependent variables of market basket analysis are of nominal (categorical) data type makes MBA very useful for analyzing questionnaire data.

Fraud Detection. Based on credit card usage data, we may be able to detect certain purchase behaviors that can be associated with fraud.

Customer Behavior. Associating purchases with demographic and socioeconomic data (such as age, gender, and preference) may produce very useful results for marketing.

Executive Information Systems

Executive information systems (EIS) are information systems that combine many of the features of management information systems and decision support systems. Thus, the first goal of executive information systems was to provide top executives with immediate and easy access to information about a firm’s critical success factors (CSFs), that is, key factors that are critical to accomplishing an organization’s strategic objectives. Yet managers, analysts, and other knowledge workers use executive information systems so widely that they are sometimes humorously called “everyone’s information systems.” More popular alternative names are enterprise information systems (EIS) and executive support systems (ESS).

Features of an EIS

In an EIS, information is presented in forms tailored to the preferences of the executives using the system.
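Market basket analysis as described above, as an added example that is not part of the original text: it mines association rules (support, confidence, lift) from a small set of constructed baskets and uses them for the cross-selling application listed above. The baskets, the minimum support and confidence thresholds, and the function names are all assumptions made for illustration.

```python
"""Added example (not part of the original text): a minimal market basket
analysis that mines association rules (support, confidence, lift) from
constructed transactions and applies them to cross selling.

The baskets and thresholds are assumptions made for illustration.
"""
from collections import Counter
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed baskets: each is the set of items one customer bought together.
BASKETS: List[FrozenSet[str]] = [frozenset(b) for b in [
    {"bread", "butter", "milk"},
    {"bread", "butter"},
    {"bread", "butter", "beer", "chips"},
    {"beer", "chips"},
    {"milk", "tissues", "cold medicine"},
    {"tissues", "cold medicine"},
    {"bread", "milk"},
    {"beer", "chips", "milk"},
]]

# A rule X -> Y is stored as (X, y, support, confidence, lift).
Rule = Tuple[FrozenSet[str], str, float, float, float]


def itemset_support(baskets: List[FrozenSet[str]], max_size: int = 2,
                    min_support: float = 0.25) -> Dict[FrozenSet[str], float]:
    """Support of every itemset of up to `max_size` items: the fraction of baskets containing it.

    Itemsets below min_support are dropped, which is the pruning idea behind Apriori.
    """
    n = len(baskets)
    counts: Counter = Counter()
    for basket in baskets:
        items = sorted(basket)
        for size in range(1, max_size + 1):
            for combo in combinations(items, size):
                counts[frozenset(combo)] += 1
    return {itemset: c / n for itemset, c in counts.items() if c / n >= min_support}


def association_rules(supports: Dict[FrozenSet[str], float],
                      min_confidence: float = 0.6) -> List[Rule]:
    """Derive rules X -> y from frequent itemsets.

    confidence = support(X ∪ {y}) / support(X); lift = confidence / support({y}).
    Rules are returned strongest first (by confidence, then support).
    """
    rules: List[Rule] = []
    for itemset, sup in supports.items():
        if len(itemset) < 2:
            continue
        for consequent in itemset:
            antecedent = itemset - {consequent}
            single = frozenset([consequent])
            if antecedent not in supports or single not in supports:
                continue  # cannot happen after pruning, kept as a guard
            confidence = sup / supports[antecedent]
            lift = confidence / supports[single]
            if confidence >= min_confidence:
                rules.append((antecedent, consequent, sup, confidence, lift))
    rules.sort(key=lambda r: (-r[3], -r[2], sorted(r[0]), r[1]))
    return rules


def cross_sell_suggestions(rules: List[Rule], basket: Iterable[str]) -> List[str]:
    """Cross selling: items to offer, given what is already in the basket."""
    have = set(basket)
    suggestions: List[str] = []
    for antecedent, consequent, _sup, _conf, _lift in rules:
        if antecedent <= have and consequent not in have and consequent not in suggestions:
            suggestions.append(consequent)
    return suggestions


if __name__ == "__main__":
    supports = itemset_support(BASKETS)
    for antecedent, consequent, sup, conf, lift in association_rules(supports):
        print(f"{sorted(antecedent)} -> {consequent}: support={sup:.3f} "
              f"confidence={conf:.2f} lift={lift:.2f}")
    print("offer with bread:", cross_sell_suggestions(association_rules(supports), {"bread"}))
```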
Other information presentation methods used by an EIS include exception reporting and trend analysis. The ability to drill down, which allows executives to retrieve displays of related information quickly at lower levels of detail, is another important capability. Executive information systems have spread into the ranks of middle management and business professionals as their feasibility and benefits have been recognized and as less expensive systems for client/server networks and corporate intranets became available. For example, one popular EIS software package reports that only 3 percent of its users are top executives.

Enterprise Portals and Decision Support

Decision support in business is changing, driven by rapid developments in end-user computing and networking; Internet and Web technologies; and Web-enabled business applications. One of the key changes taking place in management information and decision support systems in business is the rapid growth of enterprise information portals.

Enterprise Information Portals

An enterprise information portal (EIP) is a Web-based interface and integration of MIS, DSS, EIS, and other technologies that give all intranet users and selected extranet users access to a variety of internal and external business applications and services. The business benefits of enterprise information portals include providing more specific and selective information to business users, providing easy access to key corporate intranet Web site resources, delivering industry and business news, and providing better access to company data for selected customers, suppliers, or business partners. Enterprise information portals can also help avoid excessive surfing by employees across company and Internet Web sites by making it easier for them to receive or find the information and services they need, thus improving the productivity of a company’s workforce.

Knowledge Management Systems

In many organizations, hypermedia databases at corporate intranet