IT Governance PL.pdf

Transcript

A Complete Summary of
IT Governance
as per references
for
Professional Level

Prepared by:
MD. SOHEL BEPARY
 Table of Contents

CHAPTER # 01: INFORMATION TECHNOLOGY POLICIES AND LAWS.......................................... 1
A. National ICT Policy 2009...................................................................................................................... 1
B. Information and Communication Technology Act, 2006.................................................................. 4
DIGITAL SECURITY ACT 2018............................................................................................................... 7
C. Ethical and Social Issues in Information Systems.......................................................................... 12
CHAPTER # 02: DECISION SUPPORT SYSTEMS............................................................................... 20
A. Decision Support in Business............................................................................................................ 20
B. Artificial Intelligence Technologies in Business.............................................................................. 26
C. Understanding Blockchain Technology............................................................................................ 31
D. Understanding Fintech Technologies............................................................................................... 38
CHAPTER # 03: IT GOVERNANCE, ORGANISATION AND STRATEGY......................................... 42
A. IT Governance..................................................................................................................................... 42
B. IT Organisations and Strategy........................................................................................................... 43
CHAPTER # 04: INFORMATION SYSTEMS SECURITY..................................................................... 53
A. System Vulnerability and Abuse........................................................................................................ 53
B. Business Value of Security Control.................................................................................................. 55
C. Ethical Responsibilities of Business Professional.......................................................................... 56
D. Computer Crime.................................................................................................................................. 57
E. Privacy Issues...................................................................................................................................... 59
F. Current State of Cyber Law................................................................................................................ 60
G. Other Challenges................................................................................................................................ 61
H. Establishing a Framework for Security and Control....................................................................... 63
I. Technologies and Tools for Security.................................................................................................. 65
J. Information Security Management..................................................................................................... 68
K. Auditing Information Security Management Framework............................................................... 71
L. Cybersecurity........................................................................................................................................ 75
CHAPTER # 05: DEVELOPING BUSINESS/ IT SOLUTIONS............................................................. 79
A. Developing Business Systems.......................................................................................................... 79
B. Implementing Business Systems...................................................................................................... 87
CHAPTER # 06: INFORMATION SYSTEMS AUDITING...................................................................... 94
A. Management of the IS Audit Function.............................................................................................. 94
B. ISACA IS Audit and Assurance Standards and Guidelines.......................................................... 96
C. IS Controls............................................................................................................................................ 97
D. Performing an IS Audit..................................................................................................................... 103
E. Communicating Audit Results......................................................................................................... 115
 CHAPTER # 01: INFORMATION TECHNOLOGY POLICIES AND LAWS

A. National ICT Policy 2009

Structure and Conventions
The policy document is structured as a hierarchical pyramid with a single vision, 10 broad objectives, 56
strategic themes and 306 action items. The vision and objectives are aligned with the general national goals
while the strategic themes are areas within the broad objectives that can readily benefit from the use of
ICTs. The action items are generally meant to be implemented either in the
short term (18 months or less),
medium term (5 years or less) or
long term (10 years or less).
However, some action items have been recommended for continuation throughout multiple terms where the
scope of the activity gradually expands in the longer terms. Conventional notions of vision, objective,
strategic theme, etc. tend to differ greatly from person to person and from discipline to discipline. Thus, for
the purpose of this policy proposal, the following definitions have been adopted for a) Vision, b) Objective c)
Strategic Theme, d) Action Item, and e) ICTs.

B. Policy Ownership, Monitoring and Review
The ICT Policy must be owned by all stakeholder groups who will continually seek to have the mandates of
the policy adhered to in all spheres of national life. The policy must have a Champion in the highest levels of
the Government. Accordingly, the following Policy Ownership arrangement is envisaged. The National ICT
Policy shall be monitored and coordinated by the Minister in charge of ICT while the associated action
programmes will be implemented and/or supported by the Bangladesh Computer Council or its successor
organisation; all Government agencies and quasi-state bodies will implement ICT Policy in their respective
area. Instruction from National ICT Task Force will be taken for any deviation in implementing the Policy.
The action plans under the policy shall be reviewed at least once a year for implementation status checks,
necessary reprioritizations and changes in programmes. The strategic themes shall be reviewed every three
years along with realignment of specific goals with new developments. The whole policy itself shall be
reviewed in totality every six years and long-term goals adjusted according to achievements and failures
along the way. With the aims and objectives of the National ICT Policy 2009 materialized, Bangladesh is
expected to become a ‘knowledge society’ within one generation.

Vision
Expand and diversify the use of ICTs to establish a transparent, responsive and accountable government;
develop skilled human resources; enhance social equity; ensure cost-effective delivery of citizen-services
through public-private partnerships; and support the national goal of becoming a middle-income country
within 2021 and join the ranks of the developed countries of the world within thirty years.

Objectives
Social Equity: Ensure social equity, gender parity, equal opportunity and equitable participation in nation-
building through access to ICTs for all, including persons with disabilities and special needs

Productivity: Achieve higher productivity across all economic sectors including agriculture and SMME
(small, medium and micro enterprises) through the use of ICTs.

Integrity: Achieve transparency, accountability, responsiveness and higher efficiency in the delivery of
citizen-services.

Education and Research: Expand the reach and quality of education to all parts of the country using ICTs,
ensure computer literacy at all levels of education and public service and facilitate innovation, creation of
intellectual property and adoption of ICTs through appropriate research and development.

Employment Generation: Enlarge the pool of world-class ICT professionals to cater to the local and
overseas employment opportunities.

Strengthening Exports: Ensure a thriving software, ITES and IT manufacturing industry to meet domestic
and global demands and thereby increase foreign exchange earnings, attract foreign direct investments and
reduce dependence on imports.

Healthcare: Ensure quality healthcare to all citizens by innovative application of ICTs.

Page 1 of 123
Universal Access: Ensure connectivity to all as a public service obligation (PSO).

Environment, Climate and Disaster Management: Enhance creation and adoption of environment-friendly
green technologies, ensure safe disposal of toxic wastes, minimize disaster response times and enable
effective climate change management programmes through use of ICTs as Bangladesh is facing the dual
scourge of environmental pollution due to rising industrial and consumer wastes and also global-warming-
induced climate-change due to excessive carbon emissions of the industrialized countries

Supports to ICTs: Develop appropriate infrastructure including power, and regulatory framework for
effective adoption and use of ICTs throughout the country.

E. Strategic Themes

E.1. Social Equity:
1.1 Mainstream social advancement opportunities for disadvantaged groups as an immediate priority to
minimize economic disparity and bridge the digital divide for (a) lower income groups, (b) ethnic minorities,
(c) women, and (d) persons with disabilities and special needs
1.2 Facilitate citizens’ participation in local and national government, and policy making as a broad national
agenda
1.3 Provide incentives to the private sector and NGO/CSO/CBOs to generate and share locally relevant and
local language digital content and online services
1.4 Develop and preserve content to bolster culture, heritage and religion
1.5 Bring into focus children's issues, including protection of children from harmful digital content

E.2. Productivity:
2.1 Encourage maximum utilization of ICT services nationwide to boost productivity of small, medium and
micro enterprises and agriculture sector, and focus on innovation and competitiveness
2.2 Ensure dissemination and utilization of latest know-how and market information to increase production
capability and supply chain management of agriculture through ICT applications
2.3 Ensure better monitoring, skills gap determination, appropriate training and modern enterprise
operations to enhance productivity of large enterprises by encouraging immediate implementation of end to
end applications (ERP)
2.4 Ensure sustainable productivity in the service sector through increased automation of operations and
management information systems
2.5 Encourage e-commerce, e-payments, and e-transactions in general bringing in a new dimension of
productivity to the economy at the earliest

E.3. Integrity:
3.1 Ensure the use of Bangla in all ICT activities
3.2 Reduce harassment, time and cost of the people and ensure transparency and accountability in
government service delivery by monitoring citizens' charter and making results of all services delivery public
including services related to justice and law & order
3.3 Establish interconnectivity across government offices for effective data sharing
3.4 Build capacity of public functionaries and foster leadership for electronic service delivery
3.5 Mandate availability of all public information through electronic means and ensure sustainability of ICT-
based citizens’ services delivery
3.6 Introduce ICT-based monitoring of planning, implementation and effectiveness of development projects

E.4. Education and Research:
4.1 Assess skills of ICT professionals and meet gaps with targeted training programmes to overcome the
short-term skills shortage in the ICT industry and adopt continuing education and professional skills
assessment and enhancement programmes
4.2 Encourage closer collaboration between academia and industry to align curriculum with market needs
4.3 Establish an ICT Centre of Excellence with necessary long-term funding to teach and conduct research
in advanced ICTs
4.4 Extend the reach of ICT literacy throughout the country by incorporating ICT courses in primary and
secondary education and technical and vocational education and training (TVET) programmes
4.5 Enhance the quality and reach of education at all levels with a special focus on Mathematics, Science
and English
4.6 Ensure ICT Literacy for all in public service

Page 2 of 123
4.7 Boost use of ICT tools in all levels of education including ECDP, mass literacy and lifelong learning
4.8 Ensure access to education and research for people with disabilities and special needs using ICT tools
4.9 Ensure that all universities provide global standard ICT education and introduce Postgraduate
Programmes in ICT education to encourage research and innovation

E.5. Employment Generation:
5.1 Provide incentives for investment in local ICT industry
5.2 Build institutional capacity for producing greater number of IT professionals in line with domestic and
global demands for knowledge workers
5.3 Standardize skills for local ICT industry
5.4 Facilitate global employment of skilled ICT workforce
5.5 Provide financial assistance to ICT professionals for skills development

E.6. Strengthening Exports:
6.1 Develop strong marketing, promotion and branding for Bangladeshi ICT products and services in global
markets
6.2 Ensure access to finance for promising software and ITES companies
6.3 Develop and maintain reliable ICT infrastructure
6.4 Provide incentives to increase export and create industry friendly policy and enabling environment
6.5 Foster innovation through research and development to improve quality, process, technology, domain,
value chain and niche markets

E.7. Healthcare:
7.1 Improve management of healthcare delivery system using telemedicine and modern technologies
7.2 Improve community awareness and access to health care facilities for all including difficult to access
areas, with a special emphasis on child, maternal and reproduction health
7.3 Ensure Quality Assurance of health care services
7.4 Enhance capacity of National Health Service Delivery System

E.8. Universal Access:
8.1 Extend universal connectivity to all citizens as a public service obligation within 5 years
8.2 Extend internet backbone infrastructure to all district headquarters immediately at the same access cost
as in the capital
8.3 Extend Internet and IP telephony services to all parts of the country within 5 years through providing
incentives as stipulated in the national telecom policy
8.4 Make IP-based telecommunications ubiquitous and affordable by all through aggressive adoption of
NGN and license-free regime

E.9. Environment, Climate and Disaster Management:
9.1 Promote entire environmental preservation including land and water resources by adopting environment-
friendly green technologies
9.2 Promote entire environmental protection including land and water resources through the use of ICT tools
9.3 Protect citizens from natural disasters through ICT-based disaster warning and management
technologies
9.4 Ensure safe disposal of toxic wastes resulting from use of ICTs
9.5 Promote efficient relief management and post disaster activities monitoring

E.10. Supports to ICTs:
10.1 Ensure reliable and cost-effective power
10.2 Create supportive legal framework for IPR protection, online document sharing, transactions and
payments
10.3 Establish a Government Interoperability Framework to be adhered to by all government ICT projects
10.4 Promote the use of cost-effective, open source and open architecture solutions
10.5 Build ICT infrastructure facilities in educational institutions
10.6 Decentralize ICT growth outside the capital
10.7 Improve education quality in IT, Mathematics and English
10.8 Improve Internet availability and reliability

Page 3 of 123
B. Information and Communication Technology Act, 2006

Digital signature" means data in an electronic form, which--
a) is related with any other electronic data directly or logically; and
b) is able to satisfy the following conditions for validating the digital signature--
(i) affixing with the signatory uniquely;
(ii) capable to identify the signatory;
(iii) created in safe manner or using a means under the sole control of the signatory; and
(iv) related with the attached data in such a manner that is capable to identify any alteration made
in the data thereafter.

Sec- 6: Legal recognition of electronic records.--Where any law provides that information or any other
matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in
such law, such information or matter is rendered or made available in an electronic form:
Provided that such information or matter is accessible so as to be usable for a subsequent reference.

Sec- 9: Retention of electronic records.--(1) Where any law provides that any document, record or
information shall be retained for any specific period, then such requirement shall be deemed to have been
satisfied if such documents, records or information, as the case may be, are retained in the electronic form if
the following conditions are satisfied--
a) the information contained therein remains accessible so as to be usable for a subsequent reference;
b) the electronic record is retained in the format in which it was originally generated, sent or received, or in
a format which can be demonstrated to represent accurately the information originally generated, sent or
received;
c) such information, if any, as enables the identification of the origin and destination of an electronic record
and the date and time when it was sent or received, is retained:
Provided that this sub-clause does not apply to any information which is automatically generated solely for
the purpose of enabling and electronic record to be dispatched or received.

Sec- 19: Functions of the Controller.--The Controller may perform all or any of the following functions,
namely:--
a) exercising supervision over the activities of the Certifying Authorities;
b) laying down the standards to be maintained by the Certifying Authorities;
c) specifying the qualifications and experience which employees of the Certifying Authorities should
possess;
d) specifying the conditions subject to which the Certifying Authorities shall conduct their business;
e) specifying the contents of written, printed or visual materials and advertisements that may be used
in respect of a Digital Signature Certifying;
f) specifying the form and content of a Digital Signature Certificate;
g) specifying the form and manner in which accounts shall be maintained by the Certifying Authorities;
h) specifying the terms and conditions subject to which auditors may be appointed and the
remuneration to be paid to them for auditing the Certifying Authorities;
i) facilitatining the establishment of any electronic system by a Certifying Authority either solely or
jointly with other Certifying Authorities and regulation of such systems;
j) specifying the manner in which the Certifying Authorities shall conduct their dealings with the
subscribers;
k) resolving any conflict of interests between the Certifying Authorities and the subscribers;
l) laying down the duties and responsibilities of the Certifying Authorities;
m) maintaining computer based databases, which--
i. contain the disclosure record of every Certifying Authority containing such particulars as may be
specified by regulations; and
ii. shall be accessible to the member of the public;
n) perform any other function under this Act or Codes prepared under this Act.

Sec- 30: Access to computers and data.—
(1) Without prejudice to the provisions of section 45 of this Act the Controller or any officer authorized by him
shall, if he has reasonable cause to suspect that any contravention of the provisions of this Act or rules and
regulations made there under has been committed, have access to any computer system, any apparatus,
data or any other material connected with such system, for the purpose of searching or causing a search to
be made for obtaining any information or data contained in or available to such computer system.

Page 4 of 123
(2) For the purpose of sub-section (1) of this section the Controller or any officer authorized by him may, by
order, direct any person in charge of, or otherwise concerned with the operation of, the computer system,
data apparatus or material, to provide him with such reasonable technical and other assistance as he may
consider necessary.
(3) If authorization has been given to a person, the authorized person shall oblige to assist as instructed
under sub-section (1) of this section.

Sec- 39: Suspension of Digital Signature Certificate.—
1. Subject to the provisions of sub-section (2) of this section, the Certifying Authority which has issued a
Digital Signature Certificate may suspend such Digital Signature Certificate—
a. on receipt of a request to that effect from the subscriber listed in the Digital Signature certificate or
any person duly authorized to act on behalf of that subscriber;
b. if it is opinion that the Digital Signature Certificate should be suspended in public interest.
2. A Digital Signature Certificate shall not be suspended for a period exceeding 30 (thirty) days without
giving the subscriber a notice under sub-section 1 (b) of this section.
3. Certifying Authority can suspend the Digital Signature Certificate, if the Authority is satisfied on the
ground that the explanation given by the subscriber in response to the notice of subsection (2) of this
section is not acceptable.
4. On suspension of a Digital Signature Certificate under this section, the Certifying Authority shall
communicate the same to the subscriber.

BREACHING RULES, PREVENTION, PENALTIES ETC.

Sec- 48: Penalty for failure to furnish document, return and report.—If any person fails to submit given
document, return and report under the provisions of this Act, or rules and regulations made there under to
the Controller or Certifying Authority, the Controller or any officer of the Government authorized by the
Government by special order, as the case may be, can fine the person which may extend to Taka ten
thousands mentioning reasons in written by administrative order.

Sec- 49: Penalty for failure to file return, information, book etc.—If any person fails to deliver any
information, books or any other documents under the provisions of this Act, or rules and regulations made
there under within stipulated time, the Controller or any officer of the Government authorized by the
Government by special order, as the case may be, can fine the person which may extend to Taka ten
thousand mentioning reasons in written by administrative order.

Sec- 50: Penalty for failure to maintain books of accounts or record.—If any person fails to maintain
books of accounts or records which is supposed to be preserved under the provisions of this Act, or rules
and regulations made there under, the Controller or any officer of the Government authorized by the
Government by special order, as the case may be, can fine the person which may extend to Taka two lakhs
mentioning reasons in written by administrative order.

Sec- 51: Residuary penalty.—If any person contravenes any rules of this Act for which the provision of
penalties has not been fixed separately under the provisions of this Act, or rules and regulations made there
under, the Controller or any officer of the Government authorized by the Government by special order, as
the case may be, can fine the person for breaching the very rule which may extend to Taka twenty five
thousands mentioning reasons in written by administrative order.

OFFENCES, INVESTIGATION, ADJUDICATION, PENALTIES ETC

Section- 54 to 57 and 66 has been repealed by Digital Security Act- 2018

58. Punishment for failure to surrender licence.--(1) Where any Certifying Authority fails to surrender a
licence under section 34 of this Act, the person in whose favour the licence is issued, the failure of the
person shall be an offence.
(2) Whoever commits offence under sub-section (1) of this section he shall be punishable with imprisonment
for a term which may extend to six months, or with fine which may extend to Taka ten thousand, or with
both.

59. Punishment for failure to comply with order.--(1) Any person who fails to comply with any order made
under section 45 of this Act, then this activity of his will be regarded as an offence.

Page 5 of 123
(2) Whoever commits offence under sub-section (1) of this section he shall be punishable with imprisonment
for a term which may extend to one year, or with fine which may extend to Taka one lakh, or with both.

60. Punishment for failure to comply with order made by the Controller in emergency --
(1) Any person who fails to comply with any order made under section 46 of this Act, then this activity of his
will be regarded as an offence.
(2) Whoever commits offence under sub-section (1) of this section he shall be punishable with imprisonment
for a term which may extend to five years, or with fine which may extend to Taka five lakhs, or with both.

61. Punishment for unauthorized access to protected systems.--(1) Any person who secures access or
attempts to secure access to protected system in contraventions of section 47 of this Act, then this activity of
his will be regarded as an offence.
(2) Whoever commits offence under sub-section (1) of this section he shall be punishable with imprisonment
for a term which may extend to ten years, or with fine which may extend to Taka ten lakhs, or with both.

62. Punishment for misrepresentation and obscuring information.--Whoever makes any
misrepresentation to, or suppresses any material fact from the Controller or the Certifying Authority for
obtaining any licence or Digital Signature Certificate shall be regarded as an offence.
(2) Whoever commits any offence under sub-section (1) of this section he shall be punishable with
imprisonment for a term which may extend to two years, or with fine which may extend to Taka two lakhs, or
with both.

63. Punishment for disclosure of confidentiality and privacy.--Save as otherwise provided by this Act or
any other law for the time being in force, no person who, in pursuance of any of the powers conferred under
this Act, or rules and regulations made thereunder, has secured access to any electronic record, book,
register, correspondence, information, document or other material shall, without the consent of the person
concerned, disclose such electronic record, book, register, correspondence, information, document or other
material to any other person shall be regarded as an offence.
(2) Whoever commits any offence under sub-section (1) of this section he shall be punishable with
imprisonment for a term which may extend to two years, or with fine which may extend to Taka two lakhs, or
with both.

64. Punishment for publishing false Digital Signature Certificate.--No person shall publish a Digital
Signature Certificate or otherwise make it available to any other person knowing that--
(a) the Certifying Authority listed in the certificate has not issued it; or
(b) the subscriber listed in the certificate has not accepted it; or
(c) the certificate has been revoked or suspended; unless such publication is for the purpose of verifying a
digital signature created prior to such suspension or revocation and by breaching the rules such Digital
Signature Certificate is published or
otherwise make it available to others shall be regarded as an offence.
(2) Whoever commits any offence under sub-section (1) of this section he shall be punishable with
imprisonment for a term which may extend to two years, or with fine which may extend to Taka two lakhs, or
with both.

65. Punishment for publishing Digital Signature Certificate for fraudulent purpose etc.-- Whosoever
knowingly creates and publishes or otherwise makes available a Digital Signature Certificate for any
fraudulent or unlawful purpose shall be regarded as an offence.
(2) Whoever commits any offence under sub-section (1) of this section he shall be punishable with
imprisonment for a term which may extend to two years, or with fine which may extend to Taka two lakh, or
with both.

67. Offences committed by companies etc.--If any offence is committed by a company under this Act,
then each director, manager, secretary, partner, officer and staff of the company who has directly
involvement in committing the said offence shall be guilty of the offence or the contraventions, as the case
may be, unless he proves that the offence or contravention was committed without his knowledge or that he
exercised sue diligence in order to prevent commission of such offence or contravention.
Explanation.—For the purposes of this section.—
(a) “company” means anybody corporate and includes commercial firm, partnership business, cooperatives,
association, organization or other association of individuals; and
(b) “director” in relation to a commercial firm includes a partner or member of Board of Directors.

Page 6 of 123
 DIGITAL SECURITY ACT 2018

CHAPTER SIX

Crime and Punishment

17) Punishment for Illegal Entrance in Critical Information Infrastructure, etc.: -

(1) If any person intentionally or knowingly in any Critical information infrastructure-
a) Illegally enters, or
b) By means of illegal entrance, harms or destroys or renders inactive the infrastructure or tries to do so,
Then the above activity of that person will be an offense under the Act
(2) If any person of Sub Section (1)- a. Commits any offense within the Clause (a) then, the person will be
penalized by imprisonment for a term not exceeding 7(seven) years or by fine not exceeding 25 (twenty
five) lacs taka or with both.
b. Commits any offense within Clause (b) then, the person will be penalized by imprisonment for a term
not exceeding 14 (fourteen) years or with fine not exceeding 1 (one) crore taka or with both.
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently
commits the offense then, he will be punished with lifetime imprisonment or with fine not exceeding 5
(five) crore taka or with both

18) Illegal Entrance in computer, digital device, computer system, etc. and punishment:-

(1) If any person willingly-
a. illegally enters or help to enter in any computer, computer system or computer network, or
b. illegally enters or helps to enter with the intention of committing a crime then the activity of that person
will be a offense under the Act
(2) If any person under Sub Section (1)-
a. Commits any offense within the Clause (a) then, the person will be penalized with imprisonment for a
term not exceeding 6 months or by fine not exceeding3 (three) lacs taka or with both.
b. Commits any offense within Clause (b) then, the person will be penalized with imprisonment for a
term not exceeding 3(three) years or with fine not exceeding 10 (ten) lacs taka or with both.
(3) If an offence within the Sub-Section (1), is committed in case of a secured computer or computer system
or computer network then, the person will be penalized by imprisonment for a term not exceeding
3(three) years or by fine not exceeding 10 (ten) lacs taka or with both.

(4) If any person commits the offense within this Section for the second time or recurrently commits it then,
he will be penalized with punishment that is two times of the punishment designated for the main offense

19) Damage of Computer, Computer System, etc. and punishment:-

(1) If any person-
a. Collects any data or data-storage, information or part of it from any computer, computer system, or
computer network or collects transferable information or part of it or copy of it stored in the said
computer, computer system or computer network, or
b. Intentionally inserts or tries to insert any virus or malware or any harmful software in any computer or
computer system or computer network, or
c. Intentionally harms or tires to harm the data or data-storage of any computer, computer system, or
computer network or harms or tries to harm the Programs protected in a computer, computer system, or
computer network or
d. By any means stops or tries to stop a valid or authorized person to enter any computer, computer
system, or computer network, or
e. Intentionally creates or tries to create spam or undesired emails without the permission of the sender
or receiver, for any product or service marketing, or
f. Interferes unjustly in any computer, computer system or Computer network or by lies and deliberate
falsity enjoys the service of an individual or transfers the charge or tries to transfer of such service into
the account of another
Then, that person’s activity will be a an offense under the Act
(2) If any person commits any offense mentioned within sub section (1), the person will be penalized with
imprisonment for a term not exceeding 7(seven) years or fine not exceeding 10 (ten) lacs taka or with
both.

Page 7 of 123
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently
commits it then, he will be punished with imprisonment for a term not exceeding 10( ten) years of
imprisonment or with fine not exceeding 25 (twenty five) lacs taka or with both.

20) Offenses relating to Computer Source Code Change and Punishment:-

(1) If any person intentionally or knowingly hides or destroys or changes the source code used in any
computer, computer system, or computer network or if he tries to hide, destroy or change the source
through another person and if that source code is preservable and securable then that act of the said
person will be considered an offense under the Act.
(2) If any person commits any offense mentioned within sub section (1), the person will be penalized with
imprisonment for a term not exceeding 3 (three) years or fine not exceeding 3 (three) lacs taka or with
both
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently
commits it then, he will be punished with imprisonment for a term not exceeding 5(five) years or with fine
not exceeding 5 (five) lacs taka or with both.

21) Punishment for Any propaganda or campaign against liberation war, Cognition of liberation war,
Father of the nation, National Anthem or National Flag: -

(1) If any person by means of digital medium runs any propaganda or campaign or assists in running a
propaganda or campaign against the liberation war of Bangladesh, Cognition of liberation war, Father of
the Nation, National Anthem or national Flag then, that act of that person will be an offense under the
Act.
(2) If any person commits any offense mentioned within sub section (1), the person will be penalized with
imprisonment for a term not exceeding 10 (ten) years or with fine not exceeding 1 (one) crore taka or
with both.
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently
commits it then, he will be punished with life term imprisonment or with fine not exceeding 3 (three)
crores or with both

22) Digital or Electronic Forgery:-
(1) If any person commits forgery by means of any digital or electronic medium then that activity of that
particular person will be an offense under the Act.
(2) If any person commits any offense mentioned within sub section (1), the person will be penalized with
imprisonment for a term not exceeding 5 (five) years or with a fine not exceeding 5 (five) lacs taka or
with both
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently
commits it then, he will be punished with imprisonment for a term not exceeding 7 (seven) years or with
fine not exceeding 10 (ten) lacs taka or with both
Explanation:-
To fulfill the objective of this Act, “Digital or Electronic Forgery” means, if any person without authority or
in excess of the given authority or by means of unauthorized practice produces input or output of any
computer or digital device or changes, erases or hides incorrect data or program, or results in erroneous
information, or information system of any computer or digital device, data system and computer or digital
network operation
23) Digital or Electronic Fraud:-

(1) If any person commits fraud by means of any digital or electronic medium then that activity of that
particular person will be an offense under the Act.
(2) If any person commits any offense mentioned within sub section (1), the person will be penalized with
imprisonment for a term not exceeding 5 (five) years or by fine not exceeding 5 (five) lacs taka or with
both
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently
commits it then, he will be punished with imprisonment for a term not exceeding 7 (seven) years or with
fine not exceeding 10 (ten) lacs taka or with both

Explanation:-
To fulfill the objective of this Act, “Digital or Electric Fraud” means, if any person intentionally or knowingly
or without permission changes any information, deletes, adds new information or creates distortion and
reduces the value of that or the utility of any computer program, computer system, computer network, digital

Page 8 of 123
device, digital system, digital network, or of a social communication medium, trying to gain benefit for
himself/herself or for others or trying to harm others or to deceive others.

24) Identity Fraud or Being in Disguise:-
(1) If any person intentionally or knowingly uses any computer, computer Program, computer system,
computer network, digital device, digital system or digital network-
a. With the intention of deceiving or cheating carries the identity of another person or shows any
person’s identity as his own, or
b. Intentionally by forgery assuming the identity of a alive or dead person as one’s own for the following
purpose-
i. To achieve some advantages for oneself or for any other person;
ii. To acquire any property or interest in any property;
iii. To harm a person by using another person’s identity in disguise.
Then the Act of the person will be an offense under the Act
(2) If any person commits any offense mentioned within sub section (1), the person will be penalized by
imprisonment for a term not exceeding 5 (five) years or fine not exceeding 5 (five) lacs taka or both
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently
commits it then, he will be punished with imprisonment for a term not exceeding 7 (seven) years or with
10 (ten) lacs taka or with both

25) Publishing, sending of offensive, false or fear inducing data-information, etc.:-
(1) If any person in any website or through any digital medium-
a. Intentionally or knowingly sends such information which is offensive or fear inducing, or which despite
knowing it as false is sent, published or propagated with the intention to annoy, insult, humiliate or
denigrate a person or
b. Publishes or propagates or assists in publishing or propagating any information with the intention of
tarnishing the image of the nation or spread confusion or despite knowing it as false, publishes or
propagates or assists in publishing or propagates information in its full or in a distorted form for the same
intentions
Then, the activity of that person will be an offense under the Act.
(2) If any person commits any offense mentioned within sub section (1), the person will be penalized with
imprisonment for a term not exceeding 3(three) years of or fine not exceeding 3(three) lacs taka or with
both.
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently
commits it then, he will be punished with imprisonment for a term not exceeding 5(five) years or with fine
not exceeding 10 (ten) lacs taka or with both

26) Punishment for Collecting, Using identity Information without Permission, etc :-
(1) If any person without any legal authority collects, sells, takes possession, supplies or uses any person’s
identity information, then, that activity of that person will be an offense under the Act.
(2) If any person commits any offense mentioned within sub section (1), the person will be penalized with
imprisonment for a term not exceeding 5 (five) years or fine not exceeding 5 (five) lacs taka or with both.
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently
commits it then, he will be penalized with imprisonment for a term not exceeding 7 (seven) years or with
fine not exceeding 10 (ten) lacs taka or with both.

Explanation:-
To fulfill the objective of this Section, “Identity Information”, means any external, biological or physical
information or any other information which singly or jointly can identify a person or a system, his/her name,
address, Date of birth, mother’s name , father’s name, signature, National identity , birth and death
registration number, finger print, passport number , bank account number , driver’s license , E-TIN number,
Electronic or digital signature , username, Credit or debit card number, voice print , retina image , iris image ,
DNA profile, Security related questions or any other identification which due to the excellence of technology
is easily available.

27) Punishment for committing Cyber-terrorism: -
(1) If any person –
a. With the intention to breach the national security or to endanger the sovereignty of the Nation and to
instill terror within the public or a part of them creates obstruction in the authorized access to any
computer, computer network or internet network or illegally accesses the said computer, computer

Page 9 of 123
 network or internet network or cause the act of obstruction of access or illegal entry through someone,
or
b. Creates such pollution within any digital device or inserts malware which causes in the death of a
person or results in serious injury to a person or raises a possibility of it, or
c. Damages or destroys the supply of daily necessities of public or adversely affects any critical
information infrastructure
d. Intentionally or knowingly enters or penetrates any computer, computer network, internet network, any
secured data information or computer database or such secured data information or computer database
which can be used to damage friendly relations with another foreign country or can be used for acts
against public order or which can be used for the benefit any foreign country or any foreign person or
any group.
Then that activity of that person will be considered as cyber security crime.
(2) If any person commits any offense mentioned within sub section (1), the person will be penalized with
imprisonment for a term not exceeding 14(fourteen) years or with fine not exceeding 1(one) crore taka or
with both.
(3) If any person commits the offense mentioned in sub-section (1) for the second time or recurrently
commits it then, he will be punished with lifetime imprisonment or with fine not exceeding 5(five) crore
taka or with both

28) Publication, Broadcast, etc. of such information in any website or in any electronic format that
hampers the religious sentiment or values:-

(1) If any person or group intentionally or knowingly with the aim of hurting religious sentiments or values or
with the intention to provoke publish or broadcast anything by means of any website or any electronic
format which hurts religious sentiment or values then such activity of that person will be considered an
offence
(2) If any person commits an offence under sub section (1), the person will be sentenced to a term of
imprisonment not exceeding 7 (seven) years or fine not exceeding 10 (ten) lac or both.

(3) If any person commits the offence mentioned in sub-section (1) second time or repeatedly, he will be
punished with imprisonment not exceeding 10 (ten) years or fine not exceeding 20 (twenty) lac taka or
both

29) To publish, broadcast, etc., defamation information:-

(1) If a person commits an offence of publication or broadcast defamatory information as described in
section 499 of the Penal Code (Act XLV of 1860) in any website or in any other electronic format then he
will be sentenced to a term of imprisonment not exceeding 3(Three) years or fine not exceeding Tk.5
(Five) lac or both.
(2) If any person commits the offence mentioned in sub-section (1) second time or repeatedly, he he will be
sentenced to a term of imprisonment not exceeding 5(Five) years or fine not exceeding Tk.10 (Ten) lac
or both

30) E-Transaction without legal authority Offence and Punishment:-

(1) If any person-
a. Does e-transaction through electronic and digital medium of any bank, insurance, or any other
financial institution or any mobile money service providing organisation without legal authority, or.
b. Does e-transaction that has been declared illegal by the Government or Bangladesh Bank,.
Then such activity will be considered as an offence.
(2) If any person commits offence mentioned in sub section (1), the person will be penalized with either
maximum of 5(five) years of imprisonment or fine of Tk. 5 (five) lac or will be punished with both.
(3) If any person commits the offence mentioned in sub-section (1) for the second time or repeatedly, he will
be punished with a maximum of 7(seven) years imprisonment or with maximum fine of Tk. 10 (ten) lac or
both.

Explanation:-
To fulfill the objective of this Section, “E-Transaction”, means deposit or withdrawal of fund or
direction, order or legally authorized money transaction for withdrawal through any bank, financial
institution or through any digital or electronic medium to a specified account number by a person with the
aim of transferring funds.

Page 10 of 123
31) Deterioration of Act-order, etc. and Punishment:-

(1) If any person intentionally publish or broadcast any kind of file in any website or digital format which will
create hostility, hatred or adversity among people or destroy any communal harmony or create unrest or
disorder or deteriorates or threatens to deteriorate the law and order then that activity of that person will
be considered as an offence..
(2) If any person commits any crime mentioned within sub section (1), the person will be penalized with
imprisonment for a term not exceeding to 7(seven) years or fine not exceeding Tk. 5(five) lac or with
both.
(3) If any person commits the crime mentioned in sub-section (1) for the second time or recurrently commits
it, he will be punished with imprisonment for a term not exceeding 10(ten) years or with fine not
exceeding Tk.10 (ten) lac or with both

32) Breaching Government Secret Offence and Punishment:-

(1) If any person commits or aids and abets in committing an offence under Official Secrets Act, 1923 (Act
No XIX of 1923) through computer, digital device, computer network, digital network or through any
other digital medium then he will be punished to a term of imprisonment not exceeding 14(fourteen)
years or with fine not exceeding Tk.25 (Twenty Five) Lac or with both.

(2) If any person commits the offence mentioned in sub-section (1) for the second time or recurrently
commits it, he will be punished with life imprisonment or with fine not exceeding Tk. 1(one) crore or with
both.

33) Illegal Transferring, Saving etc. of Data-Information, Punishment:-

(1) If any person enters any computer or digital system illegally and does any addition or subtraction,
transfer or with the aim of transfer save or aid in saving any data-information belonging to government,
semi-government, autonomous or statutory organization or any financial or commercial organisation ,
then the activity of that person will be considered an offence.
(2) If any person commits an offence mentioned in sub section (1), he will be sentenced to a term of
imprisonment not exceeding 5(Five) years or with fine not exceeding Tk.10 (Ten) lac or with both.
(3) If any person commits the offence mentioned in sub-section (1) second time or recurrently commits it
then, he will be sentenced to a term of imprisonment not exceeding 7(Seven) years or with fine not
exceeding Tk.15 (Fifteen) lac or with both.

34) Hacking Related Offence and Punishment:-

(1) If a person commits hacking then it will be considered an offence. and for this, he will be sentenced to a
term of imprisonment not exceeding 14(Fourteen) years or with fine not exceeding Tk.1 (One) Crore or
with both.
(2) If any person commits the offence mentioned in sub-section (1) second time or repeatedly then, he will
be penalized with life imprisonment or with fine not exceeding Tk.5 (Five) Crore or both
Explanation:
In this section “Hacking” means-
a. To destroy, change, format, cancel any information of the computer data storage or to reduce the
value or suitability of it or damaging it in any other way, or
b. Without ownership or possession illegally entering and damaging any computer, server, computer
network, or any electric system

35) Aiding in Commission of Offence and its Punishment:-

(1) If any person aids in committing any offence under this Act then such act of that person will be
considered an offence.
(2) In case of aiding of an offence, the punishment will be the same as that of the original offence.

36) Offence Committed by Company:-

(1) In case of a company committing an offence under this Act, all such owner, chief executive, director,
manager, secretary, shareholder or any other officer or employee or representative of the company

Page 11 of 123
যে কখন ো প্রশ্ন কনে ো, যে হয় েব ককছু জোন , য়ন ো ককছু ই জোন ো।– ম্যোলকম্
য োবোে
 having direct connection with the offence will be considered as the offender unless he can prove that the
offence took place without his knowledge or he took all possible steps to stop the commission of the
offence
(2) If the company mentioned under subsection (1) is a company having corporate legal personality, then
apart from the people mentioned, the company can also be charged and found guilty under the same
proceedings, but only the monetary punishment can be imposed on the company as per the relevant
provisions

Explanation:
In this Section-
a. The word “Company” includes any commercial institution, business partnership, society, association
or organization;
b. In case of commercial organization meaning of “Director “will be regarded as including its shareholder
or member of board of directors.

37) The power to give order of compensation:

If a person cause financial damage to another person under Section 22 digital or electronic forgery, under
Section 23 digital or electric fraud and under Section 24 identification fraud or by means of disguise, the
tribunal, may order him to compensate the affected person by giving money equivalent to the damage
caused or a suitable amount after considering the damage caused

38) No Responsibility for the service provider:

(1) Any service provider will not be responsible under this Act or any rules enacted under this Act for
facilitating access to data-information, if he succeeds in proving that, the offence or breach was
committed without his knowledge or he took all possible steps to stop the commission of the offence.

C. Ethical and Social Issues in Information Systems

1. What ethical, social, and political issues are raised by information systems?
2. What specific principles for conduct can be used to guide ethical decisions?
3. Why do contemporary information systems technology and the Internet pose challenges to the
protection of individual privacy and intellectual property?
4. How have information systems affected laws for establishing accountability, liability, and the quality of
everyday life?

যে যলোনকে কবনবক েববদো কোজ কনে ো, োনক কখন োই কবশ্বোে কনেো ো- লনেন্স স্টো ব Page 12 of 123
WHAT ETHICAL, SOCIAL, AND POLITICAL ISSUES ARE RAISED BY INFORMATION SYSTEMS?

Ethics refers to the principles of right and wrong that individuals, acting as free moral agents, use to make
choices to guide their behaviors. Information systems raise new ethical questions for both individuals and
societies because they create opportunities for intense social change, and thus threaten existing
distributions of power, money, rights, and obligations. Like other technologies, such as steam engines,
electricity, the telephone, and the radio, information technology can be used to achieve social progress, but
it can also be used to commit crimes and threaten cherished social values. The development of information
technology will produce benefits for many and costs for others. Ethical issues in information systems have
been given new urgency by the rise of the Internet and electronic commerce. Internet and digital firm
technologies make it easier than ever to assemble, integrate, and distribute information, unleashing new
concerns about the appropriate use of customer information, the protection of personal privacy, and the
protection of intellectual property.

Other pressing ethical issues raised by information systems include establishing accountability for the
consequences of information systems, setting standards to safeguard system quality that protects the safety
of the individual and society, and preserving values and institutions considered essential to the quality of life
in an information society. When using information systems, it is essential to ask, “What is the ethical and
socially responsible course of action?”

A MODEL FOR THINKING ABOUT ETHICAL, SOCIAL, AND POLITICAL ISSUES

Ethical, social, and political issues are closely linked. The ethical dilemma you may face as a manager of
information systems typically is reflected in social and political debate. One way to think about these
relationships is shown in Figure 4.1. Imagine society as a more or less calm pond on a summer day, a
delicate ecosystem in partial equilibrium with individuals and with social and political institutions. Individuals
know how to act in this pond because social institutions (family, education, organizations) have developed
well-honed rules of behavior, and these are supported by laws developed in the political sector that
prescribe behavior and promise sanctions for violations. Now toss a rock into the center of the pond. What
happens? Ripples of course.

The introduction of new information technology has a ripple effect, raising new ethical, social, and political
issues that must be dealt with on the individual, social, and political levels. These issues have five moral
dimensions: information rights and obligations, property rights and obligations, system quality, quality of life,
and accountability and control.

The introduction of new information technology has a ripple effect, raising new ethical, social, and political
issues that must be dealt with on the individual, social, and political levels. These issues have five moral

Page 13 of 123
েুন্দে ক ম্বল বযবহোে ম্ৃ ু যে পনেও ম্ো ুষনক স্মৃক ন স্থোয়ী কনে েোনখ। - জজব ম্ুে
dimensions: information rights and obligations, property rights and obligations, system quality, quality of life,
and accountability and control.

FIVE MORAL DIMENSIONS OF THE INFORMATION AGE

The major ethical, social, and political issues raised by information systems include the following moral
dimensions:
Information rights and obligations. What information rights do individuals and organizations
possess with respect to themselves? What can they protect?
Property rights and obligations. How will traditional intellectual property rights be protected in a digital
society in which tracing and accounting for ownership are difficult and ignoring such property rights is so
easy?
Accountability and control. Who can and will be held accountable and liable for the harm done to
individual and collective information and property rights?
System quality. What standards of data and system quality should we demand to protect individual
rights and the safety of society?
Quality of life. What values should be preserved in an information- and knowledge-based society?
Which institutions should we protect from violation? Which cultural values and practices are supported
by the new information technology?

KEY TECHNOLOGY TRENDS THAT RAISE ETHICALISSUES

A new data analysis technology called non-obvious relationship awareness (NORA) has given both the
government and the private sector even more powerful profiling capabilities. NORA can take information
about people from many disparate sources, such as employment applications, telephone records, customer
listings, and “wanted” lists, and correlate relationships to find obscure hidden connections that might help
identify criminals or terrorists (see Figure 4.2). NORA technology scans data and extracts information as the
data are being generated so that it could, for example, instantly discover a man at an airline ticket counter
who shares a phone number with a known terrorist before that person boards an airplane. The technology is
considered a valuable tool for homeland security but does have privacy implications because it can provide
such a detailed picture of the activities and associations of a single individual.

Page 14 of 123
যে বন্ধু অহংকোে ও স্বোনথবে উনবব থোনক, যেই প্রকৃ বন্ধু । -যজোনে েউক্স
WHAT SPECIFIC PRINCIPLES FOR CONDUCT CAN BE USED TO GUIDE ETHICAL DECISIONS?

BASIC CONCEPTS: RESPONSIBILITY, ACCOUNTABILITY, AND LIABILITY

Ethical choices are decisions made by individuals who are responsible for the consequences of their actions.
Responsibility is a key element of ethical action. Responsibility means that you accept the potential costs,
duties, and obligations for the decisions you make. Accountability is a feature of systems and social
institutions: It means that mechanisms are in place to determine who took responsible action, and who is
responsible. Systems and institutions in which it is impossible to find out who took what action are inherently
incapable of ethical analysis or ethical action. Liability extends the concept of responsibility further to the
area of laws. Liability is a feature of political systems in which a body of laws is in place that permits
individuals to recover the damages done to them by other actors, systems, or organizations. Due process is
a related feature of law- overned societies and is a process in which laws are known and understood, and
there is an ability to appeal to higher authorities to ensure that the laws are applied correctly.

ETHICAL ANALYSIS
When confronted with a situation that seems to present ethical issues, how should you analyze it? The
following five-step process should help:
1. Identify and describe the facts clearly. Find out who did what to whom, and where, when, and how. In
many instances, you will be surprised at the errors in the initially reported facts, and often you will find
that simply getting the facts straight helps define the solution. It also helps to get the opposing parties
involved in an ethical dilemma to agree on the facts.
2. Define the conflict or dilemma and identify the higher-order values involved. Ethical, social, and
political issues always reference higher values. The parties to a dispute all claim to be pursuing higher
values (e.g., freedom, privacy, protection of property, and the free enterprise system). Typically, an
ethical issue involves a dilemma: two diametrically opposed courses of action that support worthwhile
values. For example, the chapter-opening case study illustrates two competing values: the need to
improve access to digital content and the need to respect the property rights of the owners of that
content.
3. Identify the stakeholders. Every ethical, social, and political issue has stakeholders: players in the
game who have an interest in the outcome, who have invested in the situation, and usually who have

Page 15 of 123
দয়ো ঈম্োন ে প্রম্ো , েোে দয়ো য ই োে ঈম্ো য ই। -আল-হোকদে
 vocal opinions. Find out the identity of these groups and what they want. This will be useful later when
designing a solution.
4. Identify the options that you can reasonably take. You may find that none of the options satisfy all
the interests involved, but that some options do a better job than others. Sometimes arriving at a good or
ethical solution may not always be a balancing of consequences to stakeholders.
5. Identify the potential consequences of your options. Some options may be ethically correct but
disastrous from other points of view. Other options may work in one instance but not in other similar
instances. Always ask yourself, “What if I choose this option consistently over time?”

CANDIDATE ETHICAL PRINCIPLES
Once your analysis is complete, what ethical principles or rules should you use to make a decision? What
higher-order values should inform your judgment? Although you are the only one who can decide which
among many ethical principles you will follow, and how you will prioritize them, it is helpful to consider some
ethical principles with deep roots in many cultures that have survived throughout recorded history:

1. Do unto others as you would have them do unto you (the Golden Rule). Putting yourself into the place
of others, and thinking of yourself as the object of the decision, can help you think about fairness in
decision making.
2. If an action is not right for everyone to take, it is not right for anyone (Immanuel Kant’s Categorical
Imperative). Ask yourself, “If everyone did this, could the organization, or society, survive?”
3. If an action cannot be taken repeatedly, it is not right to take at all. This is the slippery-slope rule: An
action may bring about a small change now that is acceptable, but if it is repeated, it would bring
unacceptable changes in the long run. In the vernacular, it might be stated as “once started down a
slippery path, you may not be able to stop.”
4. Take the action that achieves the higher or greater value (Utilitarian Principle). This rule assumes you
can prioritize values in a rank order and understand the consequences of various courses of action.
5. Take the action that produces the least harm or the least potential cost (Risk version Principle). Some
actions have extremely high failure costs of very low probability (e.g., building a nuclear generating
facility in an urban area) or extremely high failure costs of moderate probability (speeding and
automobile accidents). Avoid these high-failure-cost actions, paying greater attention to high-failure-cost
potential of moderate to high probability.
6. Assume that virtually all tangible and intangible objects are owned by someone else unless there is a
specific declaration otherwise. (This is the ethical “no free lunch” rule.) If something someone else
has created is useful to you, it has value, and you should assume the creator wants compensation for
this work. Actions that do not easily pass these rules deserve close attention and a great deal of caution.
The appearance of unethical behavior

WHY DO CONTEMPORARY INFORMATION SYSTEMS TECHNOLOGY AND THE INTERNET POSE
CHALLENGES TO THE PROTECTION OF INDIVIDUAL PRIVACY AND INTELLECTUAL PROPERTY?

INFORMATION RIGHTS: PRIVACY AND FREEDOM IN THE INTERNET AGE

Privacy is the claim of individuals to be left alone, free from surveillance or interference from other
individuals or organizations, including the state. Claims to privacy are also involved at the workplace:
Millions of employees are subject to electronic and other forms of high-tech surveillance. Information
technology and systems threaten individual claims to privacy by making the invasion of privacy cheap,
profitable, and effective.

Fair Information Practices (FIP) is a set of principles governing the collection and use of information about
individuals. FIP principles are based on the notion of a mutuality of interest between the record holder and
the individual. The individual has an interest in engaging in a transaction, and the record keeper—usually a
business or government agency—requires information about the individual to support the transaction. Once
information is gathered, the individual maintains an interest in the record, and the record may not be used to
support other activities without the individual’s consent. In 1998, the FTC restated and extended the original
FIP to provide guidelines for protecting online privacy. Table 4.4 describes the FTC’s Fair Information
Practice principles.

Page 16 of 123
দয়ো ঈম্োন ে প্রম্ো , েোে দয়ো য ই োে ঈম্ো য ই। -আল-হোকদে
Internet Challenges to Privacy
Internet technology has posed new challenges for the protection of individual privacy. Information sent over
this vast network of networks may pass through many different computer systems before it reaches its final
destination. Each of these systems is capable of monitoring, capturing, and storing communications that
pass through it.
Web sites track searches that have been conducted, the Web sites and Web pages visited, the online
content a person has accessed, and what items that person has inspected or purchased over the Web. This
monitoring and tracking of Web site visitors occurs in the background without the visitor’s knowledge. It is
conducted not just by individual Web sites but by advertising networks such as Microsoft Advertising, Yahoo,
and Google’s Double Click that are capable of tracking personal browsing behavior across thousands of
Web sites. Both Web site publishers and the advertising industry defend tracking of individuals across the
Web because doing so allows more relevant ads to be targeted to users, and it pays for the cost of
publishing Web sites. In this sense, it’s like broadcast television: advertiser-supported content that is free to
the user. The commercial demand for this personal information is virtually insatiable. However, these
practices also impinge on individual privacy, as discussed in the Interactive Session on Technology.

Cookies are small text files deposited on a computer hard drive when a user visits Web sites. Cookies
identify the visitor’s Web browser software and track visits to the Web site. When the visitor returns to a site
that has stored a cookie, the Web site software will search the visitor’s computer, find the cookie, and know
what that person has done in the past. It may also update the cookie, depending on the activity during the
visit.

Web beacons, also called Web bugs (or simply “tracking files”), are tiny software programs that keep a
record of users’ online clickstream and report this data back to whomever owns the tracking file invisibly
embedded in e-mail messages and Web pages that are designed to monitor the behavior of the user visiting
a Web site or sending e-mail. Web beacons are placed on popular Web sites by third-party firms who pay
the Web sites a fee for access to their audience.

Technical Solutions
In addition to legislation, there are a few technologies that can protect user privacy during interactions with
Web sites. Many of these tools are used for encrypting e-mail, for making e-mail or surfing activities appear
anonymous, for preventing client computers from accepting cookies, or for detecting and eliminating
spyware. For the most part, technical solutions have failed to protect users from being tracked as they move
from one site to another.

PROPERTY RIGHTS: INTELLECTUAL PROPERTY
Intellectual property is subject to a variety of protections under three different legal traditions: trade secrets,
copyright, and patent law.

Trade Secrets
Any intellectual work product—a formula, device, pattern, or compilation of data—used for a business
purpose can be classified as a trade secret, provided it is not based on information in the public domain.
Protections for trade secrets vary from state to state. In general, trade secret laws grant a monopoly on the
ideas behind a work product, but it can be a very tenuous monopoly. Software that contains novel or unique
elements, procedures, or compilations can be included as a trade secret. Trade secret law protects the
actual ideas in a work product, not only their manifestation. To make this claim, the creator or owner must

Page 17 of 123
take care to bind employees and customers with nondisclosure agreements and to prevent the secret from
falling into the public domain.
The limitation of trade secret protection is that, although virtually all software programs of any complexity
contain unique elements of some sort, it is difficult to prevent the ideas in the work from falling into the public
domain when the software is widely distributed.

Copyright
Copyright is a statutory grant that protects creators of intellectual property from having their work copied by
others for any purpose during the life of the author plus an additional 70 years after the author’s death. For
corporate-owned works, copyright protection lasts for 95 years after their initial creation. Congress has
extended copyright protection to books, periodicals, lectures, dramas, musical compositions, maps,
drawings, artwork of any kind, and motion pictures. The intent behind copyright laws has been to encourage
creativity and authorship by ensuring that creative people receive the financial and other benefits of their
work. Most industrial nations have their own copyright laws, and there are several international conventions
and bilateral agreements through which nations coordinate and enforce their laws.

Patents
A patent grants the owner an exclusive monopoly on the ideas behind an invention for 20 years. The
congressional intent behind patent law was to ensure that inventors of new machines, devices, or methods
receive the full financial and other rewards of their labor and yet make widespread use of the invention
possible by providing detailed diagrams for those wishing to use the idea under license from the patent’s
owner. The granting of a patent is determined by the United States Patent and Trademark Office and relies
on court rulings. The key concepts in patent law are originality, novelty, and invention.

Challenges to Intellectual Property Rights
Contemporary information technologies, especially software, pose severe challenges to existing intellectual
property regimes and, therefore, create significant ethical, social, and political issues. Digital media differ
from books, periodicals, and other media in terms of ease of replication; ease of transmission; ease of
alteration; difficulty in classifying a software work as a program, book, or even music; compactness—making
theft easy; and difficulties in establishing uniqueness.

The proliferation of electronic networks, including the Internet, has made it even more difficult to protect
intellectual property. Before widespread use of networks, copies of software, books, magazine articles, or
films had to be stored on physical media, such as paper, computer disks, or videotape, creating some
hurdles to distribution. Using networks, information can be more widely reproduced and distributed. The
Ninth Annual Global Software Piracy Study conducted by International Data Corporation and the Business
Software Alliance reported that the rate of global software piracy climbed to 42 percent in 2013, representing
$73 billion in global losses from software piracy. Worldwide, for every $100 worth of legitimate software sold
that year, an additional $75 worth was obtained illegally (Business Software Alliance, 2014).

The Internet was designed to transmit information freely around the world, including copyrighted information.
With the World Wide Web in particular, you can easily copy and distribute virtually anything to thousands
and even millions of people around the world, even if they are using different types of computer systems.
Information can be illicitly copied from one place and distributed through other systems and networks even
though these parties do not willingly participate in the infringement.

Individuals have been illegally copying and distributing digitized music files on the Internet for several
decades. File-sharing services such as Napster, and later Grokster, Kazaa, and Morpheus, Megaupload,
The Pirate Bay, sprung up to help users locate and swap digital music and video files, including those
protected by copyright. Illegal file sharing became so widespread that it threatened the viability of the music
recording industry and, at one point, consumed 20 percent of Internet bandwidth. The recording industry
won several legal battles for shutting these services down, but it has not been able to halt illegal file sharing
entirely. The motion picture and cable television industries are waging similar battles, as described in the
chapter-opening case study. Several European nations have worked with U.S. authorities to shut down
illegal sharing sites, with mixed results. In France, illegal downloaders can lose access to the Internet for a
year or more.

The Digital Millennium Copyright Act (DMCA) of 1998 also provides some copyright protection. The
DMCA implemented a World Intellectual Property Organization Treaty that makes it illegal to circumvent
technology-based protections of copyrighted materials. Internet service providers (ISPs) are required to take
down sites of copyright infringers they are hosting once the ISPs are notified of the problem.

Page 18 of 123
HOW HAVE INFORMATION SYSTEMS AFFECTED LAWS FOR STABLISHING ACCOUNTABILITY,
LIABILITY, AND THE QUALITY OF EVERYDAY LIFE?

COMPUTER-RELATED LIABILITY PROBLEMS

SYSTEM QUALITY: DATA QUALITY AND SYSTEM ERRORS

QUALITY OF LIFE: EQUITY, ACCESS, AND BOUNDARIES
Balancing Power: Center Versus Periphery
Rapidity of Change: Reduced Response Time to Competition
Maintaining Boundaries: Family, Work, and Leisure
Dependence and Vulnerability
Computer Crime and Abuse
Employment: Trickle-Down Technology and
Reengineering Job Loss
Equity and Access: Increasing Racial and Social Class Cleavages
Health Risks: RSI, CVS, and Techno stress

Page 19 of 123
 CHAPTER # 02: DECISION SUPPORT SYSTEMS

A. Decision Support in Business

Information, Decisions, and Management
Levels of management decision making still exist, but their size, shape, and participants continue to change
as today’s fluid organizational structures evolve. Thus, the levels of managerial decision making that must be
supported by information technology in a successful organization are:
Strategic Management. Typically, a board of directors and an executive committee of the CEO and top
executives develop overall organizational goals, strategies, policies, and objectives as part of a strategic
planning process. They also monitor the strategic performance of the organization and its overall
direction in the political, economic, and competitive business environment.
Tactical Management. Increasingly, business professionals in self-directed teams as well as business
unit managers develop short- and medium-range plans, schedules, and budgets and specify the policies,
procedures, and business objectives for their subunits of the company. They also allocate resources and
monitor the performance of their organizational subunits, including departments, divisions, process
teams, project teams, and other workgroups.
Operational Management. The members of self-directed teams or operating managers develop short-
range plans such as weekly production schedules. They direct the use of resources and the performance
of tasks according to procedures and within budgets and schedules they establish for the teams and
other workgroups of the organization.

Information Quality
What characteristics of information products make them valuable and useful to you? To answer this
important question, we must first examine the characteristics or attributes of information quality. Information
that is outdated, inaccurate, or hard to understand is not very meaningful, useful, or valuable to you or other
business professionals. People need information of high quality, that is, information products whose
characteristics, attributes, or qualities make the information more valuable to them. It is useful to think of
information as having the three dimensions of time, content, and form. Figure 10.3 summarizes the important
attributes of information quality and groups them into these three dimensions.

Decision Structure
Decisions made at the operational management level tend to be more structured, those at the tactical level
are more semi-structured, and those at the strategic management level are more unstructured. Structured
decisions involve situations in which the procedures to follow, when a decision is needed, can be specified in
advance. The inventory reorder decisions that most businesses face are a typical example.
Unstructured decisions involve decision situations in which it is not possible to specify in advance most of

Page 20 of 123
the decision procedures to follow. Most decisions related to long-term strategy can be thought of as
unstructured (e.g., “What product lines should we develop over the next five years?”).
Most business decision situations are semi-structured; that is, some decision procedures can be pre-
specified but not enough to lead to a definite recommended decision. For example, decisions involved in
starting a new line of e-commerce services or making major changes to employee benefits would probably
range from unstructured to semi-structured.
Finally, decisions that are unstructured are those for which no procedures or rules exist to guide the decision
makers toward the correct decision. In these types of decisions, many sources of information must be
accessed, and the decision often rests on experience and “gut feeling.” One example of an unstructured
decision might be the answer to the question, “What business should we be in 10 years from now?”

❖ Business Intelligence (BI): refers to all applications and technologies in the organisation that are
focused on the gathering and analysis of data and information that can be used to derive strategic
business decisions.

Differences between business analytics and business intelligence: Business analytics focuses on
developing new insights and understanding of business performance based on data and statistical methods.
In contrast, business intelligence traditionally focuses on using a consistent set of metrics to both measure
past performance and guide business planning, which is also based on data and statistical methods.
Business analytics makes much more extensive use of data, statistical and quantitative analysis,
explanatory and predictive modeling, and fact-based management to drive decision making. Analytics may
be used as input for human decisions or may drive fully automated decisions. Business intelligence is more
associated with querying, reporting, online analytical processing (OLAP), and “alerts.” In other words,
querying, reporting, OLAP, and alert tools can answer the questions: what happened; how many; how often;
where; where exactly is the problem; and what actions are needed. Business analytics, in contrast, can
answer the questions: why is this happening; what if these trends continue; what will happen next (that is,
predict); and what is the best that can happen (that is, optimize).

Figure 10.7 highlights several major information technologies that are being customized, personalized, and
Web-enabled to provide key business information and analytical tools for managers, business professionals,
and business stakeholders.

Decision Support Systems
Decision support systems are computer-based information systems that provide interactive information
support to managers and business professionals during the decision making process. Decision support

Page 21 of 123
systems use (1) analytical models, (2) specialized databases, (3) a decision maker’s own insights and
judgments, and (4) an interactive, computer-based modeling process to support semi-structured business
decisions. For example, Sales managers typically rely on management information systems to produce sales
analysis reports. These reports contain sales performance figures by product line, salesperson, sales region,
and so on. A decision support system (DSS), however, would also interactively show a sales manager the
effects on sales performance of changes in a variety of factors (e.g., promotion expense and salesperson
compensation). The DSS could then use several criteria (e.g., expected gross margin and market share) to
evaluate and rank alternative combinations of sales performance factors.

DSS Components
Unlike management information systems, decision support systems rely on model bases, as well as
databases, as vital system resources. A DSS model base is a software component that consists of models
used in computational and analytical routines that mathematically express relationships among variables. For
example, a spreadsheet program might contain models that express simple accounting relationships among
variables, such as Revenue 2 Expenses 5 Profit. A DSS model base could also include models and analytical
techniques used to express much more complex relationships. For example, it might contain linear
programming models, multiple regression forecasting models, and capital budgeting present value models.
Such models may be stored in the form of spreadsheet models or templates, or statistical and mathematical
programs and program modules. In addition, DSS software packages can combine model components to
create integrated models that support specific types of decisions.

As businesses become more aware of the power of decision support systems, they are using them in ever-
increasing areas of the business.

Management Information Systems
An MIS produces information products that support many of the day-to-day decision-making needs of
managers and business professionals. Reports, displays, and responses produced by management
information systems provide information that these decision makers have specified in advance as
adequately meeting their information needs. Such predefined information products satisfy the information
needs of decision makers at the operational and tactical levels of the organization who are faced with more
structured types of decision situations. For example, sales managers rely heavily on sales analysis reports
to evaluate differences in performance among salespeople who sell the same types of products to the same
types of customers. They have a pretty good idea of the kinds of information about sales results (by product
line, sales territory, customer, salesperson, and so on) that they need to manage sales performance
effectively.

Management Reporting Alternatives
Management information systems provide a variety of information products to managers. Four major
reporting alternatives are provided by such systems.
Periodic Scheduled Reports. This traditional form of providing information to managers uses a pre-
specified format designed to provide managers with information on a regular basis. Typical examples of
such periodic scheduled reports are daily or weekly sales analysis reports and monthly financial
statements.
Exception Reports. In some cases, reports are produced only when exceptional conditions occur. In
other cases, reports are produced periodically but contain information only about these exceptional
conditions. For example, a credit manager can be provided with a report that contains only information on
customers who have exceeded their credit limits. Exception reporting reduces information overload
instead of overwhelming decision makers with periodic detailed reports of business activity.
Demand Reports and Responses. Information is available whenever a manager demands it. For
example, Web browsers, DBMS query languages, and report generators enable managers at PC
workstations to get immediate responses or to find and obtain customized reports as a result of their
requests for the information they need. Thus, managers do not have to wait for periodic reports to arrive
as scheduled.
Push Reporting. Information is pushed to a manager’s networked workstation. Thus, many companies
are using Webcasting software to broadcast selectively reports and other information to the networked
PCs of managers and specialists over their corporate intranets.

Page 22 of 123
Online Analytical Processing
Online analytical processing (OLAP) enables managers and analysts to interactively examine and
manipulate large amounts of detailed and consolidated data from many perspectives. OLAP involves
analyzing complex relationships among thousands or even millions of data items stored in data marts, data
warehouses, and other multidimensional databases to discover patterns, trends, and exception conditions.
An OLAP session takes place online in real time, with rapid responses to a manager’s or analyst’s queries,
so that the analytical or decision-making process is undisturbed.

Online analytical processing involves several basic analytical operations, including consolidation, “drill-
down,” and “slicing and dicing.”
Consolidation. Consolidation involves the aggregation of data, which can involve simple roll-ups or
complex groupings involving interrelated data. For example, data about sales offices can be rolled up to
the district level, and the district-level data can be rolled up to provide a regional-level perspective.
Drill-down. OLAP can also go in the reverse direction and automatically display detailed data that
comprise consolidated data. This process is called drill-down. For example, the sales by individual
products or sales reps that make up a region’s sales totals could be easily accessed.
Slicing and Dicing. Slicing and dicing refers to the ability to look at the database from different
viewpoints. One slice of the sales database might show all sales of a product type within regions.
Another slice might show all sales by sales channel within each product type. Slicing and dicing is often
performed along a time axis to analyze trends and find time-based patterns in the data.

Geographic Information and Data Visualization Systems
A geographic information system is a DSS that uses geographic databases to construct and display maps,
as well as other graphics displays that support decisions affecting the geographic distribution of people and
other resources. Many companies are using GIS technology along with global positioning system (GPS)
devices to help them choose new retail store locations, optimize distribution routes, or analyze the
demographics of their target audiences.

Data visualization systems represent complex data using interactive, three-dimensional, graphical forms
such as charts, graphs, and maps. DVS tools help users interactively sort, subdivide, combine, and organize
data while the data are in their graphical form. This assistance helps users discover patterns, links, and
anomalies in business or scientific data in an interactive knowledge discovery and decision support process.
Business applications like data mining typically use interactive graphs that let users drill down in real time
and manipulate the underlying data of a business model to help clarify their meaning for business decision
making. Figure 10.14 is an example of airline flight analysis by a data visualization system.

Page 23 of 123
Using Decision Support Systems
A decision support system involves an interactive analytical modeling process. For example, using a DSS
software package for decision support may result in a series of displays in response to alternative what-if
changes entered by a manager. This differs from the demand responses of management information
systems because decision makers are not demanding pre-specified information; rather, they are exploring
possible alternatives. Thus, they do not have to specify their information needs in advance. Instead, they use
the DSS to find the information they need to help them make a decision. This is the essence of the decision
support system concept.
Four basic types of analytical modeling activities are involved in using a decision support system: (1) what-if
analysis, (2) sensitivity analysis, (3) goal-seeking analysis, and (4) optimization analysis. Let’s briefly look at
each type of analytical modeling that can be used for decision support.

What-If Analysis
In what-if analysis, a user makes changes to variables, or relationships among variables, and observes the
resulting changes in the values of other variables.
Sensitivity Analysis
Sensitivity analysis is a special case of what-if analysis. Typically, the value of only one variable is changed
repeatedly, and the resulting changes on other variables are observed. As such, sensitivity analysis is really
a case of what-if analysis that involves repeated changes to only one variable at a time. Some DSS
packages automatically make repeated small changes to a variable when asked to perform sensitivity
analysis. Typically, decision makers use sensitivity analysis when they are uncertain about the assumptions
made in estimating the value of certain key variables.
Goal-Seeking Analysis
Goal-seeking analysis reverses the direction of the analysis done in what-if and sensitivity analyses. Instead
of observing how changes in a variable affect other variables, goal-seeking analysis (also called how-can
analysis) sets a target value (goal) for a variable and then repeatedly changes other variables until the target
value is achieved.
Optimization Analysis
Optimization analysis is a more complex extension of goal-seeking analysis. Instead of setting a specific
target value for a variable, the goal is to find the optimum value for one or more target variables, given
certain constraints. Then one or more other variables are changed repeatedly, subject to the specified
constraints, until you discover the best values for the target variables.

Data Mining for Decision Support
Data mining’s main purpose is to provide decision support to managers and business professionals through
a process referred to as knowledge discovery. Data mining software analyzes the vast stores of historical
business data that have been prepared for analysis in corporate data warehouses and tries to discover
patterns, trends, and correlations hidden in the data that can help a company improve its business
performance. Data mining software may perform regression, decision tree, neural network, cluster detection,
or market basket analysis for a business.

Market basket analysis (MBA) is one of the most common and useful types of data mining for marketing and
is a key technique in business analytics. The purpose of market basket analysis is to determine which
products customers purchase together with other products. MBA takes its name from the concept of
customers throwing all of their purchases into a shopping cart (a market basket) during grocery shopping.

Page 24 of 123
Consider some of the typical applications of MBA:
Cross Selling. Offer the associated items when customer buys any items from your store.
Product Placement. Items that are associated (such as bread and butter, tissues and cold medicine,
potato chips and beer) can be put near each other. If the customers see them, it has higher probability
that they will purchase them together.
Affinity Promotion. Design the promotional events based on associated products.
Survey Analysis. The fact that both independent and dependent variables of market basket analysis
are nominal (categorical) data type makes MBA very useful to analyze questionnaire data.
Fraud Detection. Based on credit card usage data, we may be able to detect certain purchase
behaviors that can be associated with fraud.
Customer Behavior. Associating purchase with demographic, and socioeconomic data (such as age,
gender, and preference) may produce very useful results for marketing.

Executive Information Systems
Executive information systems (EIS) are information systems that combine many of the features of
management information systems and decision support systems. Thus, the first goal of executive information
systems was to provide top executives with immediate and easy access to information about a firm’s critical
success factors (CSFs), that is, key factors that are critical to accomplishing an organization’s strategic
objectives.
Yet managers, analysts, and other knowledge workers use executive information systems so widely that
they are sometimes humorously called “everyone’s information systems.” More popular alternative names
are enterprise information systems (EIS) and executive support systems (ESS).

Features of an EIS
In an EIS, information is presented in forms tailored to the preferences of the executives using the system.
Other information presentation methods used by an EIS include exception reporting and trend analysis. The
ability to drill down, which allows executives to retrieve displays of related information quickly at lower levels
of detail, is another important capability. Executive information systems have spread into the ranks of middle
management and business professionals as their feasibility and benefits have been recognized and as less
expensive systems for client/server networks and corporate intranets became available. For example, one
popular EIS software package reports that only 3 percent of its users are top executives.

Enterprise Portals and Decision Support
Decision support in business is changing, driven by rapid developments in end-user computing and
networking; Internet and Web technologies; and Web-enabled business applications. One of the key
changes taking place in management information and decision support systems in business is the rapid
growth of enterprise information portals.

Enterprise Information Portals
An enterprise information portal (EIP) is a Web-based interface and integration of MIS, DSS, EIS, and other
technologies that give all intranet users and selected extranet users access to a variety of internal and
external business applications and services. The business benefits of enterprise information portals include
providing more specific and selective information to business users, providing easy access to key corporate
intranet Web site resources, delivering industry and business news, and providing better access to company
data for selected customers, suppliers, or business partners. Enterprise information portals can also help
avoid excessive surfing by employees across company and Internet Web sites by making it easier for them
to receive or find the information and services they need, thus improving the productivity of a company’s
workforce.

Knowledge Management Systems
In many organizations, hypermedia databases at corporate intranet