ITE 15 Midterms Outline PDF
John Binze Escol
This document is an outline for an ITE 15 midterm, focusing on ethics, morals and laws in the business world. It discusses concepts like corporate social responsibility, supply chain sustainability, and how organizations can foster ethical practices.
ITE 15 – Midterm Topic Outline. Prepared by: John Binze Escol. Prepared for: M1 and N1

Chapter 1: AN OVERVIEW OF ETHICS

WHAT IS ETHICS?
Ethics is a code of behavior that is defined by the group to which an individual belongs. Ethical behavior conforms to generally accepted norms, which may change over time to meet the evolving needs of the society or a group of people who share similar laws, traditions, and values that provide structure to enable them to live in an organized manner. Ethics help members of a group understand their roles and responsibilities so they can work together to achieve mutual benefits such as security, access to resources, and the pursuit of life goals.

Morals are the personal principles upon which an individual bases his or her decisions about what is right and what is wrong. They are core beliefs formed and adhered to by an individual. Your moral principles are statements of what you believe to be rules of right conduct.

A virtue is a habit that inclines people to do what is acceptable. Fairness, generosity, and loyalty are examples of virtues. A vice is a habit of unacceptable behavior. Vanity, greed, envy, and anger are considered vices. People’s virtues and vices help define their personal value system, the complex scheme of moral values by which they live.

Software piracy is a form of copyright infringement that involves making copies of software or enabling others to access software to which they are not entitled.

THE IMPORTANCE OF INTEGRITY
A person who acts with integrity acts in accordance with a personal code of principles.

The Difference Between Morals, Ethics, and Laws
Law is a system of rules that tells us what we can and cannot do. Laws are enforced by a set of institutions (the police, courts, law-making bodies). Violation of a law can result in censure, fines, and/or imprisonment. Legal acts are acts that conform to the law. Moral acts conform to what an individual believes to be the right thing to do.
ETHICS IN THE BUSINESS WORLD
The moral corruption of people in power, which is often facilitated by a tendency for people to look the other way when their leaders act inappropriately, has been given the name Bathsheba syndrome.

CORPORATE SOCIAL RESPONSIBILITY
Corporate social responsibility (CSR) is the concept that an organization should act ethically by taking responsibility for the impact of its actions on its shareholders, consumers, employees, community, environment, and suppliers (see Figure 1-4). Supply chain sustainability is a component of CSR that focuses on developing and maintaining a supply chain that meets the needs of the present without compromising the ability of future generations to meet their needs. Supply chain sustainability takes into account issues such as fair labor practices, energy and resource conservation, human rights, and community responsibility.

WHY IS FOSTERING CORPORATE SOCIAL RESPONSIBILITY AND GOOD BUSINESS ETHICS IMPORTANT?
Organizations have at least five good reasons to pursue CSR goals and to promote a work environment in which employees are encouraged to act ethically when making business decisions:
- Gaining the goodwill of the community
- Creating an organization that operates consistently
- Fostering good business practices
- Protecting the organization and its employees from legal action
- Avoiding unfavorable publicity

Gaining the Goodwill of the Community
Philanthropy is one way in which an organization can demonstrate its values in action and make a positive connection with its stakeholders. A stakeholder is someone who stands to gain or lose, depending on how a particular situation is resolved.
Creating an Organization That Operates Consistently
Consistency also means that shareholders, customers, suppliers, and the community know what they can expect of the organization: that it will behave in the future much as it has in the past. It is especially important for multinational or global organizations to present a consistent face to their shareholders, customers, and suppliers, no matter where those stakeholders live or operate their business. Although each company’s value system is different, many share the following values:
- Operate with honesty and integrity, staying true to organizational principles
- Operate according to standards of ethical conduct, in words and action
- Treat colleagues, customers, and consumers with respect
- Strive to be the best at what matters most to the organization
- Value diversity
- Make decisions based on facts and principles

Fostering Good Business Practices
In many cases, good ethics can mean good business and improved profits. Companies that produce safe and effective products avoid costly recalls and lawsuits. Companies that provide excellent service retain their customers instead of losing them to competitors. Companies that develop and maintain strong employee relations enjoy lower turnover rates and better employee morale. All these factors tend to increase revenue and profits while decreasing expenses. As a result, ethical companies tend to be more profitable over the long term than unethical companies. On the other hand, bad ethics can lead to bad business results. Bad ethics can have a negative impact on employees, many of whom may develop negative attitudes if they perceive a difference between their own values and those stated or implied by an organization’s actions.
Avoiding Unfavorable Publicity
The public reputation of a company strongly influences the value of its stock, how consumers regard its products and services, the degree of oversight it receives from government agencies, and the amount of support and cooperation it receives from its business partners. Thus, many organizations are motivated to build a strong ethics program to avoid negative publicity. If an organization is perceived as operating ethically, customers, business partners, shareholders, consumer advocates, financial institutions, and regulatory bodies will usually regard it more favorably.

HOW CAN ORGANIZATIONS IMPROVE THEIR ETHICS?
A well-implemented ethics and compliance program and a strong ethical culture can, in turn, lead to less pressure on employees to misbehave and a decrease in observed misconduct. It also creates an environment in which employees are more comfortable reporting instances of misconduct, partly because there is less fear of potential retaliation by management against reporters (for example, reduced hours, transfer to less desirable jobs, and delays in promotions). See Figure 1-5.

The Ethics Resource Center has defined the following characteristics of a successful ethics program:
- Employees are willing to seek advice about ethics-related issues.
- Employees feel prepared to handle situations that could lead to misconduct.
- Employees are rewarded for ethical behavior.
- The organization does not reward success obtained through questionable means.
- Employees feel positively about their company.

The risk of unethical behavior is increasing, so improving business ethics is becoming more important for all companies. The following sections explain some of the actions corporations can take to improve business ethics.
Appoint a Corporate Ethics Officer
A corporate ethics officer (also called a corporate compliance officer) provides an organization with vision and leadership in the area of business conduct. This individual “aligns the practices of a workplace with the stated ethics and beliefs of that workplace, holding people accountable to ethical standards.” Typically, the ethics officer tries to establish an environment that encourages ethical decision making through the actions described in this chapter. Specific responsibilities include the following:
- Responsibility for compliance, that is, ensuring that ethical procedures are put into place and consistently adhered to throughout the organization
- Responsibility for creating and maintaining the ethics culture envisioned by the highest level of corporate authority
- Responsibility for being a key knowledge and contact person on issues relating to corporate ethics and principles

Require the Board of Directors to Set and Model High Ethical Standards
The board of directors is responsible for the careful and responsible management of an organization. In a for-profit organization, the board’s primary objective is to oversee the organization’s business activities and management for the benefit of all stakeholders, including shareholders, employees, customers, suppliers, and the community. In a non-profit organization, the board reports to a different set of stakeholders, in particular the local community that the nonprofit serves. A board of directors fulfills some of its responsibilities directly and assigns others to various committees. The board is not normally responsible for day-to-day management and operations; these responsibilities are delegated to the organization’s management team. However, the board is responsible for supervising the management team.
Board members are expected to conduct themselves according to the highest standards for personal and professional integrity while setting the standard for company-wide ethical conduct and ensuring compliance with laws and regulations.

Establish a Corporate Code of Ethics
A code of ethics is a statement that highlights an organization’s key ethical issues and identifies the overarching values and principles that are important to the organization and its decision making. Codes of ethics frequently include a set of formal, written statements about the purpose of an organization, its values, and the principles that should guide its employees’ actions. An effective code of ethics helps ensure that employees abide by the law, follow necessary regulations, and behave in an ethical manner.

Conduct Social Audits
In a social audit, an organization reviews how well it is meeting its ethical and social responsibility goals and communicates its new goals for the upcoming year.

Require Employees to Take Ethics Training
An organization’s code of ethics must be promoted and continually communicated within the organization, from the top to the bottom. Organizations can do this by showing the employees examples of how to apply the code of ethics in real life. One approach is through a comprehensive ethics education program that encourages employees to act responsibly and ethically. Employees may also be given examples of recent company decisions based on principles from the code of ethics. Formal ethics training not only makes employees more aware of a company’s code of ethics and how to apply it but also demonstrates that the company intends to operate in an ethical manner. The existence of formal training programs can also reduce a company’s liability in the event of legal action.
Include Ethical Criteria in Employee Appraisals
Managers can help employees to meet performance expectations by monitoring employee behavior and providing feedback; increasingly, managers are including ethical conduct as part of an employee’s performance appraisal.

Create an Ethical Work Environment
Most employees want to perform their jobs successfully and ethically, but good employees sometimes make bad ethical choices. The most important influence on how employees act is their perception of their immediate boss’s expectations. If the boss sets the expectation that compliance failures and ethical lapses will not be tolerated, then employees will be less likely to fail. The following list includes several examples of how managerial behavior can encourage unethical employee behavior:
- A manager sets and holds people accountable to meet “stretch” goals, quotas, and budgets, causing employees to think, “My boss wants results, not excuses, so I have to cut corners to meet the goals my boss has set.”
- A manager fails to provide a corporate code of ethics and operating principles to make decisions, so employees think, “Because the company has not established any guidelines, I don’t think my conduct is really wrong or illegal.”
- A manager fails to act in an ethical manner and instead sets a poor example for others to follow, so employees think, “I have seen other successful people take unethical actions and not suffer negative repercussions.”
- Managers fail to hold people accountable for unethical actions, so employees think, “No one will ever know the difference, and if they do, so what?”
- Managers put a three-inch-thick binder entitled “Corporate Business Ethics, Policies, and Procedures” on the desks of new employees and tell them to “read it when you have time and sign the attached form that says you read and understand the corporate policy.” Employees think, “This is overwhelming. Can’t they just give me the essentials? I can never absorb all this.”

Employees must have a knowledgeable resource with whom they can discuss perceived unethical practices.

INCLUDING ETHICAL CONSIDERATIONS IN DECISION MAKING
We are all faced with difficult decisions in our work and in our personal life. Most of us have developed a decision-making process that we execute automatically, without thinking about the steps we go through. For many of us, the process generally follows the steps outlined in Figure 1-7. The following sections discuss this decision-making process further and point out where and how ethical considerations need to be brought into the process.

Develop Problem Statement
A problem statement is a clear, concise description of the issue that needs to be addressed. A good problem statement answers the following questions:
- What do people observe that causes them to think there is a problem?
- Who is directly affected by the problem? Is anyone else affected?
- How often does the problem occur?
- What is the impact of the problem? How serious is the problem?

Development of a problem statement is the most critical step in the decision-making process. Without a clear statement of the problem or the decision to be made, it is useless to proceed. You must gather and analyze facts to develop a good problem statement. Seek information and opinions from a variety of people to broaden your frame of reference. During this process, you must be extremely careful not to make assumptions about the situation, and carefully check key facts for validity. Simple situations can sometimes turn into complex controversies because no one takes the time to gather and analyze the real facts.
Identify Alternatives
During this stage of decision making, it is ideal to enlist the help of others, including stakeholders, to identify several alternative solutions to the problem. Brainstorming with others will increase your chances of identifying a broad range of alternatives and determining the best solution.

Choose Alternative
Once a set of alternatives has been identified, the group must evaluate them based on numerous criteria, such as effectiveness of addressing the issue, the extent of risk associated with each alternative, cost, and time to implement. An alternative that sounds attractive but that is not feasible will not help solve the problem. The alternative selected should be ethically and legally defensible to a collection of your coworkers, peers, and your profession’s governing body of ethics; be consistent with the organization’s policies and code of ethics; take into account the impact on others; and, of course, provide a good solution to the problem.

Implement the Decision
Once an alternative is selected, it should be implemented in an efficient, effective, and timely manner. This is often much easier said than done, because people tend to resist change. In fact, the bigger the change, the greater is the resistance to it. Communication is the key to helping people accept a change. It is imperative that someone whom the stakeholders trust and respect answer the following questions:
- Why are we doing this?
- What is wrong with the current way we do things?
- What are the benefits of the new way for you?

A transition plan must be defined to explain to people how they will move from the old way of doing things to the new way. It is essential that the transition be seen as relatively easy and pain free.
It may be necessary to train the people affected, provide incentives for making the change in a successful fashion, and modify the reward system to encourage new behaviors consistent with the change.

Evaluate the Results
After the solution to the problem has been implemented, monitor the results to see if the desired effect was achieved and observe its impact on the organization and the various stakeholders. Were the success criteria fully met? Were there any unintended consequences? This evaluation may indicate that further refinements are needed. If so, return to the problem development step, refine the problem statement as necessary, and work through the process again. On the other hand, the proper alternative may have been selected, but it was implemented in a poor fashion so the desired results were not achieved. This may require redoing some of the implementation steps.

ETHICS IN INFORMATION TECHNOLOGY
In the midst of the many IT breakthroughs in recent years, the importance of ethics and human values has been underemphasized, with a range of consequences. Here are some examples that raise public concern about the ethical use of information technology:
- Governments around the world have implemented various systems that enable the surveillance of their citizens and are struggling to achieve the proper balance between privacy and security.
- Many employees have their email and Internet access monitored while at work, as employers struggle to balance their need to manage important company assets and work time with employees’ desire for privacy and self-direction.
- Millions of people have downloaded music and movies at no charge and in apparent violation of copyright laws at tremendous expense to the owners of those copyrights.
- Organizations contact millions of people worldwide through unsolicited email and text messages in an extremely low cost, but intrusive, marketing approach.
- Hackers break into databases of financial and retail institutions to steal customer information and then use it to commit identity theft, opening new accounts and charging purchases to unsuspecting victims.
- Students around the world have been caught downloading material from the web and plagiarizing content for their term papers.
- Websites plant cookies or spyware on visitors’ hard drives to track their online purchases and activities.

Chapter 2: ETHICS FOR IT WORKERS AND IT USERS

ORGANIZATIONS BEHAVING BADLY
Successful IT outsourcing projects require the development of strong working relationships among members of the client organization and the outside organization that are built on a solid foundation of trust.

IT WORKER RELATIONSHIPS THAT MUST BE MANAGED
IT workers typically become involved in many different work relationships, including those with employers, clients, suppliers, other professionals, IT users, and society at large. In each relationship, an ethical IT worker acts honestly and appropriately. These various relationships are discussed in the following sections.

Relationships Between IT Workers and Employers
IT workers and employers have a critical, multifaceted relationship that requires ongoing effort by both parties to keep it strong. An IT worker and an employer typically agree on the fundamental aspects of this relationship before the worker accepts an employment offer. These issues may include job title, general performance expectations, specific work responsibilities, drug-testing requirements, dress code, location of employment, salary, work hours, and company benefits.
Many other aspects of this relationship may be addressed in a company’s policy and procedures manual or in the company’s code of conduct, if one exists. Topics addressed in such a manual or code of conduct might include protection of company secrets; vacation policy; time off allowed for a funeral or an illness in the family; tuition reimbursement; and use of company resources, including computers and networks.

As the stewards of an organization’s IT resources, IT workers must set an example and enforce policies regarding the ethical use of IT. IT workers often have the skills and knowledge to abuse systems and data or to enable others to do so. Software piracy is an area in which IT workers may be tempted to violate laws and policies. Although end users often get the blame when it comes to using illegal copies of commercial software, software piracy in a corporate setting is sometimes directly traceable to IT staff members: either they allow it to happen or they actively engage in it, often to reduce IT-related spending.

Trade secrecy is another area that can present challenges for IT workers and their employers. A trade secret is information, generally unknown to the public, that a company has taken strong measures to keep confidential. It represents something of economic value that has required effort or cost to develop and that has some degree of uniqueness or novelty.

Another issue that can create friction between employers and IT workers is whistle-blowing. Whistle-blowing is an effort by an employee to attract attention to a negligent, illegal, unethical, abusive, or dangerous act by a company that threatens the public interest. Whistle-blowers often have special information based on their expertise or position within the offending organization.
Relationships Between IT Workers and Clients
IT workers provide services to clients; sometimes those “clients” are coworkers who are part of the same company as the IT worker. In other cases, the client is part of a different company. In relationships between IT workers and clients, each party agrees to provide something of value to the other. Generally speaking, the IT worker provides hardware, software, or services at a certain cost and within a given time frame. The client provides compensation, access to key contacts, and perhaps a work space. This relationship is usually documented in contractual terms: who does what, when the work begins, how long it will take, how much the client pays, and so on.

One potential ethical problem that can interfere with the relationship between IT workers and their clients involves IT consultants or auditors who recommend their own products and services or those of an affiliated vendor to remedy a problem they have detected. Such a situation has the potential to undermine the objectivity of an IT worker due to a conflict of interest, a conflict between the IT worker’s (or the IT firm’s) self-interest and the client’s interests. Problems can also arise during a project if IT workers find themselves unable to provide full and accurate reporting of the project’s status due to a lack of information, tools, or experience needed to perform an accurate assessment.

Fraud is the crime of obtaining goods, services, or property through deception or trickery. Fraudulent misrepresentation occurs when a person consciously decides to induce another person to rely and act on a misrepresentation. To prove fraud in a court of law, prosecutors must demonstrate the following elements:
- The wrongdoer made a false representation of material fact.
- The wrongdoer intended to deceive the innocent party.
- The innocent party justifiably relied on the misrepresentation.
- The innocent party was injured.
Misrepresentation is the misstatement or incomplete statement of a material fact. If the misrepresentation causes the other party to enter into a contract, that party may have the legal right to cancel the contract or seek reimbursement for damages.

Breach of contract occurs when one party fails to meet the terms of a contract. Further, a material breach of contract occurs when a party fails to perform certain express or implied obligations, which impairs or destroys the essence of the contract. Because there is no clear line between a minor breach and a material breach, determination is made on a case-by-case basis. “When there has been a material breach of contract, the non-breaching party can either: (1) rescind the contract, seek restitution of any compensation paid under the contract to the breaching party, and be discharged from any further performance under the contract; or (2) treat the contract as being in effect and sue the breaching party to recover damages.”

When IT projects go wrong because of cost overruns, schedule slippage, lack of system functionality, and so on, aggrieved parties might charge fraud, fraudulent misrepresentation, and/or breach of contract. Trials can take years to settle, generate substantial legal fees, and create bad publicity for both parties. As a result, the vast majority of such disputes are settled out of court, and the proceedings and outcomes are concealed from the public. Clients and vendors often disagree about who is to blame in such circumstances. Frequent causes of problems in IT projects include the following (see Figure 2-1):
- Scope creep: Changes to the scope of the project or the system requirements can result in cost overruns, missed deadlines, and a project that fails to meet end-user expectations.
- Poor communication: Miscommunication or a lack of communication between customer and vendor can lead to a system whose performance does not meet expectations.
- Delivery of an obsolete solution: The vendor delivers a system that meets customer requirements, but a competitor comes out with a system that offers more advanced and useful features.
- Legacy systems: If a customer fails to reveal information about legacy systems or databases that must connect with the new hardware or software at the start of a project, implementation can become extremely difficult.

Relationships Between IT Workers and Suppliers
IT workers deal with many different hardware, software, and service providers. IT workers can develop good relationships with suppliers by dealing fairly with them and not making unreasonable demands. Suppliers strive to maintain positive relationships with their customers in order to make and increase sales. To achieve this goal, they may sometimes engage in unethical actions, for example offering an IT worker a gift that is actually intended as a bribe. Clearly, IT workers should not accept a bribe from a vendor, and they must be careful when considering what constitutes a bribe. Bribery is the act of providing money, property, or favors to someone in business or government in order to obtain a business advantage.

Internal control is the process established by an organization’s board of directors, managers, and IT systems people to provide reasonable assurance for the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations. An organization’s internal control resources include all the people, policies, processes, procedures, and systems controlled by management that enable it to meet these goals (see Figure 2-2).
Policies are the guidelines and standards by which the organization must abide. The guidelines and standards are often in response to some law. Policies drive processes and procedures. Processes are a collection of tasks designed to accomplish a stated objective. A procedure defines the exact instructions for completing each task in a process. A fundamental concept of good internal controls is the careful separation of duties associated with any process that involves the handling of financial transactions, so that different aspects of the process are handled by different people.

Relationships Between IT Workers and Other Professionals
Professionals often feel a degree of loyalty to the other members of their profession. As a result, they are often quick to help each other obtain new positions but slow to criticize each other in public. Professionals also have an interest in their profession as a whole, because how it is perceived affects how individual members are viewed and treated. A number of ethical problems can arise among members of the IT profession. One of the most common is résumé inflation, which involves lying on a résumé by, for example, claiming competence in an IT skill that is in high demand. Even though an IT worker might benefit in the short term from exaggerating his or her qualifications, such an action can hurt the profession and the individual in the long run. Many employers consider lying on a résumé as grounds for immediate dismissal.

Another ethical issue that can arise in relationships between IT workers and other professionals is the inappropriate sharing of corporate information. Because of their roles, IT workers may have access to corporate databases of private and confidential information about employees, customers, suppliers, new product plans, promotions, budgets, and so on. This information might be sold to other organizations or shared informally during work conversations with others who have no need to know. Revealing such private or confidential information is grounds for termination in many organizations and could even lead to criminal charges.

Relationships Between IT Workers and IT Users
The term IT user refers to a person who uses a hardware or software product; the term distinguishes end users from the IT workers who develop, install, service, and support the product. IT users need the product to deliver organizational benefits or to increase their productivity. IT workers have a duty to understand a user’s needs and capabilities and to deliver products and services that best meet those needs, subject, of course, to budget and time constraints. They also have a key responsibility to establish an environment that supports ethical behaviors by users. Such an environment discourages software piracy, minimizes the inappropriate use of corporate computing resources, and avoids the inappropriate sharing of information.

Relationships Between IT Workers and Society
Often, professionals can clearly see the effect their work will have and can take action to eliminate potential public risks. Thus, society expects members of a profession to provide significant benefits and to not cause harm through their actions. One approach to meeting this expectation is to establish and maintain professional standards that protect the public. There is currently no single, formal organization of IT workers that takes responsibility for establishing and maintaining standards that protect the public.
However, as discussed in the following sections, there are a number of professional organizations that provide useful professional codes of ethics to guide actions that support the ethical behavior of IT workers.

ENCOURAGING THE PROFESSIONALISM OF IT WORKERS

A professional is one who possesses the skill, good judgment, and work habits expected from a person who has the training and experience to do a job well. Organizations—including many IT organizations—are desperately seeking workers who have the following characteristics of a professional:

- They are an expert in the tools and skills needed to do their job.
- They adhere to high ethical and moral standards.
- They produce high quality results.
- They meet their commitments.
- They communicate effectively.
- They train and develop others who are less skilled or experienced.

IT workers of all types can improve their profession’s reputation for professionalism by (1) subscribing to a professional code of ethics, (2) joining and participating in professional organizations, (3) obtaining appropriate certifications, and (4) supporting government licensing where available.

Professional Code of Ethics

A professional code of ethics states the principles and core values that are essential to the work of a particular occupational group. Practitioners in many professions subscribe to a code of ethics that governs their behavior. Most codes of ethics created by professional organizations have two main parts: The first outlines what the organization aspires to become and the second typically lists rules and principles by which members of the organization are expected to abide. Many codes also include a commitment to continuing education for those who practice the profession.

Laws do not provide a complete guide to ethical behavior. Nor can a professional code of ethics be expected to provide an answer to every ethical dilemma—no code can be a definitive collection of behavioral standards.
However, following a professional code of ethics can produce many benefits for the individual, the profession, and society as a whole:

- Ethical decision making—Adherence to a professional code of ethics means that practitioners use a common set of core values and beliefs as a guideline for ethical decision making.
- High standards of practice and ethical behavior—Adherence to a code of ethics reminds professionals of the responsibilities and duties that they may be tempted to compromise to meet the pressures of day-to-day business. The code also defines acceptable and unacceptable behaviors to guide professionals in their interactions with others. Strong codes of ethics have procedures for censuring professionals for serious violations, with penalties that can include the loss of the right to practice. Such codes are the exception, however, and few exist in the IT arena.
- Trust and respect from the general public—Public trust is built on the expectation that a professional will behave ethically. People must often depend on the integrity and good judgment of a professional to tell the truth, abstain from giving self-serving advice, and offer warnings about the potential negative side effects of their actions. Thus, adherence to a code of ethics enhances trust and respect for professionals and their profession.
- Evaluation benchmark—A code of ethics provides an evaluation benchmark that a professional can use as a means of self-assessment. Peers of the professional can also use the code for recognition or censure.

Professional Organizations

No one IT professional organization has emerged as preeminent, so there is no universal code of ethics for IT workers. However, the existence of such organizations is useful in a field that is rapidly growing and changing.
In order to stay on top of the many new developments in their field, IT workers need to network with others, seek out new ideas, and continually build on their personal skills and expertise.

Certification

Certification indicates that a professional possesses a particular set of skills, knowledge, or abilities, in the opinion of the certifying organization. Unlike licensing, which applies only to people and is required by law, certification can also apply to products (for example, the Wi-Fi CERTIFIED logo assures that the product has met rigorous interoperability testing to ensure that it will work with other Wi-Fi-certified products) and is generally voluntary. IT-related certifications may or may not include a requirement to adhere to a code of ethics, whereas such a requirement is standard with licensing.

Licensing of IT Professionals

A government license is government-issued permission to engage in an activity or to operate a business. Licensing is generally administered at the state level and often requires that the recipient pass a test of some kind. Some professionals must be licensed, including certified public accountants (CPAs), lawyers, doctors, various types of medical and daycare providers, and some engineers.

The Case for Licensing IT Workers

As a result of the increasing importance of IT in our everyday lives, the development of reliable, effective information systems has become an area of mounting public concern. This concern has led to a debate about whether the licensing of IT workers would improve information systems. Proponents argue that licensing would strongly encourage IT workers to follow the highest standards of the profession and practice a code of ethics. Without licensing, there are no clear, well-defined requirements for heightened care and no concept of professional malpractice.
State licensing boards have ultimate authority over the specific requirements for licensing in their jurisdiction, and also decide whether or not to even offer a given exam.

The “Software Engineering Code of Ethics and Professional Practice” documents the ethical and professional responsibilities and obligations of software engineers. (A software engineer is defined as one who applies engineering principles and practices to the design, development, implementation, testing, and maintenance of software.)

IT Professional Malpractice

Negligence is defined as not doing something that a reasonable person would do or doing something that a reasonable person would not do. Duty of care refers to the obligation to protect people against any unreasonable harm or risk. A breach of the duty of care is the failure to act as a reasonable person would act. Professionals who breach the duty of care are liable for injuries that their negligence causes. This liability is commonly referred to as professional malpractice.

WHAT CAN BE DONE TO ENCOURAGE THE ETHICAL USE OF IT RESOURCES AMONG USERS?

Common Ethical Issues for IT Users

Software Piracy

Software piracy in a corporate setting can sometimes be directly traceable to IT professionals—they might allow it to happen, or they might actively engage in it. Corporate IT usage policies and management should encourage users to report instances of piracy and to challenge its practice. Sometimes IT users are the ones who commit software piracy.

Inappropriate Use of Computing Resources

Some employees use their computers to surf popular websites that have nothing to do with their jobs, participate in chat rooms, view pornographic sites, and play computer games. These activities eat away at a worker’s productivity and waste time.
Inappropriate Sharing of Information

Every organization stores vast amounts of information that can be classified as either private or confidential. Private data describe individual employees—for example, their salary information, attendance data, health records, and performance ratings. Private data also include information about customers—credit card information, telephone number, home address, and so on. Confidential information describes a company and its operations, including sales and promotion plans, staffing projections, manufacturing processes, product formulas, tactical and strategic plans, and research and development. An IT user who shares this information with an unauthorized party, even inadvertently, has violated someone’s privacy or created the potential that company information could fall into the hands of competitors. There have been many other instances of the breach of sensitive information by an organization’s IT users.

Supporting the Ethical Practices of IT Users

The growing use of IT has increased the potential for new ethical issues and problems; thus, many organizations have recognized the need to develop policies that protect against abuses. Although no policy can stop wrongdoers, it can set forth the general rights and responsibilities of all IT users, establish boundaries of acceptable and unacceptable behavior, and enable management to punish violators. Adherence to a policy can improve services to users, increase productivity, and reduce costs. Companies can take several actions when creating an IT usage policy.

Establishing Guidelines for Use of Company Hardware and Software

Company IT managers must provide clear rules that govern the use of home computers and associated software. Some companies negotiate contracts with software manufacturers and provide PCs and software so that IT users can work at home.
Other companies help employees buy hardware and software at corporate discount rates. The goal should be to ensure that employees have legal copies of all the software they need to be effective, regardless of whether they work in an office, on the road, or at home.

Defining an Acceptable Use Policy

An acceptable use policy (AUP) is a document that stipulates restrictions and practices that a user must agree to in order to use organizational computing and network resources. It is an essential information security policy—so important that most organizations require that employees sign an acceptable use policy before being granted a user or network ID. An effective acceptable use policy is clear and concise and contains the following five key elements:

- Purpose of the AUP—Why is the policy needed and what are its goals?
- Scope—Who and what is covered under the AUP?
- Policy—How are both acceptable use and unacceptable use defined; what are some examples of each?
- Compliance—Who is responsible for monitoring compliance and how will compliance be measured?
- Sanctions—What actions will be taken against an individual who violates the policy?

The information security (infosec) group’s responsibilities include managing the processes, tools, and policies necessary to prevent, detect, document, and counter threats to digital and nondigital information, whether it is in transit, being processed, or at rest in storage.

Structuring Information Systems to Protect Data and Information

Organizations must implement systems and procedures that limit data access to just those employees who need it.
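The two controls described on this page, limiting data access to the employees whose role needs it and the separation of duties for financial transactions from the internal-controls passage earlier in the outline, can be expressed as checks that a system enforces rather than rules people are asked to remember. The following is an added example, not code from the outline or its source textbook. The roles, users, data classes, process steps and the sample transaction are all constructed for illustration.

```python
"""Need-to-know data access and separation of duties (constructed example)."""
from dataclasses import dataclass, field

# Constructed least-privilege matrix: each role sees only the data classes it needs.
NEED_TO_KNOW = {
    "payroll_clerk": {"employee_salary", "attendance"},
    "hr_manager": {"employee_salary", "attendance", "performance_rating", "health_record"},
    "sales_rep": {"customer_contact"},
    "ap_requester": {"vendor_invoice"},
    "ap_approver": {"vendor_invoice"},
    "treasury": {"vendor_invoice", "bank_account"},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"ap_requester", "sales_rep"},
    "bob": {"ap_approver"},
    "carol": {"ap_approver", "treasury"},   # legitimately holds two roles that conflict on one transaction
    "dave": {"payroll_clerk"},
    "erin": {"treasury"},
}

# Payment process: step order, the role that owns each step, and the step pairs
# that must never be performed by the same person on the same transaction.
STEP_ORDER = ("request", "approve", "disburse")
STEP_ROLE = {"request": "ap_requester", "approve": "ap_approver", "disburse": "treasury"}
CONFLICTING_STEPS = {
    frozenset(("request", "approve")),
    frozenset(("approve", "disburse")),
    frozenset(("request", "disburse")),
}


def can_access(user, data_class):
    """Need-to-know check: True only if one of the user's roles needs this data class."""
    return any(data_class in NEED_TO_KNOW.get(role, set()) for role in USER_ROLES.get(user, set()))


@dataclass
class PaymentTransaction:
    tx_id: str
    amount: float
    performed: dict = field(default_factory=dict)   # step -> user who performed it

    def perform(self, step, user):
        """Attempt `step` as `user`. Returns a list of control violations; an empty
        list means the action was allowed and has been recorded."""
        if step not in STEP_ORDER:
            return [f"unknown step {step!r}"]
        problems = []
        idx = STEP_ORDER.index(step)
        # Steps must follow the defined process order.
        if idx > 0 and STEP_ORDER[idx - 1] not in self.performed:
            problems.append(f"{step} attempted before {STEP_ORDER[idx - 1]} on {self.tx_id}")
        # The user must hold the role that owns this step (role-based access).
        if STEP_ROLE[step] not in USER_ROLES.get(user, set()):
            problems.append(f"{user} lacks role {STEP_ROLE[step]!r} required for {step}")
        # Separation of duties: one person may not perform two conflicting steps on the
        # same transaction, even when that person legitimately holds both roles.
        for done_step, done_user in self.performed.items():
            if done_user == user and frozenset((done_step, step)) in CONFLICTING_STEPS:
                problems.append(f"{user} already performed {done_step} on {self.tx_id}; cannot also {step}")
        if not problems:
            self.performed[step] = user
        return problems


if __name__ == "__main__":
    tx = PaymentTransaction("TX-1001", 2500.0)
    for step, user in (("request", "alice"), ("approve", "alice"), ("approve", "carol"),
                       ("disburse", "carol"), ("disburse", "erin")):
        print(f"{step:9} by {user:6}:", tx.perform(step, user) or "allowed")
    print("dave can read health records:", can_access("dave", "health_record"))
```

The point the walkthrough makes is that role checks alone are not enough: carol holds both the approver and treasury roles, so a pure role-based system would let her approve and then disburse the same payment; the conflicting-steps table is what blocks that.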
Installing and Maintaining a Corporate Firewall

A firewall is hardware or software (or a combination of both) that serves as the first line of defense between an organization’s network and the Internet; a firewall also limits access to the company’s network based on the organization’s Internet-usage policy. A firewall can be configured to serve as an effective deterrent to unauthorized web surfing by blocking access to specific objectionable websites. (Unfortunately, the number of such sites is continually growing, so it is difficult to block them all.) A firewall can also serve as an effective barrier to incoming email from certain websites, companies, or users. It can even be programmed to block email with certain kinds of attachments (for example, Microsoft Word documents), which reduces the risk of harmful computer viruses.

Compliance

Compliance means to be in accordance with established policies, guidelines, specifications, or legislation.

Chapter 3: CYBERATTACKS AND CYBERSECURITY

ORGANIZATIONS BEHAVING BADLY

A zero-day exploit is a cyberattack that takes place before the security community and/or software developers become aware of and fix a security vulnerability. It takes advantage of security flaws that enable unauthorized users to gain access to a computer system or to download sensitive user data. Until a zero-day exploit is discovered and a patch is written to fix the underlying flaw, users of the software are vulnerable to attack. While one would hope that the discoverer of a zero-day vulnerability would immediately inform the original software manufacturer so that a fix can be created for the problem, unfortunately this is often not the case. In some cases, this knowledge is sold on the black market to hackers, cyberterrorists, governments, or large organizations that may then use it to launch their own cyberattacks.
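The firewall section above mentions blocking email that carries certain attachment types, such as Microsoft Word documents. The following is an added example of how a mail gateway can make that decision; it is not code from the outline or its source textbook. It uses Python's standard email library to parse a message and rejects it when an attachment's extension, declared MIME type, or leading bytes identify a legacy or macro-enabled Word document or a Windows executable. The blocklist, the addresses and the sample messages are constructed.

```python
"""Attachment-type filtering for an email gateway (constructed example)."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed blocklist: extensions and MIME types an organization might refuse.
BLOCKED_EXTENSIONS = {".doc", ".dot", ".docm", ".dotm", ".exe", ".scr", ".js", ".vbs"}
BLOCKED_MIME_TYPES = {
    "application/msword",
    "application/vnd.ms-word.document.macroenabled.12",
    "application/x-msdownload",
}
# Leading bytes of formats that remain dangerous even when the file is renamed;
# checking content, not just the name, defeats the "rename .doc to .txt" trick.
MAGIC_NUMBERS = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE compound document (legacy .doc/.xls)",
    b"MZ": "Windows executable (MZ header)",
}


def build_message(attachments):
    """Build a raw message carrying the given (filename, mime_type, data) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"        # constructed addresses
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached file.")
    for filename, mime_type, data in attachments:
        maintype, subtype = mime_type.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def inspect_message(raw):
    """Return (blocked, findings); findings is a list of (filename, mime_type, reasons)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename.lower())[1]
        mime_type = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {ext}")
        if mime_type in BLOCKED_MIME_TYPES:
            reasons.append(f"blocked MIME type {mime_type}")
        for magic, description in MAGIC_NUMBERS.items():
            if payload.startswith(magic):
                reasons.append(f"content is a {description}")
        findings.append((filename, mime_type, reasons))
    blocked = any(reasons for _, _, reasons in findings)
    return blocked, findings


# Constructed samples: a PDF, a legacy .doc, and the same .doc renamed to .txt.
OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
PDF_MESSAGE = build_message([("report.pdf", "application/pdf", b"%PDF-1.4\n%constructed sample\n")])
DOC_MESSAGE = build_message([("invoice.doc", "application/msword", OLE_HEADER)])
RENAMED_MESSAGE = build_message([("notes.txt", "application/octet-stream", OLE_HEADER)])

if __name__ == "__main__":
    for label, raw in (("pdf", PDF_MESSAGE), ("doc", DOC_MESSAGE), ("renamed", RENAMED_MESSAGE)):
        print(label, inspect_message(raw))
```

The third sample is the case that extension-only rules miss: the file is called notes.txt and declared as a generic binary, but its first bytes are the OLE header every legacy Word document starts with, so the gateway still blocks it.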
THE THREAT LANDSCAPE

The security of data and information systems used in business is of utmost importance. Confidential business data and private customer and employee information must be safeguarded, and systems must be protected against malicious acts of theft or disruption. Although the need for security is obvious, it must often be balanced against other business needs. Business managers, IT professionals, and IT users all face a number of complex trade-offs when making decisions regarding IT security, such as the following:

- How much effort and money should be spent to safeguard against computer crime? (In other words, how safe is safe enough?)
- What should be done if recommended computer security safeguards make conducting business more difficult for customers and employees, resulting in lost sales and increased costs?
- If a firm is a victim of a cybercrime, should it pursue prosecution of the criminals at all costs, maintain a low profile to avoid the negative publicity, inform affected customers, or take some other action?

The number of cybercrimes being committed against individuals, organizations, and governments continues to grow, and the destructive impact of these crimes is also intensifying.

Why Computer Incidents Are So Prevalent?

Increasing computing complexity, expanding and changing systems, an increase in the prevalence of bring your own device (BYOD) policies, a growing reliance on software with known vulnerabilities, and the increasing sophistication of those who would do harm have caused a dramatic increase in the number, variety, and severity of security incidents.

Increasing Complexity Increases Vulnerability

Computing environments have become enormously complex.
Cloud computing, networks, computers, mobile devices, virtualization, operating systems, applications, websites, switches, routers, and gateways are interconnected and driven by hundreds of millions of lines of code. This environment continues to increase in complexity every day. The number of possible entry points to a network expands continually as more devices are added, increasing the possibility of security breaches.

Expanding and Changing Systems Introduce New Risks

Business has moved from an era of stand-alone computers, in which critical data were stored on an isolated mainframe computer in a locked room, to an era in which personal computers and mobile devices connect to networks with millions of other computers, all capable of sharing information. Information technology has become ubiquitous and is a necessary tool for organizations to achieve their goals. However, it is increasingly difficult for IT organizations to keep up with the pace of technological change, successfully perform an ongoing assessment of new security risks, and implement approaches for dealing with them.

Increasing Prevalence of BYOD Policies

Bring your own device (BYOD) is a business policy that permits, and in some cases encourages, employees to use their own mobile devices (smartphones, tablets, or laptops) to access company computing resources and applications, including email, corporate databases, the corporate intranet, and the Internet. It is worth noting that employees also have concerns with BYOD policies, primarily related to privacy. Most people place a high priority on keeping any prying eyes, including those of their employer, from looking at the personal photos, text messages, and email stored on their personal mobile devices.

Growing Reliance on Commercial Software with Known Vulnerabilities

In computing, an exploit is an attack on an information system that takes advantage of a particular system vulnerability.
Often this attack is due to poor system design or implementation. Once the vulnerability is discovered, software developers create and issue a “fix,” or patch, to eliminate the problem. Users of the system or application are responsible for obtaining and installing the patch, which they can usually download from the web.

Increasing Sophistication of Those Who Would Do Harm

Today’s computer menace is much better organized and may be part of an organized group that has an agenda and targets specific organizations and websites. Some of these groups have ample resources, including money and sophisticated tools to support their efforts. Today’s computer attacker has greater depth of knowledge and expertise in getting around computer and network security safeguards. Table 3-1 summarizes the types of perpetrators of computer mischief, crime, and damage.

Types of Exploits

Ransomware

Ransomware is malware that stops you from using your computer or accessing your data until you meet certain demands, such as paying a ransom or sending photos to the attacker. A computer becomes infected with ransomware when a user opens an email attachment containing the malware or is lured to a compromised website by a deceptive email or pop-up window. Ransomware can also be spread through removable USB drives or by texting applications such as Yahoo Messenger, with the payload disguised as an image.

Viruses

Computer virus has become an umbrella term for many types of malicious code. Technically, a virus is a piece of programming code, usually disguised as something else, that causes a computer to behave in an unexpected and usually undesirable manner. Almost all viruses are attached to a file, meaning the virus executes only when the infected file is opened.
A virus is spread to other machines when a computer user shares an infected file or sends an email with a virus-infected attachment. In other words, viruses are spread by the action of the “infected” computer user.

Macro viruses have become a common and easily created form of virus. Attackers use an application macro language (such as Visual Basic or VBScript) to create programs that infect documents and templates. After an infected document is opened, the virus is executed and infects the user’s application templates. Macros can insert unwanted words, numbers, or phrases into documents or alter command functions. After a macro virus infects a user’s application, it can embed itself in all future documents created with the application.

Worms

Unlike a computer virus, which requires users to spread infected files to other users, a worm is a harmful program that resides in the active memory of the computer and duplicates itself. Worms differ from viruses in that they can propagate without human intervention, often sending copies of themselves to other computers by email. A worm is capable of replicating itself on your computer so that it can potentially send out thousands of copies of itself to everyone in your email address book, for example.

Trojan Horses

A Trojan horse is a seemingly harmless program in which malicious code is hidden. A victim on the receiving end of a Trojan horse is usually tricked into opening it because it appears to be useful software from a legitimate source, such as an update for software the user currently has installed on his or her computer. The program’s harmful payload might be designed to enable the hacker to destroy hard drives, corrupt files, control the computer remotely, launch attacks against other computers, steal passwords, or spy on users by recording keystrokes and transmitting them to a server operated by a third party.
A Trojan horse often creates a “backdoor” on a computer that enables an attacker to gain future access to the system and compromise confidential or private information. A Trojan horse can be delivered via an email attachment, downloaded to a user’s computer when he or she visits a website, or contracted via a removable media device, such as a DVD or USB memory stick. Once an unsuspecting user executes the program that hosts the Trojan horse, the malicious payload is automatically launched as well—with no telltale signs. Common host programs include screen savers, greeting card systems, and games.

Another type of Trojan horse is a logic bomb, which executes when it is triggered by a specific event. For example, logic bombs can be triggered by a change in a particular file, by typing a specific series of keystrokes, or at a specific time or date.

Blended Threat

A blended threat is a sophisticated threat that combines the features of a virus, worm, Trojan horse, and other malicious code into a single payload. A blended threat attack might use server and Internet vulnerabilities to initiate and then transmit and spread an attack on an organization’s computing devices, using multiple modes to transport itself, including email, Internet Relay Chat (IRC), and file-sharing networks. Rather than launching a narrowly focused attack on specific EXE files, a blended threat might attack multiple EXE files, HTML files, and registry keys simultaneously.

Spam

Email spam is the use of email systems to send unsolicited email to large numbers of people. Most spam is a form of low-cost commercial advertising, sometimes for questionable products such as pornography, phony get-rich-quick schemes, and worthless stock. Spam is also an extremely inexpensive marketing tool used by many legitimate organizations.
For example, a company might send email to a broad cross section of potential customers to announce the release of a new product in an attempt to increase initial sales. However, spam is also used to deliver harmful worms and other malware. A partial solution to the problem of spammers registering free email accounts in bulk is the use of CAPTCHA to ensure that only humans obtain free accounts. CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) software generates and grades tests that humans can pass and all but the most sophisticated computer programs cannot.

DDoS Attacks

A distributed denial-of-service (DDoS) attack is one in which a malicious hacker takes over computers via the Internet and causes them to flood a target site with demands for data and other small tasks. A DDoS attack does not involve infiltration of the targeted system. Instead, it keeps the target so busy responding to a stream of automated requests that legitimate users cannot get in—the Internet equivalent of dialing a telephone number repeatedly so that all other callers hear a busy signal. The targeted machine essentially holds the line open while waiting for a reply that never comes; eventually, the requests exhaust all resources of the target.

In a DDoS attack, a tiny program is downloaded surreptitiously from the attacker’s computer to dozens, hundreds, or even thousands of computers all over the world. The term botnet is used to describe a large group of such computers, which are controlled from one or more remote locations by hackers, without the knowledge or consent of their owners. The collective processing capacity of some botnets exceeds that of the world’s most powerful supercomputers. Based on a command by the attacker or at a preset time, the botnet computers (called zombies) go into action, each sending a simple request for access to the target site again and again—dozens of times per second.
The target computers become so overwhelmed by requests for service that legitimate users are unable to get through to the target computer.

Rootkit

A rootkit is a set of programs that enables its user to gain administrator-level access to a computer without the end user’s consent or knowledge. Once installed, the attacker can gain full control of the system and even obscure the presence of the rootkit from legitimate system administrators. Attackers can use the rootkit to execute files, access logs, monitor user activity, and change the computer’s configuration. Rootkits are one part of a type of blended threat that consists of a dropper, a loader, and a rootkit. The dropper code gets the rootkit installation started and can be activated by clicking on a link to a malicious website in an email or opening an infected PDF file. The dropper launches the loader program and then deletes itself. The loader loads the rootkit into memory; at that point, the computer has been compromised.

Rootkits are designed so cleverly that it is difficult even to discover if they are installed on a computer. The fundamental problem with trying to detect a rootkit is that the operating system cannot be trusted to provide valid test results. The following are some symptoms of rootkit infections:

- The computer locks up or fails to respond to input from the keyboard or mouse.
- The screen saver changes without any action on the part of the user.
- The taskbar disappears.
- Network activities function extremely slowly.

Advanced Persistent Threat

An advanced persistent threat (APT) is a network attack in which an intruder gains access to a network and stays there—undetected—with the intention of stealing data over a long period of time (weeks or even months). Attackers in an APT must continuously rewrite code and employ sophisticated evasion techniques to avoid discovery.
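The DDoS description above says each zombie sends a simple request to the target again and again, dozens of times per second. On the target's side that pattern is visible in the web server's access log, and a first-line detection is simply to count requests per source address inside a short sliding window. The following is an added example of that check, not code from the outline or its source textbook. The log format is the common Apache/nginx "combined" prefix; the addresses, timestamps, window size and threshold are constructed, and the code assumes each source's lines arrive in time order.

```python
"""Per-source request-rate flood detection over web-server log lines (constructed example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Prefix of the Apache/nginx "combined" log format: client IP ... [timestamp] "request"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for a well-formed log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_floods(lines, window_seconds=1.0, threshold=20):
    """Return {ip: peak_requests_in_window} for every source whose request count
    inside any sliding window of `window_seconds` exceeded `threshold`."""
    windows = defaultdict(deque)   # ip -> timestamps currently inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip malformed lines rather than crash the monitor
        ip, ts = parsed
        dq = windows[ip]
        dq.append(ts)
        # Evict timestamps that have fallen out of the window for this source.
        while (ts - dq[0]).total_seconds() > window_seconds:
            dq.popleft()
        if len(dq) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(dq))
    return peaks


def format_line(ip, ts, request):
    """Render one constructed combined-format log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{request}" 200 512'


def sample_log():
    """Constructed log: one zombie sending 50 requests in one second, one ordinary
    client sending 3 requests ten seconds apart (TEST-NET addresses)."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = [format_line("203.0.113.7", base, "GET / HTTP/1.1") for _ in range(50)]
    for offset in (0, 5, 10):
        lines.append(format_line("198.51.100.2", base + timedelta(seconds=offset),
                                 "GET /index.html HTTP/1.1"))
    return lines


if __name__ == "__main__":
    print(detect_floods(sample_log()))   # only the zombie address is reported
```

A threshold like 20 requests per second is a constructed value; in practice it is tuned from a baseline of normal traffic, and a real botnet spreads the load across thousands of addresses, each of which may stay under any per-source threshold, which is why volumetric DDoS is usually handled upstream rather than by the target alone.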
APT attacks target organizations with high-value information, such as banks and financial institutions, government agencies, and insurance companies with the goal of stealing data rather than disrupting services. An APT attack advances through the following five phases:

1. Reconnaissance—The intruder begins by conducting reconnaissance on the network to gain useful information about the target (security software installed, computing resources connected to the network, number of users).
2. Incursion—The attacker next launches incursions to gain access to the network at a low level to avoid setting off any alarms or suspicion. Some forms of spear phishing may be employed in this phase. After gaining entrance, the attacker establishes a back door, or a means of accessing a computer program that bypasses security mechanisms.
3. Discovery—The intruder now begins a discovery process to gather valid user credentials (especially administrative ones) and move laterally across the network, installing more back doors. These back doors enable the attacker to install bogus utilities for distributing malware that remains hidden in plain sight.
4. Capture—The attacker is now ready to access unprotected or compromised systems and capture information over a long period of time.
5. Export—Captured data are then exported back to the attacker’s home base for analysis and/or used to commit fraud and other crimes.

Phishing

Phishing is the act of fraudulently using email to try to get the recipient to reveal personal data. In a phishing scam, con artists send legitimate-looking emails urging the recipient to take action to avoid a negative consequence or to receive a reward. The requested action may involve clicking on a link to a website or opening an email attachment. Spear phishing is a variation of phishing in which the phisher sends fraudulent emails to a certain organization’s employees.
It is known as spear phishing because the attack is much more precise and narrow, like the tip of a spear. The phony emails are designed to look like they came from high-level executives within the organization. Employees are directed to a fake website and then asked to enter personal information, such as name, Social Security number, and network passwords. Botnets have become the primary means for distributing phishing scams.

Smishing and Vishing

Smishing is another variation of phishing that involves the use of texting. In a smishing scam, people receive a legitimate-looking text message telling them to call a specific phone number or log on to a website. This is often done under the guise that there is a problem with the recipient’s bank account or credit card that requires immediate attention. However, the phone number or website is phony and is used to trick unsuspecting victims into providing personal information such as a bank account number, personal identification number, or credit card number, which can then be used to steal money from victims’ bank accounts, charge purchases on their credit cards, or open new accounts. In some cases, if victims log on to a website, malicious software is downloaded onto their smartphones, providing criminals with access to information stored on the phones.

Vishing is similar to smishing except that the victims receive a voice-mail message telling them to call a phone number or access a website. Financial institutions, credit card companies, and other organizations whose customers may be targeted by criminals in this manner should be on the alert for phishing, smishing, and vishing scams. They must be prepared to act quickly and decisively, without alarming their customers if such a scam is detected.
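The phishing and spear-phishing traits described above (a message that looks like it came from an executive, a link to a fake website, urgency about a negative consequence) are each checkable on the incoming message itself. The following is an added example of a mail-filter heuristic that scores those traits, not code from the outline or its source textbook. The internal domain, the executive display names, the urgency wording and both sample messages are constructed.

```python
"""Heuristic scoring of phishing traits in an email message (constructed example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "corp.example"                 # constructed: the organization's own domain
EXECUTIVE_NAMES = {"jane doe", "ceo office"}     # constructed: display names worth impersonating
URGENCY = re.compile(r"\b(immediately|within 24 hours|account (will be )?suspended|urgent)\b", re.I)
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
TAG_RE = re.compile(r"<[^>]+>")


def sender_parts(from_header):
    """Split a From header into (lower-cased display name, lower-cased address domain)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def score_message(raw):
    """Return the list of phishing indicators found; an empty list means none fired."""
    msg = message_from_string(raw, policy=policy.default)
    name, domain = sender_parts(msg["From"] or "")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    reasons = []
    # Trait 1: an executive's display name on a message sent from an outside domain.
    if name in EXECUTIVE_NAMES and domain != INTERNAL_DOMAIN:
        reasons.append(f"display name '{name}' impersonates an executive from external domain {domain}")
    # Trait 2: visible link text naming one host while the href points at another.
    for href, anchor in HREF_RE.findall(text):
        target = (urlparse(href).hostname or "").lower()
        shown = HOST_IN_TEXT.search(TAG_RE.sub("", anchor))
        if shown and shown.group(1).lower() != target:
            reasons.append(f"link text shows {shown.group(1)} but points to {target}")
    # Trait 3: pressure to act at once to avoid a negative consequence.
    if URGENCY.search(TAG_RE.sub(" ", text)):
        reasons.append("urgency wording")
    return reasons


# Constructed samples: a spear-phishing attempt and an ordinary internal message.
PHISH_SAMPLE = """From: Jane Doe <jane.doe@mail-secure.example>
To: user@corp.example
Subject: Action required
Content-Type: text/html; charset="utf-8"

<p>Your network password expires immediately. Reset it here:
<a href="http://login.corp-example.attacker.test/">https://portal.corp.example/reset</a></p>
"""

LEGIT_SAMPLE = """From: Jane Doe <jane.doe@corp.example>
To: user@corp.example
Subject: Quarterly review

The quarterly review is on Thursday at 10:00. The agenda is in the calendar invite.
"""

if __name__ == "__main__":
    print("phish:", score_message(PHISH_SAMPLE))
    print("legit:", score_message(LEGIT_SAMPLE))
```

Each indicator on its own produces false positives (plenty of legitimate mail says "immediately"), so a filter of this kind normally quarantines or tags a message when several fire together rather than acting on any one of them.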
Recommended action steps for institutions and organizations include the following:

- Companies should educate their customers about the dangers of phishing, smishing, and vishing through letters, recorded messages for those calling into the company’s call center, and articles on the company’s website.
- Call center service employees should be trained to detect customer complaints that indicate a scam is being perpetrated. They should attempt to capture key pieces of information, such as the callback number the customer was directed to use, details of the phone message or text message, and the type of information requested.
- Customers should be notified immediately if a scam occurs. This can be done via a recorded message for customers phoning the call center, working with local media to place a news article in papers serving the area of the attack, placing a banner on the institution’s web page, and even displaying posters in bank drive-through and lobby areas.
- If it is determined that the calls are originating from within the United States, companies should report the scam to the FBI.
- Institutions can also try to notify the telecommunications carrier for the particular numbers to request that they shut down the phone numbers victims are requested to call.

Cyberespionage

Cyberespionage involves the deployment of malware that secretly steals data in the computer systems of organizations, such as government agencies, military contractors, political organizations, and manufacturing firms. The type of data most frequently targeted includes data that can provide an unfair competitive advantage to the perpetrator. These data are typically not public knowledge and may even be protected via patent, copyright, or trade secret.
High-value data include the following:
- Sales, marketing, and new product development plans, schedules, and budgets
- Details about product designs and innovative processes
- Employee personal information
- Customer and client data
- Sensitive information about partners and partner agreements

Cyberterrorism

Cyberterrorism is the intimidation of a government or civilian population by using information technology to disable critical national infrastructure (for example, energy, transportation, financial, law enforcement, and emergency response systems) to achieve political, religious, or ideological goals. It is an increasing concern for countries and organizations around the globe.

THE CIA SECURITY TRIAD

The IT security practices of organizations worldwide are focused on ensuring confidentiality, maintaining integrity, and guaranteeing the availability of systems and data.

Confidentiality ensures that only individuals with the proper authority can access sensitive data such as employee personal data, customer and product sales data, and new product and advertising plans.

Integrity ensures that data can be changed only by authorized individuals, so that the accuracy, consistency, and trustworthiness of the data are guaranteed.

Availability ensures that data can be accessed when and where needed, during both normal operations and disaster recovery. A widely cited but difficult-to-achieve standard of availability for a system or product is "five 9s," or 99.999 percent availability. For an operation that runs 24 hours per day, 365 days per year (8,760 hours), this translates to about 0.0876 hours, or roughly five minutes, of unavailability per year; by comparison, "four 9s" (99.99 percent) allows about 53 minutes of downtime per year.

Confidentiality, integrity, and availability are referred to as the CIA security triad.
Implementing CIA at the Organization Level

Implementing CIA begins at the organization level with the definition of an overall security strategy, the performance of a risk assessment, the preparation of a disaster recovery plan, the setting of security policies, the conduct of security audits, the assurance of regulatory compliance, and the creation of a security dashboard. Completing these tasks at the organizational level sets a sound foundation and a clear direction for future CIA-related actions.

Security Strategy

Implementing CIA security at the organization level requires a risk-based security strategy with an active governance process, intended to minimize the potential impact of any security incident and to ensure business continuity in the event of a cyberattack. Creating such a strategy typically begins with a risk assessment that identifies and prioritizes the threats the organization faces. The strategy must define a disaster recovery plan that ensures the availability of key data and information technology assets. Security policies are needed to guide employees to follow recommended processes and practices that avoid security-related problems. Periodic security audits are needed to ensure that individuals are following the established policies and to assess whether the policies remain adequate under changing conditions. In addition to complying with its internal policies, an organization may also need to comply with standards defined by external parties, including regulatory agencies. Many organizations employ a security dashboard to track the key performance indicators of their security strategy. Each of these components is defined in turn below.

Risk Assessment

Risk assessment is the process of assessing security-related risks to an organization's computers and networks from both internal and external threats.
Such threats can prevent an organization from meeting its key business objectives. The goal of risk assessment is to identify which investments of time and resources will best protect the organization from its most likely and most serious threats. In the context of an IT risk assessment, an asset is any hardware, software, information system, network, or database that the organization uses to achieve its business objectives. A loss event is any occurrence that has a negative impact on an asset, such as a computer contracting a virus or a website undergoing a DDoS attack.

The steps in a general security risk assessment process are as follows:

Step 1—Identify the set of IT assets about which the organization is most concerned. Priority is typically given to those assets that support the organization's mission and the meeting of its primary business goals.

Step 2—Identify the loss events, or the risks or threats, that could occur, such as a DDoS attack or insider fraud.

Step 3—Assess the frequency of events, or the likelihood of each potential threat; some threats, such as insider fraud, are more likely to occur than others.

Step 4—Determine the impact of each threat occurring. Would the threat have a minor impact on the organization, or could it keep the organization from carrying out its mission for a lengthy period of time?

Step 5—Determine how each threat can be mitigated so that it becomes much less likely to occur or, if it does occur, has less of an impact on the organization. Because of time and resource limitations, most organizations choose to focus on just those threats that have a high probability of occurrence and a high impact relative to all other threats. In other words, first address the threats that are likely to occur and that would have a high negative impact on the organization.

Step 6—Assess the feasibility of implementing the mitigation options.
Step 7—Perform a cost-benefit analysis to ensure that your efforts will be cost-effective. No amount of resources can guarantee a perfect security system, so organizations must balance the risk of a security breach against the cost of preventing one. The concept of reasonable assurance in connection with IT security recognizes that managers must use their judgment to ensure that the cost of a control does not exceed the system's benefits or the risks involved.

Step 8—Decide whether or not to implement a particular countermeasure. If you decide against implementing a countermeasure, you need to reassess whether the threat is truly serious and, if so, identify a less costly countermeasure.

The general security risk assessment process, and the results of that process, will vary by organization. A completed risk assessment identifies the most dangerous threats to a company and helps focus security efforts on the areas of highest payoff.

Disaster Recovery

Data availability requires implementing products, services, policies, and procedures that ensure data remain accessible even during disaster recovery operations. To accomplish this goal, organizations typically implement a disaster recovery plan, a documented process for recovering an organization's business information system assets, including hardware, software, data, networks, and facilities, in the event of a disaster. A disaster recovery plan focuses on technology recovery and identifies the people or teams responsible for taking action in the event of a disaster, exactly what these people will do when a disaster strikes, and the information system resources required to support critical business processes.
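As an added example (not from the outline or the textbook it summarizes), the eight risk assessment steps above can be made quantitative with the standard annualized-loss arithmetic: single loss expectancy (SLE) = asset value × exposure factor (step 4), annualized loss expectancy (ALE) = SLE × annualized rate of occurrence (step 3), and a countermeasure is worth implementing (steps 7 and 8) when the ALE it removes exceeds its annual cost. The figures for the three threats and three countermeasures are invented for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # value of the affected asset (replacement cost or revenue at stake)
    exposure_factor: float  # fraction of that value lost in one event, 0..1 (step 4: impact)
    aro: float              # annualized rate of occurrence, events per year (step 3: likelihood)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    threat: str             # name of the threat it mitigates
    annual_cost: float      # yearly cost of the control (step 7)
    aro_reduction: float    # fraction by which it cuts likelihood, 0..1 (step 5)
    ef_reduction: float     # fraction by which it cuts impact, 0..1 (step 5)


def single_loss_expectancy(t):
    return t.asset_value * t.exposure_factor


def annualized_loss_expectancy(t):
    return single_loss_expectancy(t) * t.aro


def rank_threats(threats):
    """Steps 3-4 combined: order threats by expected yearly loss, highest first."""
    return sorted(threats, key=annualized_loss_expectancy, reverse=True)


def residual_ale(t, c):
    """Expected yearly loss that remains after the control is in place."""
    return (t.asset_value * t.exposure_factor * (1 - c.ef_reduction)
            * t.aro * (1 - c.aro_reduction))


def net_benefit(t, c):
    """Step 7: loss avoided per year minus what the control costs per year."""
    return annualized_loss_expectancy(t) - residual_ale(t, c) - c.annual_cost


def decide(threats, countermeasures):
    """Step 8: implement a control only when its net benefit is positive.
    Returns {countermeasure name: (net benefit, implement?)}."""
    by_name = {t.name: t for t in threats}
    decisions = {}
    for c in countermeasures:
        benefit = net_benefit(by_name[c.threat], c)
        decisions[c.name] = (round(benefit, 2), benefit > 0)
    return decisions


# Constructed sample figures for a small online retailer; not real data.
THREATS = [
    Threat("DDoS on web store", 2_000_000, 0.05, 2.0),
    Threat("Insider fraud", 500_000, 0.20, 0.5),
    Threat("Ransomware", 1_500_000, 0.30, 0.25),
]
COUNTERMEASURES = [
    Countermeasure("DDoS scrubbing service", "DDoS on web store", 60_000, 0.90, 0.0),
    Countermeasure("Separation of duties + audit", "Insider fraud", 80_000, 0.50, 0.0),
    Countermeasure("Offline, tested backups", "Ransomware", 30_000, 0.0, 0.80),
]

if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.name:<22} ALE = {annualized_loss_expectancy(t):>12,.0f}")
    for name, (benefit, go) in decide(THREATS, COUNTERMEASURES).items():
        print(f"{name:<30} net benefit {benefit:>12,.0f} -> {'implement' if go else 'reject'}")
```

With these numbers the insider-fraud control is rejected even though the threat is real, which is exactly the step 8 situation: the threat stays on the register and a cheaper control (for example, tighter approval limits rather than a full audit program) should be sought.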
When developing a disaster recovery plan, organizations should assume they may be unable to gain access to their normal place of business for an extended period of time, possibly up to several months. As part of defining a business continuity plan, an organization should conduct a business impact analysis to identify critical business processes and the resources that support them. The recovery time for an information system resource should match the recovery time objective (RTO) of the most critical business processes that depend on that resource. Some business processes are more pivotal to continued operations and goal attainment than others; these are called mission-critical processes. Quickly recovering data and operations for mission-critical processes can make the difference between failure and survival for an organization. If your billing system does not work and you cannot send out invoices, your company is at risk of going out of business because of cash flow problems.

Files and databases can be protected by making a copy of all files and databases changed during the last few days or the last week, a technique called incremental backup. This approach uses an image log, a separate file that contains only the changes to applications or data. Whenever an application is run, an image log is created that records all changes made to all files. If a problem occurs with a database, the last full backup of the data, together with the image log, can be used to re-create the current database. For individuals and some applications, backup copies of important files can be stored with an online (cloud) backup service.

Failover is another approach to backup.
When a server, network, or database fails or is no longer functioning, failover automatically switches applications and other programs to a redundant or replicated server, network, or database to prevent an interruption of service. Failover is especially important for applications that must be operational at all times.

It is imperative that a disaster plan be practiced and that improvements be made to the plan based on the results of the test. One reasonable approach to testing is to simulate a disaster for a single critical portion of the business during a time of low business activity. The next disaster plan test should then target a different area of the business.

Security Policies

A security policy defines an organization's security requirements, as well as the controls and sanctions needed to meet those requirements. A good security policy delineates responsibilities and the behavior expected of members of the organization. A security policy outlines what needs to be done but not how to do it; the details of how to accomplish the goals of the policy are typically provided in separate documents and procedure guidelines.

Security Audits

Another important prevention tool is a security audit, which evaluates whether an organization has a well-considered security policy in place and whether it is being followed. One result of a good audit is a list of items that need to be addressed in order to ensure that the security policy is being met. A thorough security audit should also test system safeguards to ensure that they are operating as intended. Such tests might include trying the default passwords that are active when software or hardware is first received from the vendor; the goal of such a test is to confirm that all such known passwords have been changed. Some organizations also perform a penetration test of their defenses, assigning individuals to try to break through the security measures and identify vulnerabilities that still need to be addressed.
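As an added illustration of the default-password check described above (example code, not from the outline or any vendor), the following Python audits a password store that holds only salted PBKDF2 hashes: for each account it derives, with that account's own salt, the hashes of the known vendor defaults for the username plus a short generic list, and reports any match. The default-credential lists and the three sample accounts are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample of vendor/default credentials, keyed by username.
# A real audit would load the vendor's documented defaults and a maintained generic list.
DEFAULT_PASSWORDS = {
    "admin": ["admin", "password", "admin123", "1234"],
    "root": ["root", "toor", "password"],
    "guest": ["guest", ""],
}
GENERIC_DEFAULTS = ["changeme", "default", "welcome1"]
ITERATIONS = 50_000   # kept modest so the demo runs quickly; production stores use more


def hash_password(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256, the shape of a typical salted password store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def create_account(username, password):
    """Build a record like the one a system would store: salt and derived hash, never the password."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


def candidate_passwords(username):
    return DEFAULT_PASSWORDS.get(username.lower(), []) + GENERIC_DEFAULTS


def audit_default_passwords(accounts):
    """Return [(username, matching default)] for every account still on a known default.
    The store holds only hashes, so each candidate must be derived with the account's own salt;
    compare_digest avoids leaking which bytes matched through timing."""
    findings = []
    for acct in accounts:
        for candidate in candidate_passwords(acct["username"]):
            derived = hash_password(candidate, acct["salt"])
            if hmac.compare_digest(derived, acct["hash"]):
                findings.append((acct["username"], candidate))
                break
    return findings


# Constructed sample store: two accounts left on vendor defaults, one changed.
SAMPLE_ACCOUNTS = [
    create_account("admin", "admin"),
    create_account("svc_backup", "correct-horse-battery-staple-2024"),
    create_account("root", "toor"),
]

if __name__ == "__main__":
    for user, pwd in audit_default_passwords(SAMPLE_ACCOUNTS):
        print(f"FAIL: account '{user}' still uses default password {pwd!r}")
```

Because every candidate has to be re-derived per account (the salt differs each time), this check costs one PBKDF2 computation per candidate per account; that is acceptable for a short default list, and it is the same cost that makes salted, iterated hashing slow down an attacker.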
The individuals used for this test are knowledgeable and are likely to take unique approaches in testing the security measures.

Regulatory Standards Compliance

In addition to the requirement to comply with your own security program, your organization may also be required to comply with one or more standards defined by external parties. In that case, your organization's security program must include a definition of what those standards are and how the organization will comply with them.

Security Dashboard

Many organizations use security dashboard software to provide a comprehensive display of all key performance indicators related to the organization's security defenses, including threats, exposures, policy compliance, and incident alerts. The purpose of a security dashboard is to reduce the effort required to monitor and identify threats in time to take action. The data that appear in a security dashboard can come from a variety of sources, including security audits, firewalls, applications, servers, and other hardware and software devices.

Implementing CIA at the Network Level

The Internet provides a wide-open and well-travelled pathway for anyone in the world to reach your organization's network. That same reach is why organizations continue to move more of their business processes to the Internet to better serve customers, suppliers, employees, investors, and business partners. However, unauthorized network access by a hacker or a resentful employee can compromise sensitive data and severely degrade services, with a resulting negative impact on productivity and operational capability. This, in turn, can severely strain relationships with customers, suppliers, employees, investors, and business partners, who may question the organization's ability to protect its confidential information and offer reliable services.
Organizations must carefully manage the security of their networks and implement strong measures to ensure that sensitive data are not accessible to anyone who is not authorized to see them.

Authentication Methods

To maintain a secure network, an organization must authenticate users attempting to access the network by requiring them to enter a username and password; to insert a smart card and enter the associated PIN; or to provide a fingerprint, voice pattern sample, or retina scan. Combining two of these factors (something the user knows, has, or is), known as multifactor authentication, gives considerably stronger assurance than any one of them alone.

Firewall

Installation of a corporate firewall is the most common security precaution taken by businesses. A firewall is a system of software, hardware, or a combination of both that stands guard between an organization's internal network and the Internet and limits network access based on the organization's access policy. With a default-deny policy, any Internet traffic that is not explicitly permitted into the internal network is denied entry by the firewall. Similarly, most firewalls can be configured so that internal network users are blocked from gaining access to websites deemed inappropriate for employees, such as those whose content is based on sex and violence. Most firewalls can also be configured to block instant messaging, access to newsgroups, and other Internet activities.

A next-generation firewall (NGFW) is a hardware- or software-based network security system that can detect and block sophisticated attacks by filtering network traffic based on packet contents. Compared with first- and second-generation firewalls, an NGFW inspects the content of packets more deeply and matches sequences of bytes against signatures of harmful activity, such as exploitation of known vulnerabilities, viruses, and malware.

Routers

A router is a networking device that connects multiple networks together and forwards data packets from one network to another.
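The following Python example, added here and not from the outline, shows how the firewall access policy just described is evaluated: rules are checked in order, the first match decides, and anything no rule permits falls through to default deny. The addresses (203.0.113.0/24 as the organization's public range, 203.0.113.10 as its web server, 198.51.100.0/24 as the administrators' network) and the sample packets are constructed. The evaluator is stateless; a real firewall additionally tracks connection state so that replies to permitted outbound connections are allowed back in.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (Internet -> internal network) or "out"
    proto: str       # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    direction: str
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: frozenset = frozenset()   # empty = any port
    comment: str = ""


def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (not rule.dports or pkt.dport in rule.dports))


def evaluate(rules, pkt):
    """First matching rule wins; traffic no rule permits is denied (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "default deny: no rule explicitly permits this traffic"


# Constructed sample policy. Order matters: the IRC deny sits before the broad outbound allow.
POLICY = [
    Rule("allow", "in", "tcp", dst="203.0.113.10", dports=frozenset({80, 443}),
         comment="public web server"),
    Rule("allow", "in", "tcp", src="198.51.100.0/24", dst="203.0.113.0/24",
         dports=frozenset({22}), comment="admin SSH"),
    Rule("deny", "out", "tcp", dports=frozenset({6667, 6697}), comment="block IRC C2 channels"),
    Rule("allow", "out", comment="employees may reach the Internet"),
]

# Constructed sample packets exercising each branch of the policy.
SAMPLE_PACKETS = {
    "web": Packet("in", "tcp", "192.0.2.7", "203.0.113.10", 443),
    "rdp": Packet("in", "tcp", "192.0.2.7", "203.0.113.10", 3389),
    "ssh_outsider": Packet("in", "tcp", "192.0.2.7", "203.0.113.20", 22),
    "ssh_admin": Packet("in", "tcp", "198.51.100.5", "203.0.113.20", 22),
    "irc_out": Packet("out", "tcp", "10.0.0.15", "192.0.2.99", 6667),
    "https_out": Packet("out", "tcp", "10.0.0.15", "192.0.2.99", 443),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:<13} {evaluate(POLICY, pkt)}")
```

The RDP and outsider-SSH packets are dropped without any rule naming them, which is the practical meaning of "not explicitly permitted is denied"; swapping the last two rules would silently let the IRC traffic out, a common misconfiguration in first-match rule sets.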
Often, an ISP installs a router in a subscriber's home to connect the ISP's network to the network within the home. Routers enable you to create a secure wireless network by assigning it a passphrase so that only individuals who have the passphrase can connect. However, a weak passphrase can be recovered by an attacker who captures the Wi-Fi handshake and guesses passphrases offline, so the passphrase should be long and not guessable. As an additional layer, the router can be configured with the media access control (MAC) address of each legitimate device and told to refuse any other device that attempts to join the network. MAC filtering is only a minor obstacle, however: MAC addresses are transmitted in the clear and can be observed and spoofed by an attacker within radio range, so it should not be relied on in place of a strong passphrase and current encryption. Rejecting uninvited inbound connections from the Internet is a separate function of the router's built-in firewall and network address translation, which by default do not forward unsolicited inbound traffic to devices on the home network. Most routers also have an option to restrict access to specific websites, which can be used to block sites known to infect user devices with malware.

Encryption

Encryption is the process of scrambling messages or data in such a way that only authorized parties can read them. It is one means of keeping data secure. An encryption key is a value that is applied (using an algorithm) to unencrypted text (plaintext) to produce encrypted text (ciphertext), which appears as a series of seemingly random characters and is unreadable by anyone without the key needed to decipher it. There are two types of encryption algorithms: symmetric and asymmetric. Symmetric algorithms use the same key for both encryption and decryption. Asymmetric algorithms use one key for encryption and a different key for decryption; the encryption key can be made public while the decryption key is kept private. Advanced Encryption Standard (AES) is the most widely used symmetric algorithm and is entrusted to protect classified U.S. government information.
Wi-Fi Protected Access 2 (WPA2), the most commonly used security protocol for wireless networks today, employs the AES encryption algorithm. The ability to keep encrypted data secret does not depend on the encryption algorithm, which is widely known, but rather on the encryption key (a principle known as Kerckhoffs's principle). The encryption key is chosen from one of a large number of possible encryption keys
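The following Python example, added here and not part of the outline, makes the last two points concrete with a toy symmetric stream cipher whose algorithm is fully visible: the same key encrypts and decrypts, and the only thing protecting the message is the size of the key space. A 16-bit key is recovered by trying every possible key, while the same loop against 128- or 256-bit keys is shown to need longer than the age of the universe even at a trillion guesses per second. The SHA-256 counter-mode construction and the sample message are constructed for the example; it is an illustration of the principle, not a secure cipher.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keystream(key, length):
    """Toy keystream: SHA-256 of (key || counter) in counter mode.
    Illustrative only; a real system would use AES (e.g. AES-GCM), not this."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key, data):
    """Symmetric: the same key (and the same function) both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def brute_force(ciphertext, key_bits, known_prefix):
    """Try every key of key_bits bits and return the first whose decryption starts
    with known_prefix (here a predictable message header). The algorithm being
    public costs the defender nothing; only the key space stands in the way."""
    key_len = (key_bits + 7) // 8
    for k in range(1 << key_bits):
        key = k.to_bytes(key_len, "big")
        if xor_crypt(key, ciphertext[:len(known_prefix)]) == known_prefix:
            return key
    return None


def years_to_exhaust(key_bits, keys_per_second):
    """Worst-case time to try the whole key space at a given trial rate."""
    return (1 << key_bits) / keys_per_second / SECONDS_PER_YEAR


# Constructed sample: a 16-bit key (65,536 possibilities) protecting a message
# that starts with a guessable header.
SAMPLE_KEY = (0xBEEF).to_bytes(2, "big")
SAMPLE_PLAINTEXT = b"FROM: bank alerts\nYour one-time code is 4471"
SAMPLE_CIPHERTEXT = xor_crypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    recovered = brute_force(SAMPLE_CIPHERTEXT, 16, b"FROM: ")
    print("recovered key:", recovered.hex(), "->", xor_crypt(recovered, SAMPLE_CIPHERTEXT))
    for bits in (16, 56, 128, 256):
        print(f"{bits:>3}-bit key at 1e12 keys/s: {years_to_exhaust(bits, 1e12):.3g} years")
```

The 56-bit row is the historical DES key length, which dedicated hardware exhausted in days by the late 1990s; the 128-bit and 256-bit rows are the AES key sizes WPA2 relies on, and the gap between them and 56 bits is the whole reason key length, not algorithm secrecy, is what an organization should be checking.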