Copyright Notice:
This presentation is prepared by Author for Perbanas Institute as a part of Author Lecture Series. It is to be used for educational and non-commercial purposes only and is not to be changed, altered, or used for any commercial endeavor without the express written permission from Author and/or Perbanas Institute. Appropriate legal action may be taken against any person, organization, or entity attempting to misrepresent, charge, or profit from the educational materials contained here.
Authors are allowed to use their own articles without seeking permission from any person, organization, or entity.
3. arianto.muditomo@2018
§ Describe the major ethical issues related to information technology and identify situations in which they occur.
§ Identify the many threats to information security.
§ Understand the various defense mechanisms used to protect information systems.
§ Explain IT auditing and planning for disaster recovery.
§ Ethics refers to the principles of right and wrong that individuals use to make choices to guide their behaviors. Deciding what is right or wrong is not always easy or clear-cut. For this reason, many companies and professional organizations develop their own codes of ethics.
§ A code of ethics is a collection of principles that is intended to guide decision making by members of the organization.
Responsibility means that you accept the consequences of your decisions and actions.
Accountability refers to determining who is responsible for actions that were taken.
Liability is a legal concept that gives individuals the right to recover the damages done to them by other individuals, organizations, or systems.
Privacy issues involve collecting, storing, and disseminating information about individuals.
Accuracy issues involve the authenticity, fidelity, and accuracy of information that is collected and processed.
Property issues involve the ownership and value of information.
Accessibility issues revolve around who should have access to information and whether they should have to pay for this access.
Privacy Issues
• What information about oneself should an individual be required to reveal to others?
• What kind of surveillance can an employer use on its employees?
• What types of personal information can people keep to themselves and not be forced to reveal to others?
• What information about individuals should be kept in databases, and how secure is the information there?

Accuracy Issues
• Who is responsible for the authenticity, fidelity, and accuracy of the information collected?
• How can we ensure that the information will be processed properly and presented accurately to users?
• How can we ensure that errors in databases, data transmissions, and data processing are accidental and not intentional?
• Who is to be held accountable for errors in information, and how should the injured parties be compensated?

Property Issues
• Who owns the information?
• What are the just and fair prices for its exchange?
• How should one handle software piracy (copying copyrighted software)?
• Under what circumstances can one use proprietary databases?
• Can corporate computers be used for private purposes?
• How should experts who contribute their knowledge to create expert systems be compensated?
• How should access to information channels be allocated?

Accessibility Issues
• Who is allowed to access information?
• How much should companies charge for permitting accessibility to information?
• How can accessibility to computers be provided for employees with disabilities?
• Who will be provided with equipment needed for accessing information?
• What information does a person or an organization have a right or privilege to obtain, under what conditions, and with what safeguards?
PRIVACY
Privacy is the right to be left alone and to be free of unreasonable personal intrusions.
§ Information privacy is the right to determine when, and to what extent, information about yourself can be gathered and/or communicated to others.
§ Privacy rights apply to individuals, groups, and institutions.
§ Data aggregators, digital dossiers, and profiling
§ Electronic surveillance
§ Personal information in databases
§ Information on Internet bulletin boards, newsgroups, and social networking sites

How to Protect?
Privacy Codes and Policies
Privacy policies or privacy codes are an organization’s guidelines for protecting the privacy of customers, clients, and employees.
PRIVACY POLICY
• A business is prohibited from collecting any personal information unless the customer specifically authorizes it.
• A business is permitted to collect personal information until the customer specifically requests that the data not be collected.
THREATS TO INFORMATION SECURITY
A number of factors contribute to the increasing vulnerability of organizational information assets, which are:
• Today’s interconnected, interdependent, wirelessly networked business environment
• Government legislation
• Smaller, faster, cheaper computers and storage devices
• Decreasing skills necessary to be a computer hacker
• International organized crime taking over cyber-crime
• Downstream liability
• Increased employee use of unmanaged devices
• Lack of management support
§ Information systems controls are the procedures, devices, or software aimed at preventing a compromise to the system.
§ Organizations have many information resources. (These resources are subject to a huge number of threats.)
§ The exposure of an information resource is the harm, loss, or damage that can result if a threat compromises that resource.
§ A threat to an information resource is any danger to which a system may be exposed.
§ Risk is the likelihood that a threat will occur.
§ A system’s vulnerability is the possibility that the system will suffer harm by a threat.
Whitman and Mattord (2003) classified threats into five general categories to help us better understand the complexity of the threat problem.

Unintentional acts
• Human errors
• Social engineering, reverse social engineering, and social data mining
• Deviations in the quality of service by service providers
• Environmental hazards

Natural disasters
• Natural disasters include floods, earthquakes, hurricanes, tornadoes, lightning, and in some cases, fires. In many cases, these disasters—sometimes referred to as acts of God—can cause catastrophic losses of systems and data.

Technical failures
• Technical failures include problems with hardware and software. The most common hardware problem is a crash of a hard disk drive.

Management failures
• Management failures involve a lack of funding for information security efforts and a lack of interest in those efforts. Such lack of leadership will cause the information security of the organization to suffer.

Deliberate acts
• Espionage or trespass
• Information extortion
• Sabotage or vandalism
• Theft of equipment or information
• Identity theft
• Compromises to intellectual property
• Software attacks
• Supervisory control and data acquisition (SCADA) attacks
• Cyber-terrorism and cyber-warfare
Risk Management
• Risk acceptance: Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
• Risk limitation: Limit the risk by implementing controls that minimize the impact of the threat.
• Risk transference: Transfer the risk by using other means to compensate for the loss, such as by purchasing insurance.

Control
• Physical Control
• Access Control
• Communication Control
• Application Control

IS Auditing
• Types of Auditors & Audits
• How is auditing executed?

BCP, Backup & Recovery
• Hot-site
• Warm-site
• Cold-site
• Off-site data storage
THE DIFFICULTIES IN PROTECTING INFORMATION RESOURCES
§ Hundreds of potential threats exist.
§ Computing resources may be situated in many locations.
§ Many individuals control information assets.
§ Computer networks can be located outside the organization and may be difficult to protect.
§ Rapid technological changes make some controls obsolete as soon as they are installed.
§ Many computer crimes are undetected for a long period of time, so it is difficult to learn from experience.
§ People tend to violate security procedures because the procedures are inconvenient.
§ The amount of computer knowledge necessary to commit computer crimes is usually minimal. As a matter of fact, one can learn hacking for free on the Internet.
§ The cost of preventing hazards can be very high. Therefore, most organizations simply cannot afford to protect against all possible hazards.
§ It is difficult to conduct a cost-benefit justification for controls before an attack occurs because it is difficult to assess the value of a hypothetical attack.
§ What do you know about codes of ethics?
A code of ethics is a collection of principles that is intended to guide decision making by members of the organization.
§ What is privacy?
Privacy is the right to be left alone and to be free of unreasonable personal intrusions.
§ Please identify the many threats to information security.
Unintentional threats include human errors, environmental hazards, and computer system failures.
Intentional threats include espionage, extortion, vandalism, theft, software attacks, and compromises to intellectual property.
Software attacks include viruses, worms, Trojan horses, logic bombs, back doors, denial-of-service, alien software, phishing, and pharming.
A growing threat is cyber-crime, which includes identity theft and phishing attacks.
§ Please write a short description of a major privacy case from the last 10 years.
§ References: Facebook privacy case, Google privacy case, Wikileaks ethics and privacy case, Microsoft privacy case, etc.