1. The Century of Information Technology
Christian Means
Professor Ramaswamy Srinivasan
Computer Ethics
May 2, 2009
Securing Information Systems in the 21st Century
My academic research on the topic of “Information Systems” has led me to
understand that it is logical and ethical for any particular company to secure their
information system in the 21st century. Every company or business organization must
control what goes into their electronic systems and what they allow to flow out of them.
If a company is negligent about the sensitive data that their information system holds,
there will be severe consequences for the financial operations of that business.
What is an Information System?
An information system is a well-organized computer system within a business
organization that collects, stores, and manipulates data in such a brilliant way that once the
information from the system is retrieved by the user, it can be used for making important
decisions that affect the growth of many businesses. An information system has many
other properties, such as a large storage capacity and a faster and much easier approach
for its users. An information system gives a company a place to store large amounts
of information and a massive amount of raw facts. An information
system can hold thousands, and sometimes even millions, of files of information at one
time (Smith, Martin). For example, an information system is used at a bank to
record and organize the account records of the general public. Information systems are also used at
various hospitals and clinics to record and organize the account records of hundreds of
patients. An information system provides a faster and much easier approach for our
society. Many centuries ago, society did not have a computerized information
system to help them with all the data that they needed to run their businesses. They had
to run their businesses with mechanical typewriters and dozens of typed papers in their
file cabinets. These papers could become unorganized, lost and easily stolen. Also, if a
fire was started in their company buildings, it could burn up their records in a matter of
seconds and there would be no way of replacing them. Business men and women in the
21st century can now rely on and be confident in information systems that allow
them to store and process their data much more efficiently and effectively.
What Types of Information Systems are There?
There are many different types of information systems that businesses in the 21st
century use in order to operate their companies. These information systems are the
following: Transaction Processing Systems, Management Information Systems, and
Decision Support Systems. As with any type of technology in this world, information
systems have become not only easy to work with, but also unique in the way each kind
of information system performs a different type of task in our century’s workforce (e.g.,
schools, hospitals, law firms, police stations, etc.). Every company must decide what type
of information system is right for them, or what information system will help them with
their work endeavors.
A Transaction Processing System is used to process standard transactions
between a company and its customers. These information systems are used for
calculating customers’ bills and sending them invoices that state when
their bills are due. Also, these systems are used by companies to calculate the amount of
money due to staff members according to the hours they worked for the company that
week. Transaction Processing Systems are very valuable assets to a company because
they allow a company to keep records of what inventory it has and tell it
when it should order more. A Management Information System
(MIS) is a type of information system that takes the information from the Transaction
Processing System and uses its data to build research information for the management of
a business to analyze. The information that this particular system offers to managers
allows them to make good decisions about which products in a business are profitable and
which products are declining.
A Decision Support System is an information system that is much like a
Management Information System. It gives managers information about their company
and helps them to make better decisions that they might be uncertain about. The
difference is that a Management Information System only gives basic reports about the
company, but a Decision Support System gives managers options and choices about
the business that they may choose to follow. All of these different types of information
systems are great for a business, but if the company does not secure them, they can
become corrupted and cause the company to lose more than can be gained.
How Do You Secure An Information System?
I. Equal Responsibility
In order to secure a company’s information system, a company must understand
who is responsible for securing it. No one likes responsibility, but it is the only way for
a person or any type of company to be successful in life and in business. In a business
organization, everyone that works there is responsible for securing the company’s
information system, from the CIO or CEO to the mail clerk. No employee should be left
out and everyone who works for the company should be held accountable. The leaders
of the company should set the example or organizational culture for the rest of the staff
members. As the staff notice how the management considers the importance of their
information system, the rest of the company will follow their example.
II. Identification of Assets
In order to secure a company’s information system, a company must analyze and
identify all their possible assets. This analysis allows a company to decide
which particular items in the company are items they need to secure. If a company
decides to place barriers and boundaries around items that need no security, that company
is wasting its money on useless materials (Smith, Martin). Once a
company perceives that their information system is one of their assets, they will
understand the importance of securing it.
III. Value for the Information System
In order to secure a company’s information system, a company must learn to
value and appreciate their system. If they don’t appreciate it, they will abuse it and act
like children who do not appreciate their gifts from their parents. A person who drives
drunk does not appreciate their life, so they drive anyway. A college student does not
study for their final exams because they do not appreciate their education, and what it can
do for them in the future. Likewise, companies that do not value and appreciate their
information system will not be willing to secure it either.
IV. Producing Qualities of Good Information
In order to secure a company’s information system, a company must understand
how to protect the qualities of good information. Information has three qualities within
an information system that must be protected. These qualities are the following:
integrity, continuity, and confidentiality (Smith, Martin). The level of integrity an
information system must have is very important because a company does not need a
computer that lies to them and gives them invalid information. The information the
computer gives must always be accurate and never altered in any way. The level of
continuity an information system must have is very important because a company needs a
computer that can give an output of information when they need it. A company does not
want an information system that only gives old suggestions and ideas and never gives
updated ones. The level of confidentiality an information system must have is very
important to a company. It can also be important to the general public because no one
wants their credit card number or social security number in the hands of a vicious black-hat
hacker. An information system should be programmed to show information only to
users with authorized privileges and never to unwanted guests.
V. Acknowledging Threats & Risks
In order to secure a company’s information system, a company must acknowledge
all the possible risks that could affect a company and break down their information
system (Fites, Philip E.). Companies who secure their information systems know
exactly how to build them right and manage them right. Good systems are good for a
business and bad ones are expensive and can cause a company to lose a lot of money.
Bad systems can cost about 1-10% of a company’s gross income. Even though
information systems are great investments to possess, they can become like “a pain in
one’s side or a thorn in one’s hand.” Many of these risks that can break down the
information system arrive because of bad decisions of management. The article “Some
ad hoc information system issues in South Africa for the New Millennium and suggestions
as how to deal with them” defines four specific risks that employers and employees need
to be cautious about while working on their task. The first risk occurs when an
information system is not designed properly or not intended for its user. When an
information system is not built for its users, this can make the users mad and very
frustrated at the system. For example, customers at an outside automated teller machine
(ATM) find out that they cannot withdraw their hard-earned money or check their
current balances because the machine is not designed for that type of functionality. It is
only designed to take their money and not give it back. That would make any bank user
mad, and some users might even try to break the machine. To stop this risk from
happening and to secure the information system, a company must create systems that are
tailored for the user. The second risk occurs when the users of the information system
lack training about the usability of the system. Employees and workers at a business
cannot do their part in securing the information system if they are not properly trained to do
it. After they have been trained by qualified staff leaders, they should not have any
excuse for failing to secure it. The third risk occurs when a company is
impatient to buy the latest software and hardware for their information
system. They buy and set up their information systems without allowing the system to
be tested thoroughly in advance. (Heerden, Joh Van). When they rush and place the
latest systems into their businesses to work for them, they soon discover that their system
is infected with a virus. This leads me to write about the last risk. The last risk occurs
when a company allows unauthorized users to freely walk around their company and
touch their computers. When unauthorized users, like black-hat hackers, invade an
information system, they can leave a company with a virus that could shut down the entire
company (Hadow). Many of these viruses are sent to companies through emails, thumb
drives, and compact discs. Every company should keep a back-up of their
system’s software and information in a safe place to protect them from these nasty computerized “bugs.”
---Computer Bugs: A Terrible Risk---
Insects and small bugs can be a very big problem to a person who is allergic to
them. This world that we live in is full of them. An information system, just like the
world, can be attacked by small bugs or computer programs called “computer viruses.”
All of these malicious programs are extremely bad and a company must prevent them
from entering their information system if they are prepared to secure it.
These computer viruses are the following: Trojan Horses, Sleepers, Trap Doors, Logic
Bombs, and Cancers. A “Trojan Horse” is a malicious computer program that
takes a company’s sensitive information and sends it to other users over the Internet.
It hides in the background of the computer system and secretly gives out the
company’s vital information. A “Sleeper” is another malicious computer program, like
the Trojan Horse, that sleeps for a while and hides in the background of a company’s
system. But when it awakes, all the company’s information is gone in a matter of
seconds. A “Trap Door” is a computer program that hackers use to get through all the
security features of an information system. A “Logic Bomb” is a computer program that
hackers use to erase the valuable data stored on a company’s entire hard drive.
Lastly, a “Cancer” is a computer program that hackers use to slowly
eat up a company’s information system (Smith, Martin). These viruses can be a terrible
risk for a company and their information system. To prevent these viruses from entering
its information system, a company should use a combination of firewalls, proxy servers,
and anti-virus software to arm its system against aggressive attacks from outsiders.
VII. Build a Security Policy
In order to secure a company’s information system, a company must develop a
well-organized security policy that defines all the values they have concerning securing
their information system. Through the use of a security policy, a company is able to
prevent exposures to outsiders, detect attempted threats to their information system, and
correct any of the causes of threats to their system (Baskerville, Richard). When
designing a security policy for a company’s information system, the designers of the policy
should never limit the methods of the policy to a single type of procedure. The world of
technology is ever-changing and forever increasing and the policies of a company’s
security should also be changing and increasing. Like a circular onion that has many
layers, a company’s security policy must have many layers of operations in order to
secure their information system. These four layers of defense are the following:
physical security, software security, document security, and personnel
security (Smith, Martin).
Physical Security
Every security policy should have some type of physical security that protects a
company’s information system from within by securing their territory from without. In
medieval times, kings and queens built magnificent castles with large gates to keep their
vicious enemies from getting inside of their shiny palaces. Likewise, a company that
desires to secure their information system must have physical security to protect them
from their enemies such as hackers and unauthorized users of their system. The physical
elements that a company must protect are their personal computers, their equipment such
as printers, modems and hard drives, and their outside premises. Physical security
should surround the whole business, from gates positioned around every company
building to smoke detectors positioned throughout their hallways and rooms (Smith,
Martin). Even though physical security is needed to secure a company’s information
system, it is not enough security to stop an intruder from getting into their system. This
measure of the security policy only slows the intruder down.
Software Security
Every security policy should have some type of software security that gives
access only to authorized users of a company’s information system. This method of
security should be programmed into the computers of a company, allowing users to enter
the information system with their knowledge of a username and unique password. No
authorized user should ever share their password with others (Smith, Martin).
They should keep their usernames personal and absolutely confidential. Their username
and password are the key that unlocks the door to the company’s information system.
There is a special type of security software application called “Polivec Builder” that is
used by companies to protect their information systems from intruders. It allows
companies to build and create customized security policies and guidelines (Andress,
Mandy). There is also a special type of software application called “Identity Finder” that
brings up a company’s sensitive information and then deletes it for them after each usage
(Brynko, Barbara). By having software security over a company’s information system,
a company will be able to know exactly who accessed the system and at what time.
Even though software security is needed to secure a company’s information,
software security can only help a company so much.
Document Security
Every security policy should have some type of document security in order to secure a
company’s information system. A company should be concerned with what they do
with their company documents because these documents contain sensitive information
that has been copied from out of their information system. These documents could be
the following: printer output, graphs, flowcharts, floppy discs, CDs, and company USB
devices. One way that hackers and malicious users invade an information system is by
reading a company’s documents. This allows them to get an understanding of how the
company’s information system operates. When they find out how a company’s system
operates, it gives them a better chance of taking a system down. All documents at a
company must be disposed of in an ethical fashion, such as paper shredding. There
should also be some kind of “desk policy” that informs each employee to keep their
business documents secured whenever they leave their offices (Smith, Martin).
Personnel Security
The most important security measure in information system security is a
company’s personnel security. This is because the people who are responsible for
securing a company’s information system could be the same people who are tearing it
apart. A company should only hire employees who are honest and committed to
securing the system. If an employee is suspected of committing wrongful acts against
the company’s information system, try sending them on a two-week vacation. The time
they spend away from the company will allow the actions they committed to
surface. If an employee is caught pursuing wrongful actions against the company, they
should be disciplined in an ethical manner, such as demotion or termination.
Background checks should be conducted before hiring a new associate to
the company. Information from the company’s system should only be seen by those
persons with security clearance. Every employee should be supervised by another
employee. Company projects should be done in groups, so that no person in the
company is ever left unattended. The book “Commonsense Computer
Security” states, “the greatest dangers to any system come from those who work from
with it.”
Case In Point--“Everyone Is a Target”
An article written by Barry Smith, titled “Locking down a computer security,” states
that “everyone is a potential target for a security breach.” In Gaithersburg, Maryland,
there was a company that was a victim of a security breach. In the first breach, a hacker
guessed an employee’s email password and sent messages to other employees asking
them for sensitive information about the company’s information system. In the second
breach, the hacker unleashed a worm virus on one of the city’s Internet servers, wreaking
havoc on their information system. Companies all over the world have something very
important that they must learn to secure and that is their information system. They must
secure their information system because there are real threats and risks in this world that
will try to tear it apart. A company must strive to protect the qualities of the information
that they hold in their information system and follow a security policy that is ethical and
carries some type of practical use for their business organization.
Works Cited
Articles & Books:
1.)
Title: “Locking down a computer security”
Author: Barry Smith
Source: American City & County Oct 2001 vol 116 issue 15 p.14
EbscoHost Database: academic search complete in Ualr library
----------------------------------------------------
2.)
Title: Security police in a box
Author: Mandy Andress
Source: InfoWorld 10/22/2001, vol.23, issue 43 p.54
ebscoHost
Database: academic search complete in Ualr library
---------------------------------------------------
3.)
Title: Some ad hoc information system issues in South Africa for the new millennium and
suggestions as how to deal with them.
Authors: Dan Remenyi, Sam Lubbe, Joh Van Heerden
Source: Information Technology for Development; 2000 Vol 9 issue 3-4 p.163
Ebscohost
Copyright: John Wiley & Sons, Inc
Database: Academic Search complete
-----------------------------------------------------
4.)
Title: Data Security for Libraries: Prevent Problems, Don’t Detect Them.
Author: Katherine Hadow
ebscoHost
Source: Feliciter; 2009 Vol. 55 issue 2, p.50-52
5.)
Title: Designing Information Systems Security
Author: Baskerville, Richard.
Publisher: John Wiley & Sons
Chichester
Editors: Richard Boland and Rudy Hirschheim
Copyright: 1988
----------------------------------------------------
6.)
Title: Security: By the Numbers
Author: Barbara Brynko
Source: Information Today; May 2008 vol. 25 issue 5 p.44
EbscoHost
----------------------------------------------------
7.)
Title: Control and Security of Computer Information Systems
Authors: Fites, Philip E.; Kratz, Martin P.J.; Brebner, Alan F.
Publisher: Computer Science Press, Inc.
Copyright: 1989
------------------------------------------------------
8.)
Author: Smith, Martin R.
Title: CommonSense computer security: our practical guide to information protection. 2nd
edition
London
Publisher: McGraw-Hill Book Company
Copyright : 1993