Ron Briggs UT-Dallas
Ethics and Security in
Information Management
• You run the Dallas County office of DHS. It's Monday morning of the week before you take off on a two-week vacation. You are reading your mail. There is a letter from the Information Systems division of the Office of the State Auditor. They will be visiting you three weeks from today to:
“review policies and procedures with respect to information security and ethics”
• do you break into a cold sweat, or say ‘no sweat, we are in good shape’?
• what needs to be in place in order for you to enjoy a carefree vacation?
The Ethical Issues in IT
• responsibility, accountability, and liability
– snow storm, roof collapses, people lose money
• privacy and open records
– is gov. e-mail private or a public record?
• intellectual property: trade secrets, copyright, patents
– more than controlling software copying
• appropriate use and ethical behavior
– avoid even the appearance of impropriety
• equity, access, and social impact
– the digital divide: is IT widening social and economic divisions?
• personal protection and health
– safety hazards in the workplace
Security is central to at least the first three.
Ethics is fundamental to the second three.
Security Problem Areas
It's not a question of if, but of when!
– disasters strike (17%--includes equipment)
» external natural/manmade disasters
– disks, etc. fail
» internal equipment failures
– staff screw-up (50%)
– employees abuse (14%)
– hackers/viruses attack (5%)
– criminals conspire (14%--mostly internal)
– somebody sues
(Numbers refer to one estimate of losses, by source)
The Response
• prevention, prevention, prevention
• detection
• prosecution/suing
The majority of problems are internal not external!
Your biggest problem is trusted staff messing up!
Prosecution & suing are after the fact. They won’t
prevent the problem (or save your job)!
It's not luck, it's planning!
Basic Concepts:
responsibility, accountability, liability
Responsibility: the personal issue
accepting the inherent costs and obligations of the
decisions you make
Accountability: the institutional issue
the ability to determine who took the responsible (or
irresponsible!) action
Liability: the legal issue
the ability to recover for the damage done to
individuals or organizations through a system of due
process
The Three Dimensions of Security
• Confidentiality
– assuring that legally protected data is not disclosed to the public or to anyone else not authorized to see it
• Integrity
– assuring that info. is correct and protected from
unauthorized alteration
• Availability
– assuring that data is available to support the agency’s
mission and operations
» information recoverable
» operations continuable
Strategies for Security
• security policy/procedures
– physical security:
» people: locks, cameras, exit/entry monitoring
» water: basement, pipes
» electricity: surge, UPS
» structures: no prefabs!
– system access control: logon
– database security systems and record/attribute level control
– data management policies (which must be known and followed)
» data ownership and responsibility assignment
» data classification: confidential, sensitive, public
• error control
– program development: independent user testing
– data entry
» one-time input/automated source capture
» validation rules
» duplicate data entry for verification
– journalling: tracking all accesses and changes by userID, date, time, etc. (audit trail)
– hardware/network/database monitoring: spotting trouble ahead of time (alarm)
– data audits
• disaster recovery
– back-ups: on-site & off-site
– mirroring/fault tolerant systems
– hot sites/cold sites
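Three items from that list (record-level access control keyed to the classification ladder, validation rules on data entry, and a journal of every access, change and refusal by userID and timestamp) are shown below as a small in-memory model. This is an added example, not code from the lecture; the class name `Store`, the users alice and bob, their clearances and the sample records are assumptions made for illustration.

```python
"""Record/attribute-level access control, data classification and a journal
(audit trail), as an in-memory model.  Added example, not from the lecture.
Class and user names, clearances and the sample records are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Callable

# The slide's classification ladder, lowest to highest.
CLASSIFICATIONS = {"public": 0, "sensitive": 1, "confidential": 2}


@dataclass
class Record:
    owner: str           # data ownership / responsibility assignment
    classification: str  # public, sensitive or confidential
    data: dict[str, Any]


@dataclass
class JournalEntry:
    user: str
    action: str          # READ, WRITE, DENY or REJECT
    record_id: str
    when: str            # ISO-8601 UTC timestamp
    detail: str = ""


class Store:
    def __init__(self, clearance: dict[str, str],
                 validators: dict[str, Callable[[Any], bool]]):
        self._records: dict[str, Record] = {}
        self._clearance = clearance      # userID -> highest level the user may read
        self._validators = validators    # field -> validation rule (error control)
        self.journal: list[JournalEntry] = []   # append-only; never edited in place

    def _log(self, user: str, action: str, record_id: str, detail: str = "") -> None:
        self.journal.append(JournalEntry(
            user, action, record_id, datetime.now(timezone.utc).isoformat(), detail))

    def read(self, user: str, record_id: str) -> dict[str, Any]:
        rec = self._records[record_id]
        level = CLASSIFICATIONS[self._clearance.get(user, "public")]
        if level < CLASSIFICATIONS[rec.classification]:
            # Denied attempts are journalled too: they are what an auditor asks about.
            self._log(user, "DENY", record_id, f"read of {rec.classification} record")
            raise PermissionError(f"{user} may not read {record_id}")
        self._log(user, "READ", record_id)
        return dict(rec.data)   # a copy: callers cannot alter the record unjournalled

    def write(self, user: str, record_id: str, classification: str,
              data: dict[str, Any]) -> None:
        if classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification {classification!r}")
        existing = self._records.get(record_id)
        if existing is not None and existing.owner != user:
            self._log(user, "DENY", record_id, "write by non-owner")
            raise PermissionError(f"{user} does not own {record_id}")
        bad = [f for f, rule in self._validators.items()
               if f in data and not rule(data[f])]
        if bad:
            self._log(user, "REJECT", record_id, f"validation failed: {bad}")
            raise ValueError(f"invalid fields: {bad}")
        self._records[record_id] = Record(user, classification, dict(data))
        self._log(user, "WRITE", record_id, f"classification={classification}")

    def actions_on(self, record_id: str) -> list[tuple[str, str]]:
        """Accountability: who did what to this record, in order."""
        return [(e.user, e.action) for e in self.journal if e.record_id == record_id]


def build_demo_store() -> Store:
    """Constructed sample data: two users and two records (not real)."""
    store = Store(
        clearance={"alice": "confidential", "bob": "public"},
        validators={
            "zip": lambda v: isinstance(v, str) and v.isdigit() and len(v) == 5,
            "amount": lambda v: isinstance(v, (int, float)) and v >= 0,
        },
    )
    store.write("alice", "case-1", "confidential", {"zip": "75080", "amount": 120.0})
    store.write("alice", "notice-1", "public", {"zip": "75080", "amount": 0})
    return store


if __name__ == "__main__":
    s = build_demo_store()
    for who, rid in (("bob", "notice-1"), ("bob", "case-1")):
        try:
            print(who, "read", rid, "->", s.read(who, rid))
        except PermissionError as e:
            print("denied:", e)
    for e in s.journal:
        print(e.when, e.user, e.action, e.record_id, e.detail)
```

Denied and rejected operations are journalled alongside successful ones, and `actions_on` is the accountability question from the Basic Concepts slide answered from the journal. In a real deployment the journal has to live somewhere the application account cannot rewrite (a separate, append-only log sink), because a journal that the same user can edit proves nothing to the auditor.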
Computer Systems v. Manual System
Is vulnerability increased?
• information is more highly concentrated, easier to gather
and more difficult to control
• potentially accessed by many more people.
• tools simplify and speed up copy/deletion of large
quantities
• no paper back-up; cannot be replicated manually.
• complex and invisible: difficult to test, audit or detect
change.
• more processing steps therefore more error possibilities.
Trade-offs
• security versus information access
» internal v. external
» need-to-know
» data as power
• security versus convenience
» diminishing returns
• security versus service: risk assessment
» probability of occurrence
» institutional impact/cost of failure
Decisions for upper management, not IT folks!
Ethics and Appropriate Use
Dealing with personal business (e-mail, phones, etc.)
• No financial gain or commercial purpose
• direct costs reimbursed (e.g. long distance charges)
• does not impede agency operations (e.g. tie up scarce dial-in ports or slow response time)
• consumes incidental amounts of employee time (the coffee
break test)
Dealing with vendors
• no personal gain, incl. family and friends (the tee shirt test)
• all have the opportunity to be included
• follow required procedures e.g. open bidding
For the public sector, it’s a matter of law. For the private
sector, it’s determined by policy.
Network Security: Needs
applications
– e-mail
– e-forms (internal business)
– EDI (electronic data interchange: external business)
management needs
– minimum manual intervention
– audit trails
– status and alarms
– immediate and comprehensive revocation
user needs
– access control
– user transparency
data needs
– confidentiality (secret)
– integrity (secure: no change)
– authenticity (sender known)
– non-repudiation (sender cannot later deny sending; receiver cannot deny receipt)
Security concerns intensify.
Network Security: Methods
Network
– closed network
– perimeter security (firewalls)
– object protection
User Access
– passwords (reusable: the same secret n times)
– smart cards (one-time codes)
– biometric user identification (fingerprint; iris/retina)
User exchange
– encryption (for confidentiality and integrity)
» clipper chip / back door
– public/private keys (for authenticity)
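The "n times" versus "one time" distinction on the User Access line, shown as an added example (not code from the lecture): a reusable password accepts the same secret every time it is presented, so anything that captures it (shoulder surfing, a keystroke logger) can replay it; a one-time code from a card or token is tied to a counter the server tracks, so the captured code is refused the second time. HOTP from RFC 4226 is implemented here with the Python standard library only; the user name and the secret (the RFC's published test key) are constructed values, and the look-ahead window size is an assumption.

```python
"""Reusable passwords versus one-time codes.  Added example, not from the
lecture: HOTP (RFC 4226) built from the standard library, with a verifier
that refuses a code that has already been used.  The user name and the
secret are constructed test values (the secret is the RFC 4226 test key)."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class PasswordVerifier:
    """'n times': the same secret is accepted every time it is presented."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}   # user -> (salt, hash)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def check(self, user: str, password: str) -> bool:
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, self._hash(password, salt))


class OneTimeVerifier:
    """'one time': a code is valid for a single counter value, and the server
    remembers the highest counter it has accepted, so a replay is refused."""

    def __init__(self, window: int = 5) -> None:
        self._secret: dict[str, bytes] = {}
        self._last: dict[str, int] = {}    # highest counter accepted per user
        self.window = window               # how far the token may run ahead (assumption)

    def enroll(self, user: str, secret: bytes) -> None:
        self._secret[user] = secret
        self._last[user] = -1

    def check(self, user: str, code: str) -> bool:
        secret, last = self._secret[user], self._last[user]
        # The look-ahead window tolerates button presses that never reached the
        # server; anything at or below `last` is a replay and is never reconsidered.
        for counter in range(last + 1, last + 1 + self.window):
            if hmac.compare_digest(hotp(secret, counter), code):
                self._last[user] = counter
                return True
        return False


RFC4226_KEY = b"12345678901234567890"   # published test key, not a real secret


def replay_demo() -> tuple[bool, bool, bool, bool]:
    """Present the same credential twice to each verifier."""
    pw = PasswordVerifier()
    pw.enroll("alice", "correct horse battery staple")
    first_pw = pw.check("alice", "correct horse battery staple")
    again_pw = pw.check("alice", "correct horse battery staple")   # replay succeeds

    otp = OneTimeVerifier()
    otp.enroll("alice", RFC4226_KEY)
    code = hotp(RFC4226_KEY, 1)           # what the card shows on its second press
    first_otp = otp.check("alice", code)
    again_otp = otp.check("alice", code)  # shoulder-surfed and replayed: refused
    return first_pw, again_pw, first_otp, again_otp


if __name__ == "__main__":
    print(replay_demo())   # (True, True, True, False)
```

The window is the security-versus-convenience trade-off from the earlier slide in miniature: a wider window forgives more lost presses but hands a guesser more simultaneously valid codes, so it belongs with a lockout or rate limit on failed attempts. Note also that a shared-secret scheme like this proves authenticity only to the server holding the same secret; non-repudiation toward a third party needs the public/private key signature of the User exchange line.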
The Special Case of Telecom Security
Telephone Fraud--$2 billion plus per year
Examples:
• card sharps
• shoulder surfing
• dumpster diving
• sweet talk (to obtain codes/lines)
• hacking
• internal trouble
Do you even know it?
Personal use
• illegal for gov.
• costly for private sector
Watch out for:
• international
• 1-900
