This document discusses legal, ethical, and operational issues related to information use for organizations. It specifically focuses on data protection laws like the Data Protection Act of 1998 and Freedom of Information Act 2000 that UK companies must abide by regarding personal information. The document also discusses ethical issues around appropriate email/internet use, whistleblowing, and information ownership. It provides an example ethical policy for the company Zayani and outlines how information security responsibilities are allocated, including the roles of the executive committee, security committee, information security manager, managers, and all employees.

1. Name
Student ID
Business Communication
EBU320

2. Task 1
1.1
There are many issues which relate to the use of information which affect an organization, there
are three main headings which are legal issues, ethical issues and operational issues. These
main headings cover all the key information and how it may affect an organization which may be
crucial to the way they deal with information and how it may need to adjust its way of operating
for legal issues, ethical issues and operational issues.
Legal issues
For many organizations legal issues are very important protect them and their clients, when it
comes down to their personal information and client information may be shared between the
company and its users. There are two relevant data protection Legislation which are Data
protection act of 1998 and the Freedom of information act 2000. These two acts are both
design in the form of purpose to help protect individuals and organizations by giving them
guidelines in which they must abide and if there were to fail to do so prosecution may be taken
as it can be a criminal offence to breach these acts.
Data protection act of 1998
For online companies such as Zayani to work and operate by abiding to data protection Act of
1998 it must be mindful of individuals information and data. It's important for companies like
Zayani to reported to the office of the information Commissioner that they are in possession of
such data which will also require them to pay a small annual fee to be allowed to keep this data
about individuals. For companies it's also important to consider these key points when it comes
to personal information
 all information must be fairly and lawfully obtained.
 information must be held for a specific and lawful purposes and not processed in any
manner incompatible with those purposes.
 adequate, relevant and not excessive for those purposes.
 all information must be kept up to date and accurate which must not be kept longer then
necessary.
 Information must be processed in accordance with the rights of their person to whom the
data refers to.
 Data must be kept securely to ensure the data is not lost or dispose of or misused.
 Data must not be transferred from the European economic call area unless the destination
has an accurate level of data protection.
Freedom of information act 2000
For organizations such as zayani on freedom of information act of 2000 does not really apply to
them directly however they do contain information about individuals and will have to follow
guidelines when information is requested. For public request they must be written and will be

3. processed within 20 days of receipt this is a very formal letter in which information will be
requested. As long as an individuals comply with requesting guidelines the organization is
obliged to provide evidence.. Data is regulated by the data protection act of 1998 which will
restrict certain information being released about an individual's personal data.
Other legislation
computer misuse act 1990: is applicable to companies such as Zayani which have many
different people using the Internet at their offices which may be prone to computer hacking.
Hacking can take place in different ways in which somebody could illegal gain access to the
system and change people's information or corrupt data or steel information sold to other
companies that might find it useful. Another way of hacking would be for someone inside the
company and gain access which will not be allowed to view such as credit card numbers or
simply attempted cause damages. It is illegal to gain information for purposes of theft or
malicious intentions. It is a criminal offences and can lead to prosecution in a court of law.
1.2
When running a company such as Zayani are a lot of ethical issues and not only for an individual
inside the company but for a company as a whole. Organizations and institutes can help develop
their own policies with their employees for users which they must comply by and in some
circumstances if they fail to comply with the policies they may be fired or in some cases criminal
prosecution which may be one of the outcomes of an bad ethical behavior.
Ethical behavior requires a code of practice or organization policies these policies are frequently
used in side companies to protect itself and its interests. Organization policies tend to be set by
the organization itself and that code of practice will be usually set by external bodies outside the
organization for example, British computer Society. All these policies are served to protect the
company organizations own interests as if somebody was to breach their policies and do damage
to their users and others they will not personally be prosecuted as a whole organization but the
individual who was responsible will be prosecuted on their own and not be related to the
organization in a court of law.
Use of email and the internet
In today's world of technology the most abused things on Earth is the Internet and emails, most
people did in their own personal time. Most likely they will distributed data which may be of
adult content being over social media or via emails and some people will think it is
and appropriate use of these services so it would not be surprising they would also inappropriate
images, videos and data as a whole at work using the company's computers and internet. T will
be what a company cannot have as it is a liability which could course a company's reputation to
be damage and weaken when it comes to client and investors trust whit their money and
business. For a company like Zayani this will not be a risk that they would want to take as it may
bring them in a legal battle if information was of a extreme content such as pornographic images

4. of children which are distributed inside the company's emails and internet, which will weaken
their image as a good business to work with.
Policies are put in place to protect companies such as Zayani from material in emails and the
Internet. these policies will be put in place protect the company as a whole and even if people
would surf the Internet and email inappropriate things the company will not be held responsible
and in some certain cases the employee who was distributing the information will be fired or in
some extreme cases prosecuted for criminal acts such as distributing inappropriate content.
Whistle blowing
In Zayani Co. is very important for complete freedom of speech and to report anything that may
be inappropriate or legal that is happening at a workplace for examples employees have the
responsibility to report colleagues for doing any inappropriate behavior that they have witnessed
in relation to the organization system. For companies like Zayani it will be very destructive if an
employee to be sealing information such as credit card numbers, addresses or simple details that
they can sell on to companies or individuals that might be using that information
for illegal purposes such detail that might allow fraudulent documents such as credit card or fake
IDs. Companies must work with employees to know that they will act on full discretion if
someone was reports colleagues for malpractice or misuse such as hacking or purposely
destroying data or distributing inappropriate images or information over the company Internet or
emailing system. Ethnically it is important for somebody to do this as personally it will not be
right for somebody to distribute inappropriate information over the company's computers and
Internet. The company must also make sure that if a employee does not approach a higher chain
of command to report these offences or others they will be accounted for these crimes too and
will face being prosecuted as a accomplice to the crime.
Information ownership
Information ownership is very important as a company or organization as when information
can often be copied so it is there it is your moral duty to take all the responsibilities that come for
looking after it. This means they should trade mark or patent work which could be copied even if
it is the online website code as all of it may be miss used or copied without their permission. As
a company such as Zayani is very important to remember that they tell their user or their
potential client about the product and all that information must be solely there's or from the
product owner which gives the product owner total ownership however it is up to them to make
sure that the data is accurate and current information that is available about. They must also
ensure that all the information has come from a reliable resource and is clearly layout laid out.
Ownership of information stored about individuals and many organizations which will require
employees to sign a nondisclosure agreement which means that they are not allowed to talk
about information that is not theirs or about their client, such as personal flares about clients for
the information such as credit card details and address. This might lead to criminal prosecution if
it the information is wrong we mentioned or sold.

5. 1.3
Zayani's Ethical policy
Policy statement
Immediate is committed to ensuring a high standard of ethical and environmental trade practices,
including the provision of safe working conditions and the protection of workers’ rights, across
its global businesses. Immediate conducts its business in accordance with the provisions of this
Code of Ethical Policy (“the Code”) and expects its Suppliers to observe the Code’s provisions
and to demonstrate a similar commitment to an ongoing programme of ensuring and, where
necessary, improving, ethical and environmental practices. This Code of Ethical Policy enshrines
the principles of the Ethical Trading Initiative Base Code and reflects the international standards
set out in the International Labour Organisation (ILO) Conventions
Scope of the code
The Code applies to all areas of Immediate’s business and to its direct Suppliers as well as to
goods and services sourced by Immediate. Immediate requires all direct Suppliers to observe the
provisions of this Code and requires that such Suppliers, in turn, obtain similar compliance with
its provisions from their Suppliers. All parties to whom this Code applies are required to comply
with applicable national and international laws. Where the provisions of this Code afford greater
protection than national law, the terms of this Code prevail.
Policy objective
The objectives of the Code are;
 Ÿ To set out a clear statement of Immediate policy
 Ÿ To promote the adoption and improvement of ethical practices globally
 Ÿ To implement effective processes for improvement of trade practices
Task 2

6. Management commitment to information security
The Board of Directors (“the Board”) is ultimately accountable for corporate governance as a
whole. The management and control of information security risks is an integral part of corporate
governance. In practice, however, the Board explicitly delegates executive responsibilities for
most governance matters to the Executive Directors, led by the Chief Executive Officer (CEO).
The Executive Directors give overall strategic direction by approving and mandating the
information security principles and axioms but delegate operational responsibilities for physical
and information security to the Security Committee (SC) chaired by the Chief Security Officer
(CSO).
Executive Committee
Chairedbythe Chief
Executive Officer
Audit Committee
ChairedbyHeadof
Audit
SecurityCommittee
ChairedbyChief
SecurityOfficerCSO
InformationSecurity
Manager
Security
Administration
Policy& Compliance
Risk & Contingency
Management
SecurityOperations
Local Security
Committees
One perlocation
InformationAsset
Owners(IAOs)
Site Security
Managers
SecurityGuards
Facilities
Management
Risk Committee
ChairedbyRisk
Manager

7. The Executive Directors depend heavily on the SC to coordinate activities throughout Zayani's
Co., ensuring that suitable policies are in place to support Zayani’s security principles and
axioms. The Executive Directors also rely on feedback from the SC, CSO, ISM, auditors, Risk
Management, Compliance, Legal and other functions to ensure that the principles, axioms and
policies are being complied-with in practice.
The Executive Directors demonstrate their commitment to information security by:
 A statement of support from the CEO;
 Reviewing and re-approving the principles and axioms every year;
 Approving the IT budget including a specific element set aside for information security;
 Receiving and acting appropriately on management reports concerning information security
performance metrics, security incidents, investment requests etc.
Information security co-ordination
Information security activities should be co-ordinated throughout Zayani to ensure consistent
application of the security principles, axioms and policy statements.
The Executive Directors have charged the SC with the task of securing Zayani'’s assets. The SC
is responsible for:
 Management oversight and direction for both physical and logical aspects of security,
including information security;
 Coordinating and directing Zayani’s entire security framework, including the information
security controls at all locations mediated through the Local Security Committees (see
below) ;
 Commissioning or preparing information security policy statements, ensuring their
compliance with the principles and axioms approved by the Executive Directors, and
formally approving them for use throughout
 Periodically reviewing the security policy statements to ensure the efficiency and
effectiveness of the information security controls infrastructure as a whole, recommending
improvements wherever necessary;
 Identifying significant trends and changes to information security risks and, where
appropriate, proposing changes to the controls framework and/or policies for example by
sponsoring major strategic initiatives to enhance information security;
 Reviewing serious security incidents and, where appropriate, recommending strategic
improvements to address any underlying root causes;
 Periodically reporting on the status of the security controls infrastructure to the Executive
Directors, and liaising as necessary with the Risk Management and Audit Committees etc.,
using metrics and other information supplied by the CSO, Local Security Committees, the
ISM, Internal Audit and others.

8. The SC delegates some of its responsibilities (for example to the ISM, the Information Security
function and Local Security Committees) but remains accountable to the Executive Directors for
the overall effectiveness of information security throughout the Company
Business units or locations within the company have Local Security Committees (LSCs) which
report to the SC. LSCs are responsible for:
 Providing the strategic direction, support and resources necessary to manage all types of local
security issues and thus ensure that company’s information assets are appropriately and
consistently protected;
 Co-ordinating and sharing information with each other to ensure consistent execution of the
information security policy manual across all company locations;
 Identifying specific Significant Information Assets, classifying them and nominating
suitable Information Asset Owners (IAOs) for them;
 Gathering metrics and other information on the overall effectiveness of information security
controls in their remit, and reporting this to the SC.
Allocation of information security responsibilities
The Executive Directors have appointed a Chief Security Officer (CSO). The CSO is
responsible for:
 Chairing the SC;
 Taking the lead on information governance as a whole for example by issuing the policy
manual and by providing the overall strategic direction, support and review necessary to
ensure that information assets are identified and suitably protected throughout
 Appointing and managing the ISM and Information Security Management team.
The ISM and Information Security Management are responsible for:
 Defining technical and non-technical information security standards, procedures and
guidelines;
 Supporting IAOs and managers in the definition and implementation of controls, processes
and supporting tools to comply with the policy manual and manage information security
risks;
 Reviewing and monitoring compliance with the policy statements and contributing to
Internal Audit and Control Self Assessment (CSA) processes;
 Collecting, analyzing and commenting on information security metrics and incidents;
 Supporting IAOs in the investigation and remediation of information security incidents or
other policy violations;
 Liaising as necessary with related internal functions such as IT Operations, Risk
Management, Compliance and Internal Audit, as well as the CSO, LSCs, SC and external
functions such as the Police when appropriate;

9.  Organizing a security awareness campaign for personnel to enhance the security culture and
develop a broad understanding of the requirements of ISO/IEC 27002.
Managers throughout <ORGANIZATION> are responsible for:
 Day-to-day implementation of the information security policy manual;
 Ensuring that suitable technical, physical and procedural controls are in place in accordance
with the manual, and are properly applied and used by all workers. In particular, they should
take measures to ensure that workers:
 Are informed of their obligations to fulfill relevant corporate policy statements by
means of appropriate awareness, training and education activities;
 Comply with the policy statements and actively support the associated controls; and
 Are monitored to assess their compliance with the policy statements and the correct
operation of the associated controls, and reminded of their obligations as
appropriate;
 Providing the direction, resources, support, and review necessary to ensure that information
assets are appropriately protected within their area of responsibility;
 Informing Information Security Management and/or IAOs of actual or suspected policy
violations (information security incidents) affecting their assets; and
 Evaluating compliance with the policy axioms through the regular CSA process and
occasional Internal Audits.
Information Asset Owners (IAOs) are managers held accountable for the protection of
particular Significant Information Assets by their LSC or the SC. IAOs may delegate
information security tasks to managers or other individuals but remain accountable for proper
implementation of the tasks. IAOs are responsible for:
 Appropriate classification and protection of the information assets;
 Specifying and funding suitable protective controls;
 Authorizing access to information assets in accordance with the classification and business
needs;
 [For new application system developments] Undertaking or commissioning information
security risk assessments to ensure that the information security requirements are properly
defined and documented during the early stages of development;
 Ensuring timely completion of regular system/data access reviews; and
 Monitoring compliance with protection requirements affecting their assets.
All workers (i.e. employees on the payroll and others acting in a similar capacity, such as
contractors, consultants, student placements etc.) are responsible for complying with the
principles, axioms and policies in the information security policy manual where relevant to their
jobs.

10. They are responsible for maintaining the security of all information entrusted to them. Upon
hire, as a condition of employment, each worker undertakes to comply with information security
policies. Any worker failing to comply with the security policies could be subject to disciplinary
action, potentially including termination of employment or contract and/or prosecution.
Exemptions process: an IAO may propose exemptions to principles, axioms or policy
statements identified in the policy manual for an information asset under their remit. The ISM is
responsible for analyzing risks arising from the proposed exemptions and, in most cases,
specifying mitigating controls to minimize those risks. Proposed exemptions which the ISM
considers could significantly impact information security risks may be referred up through the
LSC, SC, CSO and/or the Executive Directors for approval, depending on the significance of the
perceived risk. A programme (action plan) is normally required to ensure full compliance with
the within a specified time frame, in other words exemptions are not indefinite. The IAO will be
held accountable for the mitigating controls and the action plan, and must personally assume any
additional risk relating to the policy exemption and the mitigating controls until the exemption is
resolved.
Current exemptions must be reviewed at least annually by the SC, LSCs, CSO and ISM. In an
annual status report to the Executive Directors, authorized exemptions must be listed, the reasons
why policy exemptions exist must be clarified and plans to resolve the non-compliance with
policy (typically by means of strategic investment to achieve compliance, or by modifying the
policy) must be explained.
Task 3
3.1
Legal Issues
 Data Protection Act
o The Data Protection Act creates rights for those who have their data stored, and
responsibilities for those who store, process or transmit such data.
 Computer Misuse Act
o Although the Act ostensibly targets those who wish to gain unauthorized access to
computer systems for various purposes, its implications on previously relatively
widespread or well-known industry practices such as the "time-locking" of
software have been described in various computing industry publications.
 Freedom Of Information Act
o Freedom of information is an extension of freedom of speech, a
fundamental human right recognized in international law, which is today

11. understood more generally as freedom of expression in any medium, be it orally,
in writing, print, through the Internet or through art forms.
 Copyright Act
o Copyright may apply to a wide range of creative, intellectual, or artistic forms, or
"works".
Ethical issues
 Privacy Policy
o Privacy policy is a statement or a legal document (privacy law) that discloses
some or all of the ways a party gathers, uses, discloses and manages a customer or
client's data.
Operational issues
 Risk Assessments
o Risk assessment is the determination of quantitative or qualitative value of risk
related to a concrete situation and a recognized threat (also called hazard).