- Intellectual property: The rights that protect the creative and intellectual work of individuals
- Fair use doctrine: Whether the material you are using may be used without the owner's permission under copyright law (limited use for purposes such as criticism, teaching or research).
- Copyright: The legal right of a creator to control how their intangible property, such as a video or information from a website, is copied, distributed or used. Using such material without the owner's permission or a licence is an infringement.
- Pirated software: The unauthorised use, duplication, distribution or sale of copyrighted software, that is, using software that has been downloaded or duplicated and is not a legitimately licensed copy.
- Counterfeit software: Software that is manufactured and packaged to look like the genuine product so that it can be passed off and sold as the real thing.
2. Describe the relationship between an ‘email privacy policy’ and an ‘Internet use policy’.
- Email privacy policy: A policy relating to the sending, receiving and storing of emails. With email being a common form of communication within a business, it has become necessary for businesses to introduce policies in relation to email. It states how the email system within a business may be used and to what extent employees can expect privacy over their emails.
The email privacy policy an organisation has in place should include:
- How employees are to use their email for private and non-employment purposes
- State what activities are permitted and what are not (e.g. no spamming)
- Detail what information from emails will be recorded and who has access to that information
- Internet use policy: An internet use policy should be implemented in every business and details how employees are to use the internet, including which sites may be viewed and which are blocked or banned (e.g. social networking sites such as Facebook).
The internet use policy an organisation has in place should include:
- The available internet services to employees and which of those sites are not to be visited
- The position an organisation takes on the viewing of banned websites
- Ethical use of the internet
- The user’s responsibility for citing sources, properly handling offensive material and protecting the name of the organisation
- The ramifications for breaches of the policy
3. Summarise the five steps to creating an information security plan.
1. Develop the information security policies: Identify who is responsible and accountable for designing and implementing the information security policies within the organisation. The chief security officer (CSO) is usually responsible for implementing these policies. Examples include requiring employees to log off their systems and to password-protect them.
2. Communicate the information security policies: Train all employees on the policies to ensure they are aware of what is expected of them.
3. Identify critical information assets and risks: Determine which systems and data are most critical and what threatens them, then protect them. This requires that all systems have anti-virus software installed and user log-ins with passwords, and that all systems linked to external systems have a firewall installed for protection.
4. Test and re-evaluate risks: Continually perform security reviews, audits, background checks and security assessments.
5. Obtain stakeholder support: Gain approval and support for your information security policies from the board of directors and all stakeholders.
4. What do the terms authentication and authorisation mean, how do they differ, and what are some examples of each?
- Authentication: The method of confirming that a user is who they claim to be, for example by checking a password, a token or a fingerprint. Passing authentication establishes your identity; it does not by itself decide what you may do.
- Authorisation: The process of giving an authenticated user permission to do or access something. Once you have accessed a system, authorisation determines what, within the system, you may see or change (e.g. a clerk can view a customer record but only a manager can delete it).
Authentication methods break down into three categories (factors); combining two or more of them makes the system much harder to break into than any one of them alone:
- Something the user knows, e.g. User ID and password
- Something the user has, such as a smart card or token
- Something that is part of the user, such as a fingerprint or voice recognition
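The distinction above, as an added example that is not part of the original post: a small Python login flow that first authenticates with two factors (a password the user knows, stored as a salted PBKDF2 hash, and a time-based one-time code from something the user has, such as an authenticator app) and only then authorises an action against a role table. The user names, passwords, authenticator seeds and permission table are constructed for illustration and are not from any real system.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Added example: authentication (who are you?) kept separate from
# authorisation (what may you do?). All users, secrets and permissions below
# are constructed for illustration and are not from any real system.

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen user table does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _new_user(password: str, totp_secret: bytes, roles: set) -> dict:
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),  # something the user knows
        "totp_secret": totp_secret,                # something the user has
        "roles": roles,
    }


# Constructed in-memory user store and role-to-permission table (assumption).
USERS = {
    "alice": _new_user("correct horse battery", b"alice-authenticator-seed", {"analyst"}),
    "bob": _new_user("hunter2-is-too-short", b"bob-authenticator-seed", {"admin"}),
}
ROLE_PERMISSIONS = {
    "analyst": {"read_report"},
    "admin": {"read_report", "delete_report"},
}
# Used so that a lookup of an unknown user costs the same as a real one.
_DUMMY_SALT = os.urandom(16)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30) -> str:
    """RFC 6238 time-based code for the 30-second step containing at_time."""
    return hotp(secret, int(at_time) // step)


def authenticate(username: str, password: str, otp: str, at_time: Optional[float] = None) -> bool:
    """Confirm identity with two factors: a password (knows) and a TOTP code (has).

    Returns True only if both factors check out; says nothing about permissions.
    """
    user = USERS.get(username)
    # Always do the expensive hash so a wrong username is not faster than a wrong password.
    candidate = hash_password(password, user["salt"] if user else _DUMMY_SALT)
    if user is None or not hmac.compare_digest(candidate, user["pw_hash"]):
        return False
    otp = str(otp)
    if not otp.isascii():  # compare_digest only accepts ASCII str
        return False
    now = time.time() if at_time is None else at_time
    # Accept the current step and its neighbours to tolerate small clock drift.
    return any(
        hmac.compare_digest(otp, totp(user["totp_secret"], now + drift))
        for drift in (-30, 0, 30)
    )


def authorize(username: str, permission: str) -> bool:
    """Decide whether an (already authenticated) user may perform an action."""
    user = USERS.get(username)
    if user is None:
        return False
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user["roles"])


if __name__ == "__main__":
    now = time.time()
    code = totp(USERS["alice"]["totp_secret"], now)  # what alice's authenticator would show
    print("alice authenticated:", authenticate("alice", "correct horse battery", code, now))
    print("alice may read reports:", authorize("alice", "read_report"))
    print("alice may delete reports:", authorize("alice", "delete_report"))
```

Note that `authorize` never re-checks the password: it trusts that the caller already ran `authenticate`, which is exactly why the two steps are kept as separate functions. Alice passes authentication but is still refused `delete_report`, because her role does not grant it.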
5. What are the five main types of security risks? Suggest one method to reduce the severity of each risk.
- Human error: Provide all employees with the necessary training and standards to abide by when using the computer systems.
- Technical failure: Have a backup and data recovery system in place so that all data is stored safely and can be recovered.
- Natural disaster: Have an off-site backup where copies of the data are kept in a separate location.
- Deliberate act: This can be caused by malware such as viruses or by a disgruntled employee. Have anti-virus software on all information and data systems, and restrict each employee's access to what their job requires.
- Management failure: Ensure managers receive training on how to correctly use information systems. An IT professional may be hired to manage these systems and keep data files intact.