Monday, April 5, 2010

Week Five Questions - Ethics and Security

1. Explain the ethical issues surrounding information technology.

A.
When information technology is used in a business it faces many of the same ethical issues as the rest of the business, including privacy, accurate data records and property. However, these issues need to be considered in an information technology context. Examples of ethical issues involving information systems include intellectual property: where an employee designs and develops an idea or product for a company, who owns the intellectual property of the idea? Another example is the monitoring of employees while at work, to make sure that only properly licensed software is being used by the company and that, if employees are using someone else's intellectual property, the use is reported in the proper way. This monitoring of employees can, however, cause problems with employee privacy.


2. Describe the relationship between an 'email privacy policy' and an 'internet use policy'.

A.
A privacy policy that a company has in place describes how certain systems are to be used and the right of the company to have access to your information at work. A clear example of this would be the policy a company has in place in regard to emails at work. For example, a company's policy may state that it has the right to check your emails at any time, although this will not be done unless suspicion has been raised. The policy may also go into details such as forbidding employees from using internal mail lists for spam emails, such as advertising goods for sale.

The 'internet use policy' on the other hand regulates the way in which employees use the internet while they are at work. This policy may forbid employees from looking at non-work related websites or from using social networking websites for personal use. The policy may also go into detail forbidding employees from using the internet at work to run their own online business.


3. Summarise the five steps to creating an information security plan.

A.
- Develop the information security policies
Identifies who is responsible and accountable for designing and implementing the organisation's information security policies. This can include implementing rules such as mandatory logging off for breaks or putting in an automatic sign off after 5 minutes of inactivity.

- Communicate the information security policies.
Train all employees on the policies and establish clear expectations for following the policies. An example of this is issuing reprimands to employees who leave computers unsecured.

- Identify critical information assets and risks.
Require the use of user IDs, passwords and anti-virus software on all systems. Also have the necessary firewalls on all computers that have external links. The inclusion of intrusion detection software allows attacks to be identified quickly and responded to.

- Test and re-evaluate risks.
Continually perform security reviews, audits, background checks and security assessments. This testing can be done by a third party company, who can then continue with the on-going maintenance of the system.

- Obtain stakeholder support
Gain the approval and support of the information security policies from the board of directors and all stakeholders.


4. What do the terms authentication and authorization mean, how do they differ, and what are some examples of each term?

A.
Authentication refers to proving who you are. It can be based on something the user is, such as facial recognition or retina scans; something the user knows, such as a user ID and password; or something the user has, such as a smart card or token card.

Authorization is concerned with the level of access you have once you are within the system. Once you have authenticated who you are, you are given a level of authorization which determines what you are allowed to access. An example of this would be that those who are not in the accounting department may not have authorization to access the financial records.
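As an added example (not part of the original post), the following Python script separates the two steps described above: checking a user ID and password (authentication, something the user knows) and then checking whether the authenticated user's department may read the financial records (authorization). The user names, passwords and departments are constructed for the demo.

```python
import hashlib
import hmac
import os

# Password-hashing helper: PBKDF2 with a per-user random salt, so the
# directory never stores the password itself.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password: str, dept: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw": _hash(password, salt), "dept": dept}

# Constructed user directory (demo values, not real credentials).
USERS = {
    "alice": _make_user("alice-pass", "accounting"),
    "bob":   _make_user("bob-pass", "marketing"),
}

# Which departments are authorised to read each resource.
ACCESS = {"financial_records": {"accounting"}}

def authenticate(user_id: str, password: str):
    """Authentication: prove who you are. Returns the user ID on success, else None."""
    rec = USERS.get(user_id)
    if rec is None:
        return None
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(rec["pw"], _hash(password, rec["salt"])):
        return user_id
    return None

def authorize(user_id: str, resource: str) -> bool:
    """Authorization: given an authenticated user, decide what they may access."""
    return USERS[user_id]["dept"] in ACCESS.get(resource, set())

def request(user_id: str, password: str, resource: str) -> str:
    """Full access decision: authentication first, then authorization."""
    who = authenticate(user_id, password)
    if who is None:
        return "denied: authentication failed"
    if not authorize(who, resource):
        return "denied: not authorized"
    return "granted"
```

Bob's request is refused even with the correct password: he is authenticated but not authorized for the financial records.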


5. What are the five main types of security risks? Suggest one method to reduce the severity of each risk.

A.
- Human error.
To minimise the damage that can be done from this risk a company should put in the necessary training programs for all employees that could possibly use the system.

- Technical failure.
Where a technical failure occurs, have adequately trained professionals on hand to deal with the problem. This will minimise the time the system is down and decrease the cost, as well as the amount of time the system is unprotected.

- Natural disaster.
Where an unforeseeable natural disaster occurs, a company should have the necessary backups and disaster recovery systems in place to minimise the damage.

- Deliberate act.
This is caused by spam, spyware or sabotage by an employee. It can be dealt with by giving employees the necessary training on how to handle spam and spyware on their computers. Companies can try to avoid sabotage by employees by running background checks as well as ongoing monitoring of employee activities.

- Management failure.
Enforcing that all the necessary training is done down the management hierarchy will limit the damage done by management failure. An adequate reporting system should also be in place to clearly show when the necessary training has been done.
