BS3909 Week 9 1
Information Systems – Week 9
Last Week
» Information Systems Security and Control (see DTI reference on the website)
» Still to cover – Wireless networking
This week: Ethical & Social impact of Information Systems
» Based on lecture by Prof. Graham Wright
» Reading: Laudon & Laudon Ch 5 (7th ed Ch 15)
» http://www.bized.ac.uk/fme/6-12.htm
Discussion of Case Study for Exam
BS3909 Week 9 2
Security and Wireless Networking
Hot new technology – interesting new exposures!
Wireless LANs
» IEEE 802.11b is 11Mbps local area networking at 2.4GHz (802.11g raises this to 54Mbps)
» Access point may be built into router or ADSL modem
» Range is 100m (can be more for eavesdropping)
» Access point name is broadcast (unless you stop it)
Other wireless technologies
» Point-to-point (e.g. Bluetooth)
– Vulnerable to eavesdropping, and can interfere with 802.11x
» Wireless WAN and satellite – OK if encrypted
– potential route for broadband to remote communities
BS3909 Week 9 3
Protecting Wireless LANs
Select “Wired Equivalent Protection” (WEP)
» Security isn’t activated by default – need to turn it on
» Use the 128 bit key – “64 bit” really only uses 40 bits
Don’t broadcast your network identifier
Restrict MAC addresses of cards that can access
» Not foolproof, as these can be spoofed
IEEE 802.11i coming soon – better security
» Security activated by default
» Part of key changes with time
» http://www.embedded.com/showArticle.jhtml?articleID=34400002
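The following is an added worked example, not part of the lecture slides: a small Python audit that checks an access point configuration against the checklist on this slide, and shows the arithmetic behind “64 bit really only uses 40 bits”. The configuration dictionary, its field names and the sample frame rate are constructed for the example; the one protocol fact it relies on is that WEP prepends a 24-bit cleartext initialisation vector (IV) to the shared secret, which is why the marketed key sizes overstate the secret part and why a key that never changes is exposed once IVs start to repeat (the 802.11i point about “part of key changes with time”).

```python
"""Audit of a wireless LAN configuration against the lecture checklist.

Added example; not code from the BS3909 course. The config layout
(keys: encryption, wep_bits, ssid_broadcast, mac_filter, rekey_interval_s)
is an assumption made for this illustration.
"""
import math

WEP_IV_BITS = 24  # WEP sends a 24-bit IV in the clear with every frame


def wep_secret_bits(advertised_bits: int) -> int:
    """Effective secret key bits: the marketed size includes the public IV,
    so '64-bit' WEP is a 40-bit secret and '128-bit' WEP a 104-bit secret."""
    if advertised_bits not in (64, 128):
        raise ValueError("WEP is marketed as 64-bit or 128-bit only")
    return advertised_bits - WEP_IV_BITS


def expected_frames_until_iv_repeat(iv_bits: int = WEP_IV_BITS) -> float:
    """Birthday-bound estimate of how many frames a static-key AP sends
    before two frames carry the same IV (and hence the same keystream)."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def hours_to_exhaust_iv_space(frames_per_second: float,
                              iv_bits: int = WEP_IV_BITS) -> float:
    """Wall-clock hours for an AP to use every IV once at a given frame rate
    (frame rate is a constructed figure, not a measurement)."""
    return 2 ** iv_bits / frames_per_second / 3600


def audit_wlan(cfg: dict) -> list:
    """Return (severity, finding) pairs mirroring the slide's checklist."""
    findings = []
    enc = cfg.get("encryption", "none")
    if enc == "none":
        findings.append(("HIGH", "encryption off (vendor default) - turn it on"))
    elif enc == "wep":
        secret = wep_secret_bits(cfg.get("wep_bits", 64))
        if secret == 40:
            findings.append(("HIGH", "64-bit WEP is a 40-bit secret - use the 128-bit key"))
        else:
            findings.append(("MEDIUM", "WEP key never changes - plan the move to 802.11i"))
    elif enc == "802.11i":
        if not cfg.get("rekey_interval_s"):
            findings.append(("MEDIUM", "802.11i without periodic rekeying"))
    if cfg.get("ssid_broadcast", True):
        findings.append(("LOW", "network identifier is broadcast"))
    if cfg.get("mac_filter"):
        findings.append(("INFO", "MAC filtering on - not foolproof, addresses can be spoofed"))
    else:
        findings.append(("LOW", "no MAC address restriction"))
    return findings


def severities(cfg: dict) -> list:
    """Just the severity labels, in order, for quick comparison."""
    return [sev for sev, _ in audit_wlan(cfg)]


if __name__ == "__main__":
    # Constructed sample configs: an out-of-the-box home AP and a hardened one.
    default_ap = {"encryption": "wep", "wep_bits": 64,
                  "ssid_broadcast": True, "mac_filter": False}
    hardened_ap = {"encryption": "802.11i", "rekey_interval_s": 3600,
                   "ssid_broadcast": False, "mac_filter": True}
    for name, cfg in (("default", default_ap), ("hardened", hardened_ap)):
        print(name)
        for sev, msg in audit_wlan(cfg):
            print(f"  [{sev}] {msg}")
    print(f"'64-bit' WEP secret bits: {wep_secret_bits(64)}")
    print(f"frames before an IV repeat (expected): "
          f"{expected_frames_until_iv_repeat():.0f}")
    print(f"hours to cycle the IV space at 500 frames/s: "
          f"{hours_to_exhaust_iv_space(500):.1f}")
```

The IV figures are what make the slide’s advice concrete: even the 128-bit key leaves the same 24-bit IV space, so with a key that is never rotated a busy access point exhausts it in hours, whereas 802.11i’s per-session and periodically changed keys remove the dependence on a single static secret.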
BS3909 Week 9 4
So Why Take the Risk?
With adequate countermeasures, need not compromise security
Supports mobile workforce – bring authorized laptop on site and it is automatically connected
Facilitates “hot desking”
Avoids need to butcher buildings to install LANs (particularly valuable in older buildings)
Can be lowest cost solution
BS3909 Week 9 5
Data Security – Summary
Security is mainly about Risk Management
Need to understand what your assets are
Analyse their vulnerabilities
» People – error, fraud, sabotage
» Technical – failure, broadcast
Devise countermeasures to
» Minimize risk (virus check, physical security, no single points of failure)
» Recover when the worst happens (back-ups, journals, disaster recovery plan)
Audit security on a continuing basis
» Ensure understanding and “buy-in” by staff
84% of companies suffered a security breach in 2003
BS3909 Week 9 6
Ethics: Management Challenges
Understand Moral Risks of New Technology
Include Information Systems Issues in Ethics Policies
Ensure compliance with moral and legal guidance
Ethics: Principles of right and wrong used by individuals as free moral agents to guide behavior
BS3909 Week 9 7
Ethical, Social & Political Issues
[Diagram: Information & Technology raises five moral dimensions – Information rights & obligations, Property rights & obligations, Accountability & control, System quality, Quality of life – shown as concentric rings of ethical issues (Individual), social issues (Society) and political issues (Polity)]
BS3909 Week 9 8
Technology Trends & Ethical Issues
Computing power doubles every 18 months (Moore’s Law – twice as many MIPS for the $)
Advances in data storage
Advances in data mining techniques
» Data can include voice recognition, DNA mapping
Advances in networking lead to
» Opportunities for abuse: e-mail bombs, viruses…
» Invasion of privacy
» Spam
BS3909 Week 9 9
Ethics in an Information Society
RESPONSIBILITY: Accepting costs, duties, obligations for decisions
ACCOUNTABILITY: Assessing responsibilities for decisions & actions
LIABILITY: Must pay for legal damages
DUE PROCESS: Ensures laws are applied properly
BS3909 Week 9 10
Ethical analysis of Information
Identify, describe facts
Determine potential conflict
» Including opportunities for abuse
Identify values
» Privacy, due process, etc.
Who are the stakeholders?
Identify options
Examine potential consequences of each option
Make choices
BS3909 Week 9 11
Ethical Principles
Treat others as you want to be treated
If action is not right for everyone, it is not right for anyone (Kant)
If action is not repeatable, it is not right at any time (Descartes)
Put value on outcomes, understand consequences
Incur least harm or cost
No free lunch
BS3909 Week 9 12
Information Rights
PRIVACY: right to be left alone
Right not to be hurt/disadvantaged by others
Fair Information Practices (FIP):
» No secret personal records
» Individuals can access information about themselves and may amend erroneous records
» Information to be used only with prior consent
» Managers accountable for damage done by systems
» Governments can intervene
» Principles behind UK Data Protection Acts
BS3909 Week 9 13
UK Data Protection Acts 1984 & 1998
Anyone holding personal data has to be registered with the Data Protection Registry
They can only use the data for the purpose permission was granted
Data Subjects have a right to see and have incorrect data corrected
Holders have to ask you before they pass on data to others
1984 Act applied only to computer data, 1998 Act extended rules to data in any form
BS3909 Week 9 14
Data Protection Principles in 1998 Act
1) Data must be fairly and lawfully processed
2) Data must be processed for limited purposes
3) Data must be adequate, relevant and not excessive
4) Data should be accurate
5) Data must not be kept longer than necessary
6) Data must be processed in accordance with the data subject’s rights
7) Data must be secure
8) Data must not be transferred to countries without adequate protection
BS3909 Week 9 15
Data Protection Principles I
Personal data:
1) shall be obtained & processed fairly & lawfully
2) shall be obtained only for one or more specified and lawful purposes
(1984 only) held for any purposes shall not be used or disclosed in any manner incompatible with those purposes
3) shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
BS3909 Week 9 16
Data Protection Principles II
4) Personal data shall be accurate and, where necessary, kept up to date
5) Personal data held for any purpose or purposes shall not be kept for longer than is necessary for that purpose
6) Data must be processed in accordance with the data subject’s rights
BS3909 Week 9 17
Data Protection Principles III
7) Appropriate security measures shall be taken against unauthorised or unlawful access to, or alteration, disclosure or destruction of, personal data and against accidental loss or destruction of personal data
8) Data must not be transferred to countries outside the European Economic Area without adequate protection
BS3909 Week 9 18
1984 Act Subject Rights Principle
An individual shall be entitled at reasonable intervals and without undue delay or expense –
» to be informed by any data user whether he holds personal data of which that individual is subject; and
» to access any such data held by a data user; and where appropriate, to have such data corrected or erased
This was principle 7, but is buried in the new Act. Even so, remember it, as it impacts all system design
BS3909 Week 9 19
Additions in 1998 Data Protection Act
Paper records are now included
Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
» (The USA is OK)
BS3909 Week 9 20
UK Human Rights Act 1998
Rights
» to life
» to liberty and security
» to a fair trial
» to marry
» to respect for private and family life
Freedoms
» of thought, conscience & religion
» of expression
» of Assembly and Association
Prohibitions
» Torture
» Slavery and forced labour
» No punishment without law
» Discrimination
Notes: Absolute rights, Limited rights, Qualified rights
BS3909 Week 9 21
Human Rights Act – UK
Effectively introduced (for the first time)
» a right to privacy and
» protection of the right to free expression
Act may be used to challenge employers’ right to pry into their employees’ private mail and email
» What should policy be about looking at employees’ computer data?
» Should we treat desk contents similarly?
» We need to establish position contractually
BS3909 Week 9 22
Cookies, Spyware and Privacy
[Slide shows a captured “SuperCookie” set by delphigroup.com, storing the lecturer’s name, company, e-mail, postal address and phone number as plain fields]
Some outdated information… (not in handout)
BS3909 Week 9 23
Kent Anderson
Intrusions: International Patterns
“Close examination of the motivation behind intrusions shows several important international differences:
» In Europe, organized groups often have a political or environmental motive, while in the USA a more ‘anti-establishment’ attitude is common, as well as simple vandalism.
» In recent years, there appears to be a growth in industrial espionage in Europe while the USA is seeing an increase in criminal (fraud) motives.”
These differences are now fading
BS3909 Week 9 24
Council of Europe
In view of the convergence of information technology and telecommunications:
» Law pertaining to technical surveillance for the purpose of criminal investigations, such as interception of telecommunications, should be reviewed and amended, where necessary, to ensure their applicability.
» The law should permit investigating authorities to avail themselves of all necessary technical measures that enable the collection of traffic data in the investigation of crimes
This is the basis of UK’s “Regulation of Investigatory Powers Act 2003” (RIPA)
BS3909 Week 9 25
Regulation of Investigatory Powers
Data Protection Act 1984 gave government investigators access to all records except
» Certain privileged communication with lawyers
» Medical records
Also made it an offence for Data User to tell Subject about any such access
RIPA adds new powers, e.g. to
» force ISPs and phone companies to keep records
» oblige people to provide encryption keys on demand (onus of proof is on you to prove you’ve forgotten it!)
BS3909 Week 9 26
Hacking, Cracking and Viruses
Creator of “the Cornell worm” was successfully prosecuted in USA
Christopher Pile (aka The Black Baron)
» Charged with (and ultimately convicted of) unlawfully accessing, as well as damaging, computer systems and data by releasing a virus into a series of networks
» Sentence was 18 months, handed down in Nov 1995
» Pile is reportedly the first virus author ever convicted under the Computer Misuse Act
BS3909 Week 9 27
“It’s an issue where if we move too quickly to ban the tools used by hackers, we may also ban the tools used by investigators”
John Patrick, vice president for Internet technology at IBM.
Not obvious how to halt abuse
BS3909 Week 9 28
Viruses
Urban Myth? Was the first virus released by a well known software house to stop people copying their software?
Is it right to sack an employee who introduces a virus into a company system?
Who needs bombs for economic terrorism?
» Just get your victim to run a program that comes with e-Mail – how Bugbear was carried
» Think how many viruses the College system intercepts
BS3909 Week 9 29
Intellectual Property
Intellectual Property is intangible creations protected by law
» Trade Secret: intellectual work or product belonging to business, not in public domain
» Copyright: statutory grant protecting creator of intellectual property from copying or exploitation by others
» Trade mark: legally registered mark, device, or name to distinguish one’s goods
» Patent: gives owner exclusive monopoly to exploit invention for a period
BS3909 Week 9 30
Accountability, Liability & Control
Ethical issues: who is morally responsible for consequences of use of Information system?
Social issues: what should society expect and allow?
Political issues: to what extent should government intervene, protect?
BS3909 Week 9 31
Data Quality & System Errors
Ethical issues: when is a system or service ready for release?
Social issues: can people trust quality of software, services, data?
Political issues: should legislature or industry develop quality standards for software, hardware, data?
BS3909 Week 9 32
IS and the Quality of Life
EMPLOYMENT: trickle-down technology
» Job losses from re-engineering
» IT and telecomms makes it easy to send jobs offshore
EQUITY & ACCESS: increasing divisions
» Remains an inhibitor to e-Government initiatives
HEALTH RISKS
» Repetitive stress injury (RSI)
» Carpal tunnel syndrome (CTS)
» Computer vision syndrome (CVS)
» TechnoStress: Irritation, hostility, enervation, fear
» VDU Radiation; microwave devices
BS3909 Week 9 33
Summary: A Corporate Code of Ethics
Information rights & obligations
Property rights & obligations
Accountability & control
System quality
Quality of life
Anything else you want to add?
BS3909 Week 9 34
BS3909 Assessment
Your assignment (50%) includes an individual element consisting of:
» Your individual contribution to the assignment presentation,
» plus a few questions to check that it’s really your work
The other 50% of the module mark is a formal exam in the assessment period
» 66% – two questions out of four, based on the Ganesh and Security Case study
» 34% – short questions on the rest of the module