ethics, accountability & regulation iact 418/918 autumn 2005 gene awyzio sitacs university of...
Post on 20-Dec-2015
216 views
TRANSCRIPT
Ethics, Accountability & Regulation
IACT 418/918 Autumn 2005
Gene Awyzio
SITACS University of Wollongong
2
Overview
• As economics continue to move towards the Information Age
– Issues such as the privacy and security of information for which organisations are responsible
– Emerge as an integral part of the network & telecommunications management role
• A non-legal discussion of the issues as they apply to Network Management
3
Ethics
• Definitions of Ethics
– The science of morals (1602)
– Science of human duty in the widest extent (1690)
– From Greek, ethos, meaning character & manners
• Modern context:
– Nowadays often seen as the self-regulating Codes of Conduct of professional bodies
• Eg: The medical professions’ HYPOCRATIC OATH
4
A recent case• AFP sues Google over copyright
– Washington
– March 21, 2005 - 11:01AM• Agence France-Presse has sued Google Inc. for copyright
infringement, alleging that the Internet search engine included AFP headlines, news summaries and photographs published without permission.– In a suit filed in a Washington court, AFP sought damages and
interest of at least $US17.5 million (€13.1 million) and an interdiction on the publication of its text and photos without prior agreement.
– In Paris, the AFP management declined comment.
– AFP, which has its headquarters in Paris and bureaus around the world, is one of the major global news agencies, and supplies its news services to various kinds of media, including electronic. It has 600 online clients.
5
Ethics in Telecommunications
• Codes of Conducteg: from the West Australian Internet Association:
– (1) I, as an internet provider, shall not:
• (b) knowingly permit a user to engage in criminal activity using access to my system, provided that such activity is identified by competent law enforcement authorities.
– (2) I, as an internet provider shall:
• (a) attempt to establish the name and age of all users with accounts on my system by reference to proof of name and address on application
• (c) attempt to safeguard the privacy of my users and their data in all respects subject to reasonable actions necessary to ensure proper operation of my system and compliance with this Code.
6
Problems with ethical codes
knowingly permit a user to engage in criminal activity using access to my system …
attempt to establish the name and age of all users …
And also …
Attempt to safeguard the privacy of my users and their data …
A German court found the CEO of CompuServe (Germany) guilty of distributing child pornography
Are these conflicting goals?
Sometimes it is impossible to achieve all the aims of a Code of Conduct equally without making compromises
7
Problems with ethical codes• All rules, such as ethical codes, are systems• ALL structured systems lend themselves to
maximisation … – eg: basketball attracts tall players
– Lawyers are trained and paid to influence the interpretation of rules systems, to find the most convenient meanings for their clients
• Most industry codes are self-regulating
8
Issues
• Privacy
• Security
• Responsibility - Accountability
• These are inter-related and must NOT be considered in isolation from each other.
9
Privacy
• The state or quality of being private
– The state or condition of being alone, undisturbed, or free from public attention, as a matter of choice or right; freedom from interference or intrusion
– Also attrib., designating that which affords a privacy of this kind
10
Privacy
• Personal Privacy
– We believe we have a right to privacy
– We expect governments, institutions, corporations and individuals to respect our privacy
– We expect that we have a right to examine any information held about ourselves
• medical records, credit references etc.
11
Privacy
• Who holds what sort of data about you?• Australian Federal Government debate over
regulating corporate access to private details- will it destroy the telemarketing industry?
• Government bodies are not allowed to collate their databases, but private organisations may, there is no law against it.
• Governments are outsourcing their administrative functions to private groups
12
Privacy
• Do Governments need access to private data to enforce the law?
– National security
– Organised crime
– Drug trafficking
– Child pornography etc.
• Is that why governments don’t like people using the best encryption systems?
13
The Corporate Scenario
• Corporations vs. Customers
– Market surveys
– Demographics
– Telemarketing databases
– Leaving your digiprints behind
– “Intelligent Agents” on websites
• Eg: Amazon & buying trends
Would the level & quality of service, suffer if corporations could NOT collect customer data and follow trends?
14
The Corporate Scenario
• Employers vs. Employees– Several court cases (esp. in USA) upheld the right of the
employer to invade the privacy of the employee …
• Searching employee cars, desks
• Enforcing “lifestyle rules”
– Trade Unions & employee rights: good or bad?
• Video surveillance, phone recording
• Loss prevention, OH&S, training purposes
Are ‘management softwares’ that monitor & track employee computer use an invasion of privacy or a necessary tool?
15
Contradictions
• From the AOL Privacy Policy:
– Section B (iii) …“[AOL] do not release Members’ telephone numbers, credit card numbers, or checking account numbers (or other Individual Information, such as navigational or transactional information…”
– Section C (i) …“We may collect and store certain navigational and transactional information, such as data on the choices you make from the range of available services or merchandise, and the times and ways you use AOL and the internet…”
16
Security• The condition of being secure
– The condition of being protected from or not exposed to danger; safety.
– The safety or safeguarding of
• the interests of a state, organization, person, etc., against danger, esp. from espionage or theft
• the exercise of measures to this end
• (the maintenance of) secrecy about military movements or diplomatic negotiations
• in espionage, the maintenance of cover
– Hence, a department (in government service, etc.) charged with ensuring this. (This sense tends towards ‘the condition of making secure’.)
17
Security
• Increase in use of public domain networks within organisations
– intranets, extranets, VPN
• Moves towards end-user services, such as
– Provision of government information
– Full scale e-commerce & I-commerce
• B2B is the biggest growth area in the Internet
18
Security• Physical Security
– Ensure that the physical elements of the network are protected. Includes routers, switches, servers, computer rooms etc.
• Network Security– Ensure that access to the network is controlled
and the network protected from unauthorised access
• Content Security– Ensure the integrity and confidentiality of the
contents on the network, both stored and message traffic
19
Security - Physical
• Most network violations come from insider attack
– recent CERT statistics show this may be changing
• A substantial proportion of enterprises’ information assets reside on users desktop computers
• After their initial creation, networks often evolve outside the knowledge of network management
20
Security - Network
• Most users leave their computers ‘logged-in’ all day
• Procedures which involve users changing passwords every n-days are unpopular
– Especially among senior management
– Often result in simplistic passwords
21
Security – Contents
• Many network traffic monitoring tools permit access to the content of messages
• Encryption makes many problems
– Needs universal adoption
– Governments do not encourage top-end encryption systems in private hands
• Data encryption by individuals is actually illegal in some countries
• Security/privacy/ethics are interlinked
22
Network Management Responsibilities
• Ensuring the information assets of the organisation are protected from unlawful activity
• Ensuring that the integrity of the recorded data are maintained
• Compliance with governmental regulation
• Protection of intellectual property rights• Protection of individual privacy
23
Network Management Responsibilities
• Password administration• Monitor network/internet usage• Training & mentoring (skills assessment)• Email monitoring
– Offensive or illegal language, material
– Protection of corporate secrets
• Pressure from senior management• Documentation vs. Privacy
– Eg: fault reporting & operator identification
24
Responsibility vs. Accountability
• Self Regulation, can it work?• Responsibility:
– A trust or obligation or duty
• Accountability
– Being answerable or liable
• BUT, are those held accountable always the same as those who are responsible?
– Beware of scapegoating
25
Hypotheticals• A User asks you to suggest a good password?• Emergency access to a Users files whilst they are
away on leave and cannot be contacted• Management asks you to identify “problem users” –
with highest error rates or lowest skills• The employees union decides that server-side virus
checking of incoming emails invades their privacy• Marketing section requests full User details for their
database• A User refuses to clear low-priority emails from their
inbox but the system is becoming congested
27
Overview
• Shapes are defined by their borders• The balloon analogy:
– The shape of the balloon is a balance between :
• The INTERNAL forces pushing out, and
• The EXTERNAL forces pushing inwards
28
The Strategic Network Plan
• In order to plan effectively, you need as much information as possible
• You need to know the SHAPE of your environment
• You need to know the forces and influences acting on you
29
The Crouch Diagram
Why are we in business?
How do we do business?
Where are we now?
Where do we want to be?
How do we get there?
How will we know we’ve arrived?
30
The Crouch Diagram
Why are we in business?
How do we do business?
Where are we now?
Where do we want to be?
How do we get there?
How will we know we’ve arrived?
• Vision• Driving Force• Mission
31
The Crouch Diagram
Why are we in business?
How do we do business?
Where are we now?
Where do we want to be?
How do we get there?
How will we know we’ve arrived?
• Values• Climate• Culture
32
The Crouch Diagram
Why are we in business?
How do we do business?
Where are we now?
Where do we want to be?
How do we get there?
How will we know we’ve arrived?
• Strengths• Weaknesses• Opportunities• Threats• Competition• Constraints
33
The Crouch Diagram
Why are we in business?
How do we do business?
Where are we now?
Where do we want to be?
How do we get there?
How will we know we’ve arrived?
• Strategy
34
The Crouch Diagram
Why are we in business?
How do we do business?
Where are we now?
Where do we want to be?
How do we get there?
How will we know we’ve arrived?
• Tactics• Resources
35
The Crouch Diagram
Why are we in business?
How do we do business?
Where are we now?
Where do we want to be?
How do we get there?
How will we know we’ve arrived?
GAPANALYSIS
36
The Crouch Diagram
Why are we in business?
How do we do business?
Where are we now?
Where do we want to be?
How do we get there?
How will we know we’ve arrived?
• Co-Ordination• Budgets• Controls• Reports• Milestones
37
The Crouch Diagram
• For network management, I believe the most important questions from Crouch are:
Where are we now?
How will we know we’ve arrived?
You need information:SWOT, Constraints & Reports
WHAT INFLUENCES ARE SHAPING YOU?
= How are things now?
= Are we going where we want?
38
You can’t have it all
• Consider: QUALITY, SPEED, COST
– You can achieve any one or two of these,~ But never all three at the same time!
Speed
Quality
Cost
What other tri-valued equalities can you think of …?
39
External Influences
• Government
– Regulations
– Deregulation
– Taxation
– Ownership
• Standards
– DeJure vs. DeFacto
– Open vs. Proprietary
– Interoperability & Compatability
40
External Influences
• Customers
– Market trends – track, adapt & serve
– Perceived vs. Actual needs
• Enemies
– Theft & Vandalism
– Hackers & Corporate Crime
– Competition
– Malfunction / Accident / Disaster
41
External Influences
• The Economy
– Stock prices & Currency fluctuation
– Investor’s agendas
• Vendors
– Support levels
– Tech compatibility, expandability
– Contract control
– Devaluation / Obsolescence
– Lease vs. Buy ?
42
Internal Influences
• Management
– Style - hierarchies
– Policies
• Staff
– Skill levels
– Functions/tasks – different needs
– Physical locations
– Interrelations, interaction & interdependence
– Industrial relations
43
Internal Influences
• Physical factors
– Building infrastructure (partially external)
– Physical Security
• Users (your staff are clients of the network)
– A kind of “internal customer”
– Needs
– Expectations
44
Internal Influences
• Support systems
– Help-desk
– Standardised Procedures
– Documentation
– Skills assessment
– Training
– Incentives
45
Impact of Influences
• You could drive anywhere it it wasn’t for:
– Petrol & Running costs
– Road rules – Police!
– Hills, Curves, Gravity … blah blah blah
• Influences are quite often seen as CONSTRAINTS & THREATS
46
Impact of Influences
• You would have a boring car if it wasn’t for:
– Technological improvement
– Road maintenance
– Market forces pushing new designs … etc
• Influences can also provide you with OPPORTUNITIES !
47
Internal vs. External
• What control do you have over influences?
• Which is more important
– Internal or
– External?
• Both are important as BOTH act to determine the size, shape and position of your network/organisation.
48
Dynamic Forces
• Influences are constantly changing
• The forces acting on your network are dynamic, constantly changing
• You must stay aware of the vectors
• If you assume there will be no change you will not to be ready when change comes
49
The Analogy
• Remember the Balloon?
– If the forces are balanced,the balloon stays static
– Usually however, we will undergo changes in size, shape &/or position
– These changes may not be to your liking !
• So be aware of the influences acting on you and your network/organisation !