Ethical Privacy and Security Issues


ETHICAL, PRIVACY, AND SECURITY ISSUES

Glenn A. Asuncion
MSIT
WHAT IS ETHICS?

Ethics is a set of beliefs about right and wrong behavior. Ethical behavior conforms to generally accepted social norms—many of which are almost universally accepted.
Improving Corporate Ethics

Many organizations today recognize the need to take action to ensure that their employees operate in an ethical manner when using technology and in the general course of business.
Ethical Standards Set by Board of Directors

Directors of the company are expected to conduct themselves according to the highest standards of personal and professional integrity. Directors also are expected to set the standard for company-wide ethical conduct and ensure compliance with laws and regulations.
Appointing a Corporate Ethics Officer
Corporate ethics can be defined broadly to include ethical
conduct, legal compliance, and corporate social
responsibility.
The primary functions of a corporate ethics policy are
setting standards, building awareness, and handling internal
reports—tasks that are neither consolidated nor handled well
in many organizations.
The corporate ethics officer is a senior-level manager
who provides vision and direction in the area of business
conduct. The role includes “integrating their organization’s
ethics and values initiatives, compliance activities, and
business conduct practices into the decision-making
processes at all levels of the organization.”
Intel’s Five Principles of Conduct
• Intel conducts business with honesty and
integrity.
• Intel follows the letter and spirit of the law.
• Intel employees treat each other fairly.
• Intel employees act in the best interests of
Intel and avoid conflicts of interest.
• Intel employees protect the company’s assets
and reputation.
Requiring Employees to Take Ethics Training
The ancient Greek philosophers believed that personal convictions about right and wrong behavior could be improved through education.

Thus, a company’s code of ethics must be promoted and continually communicated within the organization, from top to bottom. Organizations should show employees examples of how to apply the code of ethics in real life.
Including Ethical Criteria in Employee Appraisals

Employees are increasingly evaluated on their demonstration of qualities and characteristics that are highlighted in the corporate code of ethics.
PRIVACY
Often the use of information about people
(employees, customers, business partners, etc.) in
business requires balancing the needs of those who
use the information against the rights and desires of
the people whose information may be used.
On the one hand, information about people is
gathered, stored, analyzed, and reported because
organizations can use it to make better decisions.
Some of these decisions can affect people’s lives
profoundly—whether or not to extend credit to a new
customer, to hire one job candidate or another, to offer
a scholarship or not.
Right to Privacy
Treating Customer Data Responsibly
When dealing with customer data, strong measures are required to avoid customer relationship problems. One widely accepted approach to treating customer data responsibly is for a company to adopt the Code of Fair Information Practices and the 1980 Organization for Economic Cooperation and Development (OECD) privacy guidelines.

The Code of Fair Information Practices defines five widely accepted core principles concerning fair information practices of privacy protection:
(1) Notice/Awareness;
(2) Choice/Consent;
(3) Access/Participation;
(4) Integrity/Security; and
(5) Enforcement/Redress.
There are several tasks critical to establishing an effective data privacy program, including:
● Conduct a thorough assessment to document what sensitive information your organization is collecting, where it is stored, how long it is kept, who has access to it, and how your organization is using this data.
● Define a comprehensive data privacy program that encompasses the development of a set of data privacy policies that meet or exceed industry and government requirements; addresses ongoing employee education and compliance; and provides for regular updates to suppliers, customers, contractors, and employees.
● Assign a high-level executive to implement and monitor the data privacy program.
● Develop a data breach response plan to be implemented in the event of such an incident.
● Track ongoing changes to regulatory and legal requirements and make necessary changes to your data privacy program.
Workplace Monitoring
Many organizations have developed a policy
on the use of information technology to
protect against employee abuses that reduce
worker productivity or that could expose the
employer to harassment lawsuits. The
institution and communication of such an IT
usage policy establishes boundaries of
acceptable behavior and enables
management to take action against violators.
CYBERCRIME AND COMPUTER SECURITY
Cybercrime refers to criminal activity in which a computer or a computer network is used as a tool to commit a crime or is the target of criminal activity.

Electronic fraud is a broad class of cybercrime that involves the use of computer hardware, software, or networks to misrepresent facts for the purpose of causing someone to do or refrain from doing something that causes loss.
Types of Attacks
Viruses

“Computer virus” has become an umbrella term for many types of malicious code. Technically, a virus is a piece of programming code, usually disguised as something innocuous, that causes some unexpected and usually undesirable event. Often, a virus is attached to a file so that when the infected file is opened, the virus executes. Other viruses sit in a computer’s memory and infect files as the computer opens, modifies, or creates the files.
Worms
Worms are harmful computer programs that reside in the active
memory of the computer. They differ from viruses in that they
can propagate over a network without human intervention,
sending copies of themselves to other computers by e-mail or
Internet Relay Chat (IRC).

Distributed Denial-of-Service Attack (DDoS)
A distributed denial-of-service attack is one in which a malicious hacker takes over computers connected to the Internet and causes them to flood a target site with demands for data and other small tasks. A distributed denial-of-service attack does not involve taking over the targeted system. Instead, it keeps the target site so busy responding to a stream of automated requests that legitimate users cannot get in—the Internet equivalent of dialing a phone number repeatedly so that all other callers hear a busy signal.
Perpetrators
Classification of perpetrators of computer crime

Type of perpetrator   Typical objectives
Hacker                Test limits of system and/or gain publicity
Cracker               Cause problems, steal data, and corrupt systems
Insider               Gain financially and/or disrupt company’s information systems
Industrial spy        Capture trade secrets and gain competitive advantage
Cybercriminal         Gain financially
Hacktivist            Promote political ideology
Cyberterrorist        Destroy infrastructure components of financial institutions, utilities, and emergency response units
Defensive Measures
The security of any system or network is a combination of
technology, policy, and people, and it requires a wide range
of activities to be effective. In addition to elements designed
to prevent, detect, and respond to security incidents, a
strong security program must include preliminary defensive
measures, such as an overall security assessment.
Assessment includes evaluating threats to the organization’s
computers and network, examining those threats in relation
to the organization’s ability to meet key business objectives,
taking actions to address the most serious threats in a cost-
effective manner, and educating end users about the risks
and the actions they must take to help prevent a security
incident.
Risk Assessment
A risk assessment is an organization’s review of
potential threats to its computers and networks along
with an analysis of the probability that these will occur
and prevent the organization from meeting key business
objectives. The goal of risk assessment is to identify
which investments of time and resources will best protect
the organization from its most likely and serious threats.

The concept of reasonable assurance recognizes that managers must use their judgment to ensure that the cost of control does not exceed the system’s benefits or the risks involved.
Establishing a Security Policy
A security policy defines an
organization’s security requirements as
well as the controls and sanctions needed
to meet those requirements. A good
security policy delineates responsibilities
and the behavior expected of members of
the organization.
Educating Employees, Contractors, and Part-Time Workers
Employees, contractors, and part-time workers must be educated about the importance of security, so they will be motivated to understand and follow the security policies.
Prevention
No organization can ever be completely
secure from attack. The key is to implement
a layered security solution to make
computer break-ins so difficult that an
attacker eventually gives up. In a layered
solution, if an attacker breaks through one
layer of security, there is another layer to
overcome.
Installing a Corporate Firewall
Installation of a corporate firewall is the most
common security precaution taken by businesses.
A firewall stands guard between your
organization’s internal network and the Internet,
and limits network access based on the
organization’s access policy.
Firewalls can be established through the use of
software, hardware, or a combination of both.
Any Internet traffic that is not permitted explicitly
into the internal network is denied entry.
Intrusion Prevention Systems
Intrusion prevention systems (IPSs)
work to prevent an attack by blocking
viruses, malformed packets, and other
threats from getting into the company
network. The IPS sits directly behind the
firewall and examines all the traffic
passing through it. A firewall and a
network IPS are complementary.
Installing Antivirus Software on Personal Computers
Antivirus software should be installed on each user’s personal computer to scan a computer’s memory and disk drives regularly for viruses.

Antivirus software scans for a specific sequence of bytes, known as a virus signature. If it finds a virus, the antivirus software informs the user and may clean, delete, or quarantine any files, directories, or disks affected by the malicious code.
Implementing Safeguards Against Attacks by Malicious Insiders
User accounts that remain active after employees leave the company are potential security risks. To reduce the threat of attack by malicious insiders, IT staff must promptly delete the computer accounts, login IDs, and passwords of departing employees.
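An added example, not from the slides, of how IT staff could find the accounts this slide describes: it reconciles a constructed account export against a constructed HR departure list and flags enabled accounts whose owner has already left, as well as enabled accounts with no owner of record. The account names, employee ids and dates are all constructed.

```python
from datetime import date

# Constructed sample data (not real): a directory export of user accounts and the
# HR departure list, keyed by employee id.
ACCOUNTS = [
    # (login id, owner employee id or None, account enabled?)
    ("alice", "E100", True),
    ("bob", "E101", True),          # owner left, account still enabled
    ("carol", "E102", False),       # owner left, account already disabled
    ("svc-backup", None, True),     # no owner of record
]
HR_DEPARTURES = {"E101": date(2024, 2, 15), "E102": date(2023, 11, 30)}


def stale_accounts(accounts, departures, today_iso):
    """Enabled accounts whose owner has left, plus enabled accounts with no owner.

    Returns (login, reason) pairs sorted by login so the report is stable."""
    today = date.fromisoformat(today_iso)
    findings = []
    for login, emp_id, enabled in accounts:
        if not enabled:
            continue  # already deactivated; nothing to do
        if emp_id is None:
            findings.append((login, "no owner of record"))
        elif emp_id in departures and departures[emp_id] <= today:
            days = (today - departures[emp_id]).days
            findings.append((login, f"owner left {days} days ago"))
    return sorted(findings)
```

Running the check regularly (and on every HR departure notice) turns the slide's "delete promptly" into something that can be measured.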
Addressing the Most Critical Internet
Security Threats
The overwhelming majority of successful
computer attacks are made possible by
taking advantage of well-known
vulnerabilities. Computer attackers know
that many organizations are slow to fix
problems, which makes scanning the
Internet for vulnerable systems an effective
attack strategy.
Conducting Periodic IT Security Audits

Another important prevention tool is a security audit that evaluates whether an organization has a well-considered security policy in place and if it is being followed.
Detection
Even when preventive measures are
implemented, no organization is completely
secure from a determined attack. Thus,
organizations should implement detection
systems to catch intruders in the act.
Organizations often employ an intrusion
detection system to minimize the impact of
intruders.
Intrusion Detection Systems
An intrusion detection system is software and/or hardware that monitors system and network resources and activities, and notifies network security personnel when it identifies possible intrusions from outside the organization or misuse from within the organization.

Two fundamentally different approaches to intrusion detection:

Knowledge-based intrusion detection systems contain information about specific attacks and system vulnerabilities and watch for attempts to exploit these vulnerabilities, such as repeated failed login attempts or recurring attempts to download a program to a server. When such an attempt is detected, an alarm is triggered.

A behavior-based intrusion detection system models normal behavior of a system and its users from reference information collected by various means. The intrusion detection system compares current activity to this model and generates an alarm if it finds a deviation.
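As an added illustration (not from the slides), the Python below runs both approaches over a constructed login log: a knowledge-based rule that alarms on repeated failed logins from one source, and a behavior-based model that learns each user's usual login hour from reference data and alarms on a large deviation. The log lines, baseline hours, threshold and z-score cutoff are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
# Constructed sample login records (not real data): timestamp, user, source IP, result.
SAMPLE_LOG = """\
2024-03-01T09:00:05 alice 10.0.0.7 OK
2024-03-01T09:01:10 bob 10.0.0.9 OK
2024-03-01T09:02:00 alice 203.0.113.5 FAIL
2024-03-01T09:02:07 alice 203.0.113.5 FAIL
2024-03-01T09:02:15 alice 203.0.113.5 FAIL
2024-03-01T09:02:21 alice 203.0.113.5 FAIL
2024-03-01T09:02:30 alice 203.0.113.5 FAIL
2024-03-02T02:45:00 bob 198.51.100.4 OK
"""
# Constructed reference data for the behavior model: hour of day of past normal logins.
BASELINE_HOURS = {"alice": [9.0, 9.25, 8.75, 9.0], "bob": [9.0, 9.5, 10.0, 8.5, 9.0]}

def parse(log):
    """Turn the text log into (timestamp, user, source, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events

def knowledge_based(events, threshold=5, window=timedelta(minutes=1)):
    """Signature rule from the slide: N failed logins from one source within a window."""
    failures = defaultdict(list)  # source IP -> timestamps of recent failures
    alarms = []
    for ts, user, src, result in events:
        if result != "FAIL":
            continue
        recent = [t for t in failures[src] if ts - t <= window] + [ts]
        failures[src] = recent
        if len(recent) == threshold:  # alarm once, when the threshold is first reached
            alarms.append((src, user, ts))
    return alarms

def behavior_based(baseline, events, max_z=3.0):
    """Model each user's normal login hour; alarm on a successful login far outside it."""
    model = {u: (mean(h), pstdev(h) or 1.0) for u, h in baseline.items()}
    alarms = []
    for ts, user, src, result in events:
        if result != "OK" or user not in model:
            continue
        mu, sigma = model[user]
        if abs(ts.hour + ts.minute / 60 - mu) / sigma > max_z:
            alarms.append((user, src, ts))
    return alarms
```

The signature rule misses the 02:45 login because nothing failed, and the behavior model misses the burst of failures because it only scores successful logins; that gap is why the two approaches are complementary.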
Response
An organization should be prepared for
the worst—a successful attack that defeats
all or some of a system’s defenses and
damages data and information systems. A
response plan should be developed well in
advance of any incident and be approved
by both the organization’s legal
department and senior management.
Incident Notification
A key element of any response plan is to
define who to notify and who not to
notify.

Most security experts recommend against giving out specific information about a compromise in public forums, such as news reports, conferences, professional meetings, and online discussion groups.
Protecting Evidence and Activity Logs

An organization should document all details of a security incident as it works to resolve the incident. Documentation captures valuable evidence for a future prosecution and provides data to help during the incident eradication and follow-up phases.
Incident Containment
Often, it is necessary to act quickly to
contain an attack and to keep a bad
situation from becoming even worse. The
response plan should define clearly the
process for deciding if an attack is
dangerous enough to warrant shutting
down or disconnecting critical systems
from the network.
Eradication
Before the IT security group begins the
eradication effort, it must collect and log all
possible criminal evidence from the system,
and then verify that all necessary backups
are current, complete, and free of any virus.
Incident Follow-up
A review should be conducted after an
incident to determine exactly what
happened and to evaluate how the
organization responded.
Thank You!!!
Prepared by: Glenn A. Asuncion
