Internet Security: Privacy and Confidentiality - Research Paper Example

Internet Security: Privacy and Confidentiality ABSTRACT This paper is an attempt to analyze the present concerns regarding privacy and confidentiality issues as applicable to human resource departments in organizations and government offices which use Web-based applications. Beginning with a review of the concepts of privacy and confidentiality, the paper discusses the evolution of the Human Resource functions to internet-based applications, the implications of consequent present-day vulnerabilities like hacker attacks, and the ever increasing rates of cyber crimes. Recent developments in the field of encryption of data and other forms of securing privacy of information are also discussed. The paper ends with conclusions and recommendations to be adopted to ensure confidentiality of private data in Web-based human resource functions. INTRODUCTION The Development Education Program of the World Bank (2004) states that Human Resource is “the total quantity and quality of human effort available to produce goods and services. The muscle power and brain power of human beings. Human resources can be viewed as consisting of raw labor- determined mostly by the number of people in a country's labor force- combined with human capital.” Till the 1990s, human resource functions were entirely based on paper based documented means of communication and storage of information of the staff and personnel of the organization concerned. But gone are the days of paper-based data storage and retrieval, which characterized HR functions, forever. The browser-based HR portal technology of the present times has replaced the paper based system of the bygone decades. In these days of outsourcing and off shoring, personal information pertaining to a staff or employee of a globally operating company can be retrieved and communicated from one part of the world to another in a matter of seconds, by means of Web-based human resources portals. Friedman (2006, p.243) maintains that the IT giant HP has today well over 150,000 employees in at least 170 countries. Thus, if an employee of HP is to be deputed from one of these 170 countries to another, the present-day HR managers of HP are not bound down by antiquated paper-based procedures, while seeking out information about that employee. The HR Managers just have to click their mouse and all the relevant information regarding the employee flows freely to their PC desktops. Thus there is a great advantage in terms of time and even monetary expenses since an appropriate decision on whether the concerned employee is suitable for the deputation can be taken quickly with just a click of the mouse. The information is shared through the intranet or the extranet of the company’s Web-based portal within seconds. However, maintaining and operating the HR information portals mentioned above are beset with major concerns of security and confidentiality since the privacy of the employees concerned can be compromised at any moment, either deliberately or inadvertently. This is due mainly to the fact that these HR portals provide information not only from inside the organization, but also from outside the organization through the internet. Thus, while simplifying the job of HR mangers, the Web-based portals they use have also heightened the issues of privacy and confidentiality of employees which seems endangered if the management of the organization does not remain vigilant enough and updated to the ever changing technical possibilities of cyber crimes of our times increasingly ventured into by global terrorist networks. BACKGROUND In this age of Internet and World Wide Web, there will hardly be anyone who has not been a victim of invasion to his or her own online privacy. We all receive unsolicited e-mails from sources to which we never divulged our e-mail identity. We may not be aware that data is being collected about us through ‘cookies’ planted on our personal computers or how these data will be employed. Registering your name with a Web site may enable that site to keep track of your internet browsing preferences, without your knowledge or consent. (Kelly &Grant) Privacy can be defined as freedom from unauthorized and unwarranted intrusion. (The NIH Private Eye, March 2008).Privacy is the ability of individuals to determine for themselves when, how and to what extent information about them is communicated to others. (H.silistre, 2009) On the other hand, confidentiality is the obligation of a second party to not reveal private information about an individual to a third party without permission of the person concerned (Wylie and Mineau 2003). Ever since the World Wide Web –a system for creating, organizing and linking documents so that they could be easily browsed over the internet-came into being in 1991, privacy of individuals has come to be at risk, globally. Friedman (2006, p.61) points out that the Internet is a network of computers and cables through which packets of information can be sent around to any part of the globe whereas the World Wide Web consists of programs in and through an imaginary space which facilitate communication between computers on the Internet. One does not require a superhuman imagination to realize that the spread of the Internet and the growth of the Web in an increasingly electronic world have made all those documents which are posted there, vulnerable to unauthorized access, the more so as more of these are stored digitally, and the more the number of individuals accessing these documents. There are always some people out there eager to try their hand at hacking. It may be a disgruntled employee or just a computer savvy teenager trying to prove his newly acquired technical capabilities. In fact, Bidgoli (n.d., p.5) has come out with the startling finding of a study conducted in England which established that 70% of the 200 workers approached at the subway stations verbally gave their passwords to a stranger in exchange for a candy bar. Bidgoli has further suggested that the malicious insiders can range from disgruntled employees who act out of anger and revenge to actual “moles” planted to conduct industrial espionage on behalf of a competitor or a foreign enemy country. H.silistre (2009) opines that privacy issues have assumed all the more importance recently because employee information as well as information pertaining to the organization are recorded on computers, and because of the fact that a typical organization today transacts business over the Internet through an informational home page or by Internet retailing. The impact of Internet is felt in every aspect of our lives and consequently, security issues affect various topics and take various forms. H.silistre further predicts that new security and privacy issues will appear in the future and quotes the IBM to state that the Internet revolution is only less than 10% complete. In the aftermath of the 9/11 the FBI has identified its top three priorities as counterterrorism, counterintelligence and cyber security. (Mueller 2002). The concerns felt by law enforcement agencies world-wide are reflected in the following words of Pollit (2002) of the FBI quoted by Commander Etter, predicting that, law needs to be oriented towards digital evidence in the coming years. “Computer technology has propelled business to operate in “Internet time”. Likewise, government has been struggling to catch up. Law enforcement is also struggling. The only people who aren’t struggling are the criminals. Computers have provided not only new tools, but also new opportunities for criminals in the digital world. Many of those opportunities cross national boundaries. A central feature in the law enforcement’s twenty-first century struggle against crime will continue to be digital evidence”. (Etter,2002,p.2) It is clear that the issue of privacy and confidentiality of Web-based HR functions is all set to become more and more of a global concern in the years to come. It is in this background that this paper is written. METHODOLOGY This paper will first analyze the main published books and papers on the subject “Web-based Human Resources-Privacy and Confidentiality issues” and form a conclusion on the status quo of privacy and security issues pertaining to the subject. The main characteristics of a Web-based HR portal would also be identified in this step. Secondly, the cause and types of security risk which result in loss of privacy and confidentiality concerns would be identified. Thirdly, the recommendations of experts in the field would be studied. As a last step, the paper would conclude with recommendations for ensuring privacy and security in the Web-based HR applications. LITERATURE REVIEW 1)Kelly and McKenzie has published a Tutorial article on Web-Page titled “Security, privacy and confidentiality issues on the Internet” in the Journal of Medical Internet Research,Vol4,No.2, (2002). Though primarily intended for addressing the data security needs of patients, this article discusses topics like the internet, intranet, virtual private networks, authentication, message encryption, browser encryption and digital signature. (Kelly G, McKenzie B, Security, privacy, and confidentiality issues on the Internet, J Med Internet Res 2002; 4(2):e12, 2) H.silistre has published a blog article entitled “Internet Security: Human Resource Management Implications” on blog Appsic at URL: http://www.appsic.com/?p=9 which gives an overall picture of the current trends on the subject with emphasis on security implications. 3)Bidgoli has published a three volume Hand book on Information Security of which the Volume 3 is accessible from URL: http://books.google.co.in/books?id=0RfANAwOUdIC&printsec=frontcover&source=gbs_summary_s&cad=0#PPR9,M1. This volume gives detailed information on the problem of insider hacking , as well as security threats posed by criminals, spies and terrorists. The book details hacking techniques and other misappropriation of human resources which pose privacy or confidentiality implications. 4) Bidgoli has also published the Internet Encyclopedia Vol 1 available from URLhttp://books.google.co.in/books?id=ACfBmYiNaTcC&dq=risk+to+confidentiality+of+information+posted+on+extranet&source=gbs_navlinks_s wherein a detailed discussion of extranet used in Web –based applications is provided. 5) Khosrowpour has discussed the intranet in his publication Titled “ Challenges of Information Technology Management” which is accessible as a related book in the Google page displaying Bidgoli’s Handbook on Information Security. 6) Simmons has published a paper titled “Hacking Techniques: Web Application Security” which discusses about programs that can keep hackers from disrupting Web-based systems available at URL http://74.125.153.132/search?q=cache:wmhyY6Iuh0MJ:www.infosecwriters.com/text_resources/pdf/HackingTechniques_WebApplicationSecurity.pdf+Handbook+of+Information+Security-Threats,+Vulnerabilities,+Prevention,+Detection+and+Mangement+Volume-1+by+Hossein+Bidgoli&cd=63&hl=en&ct=clnk&gl=in 7) Walker has published “Web-based human resources: the technologies and trends that are transforming HR” which discusses the evolution of Web-based HR application through the past decades and right up to its present level of technological advancement. 8) Reber has published a PowerPoint presentation in the internet discussing the State and federal laws pertaining to Confidentiality agreements for System Administration,Database Administration, Operations and Applications Security. 9) “NIH Private Eye” publications of the National Institute of Health, U.S. Department of Health and Human Services available at URL http://hr.od.nih.gov/About/InfoSecurity/default.htm discuss various issues of privacy. 10) Privacy Right Clearing House has published “My Social Security Number: How Secure It Is” at URL< http://www.privacyrights.org/fs/fs10-ssn.htm> which gives information on legislation to combat identity theft and this growing menace. 11) Jakob Nielsen's Alertbox for September 15, 1997: has published Web Page “intranet vs. Internet design which is very informative on the subject at URL: http://www.useit.com/alertbox/9709b.html 12) Etter has published paper titled “CRITICAL ISSUES IN HI-TECH CRIME” which dicusses hitech cyber crimes in the aftermath of 9/11 available from URL: http://74.125.153.132/search?q=cache:xcJHhuFo0lMJ:www.acpr.gov.au/pdf/Presentations/CIinHi-tech.pdf+Tanase+articles+by,+on+hr+information+Hacking+vulnerability&cd=1&hl=en&ct=clnk&gl=in 13) Web Page “Employee Web Use and Misuse” discusses implications of this menace at URLhttp://www.webbuyersguide.com/resource/brief.aspx?id=13134&sitename=webbuyersguide&kc=contmod_rl&src=contmod_rl 14) National Institute of Standards and Technology has discussed Information security standards at its E-Gov Washington power point presentation on its Web site 15) National Institute of Standards and Technology has discussed various issues like Security Technology, Personal Identity Verification of its employees and contractors, Cryptography, concerning security and privacy available from following URLs: http://csrc.nist.gov/groups/ST/index.html URL:http://csrc.nist.gov/groups/ST/crypto_apps_infra/index.html http://csrc.nist.gov/groups/ST/crypto_apps_infra/crypto_enabled.html http://csrc.nist.gov/groups/SNS/piv/index.html 16) TechRepublic has published article titled “Protect government databases with data encryption” at http://articles.techrepublic.com.com/5100-10878_11-5690230.html 17) AFP, August 2005 has published article titled “Cyber-terrorists using hacking methods to target governments :US Official” This is available from URL: http://findarticles.com/p/articles/mi_kmafp/is_200508/ai_n14846717/?tag=content;col1 18) Database and Network Journal April 2004 has published article titled “Only 8% of Web applications secured against common hacking” This is available at URL: http://findarticles.com/p/articles/mi_hb3234/is_2_34/ai_n29090099/?tag=content;col1 19) Security Management, February 2003, has published article titled “Can you hack it? Penetration testing gives companies a way to find their vulnerabilities before hackers use them to break in and ca use harm”. This is available at URL: http://findarticles.com/p/articles/mi_hb6380/is_200302/ai_n25625696/?tag=content;col1 EVIDENCE Human Resource Portals According to Walker (2001), an HR(Human Resource) information portal is a set of applications that provide users with a single gateway to customized information, personal information and employee self-service Present-day HR systems evolved gradually from the client/server systems of the early 1990s. Walker explains that these client/server systems based on separate computers were an advancement from earlier paper-based systems. The individual computer-based systems were soon replaced by the improved ERP systems using computers connected in tandem and with a single set of data bases. The ERP systems are being replaced by Web-based systems which are easier to build, implement and operate . A Typical Web-based HR portal and self-service network provides employees access to the company’s Human Resources information database system. Many HR functions including payroll staffing and benefits& disability management are potentially capable of being outsourced . The HR portals are associated with reduction in HR delivery costs and hold competitive advantages. (Walker,2001) Web- based applications like HR portals can be hosted through INTERNET, EXTRANET, INTRANET (Nielsen, Jakob) or may avail of the services offered by VIRTUAL PRIVATE NETWORKS(Kelly & McKenzie). 1) INTERNET: Web-based Human resource applications necessitate linking up of computers to enable mutual access to data between the computers thus connected together. When a computer connects to the internet, any potential advantages of such a connection are coupled with the risk of loss of privacy to one’s own employees’ personal and private data stored on that computer to other unknown users of the internet.(Kelly & McKenzie) The main users of a company’s Internet site will be its customers and not its employees. Typically, the internet site will not have much HR applications and will be promotional in outlook.( Nielsen) 2) EXTRANET: The extranet is a combination of the public Internet and the closed intranet. It will be accessible to a limited extent by outsiders from other organizations or by the general public. The employees will have to use the extranet as a day-to-day activity of their job. Besides, the customers, contractors or clients of the company also will be using the extranet to do business with the company. 3) INTRANET: The intranet users will be the employees of the company. Human resource portals will generally be a part of the intranet. In addition it will have draft reports, progress reports, and other specialized information. It will be typically ten to hundred times bigger than the internet Web site of the company. (Nielsen).Information which should not be accessible to the public will be available in the intranet. Organizations which use the intranet for Web-based HR applications may be complacent with a misplaced sense of security based on the belief that information on the intranet computers linked together by internal networking will not be accessible to outsiders or through the internet, since only company employees will use the intranet. The truth will, however, be far from this, unless such intranets be properly secured which in turn necessitates the use of locked rooms for terminals, physical verification checks for terminal access, pressurized cables to detect cable tappings etc.(Kelly & McKenzie). 4) Virtual Private Networks (VPN): These private service networks provide to their clients the public network of Internet to send private data for which they assure protection by Tunnelling Protocols and through Encryption. However, the fact is that the clients do not have any control over the network used and have to be at the mercy of the VPN service provider, with no guarantee of service.(Kelly & McKenzie). Security Issues of Web- based Portals such as HR applications from Employees Bidgoli (n.d.) argues that threats of breaches of security and confidentiality emanating from employees internal to the organization are the most serious threats faced globally by industries equipped with IT infrastructure systems. 1)Disgruntled Employee accessing private information Bidgoli (n.d. pp.5-16) has discussed in detail about the different types of employee threats to privacy and confidentiality of Web-based and database information held by their organizations. It is the unethically motivated employees themselves who can pose the greatest risks to an organization as far as issues of breach of security are concerned. Attacks targeting the security of Web-based portals cause great financial loss to the company. Bidgoli cites an FBI study to support his argument that insider attacks ,though less in volume have far greater economic impact on the organization. The FBI study concluded that the average cost for an outsider attack was $56,000 whereas the cost from insider attack was $2.5 million. Bidgoli comes out with statistics from the Computer Crime and Intellectual Property Section of the U.S.Department of Justice which reveal that five cases of breach of confidentiality of data from disgruntled employees were reported between 2000 and 2004 with total losses of more than $13 million. He further cites a study by Information Technology Association which reported that 90% of workers would disclose to a stranger their company password in return for a pen as a reward. Bidgoli has further cited from a study conducted by Shah et al.(1998) which discovered the following common risk factors to individuals interested in computer and IT related functions, (such as Web based HR applications), which pose security concerns and consequent privacy and confidentiality issues: 1. They are introverts 2. They have problems with interpersonal skills 3. They are prone to become addicted to technology 4. They have loose ethics and poor sense of loyalty 5. Their sense of entitlement is out of proportion 6. They do not empathize with others 7. They are prone to get angry with their official superiors. The study has identified that employee attacks on cyber portals of a company are a complex combination of the above risk factors of individual employees, together with insecure IT infrastructure and poor management practices, stress factors and monetary problems. Greed for financial gain, corporate espionage and prior knowledge of location of sensitive information also contributes to cyber attacks from disgruntled insiders or employees of a company. The insider employee already has some authority and can get through security barriers without evoking undue suspicion. He is familiar with the working of the system and hence is in a position to access vital personal or sensitive information. The disgruntled employee typically plans the attack in premeditated manner and possesses time to gather personal data of his victims during his office hours. Due to the financial crisis, a majority of IT employees are disgruntled, uncertainty looms ahead for their future and some are being fired from their jobs. Hence this results in more potential for cyber-attacks by such employees for gaining sensitive personal data. 2) Hacker employees Bidgoli states that typically, an employee who disdains authority, has abundant curiosity, disregard for others’ property, and believes in sharing of information with the others can resort to hacking just to satisfy his ego. He is not after any monetary benefit but wants to show off to the world outside that he can do wonders. In this process, he deliberately or inadvertently exposes personal information causing loss of privacy and confidentiality. He may even invite unauthorized fellow outsider hackers online to his company’s internal network systems whom he will try to impress with his “skills”. Such individuals act alone or in groups to leak sensitive personal information of other third parties also using company’s infrastructure, causing legal liability to the organization, whose equipments they use. 3) Employees with Criminal Propensities According to Bidgoli, two distinct types of employees with criminal tendencies can be found in any organization-Petty Criminals and Professional Criminals. A petty criminals employee is a regular employee who has a tendency to take advantage of opportunities like lax security to make some extra money whenever possible. If opportunity presents itself, he does not have any qualms about stealing personal data of others and selling it outside for a few extra dollars. On the other hand, professional criminals join an organization intentionally and earn their livelihood mainly through income derived from criminal activities. They make use of Web-based data and the vast opportunities presented by the Internet to perpetuate their criminal activities. They masquerade as employees and are intent on committing criminal activities like fraud, embezzlement and murder. Professional criminals join organizations to steal money, credit card PIN numbers, intellectual property and personal information of other employees and customers. If such a criminal manages to attach himself to an Human Resources department of a company, he can cause unimaginable havoc to privacy of individuals and confidentiality of sensitive information of the company which employs him(Bidgoli, n.d.). Bidgoli argues that organized crime which utilize new technological advancements is a reality in many corporate companies. He states that the links between employees in IT sector to organized crime groups have already been discussed by the U.S. National Counterintelligence Executive, which heads counterintelligence activities in the USA. 4) Espionage Spies sponsored by Corporate and government sector also cause loss of privacy to personal information available to web-portals such as the HR Department of a company. Motivation for espionage may arise be from patriotic, financial or from feelings of revenge. Employees who have access to intellectual property and trade secrets of a company sometimes steal such information when they leave the company and pass it on to a competitor company which they join for better prospects(Bidgoli n.d.). 5) Threat from Terrorist groups Terrorist groups are known to have won the support of many an employee whom they use to obtain strategic personal information and sensitive data of their adversaries. Insiders sympathetic to their cause may unwittingly disclose vital and confidential private information compromising privacy of individuals and the company they work with. (Bidgoli) It has been observed from statistics that disgruntled employees constitute the majority of cases of breach of security and confidentiality. Prevention of Confidentiality Breaches and Protection of Data A detailed discussion of successful strategies to mitigate confidentiality breaches from employees is beyond the scope of this paper. However, Bidgoli(n.d.) has discussed this issue at length. Such a strategy should encompass preventive action at four levels or domains namely, Operational/Administrative domain, Environmental/Physical domain, Technical/Logical domain and Educational/Training/Awareness domain. Operational/Administrative: Human Resource Department has a vital role to play by conducting thorough background checks of job applicants before offering them a job in the company. A majority of employees who made breaches of security have a history of similar track record with their previous employers. Many employees resort to such breaches of security to gain confidential information as a panacea for their problems caused by drug abuse, alcoholism and gambling debts. Bidgoli suggests that a proper screening procedure before issuing the offer of employment by the HR department at the time of recruitment followed by periodic criminal record checks can go a long way towards solving the problem of such individuals being recruited and over time turning into hackers exposing private and confidential information of the company from company’s internal Web-portals. Environmental/Physical: Systems should be provided with basic physical security controls so as to minimize opportunities for breach of security by insider employees as well as from outsiders. Servers, Switches, Routers and Access control Systems should be placed in secure areas and not in common areas or open cubicles. Any system with physical access is more vulnerable than one which is secured. Encrypted and authenticated logging systems ensure traceability and accountability of employees who log into the system and will act as deterrents to security and confidentiality breaches. Period review and monitoring of logging history are required to minimize unauthorized logging incidents in the system. No system should be left unattended without password or after opening with the password, since errant employees can take advantage of unattended systems of colleagues to extract private confidential information. Bidgoli(n.d.) recommends the following preventive steps for implementation in systems: 1) Access to business critical/business sensitive systems should be minimized. 2) Group systems physically based on the criticality and sensitivity of information they carry. 3) Bios and screen-saver passwords should be enabled on all workstations. 4) Frequent Physical Security Checks should be conducted regularly. 5) Prevent inadvertent disclosure of information by implementing tight security controls on hard copies. Technical/Logical: Traditionally, companies have a tendency to setup firewalls and security intrusion detection systems outward anticipating intrusion from outside. They tend to ignore insider employee intrusion. Security should be set up in such a way that if prevention fails, the chances of detection of intrusions should be increased. A proper risk-management strategy should be set up before implementing additional controls. The following technical and logging strategies are recommended by Bidgoli (n.d.): 1) Audit and Event logging should be enabled on key systems. 2) event data should be monitored and audited daily. 3) Intrusion detection systems should use a combination of host-and network based systems. 4) The network should be separated into different trust domains 5) Identity management systems should be implemented to control access and privileges. 6) Role based access control should be implemented 7) Virtual Private Networks should be used to communicate and access domains of higher trust. 8) Antivirus software should be installed on all systems, ensuring automatic updation of engine and signatures. 9) Use two-factor authentication of passwords. 10) Sensitive data both should be encrypted in both transit and in storage. 11) Frequently review user accounts to eliminate unnecessary accounts. 12) Periodic internal security reviews should be conducted Educational/Training/Awareness: The breaches of security and confidentiality committed by inside employees are basically problems of Human Resource management and are not exactly technical problems that can be fixed by trouble shooting or tightening security. Once an insider decides to steal some sensitive information, it generally is a matter of time before he achieves his objective. Hence educational/training/awareness programs aimed at modifying the behavior of employees are useful in addressing the HR factor of this problem. Different programs tailored to update technical awareness of HR, Administrative and technical employees depending on their hierarchy and privileges should be administered by the HR department so as to educate employees on their responsibilities, give them a sense of belonging and to de-motivate them from committing any potential breaches of security and confidentiality(Bidgoli n.d.). CONCLUSIONS/RECOMMENDATIONS 1) This study conducted on issues of Privacy and Confidentiality in major organizations’ Web-based Human Resource departments reveals that disgruntled employees of an organization have the maximum potential to cause financial losses to the organization by resorting to breaches of privacy and confidentiality, compared to hackers from outside the organization.(Bidgoli). A disgruntled employee can easily vandalize the organization’s Web-site (H.silistre) 2) Although the disgruntled employee may be driven by greed, anger, frustration, ego problems or ideology, the consequent breaches of confidential of personal data from the data base of an organization can result in inadvertent fraud and embezzlement overlapping to organized crime sectors which may or may not be linked to international terrorist groups who may take advantage of the situation (Bidgoli). 3) The problem of breaches of privacy and confidentiality are present in all companies and government organizations with IT infrastructures and is growing globally (Bidgoli).The insider employee based breaches are basically Human Resources problem. But organizations are reluctant to report breaches of confidentiality of information to avoid alarming their shareholders or public concern (H.silistre) 4) An effective strategy to mitigate the problem of breaches of privacy and confidentiality, requires that the company should undertake a holistic approach to the problem encompassing Administrative, Physical, Technical and Educational approach.(Bidgoli) 5) Prior screening of job applicants for their past criminal history, periodic on-the-job verification screening of employees coupled with use of advanced encryption procedures in transmission and storage of data will vastly minimize the chances of resorting to breaches of confidentiality of information by employees of that company.(Bidgoli) 6) A report by the National Institute of Standards and Technology provides a framework for determining a security program to ensure confidentiality of database information(H.silistre). 7) A study conducted by Nebula Security Limited reveals that only 8% of Web applications are secured against common hacking and that 92% of Web-applications are vulnerable to hacker attacks.( From URL: http://findarticles.com/p/articles/mi_hb3234/is_2_34/ai_n29090099/?tag=content;col1 ) 8) Penetration Testing by ethical hackers are employed by companies to check how vulnerable their networks and Web-pages are to hacker attacks. (From URL:http://findarticles.com/p/articles/mi_hb6380/is_200302/ai_n25625696/?tag=content;col1) 9) Enhanced global connectivity through the internet has brought along with it chances of havocs happening in a matter of seconds at different parts of the world by criminal elements through denial of service(DoS) attacks, Viruses, Worms, Trojans, unauthorized entry, cyber-stalking and Information Tampering which has the potential to pose serious threats to national and international security.(Etter,2002) 10) International Criminals and Terrorists lurk in the World Wide Web using the Internet necessitating our strict compliance with the following basic rules in Information Security Planning: (i) Identify internal and external risks to security (ii)Design and implement safeguards to control the risks thus identified. (iii) Periodically monitor and test the safeguards (iv) Adjust the security plan according to feed back from the testing (v) Oversee the information handling practices of service providers and business partners.(Simmons, 2005) REFERENCES 1. The World Bank Group DEP web (2004): Beyond Economic Growth, Glossary [online] available from [18June2009] 2.Friedman, Thomas L (2006) The World is Flat- the globalized World in the Twenty-First Century. London: Penguin Books 3. Bidgoli, Hossein (n.d.) Handbook of Information Security-Threats, Vulnerabilities, Prevention, Detection and Management, Volume 3 . [online] available from 4. (2008) ‘De-Mystifying Privacy Lingo’ THE NIH PRIVATE EYE 1,(1)1 available from [15June 2009] 5. Wylie,J. and Mineau,G. (2003) Biomedical databases: protecting privacy and promoting research. Trends in Biotechnology 21: 113-116 6. H. silistre in Appsic (2009) Internet Security:Human Resource Management Implications[online] available from < http://www.appsic.com/?p=9> [19June 2009] 7. Mueller, R. S. 2002, Statement for the Record of Robert S. Mueller, III Director Federal Bureau of Investigation on A New FBI Focus Before the Senate Committee on the Judiciary Washington, DC, 6 June, available from [13 June 2002.] 8. Pollitt, FBI, at the Transnational Organised Crime Conference held in Hong Kong from 18-21 March 2002 , quoted by Etter, Commander Barbara,(2002,p.2) CRITICAL ISSUES IN HIGH-TECH CRIME, Commonwealth Investigations Conference 10 Sept 2002,Australia. Available from URL: < http://74.125.153.132/search?q=cache:xcJHhuFo0lMJ:www.acpr.gov.au/pdf/Presentations/CIinHi-tech.pdf+Tanase+articles+by,+on+hr+information+Hacking+vulnerability&cd=1&hl=en&ct=clnk&gl=in> 9. Kelly G, McKenzie B, Security, privacy, and confidentiality issues on the Internet, J Med Internet Res 2002; 4(2):e12, 10. Walker, Alfred J,(2001) Web-based Human Resources: The Technologies and Trends that are transforming HR :McGraw –Hill Professional 11. “NIH Private Eye” publications of the National Institute of Health, U.S. Department of Health and Human Services available at URL : 12. Jakob Nielsen's Alertbox (1997): “intranet vs. Internet design”[online] available from URL: http://www.useit.com/alertbox/9709b.html [18June 2009] 13. Database and Network Journal ( 2004) “Only 8% of Web applications secured against common hacking” [online]available from URL: http://findarticles.com/p/articles/mi_hb3234/is_2_34/ai_n29090099/?tag=content;col1 [18June 2009] 14 ) Security Management, (2003) “Can you hack it? Penetration testing gives companies a way to find their vulnerabilities before hackers use them to break in and cause harm”.[online] Available from URL: http://findarticles.com/p/articles/mi_hb6380/is_200302/ai_n25625696/?tag=content;col1 [18June 2009] 15. ) Simmons, Shynlie (2005) “Hacking Techniques: Web Application Security”[online] available from URL http://74.125.153.132/search?q=cache:wmhyY6Iuh0MJ:www.infosecwriters.com/text_resources/pdf/HackingTechniques_WebApplicationSecurity.pdf+Handbook+of+Information+Security-Threats,+Vulnerabilities,+Prevention,+Detection+and+Mangement+Volume-1+by+Hossein+Bidgoli&cd=63&hl=en&ct=clnk&gl=in [18June 2009] Read More