Study of Web Use and E-Mail Based on Ethics, Policy and Law in Information Security - Report Example

Summary
This report "Study of Web Use and E-Mail Based on Ethics, Policy and Law in Information Security" presents the rising issue of malicious digital risks from a legal and ethical perspective. We shall explore how the risks relate to the central values and ethical conduct of the IS…

Extract of sample "Study of Web Use and E-Mail Based on Ethics, Policy and Law in Information Security"

Student Name:
Topic: Monitoring of employees’ Web use and e-mail based on ethics, policy and law in information security
Course: Computers
Tutor:
Department and the Institution:
Date Due:

Abstract

In this era, privacy issues such as digital security, identity theft, spyware, phishing, Internet pornography and spam are very common. These issues are expensive in terms of time and money, which has drawn our concern. State and federal privacy and security legislation is evolving with the intention of protecting citizens from harm and organizations from economic loss and civil or criminal lawsuits. Organizations, working with their information systems professionals, are required to deal with these issues and control the institution so as to minimize the risk. This paper will look at the rising issue of malicious digital risks from a legal and ethical perspective. We shall explore how the risks relate to the central values and ethical conduct of the information systems professionals in our organizations. A cost-benefit approach will be used to discuss the effect of legislation on organizations and society at large. Finally, ways of addressing the issues will be suggested.

Introduction

Information ethics and information management in an organization depend on the ethics of the people in the organization. Information use depends on the personal ethics and beliefs of members of the organization, especially the organization’s leadership. Information is an important organizational resource that must be safeguarded and managed effectively just like other organizational resources. People have become more technologically savvy. Due to the significantly increased range of information available through the Internet, easy accessibility of information, and an increase in computer literacy, information security and individual privacy have become areas of significant concern.
Security, privacy and ethical dilemmas dominate our daily lives. Personal concerns and fears, due to the rapid increase in theft of personal information, have resulted in organizations developing or revising codes of ethical conduct. Our government agencies have simultaneously enacted laws and legislation that are specifically related to the provision of privacy and security of information and individuals.

Objectives

• To address the information security component in terms of policies, ethics or laws.
• To come up with technologies or research solutions.

Ethics

Individuals’ ethical values toward each other are an indicator of our civilization, which is determined by information use. Ethical issues cover a wide spectrum, so most organizations have developed a broad framework that managers can immediately apply to issues as they occur. One such general framework is derived from articles. Four areas of critical concern for managers have been identified. The issues are privacy, accuracy, property, and accessibility (PAPA).

A code of ethical conduct is a framework that has emerged as a standard in many organizations. Codes of ethical conduct are published by professional organizations, and most organizations have published organizational codes of conduct. The most popular professional code of conduct for information systems professionals is the one published by the Association for Computing Machinery (ACM). The ethical issues common to information systems organizations are typically covered by policies on ethical computer use, privacy of information, acceptable use, email, and the Internet, and by an anti-spam policy. Involvement of managers in monitoring the outward activities of the business is important because customers’ privacy is affected when there are outward breaches. Internal issues like internal surveillance and monitoring activities are equally important because they affect employees in an organization.
Internet, instant messaging and email are so prevalent in current organizations that a number of software monitoring products have been developed and are being implemented. As the need for privacy protection, security assurance and control has grown, monitoring and surveillance of information have increased. However, using these products and practices has often created ethical dilemmas, so their use must be properly communicated to employees for proper implementation (Harold and Micki, 2007: 67).

Organizational Issues

The accounting scandals at Enron, Tyco, and WorldCom rocked the financial world and the corporate community. The scandals highlighted the absence of individual ethical conduct and the amount of financial ruin that could result. However, the field of technology has been overtaken by other types of behavior that can affect any technology user. The intention of computer virus and hacker attacks is to destroy data and software so as to interrupt computer services. More than 7,000 computer viruses were reported in 2002. Phishing attacks target specific groups of people with the intention of obtaining personal financial information from innocent and unsuspecting responders. Criminals are always interested in acquiring social personal identity numbers, bank account information, credit card numbers and other monetary data to help them steal identities or money from unsuspecting customers.

External hackers have been reported as the major risk to companies, but the origin of much of the harm and many of the threats to cyber security is insiders, especially disgruntled insiders. The most serious computer security threats come from persons thought to be trusted members of the organization, particularly discontented and terminated employees. Although two weeks’ notice of resignation or termination remains customary, terminating all network access once notice of termination of employment is given is the most effective method.
Programs commonly referred to as “spyware” or “adware” have become very widespread. These programs are able to monitor users’ online behavior, which threatens compliance efforts and intellectual property and causes trouble for computer users and IT administrators. Cleaning up spyware or adware has been reported as an expensive challenge. Some of the troubles that prevail due to spyware are slow computer processing speeds and pop-ups taking over. Research has shown that adware and spyware bundling agreements are lucrative, even for companies not in favor of inclusion. Spyware can be avoided by installing anti-spyware software and by switching away from more susceptible Microsoft programs.

Identity theft is the stealing of someone else’s identity to commit fraud or theft. Possible future means of preventing identity theft involve biometric technology, such as fingerprints or voice scans, used to confirm the identity of credit applicants. This is generally regarded as an expensive cure that costs more than the problem it is meant to solve. However, the consequences of identity theft are considerable, with financial impacts exceeding billions of dollars each year. The victim is subject to loss of money or other property, a stained credit history, a possible criminal record, difficulty in securing employment, and an inability to obtain goods and services. Identity theft is a crisis affecting both individuals and organizations, so precautions must be taken.

After Y2K it is apparent that security and privacy issues require attention. There is a prevalence of viruses, leading to an increase in application vulnerabilities in operating systems and an alarming increase in computer security breaches. Organizations’ first line of defense was the installation of a firewall, because it could easily be installed and maintained and it didn’t disrupt regular business applications. However, early firewalls provided no security.
The cost of repairing damage from Internet attacks was staggering. Information security was perceived as an expense to an organization. It remains imperative that firewalls, while being effective, must also be easy to manage. Based on the scenarios above, it is understandable that organizations were forced to drastically change their processes with regard to privacy and security. In addition to the organizational measures to safeguard privacy and security, new laws and legislation have been introduced to help reduce the magnitude of privacy and security breaches (Haag, Paige and Amy, 2006: 89).

Legislation and Compliance Requirements

Internally, organizations were not meeting expectations or addressing privacy concerns in the late 1990s and early 2000s. Government agencies have realized that they are facing a new and monumental problem. This has brought about new legislation and laws to protect personal privacy and information security. A summary of some enacted legislation is shown below.

Established Information-Related Laws

• Privacy Act – 1974: Restricts the information that can be collected by the government; permission is required to disclose information linked to a name; facilitates access to and correction of information.
• Cable Communications Act – 1984: Requires the permission of the viewer for cable providers to release their viewing preferences.
• Electronic Communications Privacy Act – 1986: Denies employees privacy rights on firm computers.
• Computer Scam and Abuse Act – 1986: Requires formal access to computers used in financial institutions, the US government, or international trade.
• The Bork Bill (Video Privacy Protection Act – 1988): A consumer's video leasing information can only be used for marketing directly towards him/her.
• Communications Support for Law Enforcement Act – 1994: Government agents are required to intercept all forms of communication, and caller-ID information.
• Freedom of Information Act – 1967, 1975, 1994, & 1998: Anyone is allowed to examine government records unless it is an invasion of privacy.
• Identity Theft and Assumption Deterrence Act – 1998: ID theft was made a federal crime and a central federal service for victims was established.
• Homeland Security Act – 2002: Limits the Freedom of Information Act; government agencies are allowed to mine data on one's emails and web site visits.
• Sarbanes-Oxley Act – 2002: Provides investors with accurate and reliable corporate disclosures.
• Fair and Accurate Credit Transactions Act – 2003: Consumers' right to a free credit report; the full credit card number cannot be on a receipt; requires credit agencies to take proactive measures.
• CAN-Spam Act – 2003: Penalizes businesses for sending unsolicited e-mails to consumers.
• Financial Modernization Act of 1999 (Gramm-Leach-Bliley Act): Protects consumers’ individual financial information held by financial institutions.

On June 1, 2005, a new Federal Trade Commission rule went into effect as part of a congressional crackdown on identity theft. Basically, the law requires that any personal information that businesses obtain from credit bureaus and other agencies be destroyed so it cannot be stolen or misused.
On December 4, 2003, the Fair and Accurate Credit Transactions Act (FACTA) became law, with the intention of thwarting the growth of consumer fraud and identity theft. For example, the FACTA disposal rule requires all employers to dispose of any electronic or paper documents or face federal fines of $2,500 per violation and state fines up to $1,000 per violation. Credit bureaus are obliged to block the reporting of any information based on the transaction of an identity thief once the consumer provides specific information. FACTA also addresses numerous specific aspects of identity theft, including compulsory credit card number truncation on receipts, mandates to credit issuers to investigate address changes and new card requests, fraud alert requirements for credit reporting agencies, compulsory blocking of identity-theft-related information on credit reports, and free annual credit reports (Simmers and Murugan, 2002: 78).

Another act that is intended to reduce the amount of unwanted spam is the Federal Trade Commission’s Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM). Although CAN-SPAM has not yet had a significant impact on email problems, a recent report indicated that spam accounted for 67% of email messages during the first eight months of 2005, and this figure represented a 9% decrease from the same period in 2004. The Act has also helped reduce the amount of world spam created in the US from 46% of world spam in 2004 to 26% in 2005. At the same time, however, world spam is up, with China and South Korea leading the way.

Federal legislation like the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act emphasizes the importance of identity management. Managers must be aware of how information is being used, maintained, and provided, and also how it can be effectively protected and updated to meet business needs while, at the same time, complying with audit and privacy regulations.
The piece of legislation that warrants special consideration for IT professionals is the Sarbanes-Oxley Act of 2002 (SOX). This legislation has a far-reaching impact on publicly traded companies. The financial health, regulatory visibility and accountability of public companies were its original aim, but the act has also significantly impacted IT departments. In particular, Section 404 of the act requires that auditors certify the underlying controls and processes used to compile financial results. Officers are held personally responsible for the financial information reported, and penalties range from fines to a five to 30 year jail term. Under SOX Section 404, public companies are required to demonstrate the effectiveness of internal controls annually. SOX stresses that upper management has ultimate responsibility to ensure that sufficient controls are in place throughout the organization.

Although SOX was originally targeted at accounting, IT is critical in ensuring the accuracy of accounting data. Therefore, it is essential for IT professionals to become “well-versed in internal control theory and performance to meet the act requirements” (Brennan and Victoria 2004: 200). Although the focus of SOX is on financial controls, many auditors required IT managers to extend their attention to organizational controls and risks in business processes. Some companies have created new IT positions to deal with compliance challenges.

Conclusions and Recommendations

It can be concluded that the inter-related issues of personal and organizational ethics, privacy, information security, and protective legislation have formed a rather complex web that must be understood by technology managers. Spyware, adware, and phishing attempts have grown in sophistication and prominence. Identity theft is a threat that must be taken seriously by all members of our society. Organizations have taken preventative actions through the enactment of ethics and conduct codes.
Government agencies have responded with legislation to protect data integrity and individuals’ privacy. Educators are aware of the growing complexity of information security and the ethical issues that revolve around the multitude of possible breaches. Some may contend that it is difficult to teach ethics and values, but educators have a responsibility to develop a sense of awareness of the issues. In that connection, colleges and universities are offering ethics courses.

The problems facing information security may be solved by:

• Organizations offering courses in information ethics that examine the types of ethical dilemmas likely to be encountered by their employees.
• Enlightening employees on professional codes of conduct, for example the Association for Computing Machinery Code of Ethical Conduct.
• Detailed information on the range of issues related to identity theft.
• Emphasis on system security controls.
• Comprehensive coverage of laws and legislation to develop a sense of awareness of the compliance requirements that affect information security.
• Specific discussion of and familiarization with Section 404 of the Sarbanes-Oxley Act.

Cited Works

Brennan, L.L. and E.J. Victoria. Social, Ethical and Policy Implications of Information Technology. London: Information Science Publishing, 2004.
Haag, S., B. Paige and P. Amy. Business Driven Technology. New York: McGraw-Hill, 2006.
Harold, F.T. and K. Micki. Information Security Management Handbook, Sixth Edition. Boca Raton: Auerbach Publications, 2007.
Simmers, C.A. and A. Murugan. Managing Web Usage in the Workplace: A Social, Ethical and Legal Perspective. London: IRM Press, 2002.