Wednesday, April 8, 2009

Chapter 3

Provide an IT example that relates to the ethical issues for the ideas of privacy, accuracy, property, and accessibility.

- Increasing amounts of data are being stored at decreasing cost, which means that an organisation can store more information for longer periods of time on its information systems. Computer networks, particularly the internet, enable organisations to collect, integrate, and distribute enormous amounts of information on individuals, groups and institutions. As a result, ethical problems can arise about the appropriate use of customer information, personal privacy, and the protection of intellectual property.

What are the 5 general types of IT threats? Provide an example for each one.

- Unintentional acts – acts without malicious intent. There are three types: human error, deviations in quality of service by service providers, and environmental hazards. Of the three, human errors are the most serious threats to information security.
- Natural disasters – these include floods, earthquakes and fires. In many cases this may result in losses of information and other company data. For this reason the company must engage in proper planning for backup and recovery of information systems and data.
- Technical failures – include problems with hardware and software. The most common hardware problem is the crash of a hard disk drive. The most common software problem is errors – called bugs – in computer programs. Software bugs are so common that entire websites are dedicated to documenting them.
- Management failures – involve lack of funding for information security efforts and a lack of interest in those efforts. Such lack of leadership will cause the information security of the organisation to suffer.
- Deliberate acts – deliberate acts by organisational employees (i.e., insiders) account for a large number of information security breaches.

- Malicious behaviour
- Malicious code: virus, spam, phishing
- Management security negligence – through incorrect procedures and recovery established within the workplace

Describe/discuss three types of software attack and a problem that may result from them.

- Virus – a segment of computer code that performs malicious actions by attaching to another computer program
- Worm – segment of computer code that performs malicious actions and will replicate, or spread by itself (does not require another computer program)
- Trojan horse – software programs that hide in other computer programs and reveal their designed behaviour only when they are activated

Describe the four major types of security controls in relation to protecting information systems.

- Physical controls – no one can physically go to the server and see it (there are physical barriers that those without authorisation cannot cross).
- Access controls
· Administration – setting up user names and passwords for people to ensure the right level of access to the right areas.
· Authentication and authorisation
· Knowing who you are – works in a few different ways: something that you know, or the system wants to know who you are (biometrics), or you are authenticated on something that you have, e.g. a proximity card.
· What are you authorised to access – the directory of the organisation is split into different functional areas, and the people in certain areas are only authorised to see things in their area.
- Communications controls – secures the movement of data across networks
- Application controls – security counter-measures that protect specific applications

What is information system auditing?

- Companies implement security controls to ensure that information systems work properly. These controls can be installed in the original system, or they can be added after a system is in operation. Independent and unbiased observers perform the task of information system auditing. It involves regular checks on files and servers to ensure that the people who should have access to the different files of the business do have access, and that those who are not authorised do not.
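
An access audit of the kind described above, as an added example that is not part of the original notes: it compares who is authorised for each functional area against who actually has access to each file, and reports both kinds of mismatch. The area names, users and file paths are constructed sample data.

```python
"""Access audit sketch: authorised access vs. actual access (constructed data)."""

# Authorisation policy (assumed): each functional area lists the users allowed to see it.
AUTHORISED = {
    "finance": {"alice", "bob"},
    "hr": {"carol"},
    "sales": {"dave", "erin"},
}

# Actual access as found on the file server (constructed sample): path -> (area, users).
ACTUAL = {
    "/srv/finance/payroll.xlsx": ("finance", {"alice", "dave"}),
    "/srv/hr/contracts.docx": ("hr", {"carol"}),
    "/srv/sales/leads.csv": ("sales", {"dave", "erin", "bob"}),
    "/srv/legal/nda.pdf": ("legal", {"alice"}),
}


def audit_access(authorised, actual):
    """Return a sorted list of (path, finding, who) tuples for every mismatch."""
    findings = []
    for path, (area, users) in actual.items():
        if area not in authorised:
            # No policy exists for this area, so nobody's access can be justified.
            findings.append((path, "no_policy_for_area", area))
            continue
        allowed = authorised[area]
        for user in users - allowed:   # has access but should not
            findings.append((path, "unauthorised_access", user))
        for user in allowed - users:   # should have access but does not
            findings.append((path, "missing_access", user))
    return sorted(findings)


def summarise(findings):
    """Count findings per type so the auditor can report totals."""
    totals = {}
    for _path, finding, _who in findings:
        totals[finding] = totals.get(finding, 0) + 1
    return totals


if __name__ == "__main__":
    results = audit_access(AUTHORISED, ACTUAL)
    for path, finding, who in results:
        print(f"{finding:20} {path:28} {who}")
    print(summarise(results))
```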

What is the difference between authentication and authorization?

Authentication determines the identity of the person that requires access, whereas authorisation determines which actions, rights, or privileges the person has, based on verified identity. Organisations may use many methods to identify authorised personnel: something a user is, something a user has, something a user does, and something the user knows.
