管理信息系统十一单元.ppt

INFORMATION ETHICS AND SECURITY 1 Organizational Fundamentals Info Ethics and Security Info ethics and security are two fundamental building blocks that organizations must base their businesses on to be successful In recent years, such events as the Enron ($62.8 billion) and WorldCom ($1038 billion, second largest long-distance carrier), along with 9/11 have shed new light on the meaning of info ethics and security Sarbanes-Oxley Act: No less than five years 2 Overview INFO ETHICS Information Ethics Developing Information Management Policies Info Ethics in the Workplace INFO SECURITY The First Line of Defense - People The Second Line of Defense - Technology 3 INFO ETHICS SECTION 4.1 4 INFO ETHICS IT poses new challenges for our ethics. Consider the following examples: Pirated software Is this ethical? “人肉搜索” Is this ethical? 5 INFO ETHICS Intellectual property/copyright For: respect and value knowledge so more knowledge can be created. Against: knowledge sharing has positive benefits, providing access to broader audience and creating new knowledge What do you think? 6 INFO ETHICS Privacy is a major ethical issue What is privacy? Do you worry your privacy? Why? 7 INFO ETHICS Privacy the right to be left alone when you want to be, to have control over your own personal possessions (including information), and not to be observed without your consent Confidentiality the assurance that messages and information are available only to those who are authorized to view them 8 INFO ETHICS One of the main ingredients in trust is privacy 9 INFO ETHICS 虽然我国法律没有对隐私权做出明确直接的保护 性规定，但却间接地从其他方面对公民的隐私权 不容侵犯给予了确认（宪法、刑法、民法和程序 法）。 10 INFO ETHICS 根据我国法律规定，下列行为属于侵犯隐私权： 未经公民许可，公开其姓名、肖像、住址和电话号码。 非法侵入、搜查他人住宅，或以其他方式破坏他人居住安宁。 非法跟踪他人，监视他人住所，安装窃听设备，私拍他人私生活 镜头，窥探他人室内情况。 非法刺探他人财产状况或未经本人允许公布其财产状况。 私拆他人信件，偷看他人日记，刺探他人私人文件内容，以及将 他们公开。 调查、刺探他人社会关系并非法公诸于众。 干扰他人夫妻性生活或对其进行调查、公布。 将他人婚外性生活向社会公布。 泄露公民的个人材料或公诸于众或扩大公开范围。 收集公民不愿向社会公开的纯属个人的情况。 资料来源：百度知道社会民生法律 11 案例 2010年8月5日，上海浦东法院对一起特大非法获取公民 个人信息罪案作出一审判决。10名被告中，非法获取公 民个人信息最多的达3000余万条。 本案中，余某、陈某两人利用在招聘公司、人才公司工 作的机会，私自复制公司内部的客户资料。余某还在免 费的招聘网站上，发布虚假招聘广告，吸引求职者主动“ 上钩”，骗取求职者个人简历，之后每条简历以1角钱至5 角钱的价格出售。 经过审理，法庭作出一审判决，10名被告人均犯非法获 取公民个人信息罪，周某、李某等9人被分别判处有期徒 刑两年至拘役6个月缓刑6个月不等，罚金4万元至1万元 不等，另有余某一人被免予刑事处罚。 12 如何保护个人信息？ 首先要意识到个人信息被泄露或非法利用的可能后果， 在日常生活中不能轻易向他人提供个人信息。在被要求 提供个人信息时，要仔细判断是否必需，对身份证号码 、手机号码、银行账户等重要个人信息更需格外慎重。 当发现个人信息被泄露，要争取查明泄露个人信息的主 体，注意保留证据。如果因此受到人身或者财产损害， 可向有关部门投诉，或通过民事诉讼途径获得赔偿，情 节严重的可向公安机关报案。 13 INFO ETHICS Ethical dilemmas usually arise not in simple, clear-cut situations but out of clash between competing goals, responsibilities, and loyalties. Inevitably, the decision process has more than one socially acceptable “correct” decisions. 14 Information Has No Ethics Information does not care how it is used Information will not stop itself from sending spam, viruses, or highly-sensitive information Information cannot delete or preserve itself 15 INFORMATION ETHICS Individuals form the only ethical component of IT Individuals copy, use , and distribute software Search organizational databases for sensitive and personal information Individuals create and spread viruses Individuals hack into computer systems to steal information Employees destroy and steal information 16 DEVELOPING INFORMATION MANAGEMENT POLICIES Organizations should develop written policies establishing employee guidelines on how to use IT and information. These policies set employee expectations on information ethics. These policies should be understandable and implementable. 17 DEVELOPING INFORMATION MANAGEMENT POLICIES Typically include: Ethical computer use policy Information privacy policy Email privacy policy Anti-spam policy 18 Ethical Computer Use Policy Ethical computer use policy contains general principles to guide computer user behavior What uses are not permitted? If violated, what consequences? The ethical computer user policy ensures all users are informed of the rules and, by agreeing to use the system on that basis, consent to abide by the rules 19 Information Privacy Policy The purpose: protecting personal information privacy at the same time considering organizational needs. The unethical use of information typically occurs “unintentionally” when it is used for new purposes 20 Information Privacy Policy Information privacy policy guidelines 1. Notice and disclosure What info is gathered? How will be it used? 2. Choice and consent 3. Information security 4. Information quality 21 Email Privacy Policy Professional workers identified email as their preferred means of corporate communications. Trends also show a dramatic increase in the adoption rate of instant message (IM) in the workplace. One of the major problems with email is that the users false assumption that email privacy protection exists somehow analogous to that of traditional post mails. NOT TRUE! 22 Email Privacy Policy 23 Email Privacy Policy The organization that owns the email system can operate the system as openly or as privately as it wishes. If the organization wants to read everyones email, it can do so. However, the organization must inform the user about how much email it is going to read. Email privacy policy details the extent to which email messages may be read by others 24 Email Privacy Policy 1. Should compliment ethical computer use policy 2. Defines who are legitimate email users 3. Identifies backup procedures (if deleted, still on the backup tapes) 4. Explains legitimate grounds for reading user email and organizational procedures to do so 25 Email Privacy Policy 5. Informs email control (no control outside the organization) 6. Explains ramifications of leaving 7. Asks employees to be careful when posting organizational information. 26 Anti-Spam Policy The time is worth $350 to $600 per an hour 300 to 500 spam messages CTO, Matt Kesner engineered a spam blocking, 5,000 to 7,000 spam messages trapped per day 27 Anti-Spam Policy Spam unsolicited email Spam accounts for 40% to 60% of most organizations email and cost U.S. businesses over $14 billion in 2005 Waste time Clog the net