C841 Task 2 Template (IHP4)
School: Maseno University (not endorsed by this school)
Course: FINANCIAL
Subject: Information Systems
Date: Nov 24, 2024
Type: docx
Pages: 9
Uploaded by CountLapwingMaster1516
Western Governors University
Legal Issues in Information Security
C841
[Your Name here]
IHP4 Task 2: Ethics and Cybersecurity
A1/A1a. Ethical Guidelines Related to Information Security
The International Information Systems Security Certification Consortium (ISC)2 is one organization that exemplifies an information security ethics code. A particular code of ethics that they have is the "Security of Information" principle, which emphasizes the obligation to safeguard and value information. This ethical criterion denotes the obligation to protect secret information and uphold its availability, integrity, and confidentiality. The investigation's findings about illegal access and possible client information leakage could have been avoided by putting in place appropriate data segregation, access restrictions, and defined protocols for managing sensitive data.
The Certified Information Systems Auditor (CISA) Code of Professional Ethics has another important ethical rule pertaining to information security. The need to safeguard confidential information and stop its unlawful exposure is emphasized by the notion of "confidentiality". This ethical guideline emphasizes the need for discretion while handling information and for making sure that only authorized parties can access private information for legal purposes. The case study highlights significant violations of the "Confidentiality" principle, including improper information segregation, uncontrolled access within the BI Unit, and unlawful surveillance actions. Had TechFite followed this guideline, there would have been strict controls and access limitations in place to protect the privacy of sensitive customer data. The examination revealed that illegal access and possible leaking of private client information could have been considerably reduced by putting in place thorough access control mechanisms and rigorous monitoring.
A2. Unethical Practices
Potential information breaches and unethical surveillance operations were made possible by Carl Jaspers, the leader of TechFite's Applications Division, creating unauthorized user accounts and using them continuously for more than a year after the related employees departed the organization. This conduct made it possible to obtain private information and to carry out covert surveillance operations against different businesses, including "trash surveillance" and "dumpster diving." Jaspers' actions jeopardized the confidentiality and integrity of material belonging to other organizations by allowing illegal access and creating an atmosphere that encouraged unethical intelligence-gathering activities.
The lack of separation between the Business Intelligence (BI) Unit and other divisions within Carl Jaspers' Applications Division at TechFite allowed illegal access to confidential files from the legal, human resources, and finance departments. As a result, employees of the BI Unit, in particular Sarah Miller, Megan Rogers, and Jack Hudson, were able to improperly access and examine private data.
A3. Factors
The observed factor contributing to lax ethical behavior within TechFite is the absence of clear policies or guidelines regarding employee relationships and conflicts of interest. The case study highlighted the close social relationship between IT Security Analyst Nadia Johnson and Carl Jaspers, the head of the Applications Division. The lack of a policy prohibiting social relationships between supervising staff and those they oversee potentially led to favoritism and biased oversight. Johnson received positive recommendations and substantial raises from Jaspers, potentially influencing the oversight of the division. This created an environment in which favoritism and biased evaluations could occur, weakening ethical oversight and leading to compromised decisions and behaviors within the company.
Additionally, the absence of proper internal oversight and controls, particularly within the Business Intelligence (BI) Unit of TechFite's Applications Division, contributed significantly to lax ethical behavior. The insufficient monitoring and lack of specific protocols for auditing, data segregation, and access control allowed unchecked and unauthorized access to sensitive information. This deficiency created an environment in which employees like Sarah Miller, Megan Rogers, and Jack Hudson engaged in unauthorized surveillance and information-gathering activities against other companies, breaching ethical and potentially legal boundaries.
B1. Information Security Policies
A particular information security policy that could have lessened risks to intellectual property is the "Data Loss Prevention (DLP) Policy." In accordance with this policy, sensitive data must be monitored and controlled to avoid unauthorized access, use, or transmission of private data. In the case study, the lack of a strong DLP strategy permitted careless and illegal actions, including possible data leaks from TechFite's BI Unit and illegal access. Due to this absence, staff members were able to obtain information about other businesses and conduct unauthorized surveillance, which may have compromised confidential intellectual property. A well-executed DLP policy might have stopped or lessened unlawful access to and transmission of private data, hence preventing possible intellectual property leaks to unapproved parties.
Another important information security policy that could have lessened risks to intellectual property is the "Access Control Policy." This policy regulates and manages access rights to systems, networks, and data so that only authorized users hold the appropriate access levels. In the case study, the lack of a strong access control policy resulted in careless and illegal actions, like illegal access to private information in TechFite's BI Unit. This absence created the possibility of important intellectual property being compromised, since unauthorized employees were able to circumvent access rules and enter other departments, including legal, HR, and finance. The violation of intellectual property would have been avoided or at least lessened with a well-executed access control policy that restricted or eliminated illegal access to sensitive information and important departments.
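As an added illustration (not part of the original essay or the TechFite case file) of the checks an access control policy like the one described above would require, the Python below reconciles a constructed HR roster against constructed access records to flag the two failures noted in A2: accounts still in use after their owner has left, and BI Unit users reaching files owned by Legal, HR or Finance. Account names, units, dates and paths are assumptions, and strict per-unit segregation is assumed as the policy baseline.

```python
from datetime import date

# Constructed HR roster: account -> (business unit, termination date or None).
# Names and dates are illustrative, not taken from the case file.
ROSTER = {
    "jdoe":    ("BI", date(2023, 3, 1)),   # employee left the company
    "smiller": ("BI", None),
    "kfin":    ("Finance", None),
}

# Constructed access records: (date, account, resource, unit that owns it).
ACCESS_LOG = [
    (date(2023, 9, 15), "jdoe",    "bi/targets.xlsx",     "BI"),       # orphaned account still active
    (date(2023, 9, 16), "smiller", "legal/contracts/",    "Legal"),    # BI user inside Legal's files
    (date(2023, 9, 16), "smiller", "bi/reports/",         "BI"),       # normal
    (date(2023, 9, 17), "kfin",    "finance/payroll.csv", "Finance"),  # normal
    (date(2023, 9, 18), "ghost",   "hr/reviews/",         "HR"),       # account HR has no record of
]

def find_orphaned_account_use(roster, log):
    """Flag activity by accounts whose owner was terminated before the access,
    or that HR does not know about at all (both should have been disabled)."""
    findings = []
    for when, account, resource, _owner_unit in log:
        entry = roster.get(account)
        if entry is None or (entry[1] is not None and when > entry[1]):
            findings.append((when, account, resource))
    return findings

def find_cross_unit_access(roster, log):
    """Flag accesses where the user's unit differs from the resource's owning unit.
    Assumes strict segregation; a real policy would carry explicit cross-unit grants."""
    findings = []
    for when, account, resource, owner_unit in log:
        entry = roster.get(account)
        if entry is not None and entry[0] != owner_unit:
            findings.append((when, account, resource))
    return findings

if __name__ == "__main__":
    for f in find_orphaned_account_use(ROSTER, ACCESS_LOG):
        print("orphaned or unknown account activity:", f)
    for f in find_cross_unit_access(ROSTER, ACCESS_LOG):
        print("cross-unit access:", f)
```

Running the two checks on a real joiner/mover/leaver feed and file-server audit trail gives the monitoring the essay says TechFite lacked; each finding is a lead for review, not proof of wrongdoing by itself.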
B2. SATE Components
Clearly outlining the consequences for non-compliance is one element of the company's Security Awareness and Training Education (SATE) program that I would suggest adding. It would be imperative to establish a Security Compliance Officer or a committee to oversee and manage the program. This person or group would be in charge of making sure the SATE program is successfully deployed, overseen, and maintained across the whole organization. Regardless of their position, all staff members must be required to take part in the SATE program. This might be included in regular training for current staff members and added to the onboarding process for new hires. All personnel should be informed of the clear consequences for non-compliance. These can entail corrective measures, retraining, or other sanctions in accordance with the company's guidelines.
The creation of a varied and engaging training delivery system is another essential element of the Security Awareness and Training Education (SATE) program. The training should be given in a variety of ways, including interactive workshops, seminars, online modules, and exercises based on actual scenarios, to guarantee optimal efficacy. To deliver these varied training sessions, the organization can choose internal security specialists or work with outside cybersecurity-focused training providers. It should be mandatory for all employees, from entry-level workers to top management, to attend these training sessions. To guarantee that every employee receives pertinent and understandable training, the content and delivery techniques should be adjusted to fit various work functions and technical proficiency levels.
B2a. SATE Program Communication
In order to notify staff members about the recently implemented Security Awareness and Training Education (SATE) Program, it would be prudent to use a sophisticated and authoritative communication strategy via official business channels. The CEO or a senior executive might send an email outlining the program's existence, importance, and the need for all staff members to participate. This could be followed by an all-hands meeting or webinar. With this strategy, information is guaranteed to be clear, credible, and widely disseminated, enabling staff members to comprehend the significance of the program and their required participation. This promotes a security-aware and compliant culture throughout the company.
B2b. SATE Program Justification
One of the undesired behaviors stated in part A is that Carl Jaspers, the head of TechFite's Applications Division, created unauthorized user accounts and continued to use them for unauthorized monitoring and possibly illegal intelligence-gathering activities. This calls for the Security Awareness and Training Education (SATE) program to include particular training modules on ethical behavior and proper account management. Employees, particularly managers like Jaspers, would learn from this training how important it is to abide by business policies, moral principles, and legal requirements when it comes to account creation, access control, and surveillance procedures (Bada et al., 2019). This training component seeks to foster a culture of responsible and ethical behavior by highlighting the moral and legal ramifications of unauthorized access and surveillance, hence reducing the creation and use of unauthorized accounts.
C. Ethics Issues and Mitigation Summary for Management
In the examined case, several ethical issues were identified within TechFite's Applications Division. One key issue was the creation and continuous use of unauthorized user accounts by leadership, fostering unethical surveillance and potential information breaches. To mitigate this behavior, the recommended Security Awareness and Training Education (SATE) program should include modules on proper account management, emphasizing ethical conduct, and compliance with company policies regarding account creation and access control. Another significant issue was the lack of segregation between the Business Intelligence (BI) Unit and other departments, resulting in unauthorized access to sensitive data. To address this, the SATE program should focus on comprehensive training regarding data access controls and the importance of information segregation, emphasizing respect for departmental boundaries and the significance of proper data access and controls.
References
Bada, M., Sasse, A. M., & Nurse, J. R. (2019). Cyber security awareness campaigns: Why do they fail to change behaviour? arXiv preprint arXiv:1901.02672.