IHP4 TASK 2 - ETHICS AND CYBERSECURITY
School: Western Governors University
Course: C841
Subject: Information Systems
Date: Apr 3, 2024
A. Address ethical issues for cybersecurity by doing the following:
1. Discuss the ethical guidelines or standards relating to information security that should apply to the case study.
Ethical guidelines and standards that relate to this case study are those of the Information Systems Security Association (ISSA) and the International Information Systems Security Certification Consortium (ISC²). Both associations have developed industry-leading ethical standards, namely the ISSA Code of Ethics and the ISC² Code of Ethics. Had they been applied, TechFite could have been talked about in a different light.
a. Justify your reasoning.
The primary goal of ISSA is to promote practices that will ensure the confidentiality, integrity, and availability of organizational information resources. The ISSA Code of Ethics highlights:
I. Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of, or be detrimental to, employers.
II. Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles.
III. Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities.
Moving on to ISC². ISC² looks to promote the safety and welfare of society and the common good, duty to our principals, and to each other, requiring adherence to the highest ethical standards of behavior. The ISC² Code of Ethics highlights:
I. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
II. Act honorably, honestly, justly, responsibly, and legally.
III. Provide diligent and competent service to principals.
2. Identify the behaviors, or omission of behaviors, of the people who fostered the unethical practices.
Referencing ISSA ethic code III: Carl Jaspers seemingly violated, more than once, the NDAs put in place, for the furtherance of his company. NDAs were put into place with the companies Orange Leaf and Union City Electronic Ventures. TechFite was provided with technical, sensitive, and proprietary information via questionnaires, which it used to its advantage to one-up its competitors. This behavior is unethical, immoral, and illegal.
Referencing ISSA ethic code I: the social relationship between IT Security Analyst Nadia Johnson and Carl Jaspers appears to violate this code of ethics. Johnson frequently attended events led by Carl Jaspers and displayed her attendance, even making a social media post thanking Jaspers for a birthday gift she received. Afterwards, background checks raised concerns. Johnson regularly received praise and positive recommendations from Jaspers, which resulted in ample raises for Johnson. Said relationship appeared to affect Johnson's duties, as she failed to perform her job.
Referencing ISC² ethic codes II and III: Nadia Johnson failed to display the internal oversight required of a person in her position. There were no audits of user accounts, no checks for privilege escalation, no enforcement of data loss prevention on sensitive documents, and no surveillance of internal network traffic and activity.
3. Discuss what factors at TechFite led to lax ethical behavior.
In my opinion, from the discovery, the main factors that led to lax ethical behaviors were the contributions of the Business Intelligence unit (BI), Carl Jaspers, and Nadia Johnson. Within the BI unit, the principles of least privilege and separation of duties were not enforced: every workstation and computer had full admin rights. Carl Jaspers requested that two dummy accounts be created for former employees who had not worked for TechFite in over a year. Those accounts were in constant use, sending emails referring to unethical and illegal acts. Finally, Nadia Johnson did not audit the client list database. Had audits been run, three faulty companies would have been caught.
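The omissions described in A.2 and A.3 (no audits of user accounts, no privilege-escalation checks, blanket admin rights, accounts kept alive for former employees, and no separation of duties) are exactly what a periodic account audit is meant to surface. The script below is an added example written for this page, not code from the case study or from TechFite; the account records, the role names, the `it_admin` role that is taken to justify admin rights, and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Account and privilege audit over a constructed account inventory.

Added example, not part of the case study. The account records, role names,
the admin-justifying role and the 90-day dormancy threshold are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Role pairs that no single account may hold at once (separation of duties).
# Role names are assumptions modelled on the essay's sales/marketing and BI split.
SOD_CONFLICTS = [
    frozenset({"create_client", "post_sales"}),
    frozenset({"report_sales", "post_sales"}),
]
ADMIN_JUSTIFYING_ROLE = "it_admin"   # assumed: the only role that justifies admin rights
DORMANT_AFTER = timedelta(days=90)   # assumed dormancy threshold


@dataclass
class Account:
    username: str
    employed: bool                       # False once HR records the person as departed
    enabled: bool
    is_admin: bool
    roles: Set[str] = field(default_factory=set)
    separation_date: Optional[date] = None
    last_login: Optional[date] = None


def audit_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return {username: sorted finding codes} for every account with a finding."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        codes = []
        # Accounts of departed staff: the "dummy accounts" pattern from the case study.
        if not a.employed and a.enabled:
            codes.append("former_employee_enabled")
        if (not a.employed and a.separation_date and a.last_login
                and a.last_login > a.separation_date):
            codes.append("login_after_separation")
        # Least privilege: admin rights only where a role justifies them.
        if a.is_admin and ADMIN_JUSTIFYING_ROLE not in a.roles:
            codes.append("unjustified_admin")
        # Enabled accounts nobody uses are a standing foothold.
        if a.enabled and (a.last_login is None or today - a.last_login > DORMANT_AFTER):
            codes.append("dormant")
        # Separation of duties: no account holds a conflicting role pair.
        if any(pair <= a.roles for pair in SOD_CONFLICTS):
            codes.append("sod_conflict")
        if codes:
            findings[a.username] = sorted(codes)
    return findings


def admin_share(accounts: List[Account]) -> float:
    """Fraction of accounts holding admin rights; near 1.0 means blanket admin."""
    return sum(a.is_admin for a in accounts) / len(accounts)


TODAY = date(2023, 11, 15)   # constructed audit date

# Constructed inventory: usernames echo the case study, the records are invented.
SAMPLE_ACCOUNTS = [
    Account("cjaspers", True, True, True, {"create_client", "post_sales"},
            last_login=date(2023, 11, 14)),
    Account("njohnson", True, True, False, {"it_security"},
            last_login=date(2023, 11, 13)),
    Account("former1", False, True, False, {"bi_analyst"},
            separation_date=date(2023, 1, 15), last_login=date(2023, 11, 2)),
    Account("former2", False, True, False, {"bi_analyst"},
            separation_date=date(2022, 12, 1), last_login=date(2023, 10, 20)),
    Account("analyst", True, True, True, {"bi_analyst"}),
    Account("itadmin", True, True, True, {"it_admin"},
            last_login=date(2023, 11, 10)),
]

if __name__ == "__main__":
    for user, codes in audit_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{user}: {', '.join(codes)}")
    print(f"share of accounts with admin rights: {admin_share(SAMPLE_ACCOUNTS):.0%}")
```

Run against a real export, each finding code maps to one of the essay's omissions: `former_employee_enabled` and `login_after_separation` to the dummy accounts, `unjustified_admin` and a high `admin_share` to the blanket admin rights, `sod_conflict` to the missing separation of duties, and `dormant` to the absent account audits.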
B. Describe ways to mitigate problems and build security awareness by doing the following:
1. Describe two information security policies that may have prevented or reduced the criminal activity, deterred the negligent acts, and decreased the threats to intellectual property.
Two policies that I find would prevent negligence and decrease threats to intellectual property are separation of duties and the Chinese wall methodology. With separation of duties in place, the full visibility and access between multiple units and divisions would have been eliminated. Neither the sales/marketing unit nor the BI unit would have had the privileges to create clients, report sales, and post sales to teams. The Chinese wall methodology does a great job protecting IP by implementing a virtual privacy barrier. Proprietary information collected from Orange Leaf and Union City could have stayed within TechFite with no issues. However, that proprietary data made its way to the Applications Division, which then passed it to two competitors. The Chinese wall methodology specifically targets this issue: its procedures prevent information obtained while representing a client from being disclosed to employees in the same firm who represent outside clients that could potentially profit from the information received.
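The Chinese wall policy described above is formalized as the Brewer-Nash model: company datasets are grouped into conflict-of-interest classes, a subject who has read one company's data may not read a competitor's data in the same class, and the subject may not write anywhere that data could flow on to another company. The implementation below is an added example written for this page, not from the case study; the conflict-of-interest classes, the extra company names and the employees' access histories are constructed assumptions, and all data a subject reads is treated as unsanitized.

```python
"""Brewer-Nash ("Chinese wall") access decisions over constructed datasets.

Added example, not part of the case study. The COI classes, the invented
company names and the access histories are constructed assumptions.
"""
from typing import Dict, List, Set, Tuple

# Conflict-of-interest (COI) classes: company datasets that compete with each other.
# Orange Leaf and Union City come from the case study; the grouping and the other
# company names are assumptions.
COI_CLASSES: Dict[str, Set[str]] = {
    "electronics": {"OrangeLeaf", "UnionCity", "CompetitorA"},
    "retail": {"CompetitorB", "RetailCo"},
}


def coi_class_of(dataset: str) -> str:
    """Name of the COI class a company dataset belongs to."""
    for name, members in COI_CLASSES.items():
        if dataset in members:
            return name
    raise KeyError(f"unknown dataset {dataset!r}")


class ChineseWall:
    """Per-subject read history plus the two Brewer-Nash rules.

    Simple security rule: a subject may read dataset D only if every dataset it
    has already read is D itself or lies in a different COI class.
    *-property (simplified, all data treated as unsanitized): a subject may write
    to D only if it may read D and has read no dataset other than D, so data from
    one company cannot flow through the subject into another company's files.
    """

    def __init__(self) -> None:
        self.history: Dict[str, Set[str]] = {}  # subject -> datasets read so far
        self.log: List[str] = []                # audit trail of every decision

    def can_read(self, subject: str, dataset: str) -> bool:
        seen = self.history.get(subject, set())
        cls = coi_class_of(dataset)
        return not any(d != dataset and coi_class_of(d) == cls for d in seen)

    def can_write(self, subject: str, dataset: str) -> bool:
        seen = self.history.get(subject, set())
        return self.can_read(subject, dataset) and all(d == dataset for d in seen)

    def read(self, subject: str, dataset: str) -> bool:
        ok = self.can_read(subject, dataset)
        self.log.append(f"{'ALLOW' if ok else 'DENY '} read  {subject} -> {dataset}")
        if ok:
            self.history.setdefault(subject, set()).add(dataset)
        return ok

    def write(self, subject: str, dataset: str) -> bool:
        ok = self.can_write(subject, dataset)
        self.log.append(f"{'ALLOW' if ok else 'DENY '} write {subject} -> {dataset}")
        return ok


# Constructed scenario modelled on the essay: an analyst who has seen Orange Leaf's
# questionnaire data must not touch Union City's, nor push anything to a competitor.
SCENARIO: List[Tuple[str, str, str]] = [
    ("read", "bi_analyst", "OrangeLeaf"),    # first dataset in the class: allowed
    ("read", "bi_analyst", "UnionCity"),     # competitor of OrangeLeaf: denied
    ("read", "bi_analyst", "OrangeLeaf"),    # same dataset again: allowed
    ("read", "bi_analyst", "RetailCo"),      # other COI class: allowed
    ("write", "bi_analyst", "CompetitorA"),  # would carry OrangeLeaf data: denied
    ("write", "bi_analyst", "OrangeLeaf"),   # denied too, RetailCo data is in play
    ("read", "apps_dev", "CompetitorA"),     # fresh subject: allowed
    ("write", "apps_dev", "CompetitorA"),    # only dataset this subject read: allowed
]


def run_scenario(steps: List[Tuple[str, str, str]]) -> List[bool]:
    """Apply each (action, subject, dataset) step to a fresh wall; return decisions."""
    wall = ChineseWall()
    results = []
    for action, subject, dataset in steps:
        results.append(wall.read(subject, dataset) if action == "read"
                       else wall.write(subject, dataset))
    return results


if __name__ == "__main__":
    wall = ChineseWall()
    for action, subject, dataset in SCENARIO:
        getattr(wall, action)(subject, dataset)
    print("\n".join(wall.log))
```

The write rule is what the essay's Applications Division leak violates: an employee who has read Orange Leaf's questionnaire data is barred from writing into any competitor's dataset, and the decision log gives the internal oversight that was missing.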
2. Describe the key components of a Security Awareness Training and Education (SATE) program that could be implemented at TechFite.
The initiatives of SATE should be utilized to bring cybersecurity training and awareness to users at TechFite. A significant amount of user error was identified at TechFite, keeping the company at high risk of security breaches. A SATE program should be implemented to avoid and reduce the risks posed by internal or external users.
a. Explain how the SATE program will be communicated to TechFite employees.
Through the implementation of the SATE program, current and future employees should complete cybersecurity training at least semi-annually to stay educated on the latest security compliance standards. This can be done online, like most security training today. Communication can come from various outlets; the most visible may be newsletters throughout the building, banners on the TechFite intranet site, and emails classified as urgent.
b. Justify the SATE program's relevance to mitigating the undesirable behaviors at TechFite.
SATE finds its relevance at TechFite in a few ways. Here are two instances where I believe SATE would mitigate undesirable behaviors: improper access and dummy accounts created for former employees, and full visibility between the BI and sales/marketing units. The cybersecurity awareness and training learned courtesy of SATE would likely have prevented these behaviors from occurring.
C. Prepare a summary directed to senior management (suggested length of 1–2 paragraphs) that states TechFite's ethical issues from Part A and the related mitigation strategies from Part B.
A code of ethics was a key highlight in Part A. The lack of an ethics code allowed NDAs to be violated, zero separation of duties, little to no internal oversight, mishandling and theft of proprietary information, fraud, and unethical social relationships to take place. TechFite should compile its own Code of Ethics in collaboration with the industry-standard ethics codes of ISC² and ISSA. This should then be acknowledged, signed, and followed by all current and future employees of TechFite. A SATE program creates an opportunity to promote cybersecurity through awareness and training exercises, mitigating the major concerns of ethics, user errors, and risks. The ethics issues discussed in Part A are simply awareness and training issues that TechFite did not address. Creating a culture where employees understand the penalties and infractions of violating said ethics and policies will in return create a compliant and secure TechFite.
D. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.
"Chinese Wall Law and Legal Definition | USLegal, Inc." Definitions.uslegal.com, definitions.uslegal.com/c/chinese-wall/.
Fegarty, Karen. "Security Awareness Training: What It Is and Why You Need It." Mariner, 30 Jan. 2023, marinerinnovations.com/security-awareness-training-what-it-is-and-why-you-need-it/.
"ISSA Code of Ethics." Edited by Information Systems, ISSA International, 19 Aug. 2022, www.issa.org/issa-code-of-ethics/.
Security Certification, Information Systems. "Code of Ethics: Complaint Procedures." Code of Ethics | Complaint Procedures, www.isc2.org/Ethics. Accessed 9 June 2023.
E. Demonstrate professional communication in the content and presentation of your submission.