Definitions And Concepts Of Ethics


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Abstract: Today it is essential for information security management to understand not only the technical issues that are an essential part of their functional role but also the management of security among staff in the organization, based on principles and practices. This paper examines information security from various perspectives. Within this framework, the paper defines information security and its concepts and offers several recommendations towards better security management within an organization. This term paper uses personal experience, observation and literature as its methodology.

Keywords: Organizational Ethics, Information Security, Practices.

Introduction

Security technology is an essential element of all networked activity. Without security technology there would be no commerce on the Internet, there would be no confidentiality for any form of communication, and attackers would be able to disrupt every network. In today's information and technology environment, information security plays a vital role for most organizations. This is because information security protects the assets of an organization in various respects. Protecting the assets can cover many areas, such as securing resources, hardware, information and so on. For example, as students we should stay alert to security by running weekly virus scans to protect our computers, as they contain very important information.

Security involves not only hardware or tools but also areas such as executive protection, international security, trade protection, industrial security, background investigation, IT security, computer forensics, and cyber security. According to Smith (2010), information security management enables information to be shared while ensuring protection of that information and its associated information technology equipment, including the network over which the information travels.

From this definition we can see that the meaning is broad: it covers not only the care of valuable assets but also the overall practices. This shows that it is best practice for both individuals and organizations to implement overall information security management in order to avoid threats that we might be unaware of. An example is the cyber threat of online card fraud that occurred recently in the United States, where the company Barnes & Noble reportedly discovered on or about 14 September that its card readers had been implanted with malware that allowed a group of cyber thieves to intercept credit and debit card data (Wired Times, 2012).

Methodology

While completing this term paper, several methods were used to gather sources from various sides. The first method was observation, through electronic media and the mass media, of current issues regarding cyber threats or cyberism all around the world. Apart from that, to deepen our understanding of information security, we referred to the literature through various journals and websites. Another method we used was discussion among members to exchange our views regarding information security, besides making reference to printed books.

Definitions and concepts of Ethics

There are various definitions of information security. According to the website security.com, information security is not limited to physical hardware but is wider: the field of security management involves work in areas such as counter-terrorism, executive protection, international security, trade protection, industrial security, background investigation, IT security, computer forensics, and cyber security.

A security information management system (SIMS) automates that practice. Although there are different views, the meaning is not limited to certain assets but also covers the overall management or practices of protecting information.

There are three main goals of information security: confidentiality, integrity, and availability. The first concept is confidentiality, which can be defined as information not being made available or disclosed to unauthorized individuals, that is, without the owner's permission (Hostland, Enstad, Eilertsen etc., 2010). In short, this definition concerns the situation where information is read or copied by someone not authorized to do so. For some types of information, confidentiality is a very vital attribute. An example is the data or medical record of a certain person. Once a medical record is released, it must not be spread to another person without the permission of the owner. It is kept confidential for as long as it is supposed to be. Another example is that in certain cases there may be a legal obligation to secure the privacy of individuals. This is particularly true for banks and loan companies that have customers or issue credit.

Apart from that, another goal is integrity, which is defined as the property of safeguarding the accuracy and completeness of assets (Hostland, Enstad, Eilertsen etc., 2010). Information can be corrupted when it is available on an insecure network. Integrity is lost once information is modified in unexpected ways, meaning that unauthorized changes are made to the information, whether by human error or intentionally. Integrity is particularly important for critical safety and financial data used in activities such as electronic funds transfers, air traffic, and financial accounting.

Loss of availability refers to the situation where information is erased or becomes inaccessible. This is the opposite of the availability concept. It means that people who are authorized to get information cannot get what they need. Availability is often the most important attribute in service-oriented businesses that depend on information. An example is passengers who wish to check their airline schedules: they need to access, and depend on, current information at the right time. Besides that, availability of the network itself is important to anyone who relies on a network connection, such as students. When students cannot access the network for registration purposes or for specific services provided on the network, they experience a denial of service. From my understanding this is known as loss of availability.

4.0 Cyber Crimes

CYBER DEFAMATION: The criminal sends emails containing defamatory matter to all concerned with the victim, or posts the defamatory matter on a website.

PHISHING: A technique of pulling out confidential information from the bank.

NET EXTORTION: Copying the company's confidential data in order to extort said company for a huge amount.

CREDIT CARD FRAUD: Hackers can misuse the card by impersonating the credit card owner.

IRC CRIME: Internet Relay Chat servers have chat rooms in which people from anywhere in the world can come together and chat with each other, criminals included.

SOFTWARE PIRACY: Theft of software through the illegal copying of genuine programs or the counterfeiting and distribution of products intended to pass for the original.

VIRUS DISSEMINATION: Malicious software that attaches itself to other software.

DENIAL OF SERVICE ATTACK: The criminal floods the bandwidth of the victim's network or fills his e-mail box with spam mail.

HACKING: Illegal intrusion into a computer system without the permission of the computer owner/user.

Figure 1: Types of cyber crimes diagram

5.0 Standard for Information Security

According to the information security standard journal (2008), the International Organization for Standardization (ISO), established in 1947, is a non-governmental international body that collaborates with the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU) on information and communications technology (ICT) standards. Several ISO security standards are commonly referenced.

ISO/IEC 27002:2005 (Code of Practice for Information Security Management)

This code is an international standard that was originally laid down by the British Standards Institute (BSI). ISO/IEC 27002:2005 refers to a code of practice for information security management, and is intended as a common basis and practical guideline for developing organizational security standards and effective management practices. This code gives several guidelines and best-practice recommendations for 10 security domains, including security policy, organisation of information security, asset management, human resources, physical and environment, operation and management, and so on.

ISO/IEC 27001:2005 (Information Security Management System - Requirements)

The international standard ISO/IEC 27001:2005 has its roots in the technical content. This standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within an organization, including business enterprises, government agencies and so on. It is designed to ensure the selection of adequate and balanced security controls to protect information assets.

ISO/IEC 13335 (IT Security Management)

ISO/IEC 13335 was initially a Technical Report (TR) before becoming a full ISO/IEC standard. It consists of a series of guidelines for technical security control measures.

a) ISO/IEC 13335-1:2004 documents the concepts and models for information and communications technology security management.

b) ISO/IEC TR 13335-3:1998 documents the techniques for the management of IT security. This is under review and may be superseded by ISO/IEC 27005.

c) ISO/IEC TR 13335-4:2000 covers the selection of safeguards (i.e. technical security controls). This is under review and may be superseded by ISO/IEC 27005.

d) ISO/IEC TR 13335-5:2001 covers management guidance on network security. This is also under review, and may be merged into ISO/IEC 18028-1, and ISO/IEC 27033.

6.0 Challenges in Information Security for Organizations/Individuals

Some current security challenges have been recognized in the information security environment. These challenges can be seen in fields such as privacy, security and privacy in the cloud and Internet, forensics and security standards.

6.1 Security and privacy in the cloud and Internet.

The first challenge that has been recognized is security and privacy in the cloud and Internet. Corporations and individuals are often concerned about how security and compliance integrity can be maintained in this new environment, even as leveraging cloud computing brings many significant benefits. Given the various benefits that cloud computing offers, not the least of which is the significant savings in costs, cloud computing may be adopted without serious consideration of the security implications.

6.2 Privacy

Privacy is already a prime concern in today's information society. The challenge now is to design pervasive computing systems that include effective privacy protection mechanisms. The controls focus on information privacy as a value that is different from, but is highly interrelated with, information security. Organizations cannot have effective privacy without a solid foundation of information security. However, privacy is more than security and confidentiality, and also includes the principles of, for example, transparency, notice and choice (secure state.com, 2011).

6.3 Digital forensics

Another challenge is digital forensics, which is defined by Francia (2005) as a scientifically proven method for the investigation of computers and other digital devices believed to be involved in criminal activities. Digital forensics is used to produce evidence that is admissible in a court of law, so proper digital forensic procedures or processes should be followed, in order to respect ethics as well. Work in digital forensics covers a wide variety of areas; for example, law enforcement needs to produce compelling and legally recognized evidence, while military intelligence needs might require quick action based on a limited amount of information.

6.4 Security Standard

Securing information system resources is extremely important in ensuring that the resources are well protected and do not leak important data. Information security is not just a simple matter of having usernames and passwords. It cannot be denied that some proposals for information security management already exist, all of them created by international organizations for standardization as guidelines on the misuse of information rights. The protection of personal data takes on a particularly special relevance in sectors such as the health sector.

7.0 Recommendations to Address the Challenges in Securing Information for Organizations/Individuals

In response to these challenges, several recommendations are proposed below to improve the adoption of information security within organizations.

7.1 Considerations About Policy

Policy is a vital element within an organization. A statement of policy provides sufficient information for implementation under actual conditions, so it is applied by all staff within an organization during their work. It should be noted that every person involved in the management and operation of an information system is responsible, including business officers, system administrators, and also customers of the system.

A policy is established as a written statement of the basic procedures or guidelines under which certain areas of management, such as information security, are maintained. The information assets to be secured against the risk of being unknowingly exposed (unauthorized access, and destruction, extraction and leakage of data and other malicious actions) should be specified.

In brief, there are several recommendations regarding the implementation of a general information security policy within an organization:

Top management is responsible for ensuring that the information security policy, as well as guidelines and standards, are utilized and acted upon.

Top management ensures the availability of sufficient training and information material for all users, in order to enable the users to protect the organization's data and information systems.

The security policy shall be reviewed and updated annually or when necessary, in accordance with principles described in ISO/IEC 27001.

All important changes to any organizational activities, and other external changes related to the threat level, should result in a revision of the policy and the guidelines relevant to the information security training.

7.2 Training

An effective information security awareness training program is a key part of defense in depth and of a strong organizational information security posture. Its purpose is to educate and train one of the weakest links in the information security posture. It is good for any organization to provide some form of awareness training for employees or end users who handle valuable assets, so it is best practice to implement such a program. There are several types of security training program, and staff in the organization should join such programmes to broaden their knowledge of information security.

Laws (protection): Create awareness training to inform personnel, including contractors and other staff or customers of information systems that support the operations and assets of the agency, of the information security risks associated with their activities and of their responsibilities in complying with agency policies and procedures designed to reduce any problem.

Regulations/Industry Requirements: The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound security practices (secure state.com, 2011).

Frameworks: Management, on behalf of the organization, educates and trains customers to satisfy IT needs by using applications and technology effectively and efficiently, and makes sure that policies and procedures are obeyed.

7.3 Protection against malicious code

Software and associated controls must be implemented in any organization to prevent and detect the introduction of malicious code. The introduction of malicious code, such as a virus, network worm program or Trojan horse, can cause serious damage to networks, workstations and business data. Staff or users must be made aware of the dangers of unauthorized or malicious code. Security controls must be implemented to detect and prevent a virus from being introduced to the work environment within the organization, and virus scanning must be kept actively updated to avoid any data crime.

7.4 System security checking

Systems and services operated within the organization must undergo technical security review to ensure compliance with implementation standards and to check for vulnerabilities to subsequently discovered threats. Reviews of systems and services that are essential to supporting a critical information security function within the organization must be conducted at least once every year. Once the review has been done, the findings must be reported to IT personnel and corrected immediately to improve the level of security management and keep the data or information secure.

7.5 Management of risk

Staff within the organization should equip themselves with knowledge of information backup or recovery plans. This is to ensure that the organization's business is well planned and runs smoothly, and that if a mistake or error occurs while conducting the business, they know how to handle it. This is also the risk management skill that staff should have in order to adapt to any immediate change, by having a backup plan ready in case of system error or misuse of information involving an unauthorized person.

7.0 Conclusion

In conclusion, the Internet is not a single network but a worldwide collection of loosely connected networks that are accessible by individual computer hosts, which can reach any point on the Internet without regard to national or geographic boundaries or time of day. We should be alert that with all this convenient access to information come risks. So it is good practice to apply good information security management, as it covers the overall practice of securing information, together with the standards we have referred to. Apart from that, we as students and future employees should be prepared with knowledge of information security so that we can adapt to the challenges in the future.

8.0 References

Hostland, K., Enstand, P., Eilerstsen, O., Boe, G. (2010). Information system security: best document practices. Retrieved 25 April 2013 from http://www.terena.org/activities/campus-bp/pdf/gn3-na3-t4-ufs107.pdf

Pesante, L. (2008). Introduction to Information Security. Carnegie Mellon University.

Secure State.com (2011). Information security policy. Retrieved 25 April 2013 from http://blog.securestate.com/people-are-people-implementing-information-security-policy-to-address-weakness-in-human-nature/

Smith, D. T. (2003). Information security policy. Retrieved 23 April 2013 from http://www.cyber-security-policy-v3.pdf.

n.d. (2008). Overview of the information standard. Retrieved 25 April from http://www.networkworld.com/news/2006/030706-government-cio-survey.html


