Paper Example on Legal Issue in Information Security

Paper Type:  Case study
Pages:  6
Wordcount:  1553 Words
Date:  2022-08-14

Introduction

Information in this information age is what defines us. It is the output of human intellectual ventures. The development of a new society is based on information that is exchanged between different users. The information society has implications for human operations, individuals, and collective responsibility, in addition to the environment. Information affects human life, has led to the emergence of new technologies, and has revolutionized how people live and communicate with others. Despite the inherent benefits of information technology, it is important to ensure that it follows the necessary ethics to prevent harm to others. It is, therefore, necessary to promote security that ensures the information is trustworthy and the technologies employed have integrity (Nemati 2007). This will promote the ethical application of information. It, therefore, means that information security and its ethical utilization should be evaluated in synergy. From this description, information security and ethics entail the activities necessary to safeguard information and systems to ensure ethical utilization. This paper examines information security and ethical use as they relate to InfoSec. It evaluates ethical issues for cyber-security as they relate to InfoSec events in which information confidentiality, integrity, and availability were compromised.

Ethical Issues for Cyber-Security

Ethical Guidelines or Standards

Information security has three primary objectives: ensuring confidentiality, integrity, and availability. This introduces the issue of an ethical approach to the privacy protection of data or information. Ensuring privacy and security is based on trust. A violation of privacy entails a risk, which translates to a security threat (Lee 2016). The law provides solutions when ethics falls short. A breach of security means trust is eroded, resulting in the risk of security reduction or loss. It is viewed as a disregard for the law and a breach of ethical principles. Information privacy concerns various factors such as access, use, and collection of information.

Justification of Standards or Guidelines

The use of information technology should be in a context where those using the tools and information are held accountable for their actions. This is based on ensuring information confidentiality, integrity, and availability, and hence the privacy of information ("Guide to Securing Personal Information," 2018). The utilization of information security guidelines or standards ensures that information is safeguarded from breach and that ethics are upheld. Various organizations have taken on ethical obligations to implement guidelines to ensure information security. For instance, Massachusetts law has implemented measures that obligate individuals who collect personal information to use information security measures (Dimov 2017). Such measures include encryption of transmitted information and a requirement that people collecting the information use encryption. Another example is Vodafone Hutchison Australia, which was investigated; it was established that there was a lack of control over information despite the use of measures such as shared logins ("Guide to Securing Personal Information," 2018). The company decided to improve its security systems by ensuring the use of IDs and passwords by everyone.

Description of Unethical Behaviors

In this situation, the unethical practices were the result of behaviors, or omissions of behaviors, by key employees. This was despite the execution of a non-disclosure agreement with the client. The key people who fostered this case include:

Chief Information Security Officer (CISO): The officer failed to institute documentation on internal oversight. This meant there was no evidence of audits of user accounts, evaluation of privilege escalation, or data loss prevention strategies for sensitive documents. The officer also did not adopt surveillance of internal network traffic and activities. This meant that information security was compromised.

Carl Jasper (head of the Application Division): He was the most involved in behaviors or omissions of behaviors that resulted in unethical practices. He made relationships with competitor organizations and would give them access to information. Additionally, he made recommendations for promotion to promote social relationships. He was involved in the creation of accounts that were a conduit for the transfer of money.

Marketing/Sales Unit: The group has not implemented means that ensure IT segmentation of the two units. It, therefore, means there is no accountability for who uses the client information, due to complete visibility and access.

Sarah Miller: A senior analyst who was involved in unethical behavior by conducting unauthorized surveillance on other employees, departments, and companies.

IT Security Analyst, Nadia Johnson: There existed an unethical relationship between her and Jasper, who was the head of the Application Division. It is not appropriate to have social relationships between Nadia, who is an IT security staff member, and those over whom she performs oversight, such as Jasper.

Factors to Lax Ethical Behavior

Several core factors at TechFite promoted negligent ethical behavior. These factors include:

Lack of oversight: There was a lack of oversight, especially concerning the documentation of internal oversight. The company failed to keep evidence of audits on user accounts; there was no data loss prevention concerning sensitive information and no assessment of privilege increase. This increases the possibility of the alleged abuse.

Lack of measures to safeguard sensitive information: The company lacked appropriate practices to prevent threats to the sensitive and proprietary information of existing clients, potential clients, and previous clients.

Lack of a policy to control social relationship: TechFite lacks a policy that controls social relationships between employees. For instance, there is an inappropriate relationship between auditors and those they are supposed to audit.

Lack of strategies to control access and security of information: This meant some employees with increased privileges could access information both internally and externally without official authorization.

Mitigation of Problems and Building Security Awareness

Information Security Policies

The information provided by the TechFite case study presents a case of threats to intellectual activity, criminal activity, and negligent acts. Information security policies can be implemented to prevent these instances. These include:

The education of staff on security policies, information security, and security threats: It entails prevention by educating employees on security policies and procedures. Compulsory training of employees is a critical step in the reduction and prevention of such threats (Todev 2018).

Protection of the infrastructure: Protection from intellectual activity, criminal activity, and negligent acts entails an emphasis on protection of the IT infrastructure. This can be accomplished through implementation of a 5-phase process which includes identifying, preventing, controlling, detecting, and incident response to information technology threats.

Implementation of audits on operating activities and efficiency of controls: It entails an assessment of the effectiveness of controls to mitigate threats (Todev 2018). The company needs to develop processes and policies to continuously prevent such cases.

SATE Key Components

An effective SATE Communication entails the development of an information technology security policy that caters for business needs and information stakeholders in their IT responsibilities (Wilson & Hash 2003). It also involves the establishment of the process necessary to monitor and review the program at TechFite. The components of this program include:

Awareness: It does not involve training but focuses on attention to security. It intends to allow employees to gain the ability to determine security concerns and respond appropriately.

Training: The program involves the production of necessary and required security skills and expertise.

Education: It incorporates the various security skills and expertise provided by various specialties into a common unit. The objective is developing specialists and professionals in the organization that can respond actively (Wilson & Hash 2003).

SATE Communication

To implement the program successfully, it is essential to ensure effective communication to the employees to gain their support. It entails an explanation of the expectations of employees and the expected outcomes and benefits of the program (Wilson & Hash 2003). The centralized program model of communication can be implemented at TechFite to ensure communication. In this model, the IT security manager formulates the company's security awareness and training policy. A strategy and program plan are formulated and then implemented. After the program is approved by senior management, it is communicated to various units within the organization. The unit managers are given the mandate to communicate the program to the staff.

SATE Relevance

A SATE program is essential in the mitigation of undesirable behaviors at TechFite. This is because it helps in the development of critical competencies, new methods, and techniques to enable the company to address present and potential information technology issues (Aloul 2012). The implementation of a SATE program introduces a level of maturity in the incident response context and enhances the IT infrastructure of the company. Such a program significantly enhances the IT security risk status of the organization.

References

Aloul, F. (2012). The Need for Effective Information Security Awareness. Journal of Advances in Information Technology, 3(3). doi: 10.4304/jait.3.3.176-183

Dimov, D. (2017). Cybersecurity as an ethical obligation. Retrieved from https://resources.infosecinstitute.com/cybersecurity-ethical-obligation/

Guide to securing personal information. Office of the Australian Information Commissioner - OAIC. (2018). Retrieved from https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information

Lee, W. (2016). An Ethical Approach to Data Privacy Protection. Retrieved from https://www.isaca.org/Journal/archives/2016/volume-6/Pages/an-ethical-approach-to-data-privacy-protection.aspx

Nemati, H. (2007). Information Security and Ethics: Concepts, Methodologies, Tools, and Applications. Retrieved from https://www.researchgate.net/publication/237344283_Information_Security_and_Ethics_Concepts_Methodologies_Tools_and_Applications

Todev, N. (2018). 3 Solutions to Protect Against Insider Threats in Cybersecurity. Retrieved from https://www.onr.com/blog/insider-threat-solutions-in-cybersecurity/

Wilson, M., & Hash, J. (2003). Building an Information Technology Security Awareness and Training Program. Retrieved from https://www.gpo.gov/fdsys/pkg/GOVPUB-C13-4d26ff2feda06aad73faa751e4b5de78/pdf/GOVPUB-C13-4d26ff2feda06aad73faa751e4b5de78.pdf

Cite this page

Paper Example on Legal Issue in Information Security. (2022, Aug 14). Retrieved from https://proessays.net/essays/paper-example-on-legal-issue-in-information-security
