Secure
- 1. Ron Briggs UT-Dallas
Ethics and Security in
Information Management
• You run the Dallas County office of DHS. It's Monday morning of the week before you take off on a two-week vacation. You are reading your mail. There is a letter from the Information Systems division of the Office of the State Auditor. They will be visiting you three weeks from today to:
“review policies and procedures with respect to information security and ethics”
• Do you break into a cold sweat, or say ‘no sweat, we are in good shape’?
• What needs to be in place in order for you to enjoy a carefree vacation?
- 2. Ron Briggs UT-Dallas
The Ethical Issues in IT
• responsibility, accountability, and liability
– snow storm, roof collapses, people lose money
• privacy and open records
– is gov. e-mail private or a public record?
• intellectual property: trade secrets, copyright, patents
– more than controlling software copying
• appropriate use and ethical behavior
– avoid even the appearance of impropriety
• equity, access, and social impact
– the digital divide: is IT widening social and economic divisions?
• personal protection and health
– safety hazards in the workplace
Security is central to at least the first three.
Ethics is fundamental to the second three.
- 3. Ron Briggs UT-Dallas
Security Problem Areas
It's not a question of if, but of when!
– disasters strike (17%; includes equipment)
» external natural/man-made disasters
– disks, etc. fail
» internal equipment failures
– staff screw up (50%)
– employees abuse (14%)
– hackers/viruses attack (5%)
– criminals conspire (14%; mostly internal)
– somebody sues
(Numbers refer to one estimate of losses, by source)
- 4. Ron Briggs UT-Dallas
The Response
• prevention, prevention, prevention
• detection
• prosecution/suing
The majority of problems are internal not external!
Your biggest problem is trusted staff messing up!
Prosecution & suing are after the fact. They won’t
prevent the problem (or save your job)!
It's not luck, it's planning!
- 5. Ron Briggs UT-Dallas
Basic Concepts:
responsibility, accountability, liability
Responsibility: the personal issue
accepting the inherent costs and obligations of the
decisions you make
Accountability: the institutional issue
the ability to determine who took the responsible (or
irresponsible!) action
Liability: the legal issue
the ability to recover for the damage done to
individuals or organizations through a system of due
process
- 6. Ron Briggs UT-Dallas
The Three Dimensions of Security
• Confidentiality
– assuring that legally protected data is not disclosed to the
public
• Integrity
– assuring that info. is correct and protected from
unauthorized alteration
• Availability
– assuring that data is available to support the agency’s
mission and operations
» information recoverable
» operations continuable
- 7. Ron Briggs UT-Dallas
Strategies for Security
• security policy/procedures
– physical security:
» people: locks, cameras, exit/entry monitoring
» water: basement, pipes
» electricity: surge, UPS
» structures: no prefabs!
– system access control: logon
– database security systems and record/attribute level control
– data management policies (which must be known and followed)
» data ownership and responsibility assignation
» data classification: confidential, sensitive, public
• error control
– program development: independent user testing
– data entry
» one-time input/automated source capture
» validation rules
» duplicate data entry for verification
– journalling: tracking all accesses and changes by userID, date, time, etc. (audit trail)
– hardware/network/database monitoring: spotting trouble ahead of time (alarm)
– data audits
• disaster recovery
– back-ups: on-site & off-site
– mirroring/fault-tolerant systems
– hot sites/cold sites
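Three of the controls on this slide made concrete, as an added example that is not part of the original slides: a small Python record store that applies attribute-level access control using the slide's three data classifications, a data-entry validation rule, and a journal of every access and change by user, date and time. The roles and clearances, the client-record schema and the SSN format rule are constructed assumptions; who_changed() answers the accountability question ("who took the action?") raised on slide 5.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Classification levels from the slide; roles, clearances and the record schema are constructed.
LEVELS = {"public": 0, "sensitive": 1, "confidential": 2}
CLEARANCE = {"web_publisher": 0, "intake_clerk": 1, "caseworker": 2}
SCHEMA = {"case_id": "public", "name": "sensitive", "address": "sensitive",
          "ssn": "confidential", "diagnosis": "confidential"}
# Validation rule applied at data entry (error control on the slide); constructed format.
RULES = {"ssn": re.compile(r"\d{3}-\d{2}-\d{4}").fullmatch}

@dataclass
class Store:
    records: dict = field(default_factory=dict)
    journal: list = field(default_factory=list)  # the audit trail
    def _log(self, user, action, case_id, attr, old=None, new=None, ok=True):
        # Journal every access and change by user, date and time, refusals included.
        self.journal.append({"ts": datetime.now(timezone.utc).isoformat(),
                             "user": user, "action": action, "case_id": case_id,
                             "attr": attr, "old": old, "new": new, "allowed": ok})

    def _cleared(self, role, attr):
        # Attribute-level control: the role's clearance must reach the attribute's level.
        return CLEARANCE[role] >= LEVELS[SCHEMA[attr]]

    def read(self, user, role, case_id, attr):
        ok = self._cleared(role, attr)
        self._log(user, "read", case_id, attr, ok=ok)
        if not ok:
            raise PermissionError(f"{user} ({role}) may not read {attr}")
        return self.records[case_id][attr]

    def write(self, user, role, case_id, attr, value):
        ok = self._cleared(role, attr)
        valid = attr not in RULES or RULES[attr](value) is not None
        old = self.records.get(case_id, {}).get(attr)
        self._log(user, "write", case_id, attr, old, value, ok and valid)
        if not ok:
            raise PermissionError(f"{user} ({role}) may not write {attr}")
        if not valid:
            raise ValueError(f"{attr}={value!r} fails the validation rule")
        self.records.setdefault(case_id, {})[attr] = value

    def who_changed(self, case_id, attr):
        # Accountability: who last altered this attribute, and when.
        hits = [e for e in self.journal if e["action"] == "write" and e["allowed"]
                and (e["case_id"], e["attr"]) == (case_id, attr)]
        return (hits[-1]["user"], hits[-1]["ts"]) if hits else None
```

Refused reads and rejected writes are journalled alongside successful ones, so a data audit can see attempted as well as actual access.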
- 8. Ron Briggs UT-Dallas
Computer Systems v. Manual System
Is vulnerability increased?
• information is more highly concentrated, easier to gather and more difficult to control
• potentially accessed by many more people
• tools simplify and speed up copying/deletion of large quantities
• no paper back-up; cannot be replicated manually
• complex and invisible: difficult to test, audit or detect change
• more processing steps, therefore more error possibilities
- 9. Ron Briggs UT-Dallas
Trade-offs
• security versus information access
» internal v. external
» need-to-know
» data as power
• security versus convenience
» diminishing returns
• security versus service: risk assessment
» probability of occurrence
» institutional impact/cost of failure
Decisions for upper management, not IT folks!
- 10. Ron Briggs UT-Dallas
Ethics and Appropriate Use
Dealing with personal business (e-mail, phones, etc.)
• No financial gain or commercial purpose
• direct costs re-imbursed (e.g. long distance charges)
• does not impede agency operations (e.g. tie up scarce dial-in ports or slow response time)
• consumes incidental amounts of employee time (the coffee
break test)
Dealing with vendors
• no personal gain, incl. family and friends (the tee shirt test)
• all have the opportunity to be included
• follow required procedures e.g. open bidding
For the public sector, it’s a matter of law. For the private
sector, it’s determined by policy.
- 11. Ron Briggs UT-Dallas
Network Security: Needs
applications
– e-mail
– e-forms (internal business)
– EDI (electronic data interchange: external business)
management needs
– minimum manual intervention
– audit trails
– status and alarms
– immediate and comprehensive revocation
user needs
– access control
– user transparency
data needs
– confidentiality (secret)
– integrity (secure: no change)
– authenticity (sender known)
– non-repudiation (delivery confirmed)
Security concerns intensify.
- 12. Ron Briggs UT-Dallas
Network Security: Methods
Network
– closed network
– perimeter security (firewalls)
– object protection
User Access
– passwords (n times)
– smart cards (one time)
– user identification (fingerprint; eyeballs)
User exchange
– encryption (for confidentiality and integrity)
» clipper chip / back door
– public/private keys (for authenticity)
- 13. Ron Briggs UT-Dallas
The Special Case of Telecom Security
Telephone Fraud--$2 billion plus per year
Examples:
• card sharps
• shoulder surfing
• dumpster diving
• sweet talk codes/lines
• hacking
• internal trouble
Do you even know it?
Personal use
• illegal for gov.
• costly for private sector
Watch out for:
• international
• 1-900