Ethics, Privacy, and Information Security
Chapter 3, Introduction to Information Systems
Marcello Singadji (singadji@gmail.com)

Learning Objectives
- Describe the major ethical issues related to information technology and identify situations in which they occur.
- Identify the many threats to information security.
- Understand the various defense mechanisms used to protect information systems.
- Explain IT auditing and planning for disaster recovery.

Topics
- Ethical Issues
- Threats to Information Security
- Protecting Information Resources
Ethical Issues
Cases
- 2001: duplication of the klikbca.com site
- 2004: KPU data tampered with
- 2013: ATMs broken into by a pair of siblings

Ethical Issues
Ethics refers to the principles of right and wrong that are used to make choices about how to behave.
A code of ethics is a set of principles that guides decision-making by the members of an organization.

Fundamental Tenets of Ethics
- Responsibility means that you accept the consequences of your decisions and actions.
- Accountability refers to determining who is responsible for the actions that were taken.
- Liability is a legal concept that gives a person the right to remedy what has happened (restoration of one's good name).

Unethical vs. Illegal
What is unethical is not necessarily illegal.
- Should an organization monitor its employees' use of the web and e-mail?
- What if the organization sells customer information to other companies?
- What if the organization's computers run pirated software and hold downloaded films and music?

The Four Categories of Ethical Issues
- Privacy issues: collecting, storing, and disseminating information about individuals.
- Accuracy issues: the authenticity, fidelity, and accuracy of information that is collected and processed.
- Property issues: the ownership and value of information.
- Accessibility issues: who should have access to information and whether they should have to pay for this access.
Threats to Information Security
Factors Increasing the Threats to Information Security
- Today's interconnected, interdependent, wirelessly networked business environment
- Government legislation
- Smaller, faster, cheaper computers and storage devices
- Decreasing skills necessary to be a computer hacker
- International organized crime taking over cyber-crime
- Downstream liability
- Increased employee use of unmanaged devices
- Lack of management support

Key Information Security Terms
Organizations have many information resources (for example, computers and information, information systems and applications, databases, and so on). These resources are vulnerable to threats.
- Threat
- Exposure (of information)
- Vulnerability (susceptibility to a threat)
- Risk: the likelihood that a threat will occur
- Information systems controls: procedures or software intended to prevent threats to the system
Security Threats
Categories of Threats to Information Systems (Whitman and Mattord, 2003)
Unintentional acts
- Human errors
- Natural disasters
- Technical failures: problems with hardware and software
- Management failures: a lack of funding for information security efforts and a lack of interest in those efforts
Deliberate acts
- Software attacks (for example, viruses and hacking)
- Identity theft
Protecting Information Resources
Risk!! There is always risk!
Risk Management
- Risk analysis
- Risk mitigation: risk acceptance, risk limitation, risk transference
- Controls evaluation

Controls
- Physical Controls
- Access Controls
- Communications Controls
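The slides list the three mitigation strategies without showing how the choice is made. The following example, added here and not part of the original deck, uses the standard annualized loss expectancy formula (asset value x exposure factor x annual rate of occurrence, an assumption the slides do not spell out) to run a risk analysis, evaluate candidate controls against their cost, and select acceptance, limitation, or transference. All figures are constructed.

```python
# Added example (not from the slides): quantitative risk analysis feeding a
# risk-mitigation decision. ALE = asset value x exposure factor x ARO is a
# standard formula assumed here; the figures below are constructed.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float      # value of the asset at risk
    exposure_factor: float  # fraction of the asset lost per incident (0..1)
    aro: float              # expected incidents per year

    def ale(self) -> float:
        """Annualized loss expectancy with no control in place."""
        return self.asset_value * self.exposure_factor * self.aro


@dataclass
class Option:
    name: str
    strategy: str               # "limitation" (a control) or "transference" (insurance)
    annual_cost: float
    aro_reduction: float = 0.0  # fraction of incidents the option prevents
    ef_reduction: float = 0.0   # fraction of the loss the option prevents or covers


def residual_ale(risk: Risk, option: Option) -> float:
    """ALE that remains after the option is applied."""
    return (risk.asset_value * risk.exposure_factor * (1 - option.ef_reduction)
            * risk.aro * (1 - option.aro_reduction))


def net_benefit(risk: Risk, option: Option) -> float:
    """Controls evaluation: loss avoided per year minus what the option costs."""
    return risk.ale() - residual_ale(risk, option) - option.annual_cost


def decide(risk: Risk, options: list) -> tuple:
    """Pick the option with the largest positive net benefit. If no option pays
    for itself, the rational strategy is risk acceptance."""
    best = max(options, key=lambda o: net_benefit(risk, o), default=None)
    if best is None or net_benefit(risk, best) <= 0:
        return "acceptance", None
    return best.strategy, best.name


# Constructed sample: one risk and three candidate options
RANSOMWARE = Risk("ransomware on file server", asset_value=200_000, exposure_factor=0.5, aro=0.2)
OPTIONS = [
    Option("offline backups + EDR", "limitation", annual_cost=8_000, aro_reduction=0.5, ef_reduction=0.6),
    Option("cyber insurance", "transference", annual_cost=12_000, ef_reduction=0.8),
    Option("full hot-site rebuild", "limitation", annual_cost=25_000, aro_reduction=0.9),
]
```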
Physical Controls
Access Controls Authentication
Access Controls: Authorization
- Privilege
- Least privilege

Communications Controls
- Firewalls
- Anti-malware systems
- Whitelisting and blacklisting
- Intrusion detection systems
- Encryption
Firewall
Encryption
Digital Certificates
Communications and Network Controls
- Virtual Private Networking
- Secure Socket Layer (SSL)
- Vulnerability Management Systems
- Employee Monitoring Systems

A virtual private network (VPN) is a private network that uses a public network (usually the Internet) to connect users. As such, VPNs integrate the global connectivity of the Internet with the security of a private network and thereby extend the reach of the organization's networks.

Secure socket layer, now called transport layer security (TLS), is an encryption standard used for secure transactions such as credit card purchases and online banking. TLS is indicated by a URL that begins with https rather than http, and it often has a small padlock icon in the browser's status bar. TLS encrypts and decrypts data between a Web server and a browser end to end.

Users need access to their organization's network from any location and at any time. To accommodate these needs, vulnerability management systems, also called security on demand, extend the security perimeter that exists for the organization's managed devices. That is, vulnerability management systems handle security vulnerabilities on unmanaged remote devices. Recall that we discussed the dangers inherent in using unmanaged devices earlier. Vendors of vulnerability management software include Symantec (www.symantec.com), Trend Micro (www.trendmicro.com), McAfee (www.mcafee.com), and Qualys (www.qualys.com).

Business Continuity Planning, Backup, and Recovery
- Hot site: a fully configured computer facility, with all services, communications links, and physical plant operations
- Warm site: includes computing equipment such as servers, but often does not include user workstations

Information Systems Auditing
- Auditors and audits
- Types: internal, external

How Is Auditing Executed?
- Auditing around the computer
- Auditing through the computer
- Auditing with the computer

Auditing around the computer means verifying processing by checking for known outputs using specific inputs. This approach is best used in systems with limited outputs. In auditing through the computer, inputs, outputs, and processing are checked. Auditors review program logic and test data. Auditing with the computer means using a combination of client data, auditor software, and client and auditor hardware. This approach allows the auditor to perform tasks such as simulating payroll program logic using live data.
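The three audit approaches applied to the payroll scenario the slide mentions, as an added example that is not part of the original deck. The client routine, the planted overtime defect (threshold of 45 hours instead of the assumed 40-hour policy), the auditor's re-implementation and all pay records are constructed; the point is that auditing around the computer with a few known cases misses the defect, while boundary test data and parallel simulation over live records expose it.

```python
# Added example (not from the slides): auditing around, through and with the
# computer on a constructed payroll routine. Assumed policy: 1.5x pay above
# 40 hours. The client code carries a planted defect: threshold 45, not 40.

def client_payroll(hours: float, rate: float) -> float:
    """Client's production logic, treated by the auditor as a black box."""
    overtime = max(0.0, hours - 45)          # planted defect: should be 40
    return round((hours - overtime) * rate + overtime * rate * 1.5, 2)


def auditor_payroll(hours: float, rate: float) -> float:
    """Auditor's independent implementation of the stated pay policy."""
    overtime = max(0.0, hours - 40)
    return round((hours - overtime) * rate + overtime * rate * 1.5, 2)


def audit_around(program, known_cases):
    """Around the computer: compare known inputs with expected outputs only;
    processing itself is never inspected. Returns the failing cases."""
    return [(h, r, exp) for h, r, exp in known_cases if program(h, r) != exp]


def audit_through(program, reference, test_hours, rate=10.0):
    """Through the computer: auditor-designed test data probing the policy
    boundary (40 h), where program logic is most likely to be wrong."""
    return [(h, rate) for h in test_hours if program(h, rate) != reference(h, rate)]


def audit_with(program, reference, live_records):
    """With the computer (parallel simulation): rerun live client data through
    auditor software and report every record that disagrees."""
    findings = []
    for emp, hours, rate in live_records:
        client, expected = program(hours, rate), reference(hours, rate)
        if client != expected:
            findings.append((emp, client, expected))
    return findings


# Constructed data. The known cases never exceed 40 h, so the limited-output
# check around the computer passes despite the defect.
KNOWN_CASES = [(40, 10.0, 400.0), (20, 15.0, 300.0)]
BOUNDARY_HOURS = [39, 40, 41]
LIVE_RECORDS = [("E1", 38, 12.0), ("E2", 42, 12.0), ("E3", 48, 20.0)]
```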
Reference
Introduction to Information Systems, Third Edition, R. Kelly Rainer Jr. and Casey G. Cegielski, Wiley