What does it mean for an individual to act ethically?
It means that the individual is acting in accordance with the code of behavior defined by the group to which the individual belongs.
What does it mean for an organization to act ethically?
It means that the organization is overall acting in accordance with the code of behavior defined by the group for every individual within.
morality
social conventions about right and wrong that are so widely shared that they become the basis for an established consensus
Five Step Decision Making Process
- Define the problem
- Identify alternatives
- Choose an alternative
- Implement the decision
- Monitor the results
ethics
a set of beliefs about right and wrong behavior within a society
virtues
habits of acceptable behavior
code of principles
a person who acts with integrity acts in accordance with a personal what?
morals
one's personal beliefs about right and wrong
Corporate Social Responsibility
the concept that an organization should act ethically by taking responsibility for the impact of its actions on the environment, the community, and the welfare of its employees
Supply Chain Sustainability
focuses on developing and maintaining a supply chain that meets the needs of the present without compromising the ability of future generations to meet their needs
reputation
The public ___ of an organization strongly influences the value of its stock, how consumers regard its products and services, the degree of oversight it receives from government agencies, and the amount of support and cooperation it receives from its busi
corporate ethics officer
provides the organization with vision and leadership in the area of business conduct
law
system of rules that tells us what we can and cannot do
Section 406 of the Sarbanes-Oxley Act
requires public companies to disclose whether they have codes of ethics and disclose any waiver to their code of ethics for certain members of senior management
Sarbanes-Oxley Act
Federal legislation passed in 2002 that sets higher ethical standards for public corporations and accounting firms. Key provisions limit conflict-of-interest issues and require financial officers and CEOs to certify the validity of their financial stateme
Mission Statement
highlights an organization's key ethical issues and identifies the overarching values and principles that are important to the organization and its decision-making process
social audit
enables an organization to review how well it is meeting its ethical and social responsibility goals, and communicate new goals for the upcoming year
problem definition
makes employees more aware of a company's code of ethics and how to apply it, as well as demonstrates that the company intends to operate in an ethical manner
most important part of the decision making process
development of a problem statement
common good approach
the approach to ethical decision making is based on a vision of society as a community whose members work together to achieve a common set of values and goals
problem statement
clear, concise description of the issue that needs to be addressed
vice
habit of unacceptable behavior
A professional is someone who:
- requires advanced training and experience
- must exercise discretion and judgment in the course of his or her work
- does work that cannot be standardized
the mission of the Business Software Alliance
stop the unauthorized copying of software produced by its members
whistle-blowing
an effort by an employee to attract attention to a negligent, illegal, unethical, abusive, or dangerous act by a company that threatens the public interest
fraud
the crime of obtaining goods, services, or property through deception or trickery
compliance
means to be in accordance with established policies, guidelines, specifications, or legislation
Society expects professionals to act in a way that:
- causes no harm to society
- provides significant benefits
- establishes and maintains professional standards that protect the public
internal audit
most organizations have a team with primary responsibilities to determine that internal systems and controls are adequate and effective
certification
a process that one undertakes voluntarily to prove competency in a set of skills
Senior management (including members of the audit committee) has the option of ignoring or suppressing recommendations of the internal audit committee. True or False?
true
negligence
has been defined as not doing something that a reasonable person would do, or doing something that a reasonable person would not do
professional code of ethics
states the principles and core values that are essential to the work of a particular occupational group
Software & Information Industry Association (SIIA)
promotes the common interests of the software and digital content industries
BSA | The Software Alliance
funded through member companies' dues and through settlements from companies that commit piracy
trade secret
information that a company has taken strong measures to keep confidential
conflict of interest
a conflict between the IT worker's (or the IT firm's) self-interest and the client's interests
Misrepresentation
The misstatement or incomplete statement of a material fact.
breach of contract
occurs when one party fails to meet the terms of a contract
material breach of contract
occurs when a party fails to perform certain obligations, thus impairing or destroying the essence of the contract
bribery
the act of providing money, property, or favors to obtain a business advantage
internal control
the process established to provide reasonable assurance for the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations
separation of duties
the act of ensuring that different aspects of processes involving financial transactions are handled by different people
Foreign Corrupt Practices Act (FCPA)
makes it a crime to bribe a foreign official, a foreign political party official, or a candidate for foreign political office
resume inflation
lying on a resume about one's qualifications
government license
permission to engage in an activity or to operate a business
body of knowledge
for a given profession--outlines an agreed-upon set of skills and abilities that all licensed professionals must possess
duty of care
the obligation to protect people against unreasonable harm or risk
reasonable person standard
a standard used by courts to evaluate how an objective, careful, and conscientious person would have acted in the same circumstances
reasonable professional standard
used to measure the actions of professionals who have particular expertise or competence
breach of the duty of care
the failure to act as a reasonable person would act
professional malpractice
the liability of professionals who breach the duty of care, resulting in negligent care and injuries
firewall
hardware or software that serves as the first line of defense between an organization's network and the Internet; also limits access to the company's network based on an Internet-usage policy
malware infection
most common security incident
Computer security incidents occur around the world, with personal computer users in developing countries being exposed to the greatest risk of their computers being infected by malware. True or False?
true
exploit
an attack on an information system that takes advantage of a vulnerability
virtualization software
operates in a software layer that runs on top of the operating system and enables multiple virtual machines, each with its own operating system, to run on a single computer
The number of new software vulnerabilities identified has steadily increased every year since 2006. True or False?
true
zero-day attack
Takes place before the security community or software developer knows about the vulnerability or has been able to repair it
CAPTCHA
software that generates and grades tests that humans can pass but that all but the most sophisticated computer programs cannot
ransomware
a form of malware that, if a user unknowingly downloads it to his or her smartphone, takes control of the device and its data until the owner agrees to pay a ransom to the attacker
distributed denial of service
attack in which a malicious hacker takes over computers via the Internet and causes them to flood a target site with demands for data and other small tasks
trojan horse
malicious code hidden inside a seemingly harmless program
botnet
a large group of computers controlled from one or more remote locations by hackers, without the knowledge or consent of their owners
risk assessment
the process of assessing security-related risks from both internal and external threats to an organization's computers and networks
IT security audit
an overview of an organization's security policy or security standards
trustworthy computing
a method of computing that delivers secure, private, and reliable computing experiences
security policy
the written statement that defines an organization's security requirements as well as the controls and sanctions used to meet those requirements
Implementation of a strong firewall provides adequate security for almost any network
false
In a security incident, the primary goal must be to monitor and catch the intruder
false
Bring your own device (BYOD)
business policy that permits employees to use their own mobile devices to access company computing resources
virus
a piece of programming code, disguised as something else, that causes a computer to behave in an unexpected and usually undesirable manner
logic bomb
executes when triggered by a specific event
blended threat
an attack that combines the features of a virus, worm, Trojan horse, and other malicious code into a single payload
spam
the use of email systems to send unsolicited email to large numbers of people
Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act
makes spam legal with certain restrictions--the email must include: a real return address, a label specifying that it is an ad or solicitation, and a way for recipients to opt out of future emails
rootkit
a set of programs that enables its user to gain administrator-level access to a computer without the end user's consent or knowledge
Advanced persistent threat (APT)
an attack in which an intruder gains access to a network and stays there--undetected--with the intention of stealing data over a period of weeks or months
phishing
the act of fraudulently using email to try to get the recipient to reveal personal data
spear phishing
a variation of phishing in which the phisher sends fraudulent emails to an organization's employees
smishing
a variation of phishing in which the victims receive a legitimate-looking text message telling them to call a specific phone number or log on to a website
vishing
a variation of phishing in which the victims receive a voice-mail message telling them to call a phone number or access a website
cyberespionage
the deployment of malware that steals data from government agencies, military contractors, political organizations, or manufacturing firms
cyberterrorism
the intimidation of a government or a civilian population by using IT to disable critical national infrastructure
Department of Homeland Security (DHS)
a federal agency whose goal is to provide for a safer, more secure America, resilient against terrorism and other potential threats
U.S. Computer Emergency Readiness Team (US-CERT)
a DHS and public/private sector partnership; serves as a clearinghouse for information on new security threats
CIA security triad
the confidentiality, integrity, and availability of systems and data
disaster recovery plan
a documented process for recovering an organization's business information system assets--including hardware, software, data, networks, and facilities--in the event of a disaster
mission-critical processes
business processes that are more pivotal to continued operations and goal attainment than others
next-generation firewall (NGFW)
a hardware or software based network security system that blocks attacks by filtering network traffic based on packet contents
router
a networking device that connects multiple networks and transmits data packets between networks
encryption
the process of scrambling messages or data in such a way that only authorized parties can read it
encryption key
a value that is applied to unencrypted text to produce encrypted text that is unreadable by those without the encryption key
Transport Layer Security (TLS)
a communications protocol that ensures privacy between communicating applications and their users on the Internet
proxy server
acts as an intermediary between a web browser and another server on the Internet
Virtual Private Network (VPN)
enables remote users to securely access an organization's computing resources and share data by transmitting and receiving encrypted data over public networks, such as the Internet
Intrusion detection system (IDS)
software and/or hardware that monitors system resources and activities and issues an alert when it detects network traffic attempting to circumvent security measures
virus signature
a specific sequence of bytes that indicates the presence of a previously identified virus
managed security service provider (MSSP)
a company that monitors, manages, and maintains computer and network security for other organizations
computer forensics
combines elements of law and computer science to collect, examine, and preserve data from computer devices and networks in a manner that preserves the integrity of the data gathered so it is admissible as evidence in court
Bill of Rights
purpose was to identify additional rights of individuals
discovery
part of the pretrial phase of a lawsuit in which each party can obtain evidence from the other party by various means
Like many other countries, the United States has developed a single, overarching national data privacy policy.
false
Fair Credit Reporting Act
enforced by the FTC and is designed to ensure the accuracy, fairness, and privacy of information in the files of credit-reporting companies and to check those systems that gather and sell information about people
The Fair and Accurate Credit Transactions Act allows consumers to request and obtain a free credit report once each year from each of the three primary consumer credit reporting companies.
true
HIPAA
under its provisions, healthcare providers must obtain written consent from patients prior to disclosing any information in their medical records
Children's Online Privacy Protection Act
a Web site that caters to children must:
- offer comprehensive privacy policies
- notify parents or guardians about its data collection practices
- receive parental consent before collecting any personal information from preteens
FERPA Act
a federal law that assigns certain rights to parents regarding their children's educational records
Katz v. United States
a famous court ruling that helped form the basis for the requirement that there be a reasonable expectation of privacy for the Fourth Amendment to apply
Foreign Intelligence Surveillance Act
describes procedures for the electronic surveillance and collection of foreign intelligence information in communications between foreign powers and agents of foreign powers. it also created a special court which meets in secret to hear applications for o
pen register
identifies the numbers dialed for outgoing calls
In 2011, the Department of Justice submitted 1,745 applications for electronic surveillance to the FISA court and none of those applications were denied.
true
USA PATRIOT Act
gave sweeping new powers both to domestic law enforcement and U.S. international intelligence agencies, including increasing the ability of law enforcement to search telephone, email, medical, financial, and other records
The European philosophy of addressing privacy concerns employs strict government regulation, including enforcement by a set of commissioners; it differs greatly from the U.S. philosophy of having no federal privacy policy
true
Fair Information Practices
a term for a set of guidelines that govern the collection and use of personal data
Nearly half the cost of a data breach is a result of lost business opportunity associated with customers whose patronage is lost due to the incident.
true
cookies
a text file that a Web site can download to a visitor's hard drive to identify visitors on subsequent visits
FTC
the agency that is responsible for protecting the privacy of U.S. consumers
right of privacy
the right to be left alone
information privacy
The combination of communications privacy and data privacy
Right to Financial Privacy Act
protects the records of financial institution customers from unauthorized scrutiny by the federal government
Gramm-Leach-Bliley Act (GLBA)
bank deregulation law that includes three personal privacy rules: financial privacy rule, safeguards rule, pretexting rule
opt out
customers can refuse to give the institution the right to share personal data with third parties
opt in
customers who do not take action to opt out automatically opt in
Fair and Accurate Credit Transactions Act
allows consumers to obtain a free credit report once each year from each of the three primary consumer credit reporting companies (Equifax, Experian, and TransUnion)
American Recovery and Reinvestment Act
Includes provisions related to electronic health records (EHRs):
- Bans the sale of health information
- Promotes the use of audit trails and encryption
- Provides rights of access for patients
Title III of the Omnibus Crime Control and Safe Streets Act
regulates the interception of wire and oral communications
Executive Order 12333
identifies the various U.S. governmental intelligence-gathering agencies, and defines what information can be collected, retained, and disseminated by these agencies
Electronic Communications Privacy Act (ECPA)
law passed as an amendment to Title III of the Omnibus Crime Control and Safe Streets Act
National Security Letter (NSL)
issued by the FBI director to an ISP; requires the ISP to provide various data and records about a service subscriber
NSL gag provision
prohibits NSL recipients from revealing that the government has requested an individual's records
trap and trace
a device that records the originating number of incoming calls for a particular phone number
Communications Assistance for Law Enforcement Act (CALEA)
required the telecommunications industry to build tools into its products for use by federal investigators, after obtaining a court order, to intercept communications
Foreign Intelligence Surveillance Act Amendments Act
Authorized intelligence gathering on individuals not affiliated with any known terrorist organization (so-called lone wolves)
Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008
Granted NSA expanded authority to collect international communications as they flow through U.S. telecom network equipment and facilities
PATRIOT Sunsets Extension Act of 2011
Law that granted a four-year extension of roving wiretaps and searches of business records; also extended authorized intelligence gathering on "lone wolves"
USA Freedom Act
Law passed following revelations by Edward Snowden of secret NSA surveillance programs
Fair information practices
a set of guidelines that govern the collection and use of personal data
transborder data flow
the flow of personal data across national boundaries
European Union Data Protection Directive
ensures that data transferred to non-European Union countries is protected
Freedom of Information Act (FOIA)
grants citizens the right to access certain information and records of federal, state, and local governments upon request
Privacy Act
sets rules for the collection, use, and dissemination of personal data kept by federal agencies
data breach
the unintended release of sensitive data or the access of sensitive data by unauthorized individuals
Electronic Discovery (e-discovery)
The collection, preparation, review, and production of electronically stored information for use in criminal and civil legal actions and proceedings.
Electronically Stored Information (ESI)
Any form of digital information stored on any form of electronic storage device
predictive coding
a process that couples human guidance with computer-driven concept searching in order to "train" document review software to recognize relevant documents
cyberloafing
using the Internet for purposes unrelated to work, such as posting to Facebook, sending personal emails or texts, or shopping online
Vehicle event data recorder (EDR)
a device that records vehicle and occupant data for a few seconds before, during, and after any vehicle crash severe enough to deploy the vehicle's air bags
Stalking app
software that can be loaded onto a cell phone or smartphone