Module 4 Use It
Ricky: I hadn't thought about that. We might need to talk to Karla because I heard Bo bragging about how he got some free software off the Web and installed it on his work computer.
You: Oh, that's dangerous. There's a one-in-three chance that unlicensed software like that carries malware. Yes, let's also check in with Karla about developing a(n) _______ to keep that from happening again.
An Internet use policy can detail permissions and restrictions for how employees can use the Internet.
Casey is working on a new virtual reality game that gives players a fully immersive experience in a war zone scenario. Players working in teams use simulated weapons to fire at enemy combatants while navigating around various battlefield scenes, complete with innocent casualties and explosive booby traps.
Thou shalt think about the social consequences of the program you write. (Casey is developing a virtual reality game that, due to its fully immersive experience of violent scenes and actions, could have a negative social impact on players and their communities. As a result, Casey should carefully consider the commandment Thou shalt think about the social consequences of the program you write.)
You're investigating a recent incident where an employee used their network account on a work computer to download pornographic material, which was saved to a company server and then inadvertently discovered by several other employees. Two of the other employees filed sexual harassment charges, and the employee being charged, Kurt, is currently on administrative leave until the investigation is complete. However, Kurt claims he wasn't involved with downloading the illicit files. He says other people in his department know his password, and someone must have used his account to download the files. What document should specify that users are not allowed to share their passwords with anyone else for any reason?
b. Acceptable use policy (An acceptable use policy (AUP) is a set of rules specifying the legal and ethical use of a system and the consequences for noncompliance. Most AUP documents will specify that the user is not allowed to share passwords with anyone else for any reason, including coworkers, vendors, friends, and family members.)
Kurt claims he was working on a last-minute project deadline at the time the files were downloaded. However, several months ago, Kurt's company deployed a security tool that prevents concurrent logins to the network. This means only one person at a time could log in using Kurt's credentials. If he was logged in to work on the project, no one else could use his password even if they knew it. What method is Kurt's company using to establish that Kurt is the responsible party for the downloaded material?
d. Nonrepudiation (Nonrepudiation is a method for binding all parties to a contract or proving that a particular person performed an operation or activity, such as when a notary validates a person's signature. By using Kurt's own testimony to confirm the identity of the person logged into the network using his credentials, the company can prove that Kurt is the only person who could have performed any activities from within his account. This method binds Kurt to the consequences of those actions, as defined by the acceptable use policy.)
When Marla signed onto her company's file server from the airport, her laptop immediately logged onto the server without her having to input her username and password. What kind of file on her computer contained the necessary information for this to happen?
Cookie (Cookies are small text files with unique ID tags that are embedded in a Web browser and saved on the user's hard drive. Whenever a user accesses the same domain, the browser sends the saved information to the Web server.)
You and your coworker, Ricky, are planning to develop a new application to track a manufacturing process at your company. You've already surveyed available applications on the market and decided that none of them offers the exact features you need, although a few of them get close.
Ricky: You know, we don't necessarily have to start from scratch. Maybe we can take one of these existing apps and just make the changes we need.
You: Software is protected by _____. We can't just copy it, even if we make some changes to it.
Copyright (Copyright laws protect materials such as Web pages, HTML code, computer graphics, and software code.)
As an IS worker, you must be familiar with laws that protect data privacy. These laws define details about what measures should be used to secure data and how a company must handle data breaches. Identify which data protection law is most relevant to each scenario.
FACTA = Roger's receipt shows only the last four digits of his credit card number
COPPA = Branson can't sign up for Facebook until he turns 13
HIPAA = Nancy must complete a form before her son can access her health insurance records
GDPR = Emma must report a data breach that has compromised account information for some of her company's European customers
(HIPAA (Health Insurance Portability and Accountability Act) protects the confidentiality of a patient's medical information and establishes safeguards to protect the privacy of health information. These controls apply to health insurers' computer records.
FACTA (Fair and Accurate Credit Transaction Act) protects consumers' credit information from the risks related to data theft, ensuring the proper disposal of information in consumer reports and records in order to protect against unauthorized access to or use of the information. For example, printed receipts must not show the consumer's full account number.
COPPA (Children's Online Privacy Protection Act) protects the privacy of children under the age of 13. For example, social media sites such as Facebook must restrict site users' access to certain kinds of content or disallow children under the age of 13 to use the site.
GDPR (General Data Protection Regulation) covers a series of laws to protect EU citizens' personal data including genetic data, health, racial or ethnic origin, and religious beliefs. EU citizen users must be notified regarding any type of data breach within 72 hours of breach discovery.)
Marla is traveling across the country to meet with a client. Before she leaves her office, she prints off some of the client's proprietary information so she can study the documents on the plane. On the taxi ride to the airport, she quickly responds to an email on her phone that contains confidential information, only to realize after hitting "Send" that she used Reply All instead of Reply. While waiting for her flight at the airport, she logs onto the airport Wi-Fi with her laptop to download two additional confidential files she forgot to print at the office. Leaking confidential data isn't always done on purpose. It's easy to make careless mistakes that potentially expose private information to the public or even to attackers. How many security-related mistakes are identified in the scenario that could expose company and client information?
Four (Marla made four identifiable mistakes related to potentially exposing her company's and clients' information to attack:
She printed proprietary information on documents that could easily be lost or improperly disposed of while traveling.
She used her mobile device to respond to an email containing confidential information.
She replied to unintended recipients when including confidential information.
She used public Wi-Fi to download sensitive files.)
Mika is walking into her office building when she finds a small USB flash drive sitting on the ground next to the sidewalk. She picks it up and carries it inside. Out of curiosity, she decides to see what's on the USB drive. Unfortunately, as soon as she opens the drive in File Explorer, a virus takes over her computer and locks down her user account.
Thou shalt not snoop around in other people's files. (Mika got a virus on her computer from the flash drive because she was trying to access files that didn't belong to her on a flash drive that was likely intended as bait. Therefore, Mika fell for the trap when she violated the commandment Thou shalt not snoop around in other people's files.)
A professional code of ethics can provide guidance when you face difficult decisions while working with information technology. One example of a code of ethics used in the technology industry is the "Ten Commandments of Computer Ethics" created by the Computer Ethics Institute. Identify which commandment is most relevant to the actions of the character introduced in each scenario.
Edgar slams the door to his office as he sits down at his desk in a huff. He just returned from his annual performance review with his boss, and he received some discouraging, negative feedback about his work over the past several months. Out of frustration, he vents in an email to a coworker from another department about how unfair his boss has been, and how the real problem is the other people in his department. While the details aren't entirely accurate, Edgar feels much better after blaming the problem on other people.
Thou shalt not use a computer to bear false witness. (Edgar exaggerated or lied about problems with other people in his department in order to make it look like he's not responsible for his poor work performance. Edgar violated the commandment Thou shalt not use a computer to bear false witness.)
Sami just bought a highly rated graphics application to use in her work as a marketing consultant. She installed the software on her home computer and immediately started to work on a project for a client. The next day, Sami decided to install the application on her laptop as well so she could take it with her to show the client the draft images she's developed.
Thou shalt not use or copy software for which you have not paid. (Sami paid for one copy of the software; however, she should check the license to determine whether she's allowed to install a second copy of the software. If not, then Sami violated the commandment Thou shalt not use or copy software for which you have not paid.)