Course - DT249/1
Subject - Information Systems in Organisations
Semester 1, Week 11
REGULATION AND COMPLIANCE

Module Content
From the course document, this week’s lecture refers to: Information Technology regulation and compliance.

Textbooks?
The Laudon and Laudon book, ‘Management Information Systems’ (Seventh Edition): all of Chapter 15.

Information Systems Management and the Law
Management must understand the scope of the organisation’s legal and ethical responsibilities.
To minimise liabilities/reduce risks, the person responsible for information security must:
◦ Understand the current legal environment
◦ Stay current with laws and regulations
◦ Watch for new issues that emerge

IS Management and the Law (2)
The law is the set of rules that can be enforced in a court. There are many sets of laws and they exist in a jurisdiction. A jurisdiction is usually a geographical area controlled by a government or royalty and might be, for example, a province, state, principality or country.

IS Management and the Law (3)
The nature of organisations is such that they are subject to the ‘laws of the land’ and they will also have internal rules and policies. The information systems of an organisation – because of their complexity and expense – become subject to some of these laws and policies.

IS Management and the Law (4)
Management must differentiate between laws and ethics. They must identify the major national laws that relate to the practice of information security. They must understand the role of culture as it applies to ethics in information security.

Law and Ethics in Information Systems
◦ Laws: rules that mandate or prohibit certain societal behaviour.
◦ Ethics: define socially acceptable behaviour.
◦ Cultural mores: the fixed moral attitudes or customs of a particular group. (Ethics are based on these.)
Laws carry the sanctions of a governing authority; ethics do not.

Ethics and Information Systems
Ethics, in the context of information systems, are ‘rules of conduct’ that account for:
◦ making free choices
◦ behaviour
◦ ways of thinking
especially in situations where the developers’/users’ choice can affect the dignity and wellbeing of others.

Ethics and Information Systems (2)
Ethical principles:
◦ Treat others as you wish to be treated.
◦ Put value on outcomes and understand the consequences of actions.
◦ Incur the least harm or cost. Morally sensitive actions are not – or are rarely – ‘consequence-free’.
◦ If an action is not right for everyone, it is not right for anyone.

Ethics and Information Systems (3)
◦ Is copying software wrong? Is copying some software more wrong than copying other software?
◦ Is ‘hacking and cracking’ (code cracking) wrong?
◦ Are these things acceptable in the case of some users but not others?
◦ What do you do if your boss asks – or tells – you to do it?
These questions are difficult to answer definitively.

Do Computer Professionals Need a ‘Code of Ethics’?
Copying from the Web is not seen as a crime, but as a right, by many people.
Hardware and software products are frequently shipped:
◦ that have bugs and defects,
◦ that are, themselves, excessive compared to need,
◦ unworkable,
◦ unsupportable,
◦ overpriced.
Who must take responsibility for the above?

Do Computer Professionals Need a ‘Code of Ethics’? (2)
‘Flaming’ and ‘spam’ are common on the internet.
◦ On the Internet, flaming is giving someone a verbal lashing in public, but it is also the term sometimes used to describe sending large numbers of meaningless e-mails to clog up a user’s e-mail Inbox.
◦ Spam is a form of bulk mail, usually advertisements, sent to a list of users on e-mail distribution lists that are bought for the purpose. To the user-receiver it is usually viewed as junk e-mail.

Do Computer Professionals Need a ‘Code of Ethics’? (3)
Viruses are common on shipped software and e-mailed messages/information products.
Computer ‘professionals’ are often responsible for all the above – sometimes by accident, other times by design.

ACM Code of Conduct
The ACM (Association for Computing Machinery) is an international body representing the computing industry and is based in New York, USA. A large part of its remit is to govern the ethical practices of professionals in computing. The organisation has a general list of imperatives.

ACM Code of Conduct – General Moral Imperatives
◦ Contribute to society and human well-being
◦ Avoid harm to others
◦ Be honest and trustworthy
◦ Honour property rights, copyrights and patents
◦ Give credit for intellectual property
◦ Access only authorised resources
◦ Respect the privacy of others

ACM Code of Conduct – Specific Professional Responsibilities (1 of 2)
◦ Strive to achieve the highest quality, effectiveness and dignity in both the process and products of professional work.
◦ Acquire and maintain professional competence.
◦ Know and respect existing laws pertaining to professional work.
◦ Accept and provide appropriate professional review.

ACM Code of Conduct – Specific Professional Responsibilities (2 of 2)
◦ Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis of possible risks.
◦ Honour contracts, agreements, and assigned responsibilities.
◦ Improve public understanding of computing and its consequences.
◦ Access computing and communication resources only when authorised to do so.

ACM Code of Conduct – Organisational Leadership Imperatives (1 of 2)
◦ Articulate social responsibilities of members of an organisational unit and encourage full acceptance of those responsibilities.
◦ Manage personnel and resources to design and build information systems that enhance the quality of working life.
◦ Acknowledge and support proper uses of an organisation’s computing and communication resources.

ACM Code of Conduct – Organisational Leadership Imperatives (2 of 2)
◦ Ensure that users and those who will be affected by a system have their needs clearly articulated.
◦ Articulate and support policies that protect the dignity of users and others affected by a computing system.
◦ Create opportunities for members of the organisation to learn the principles and limitations of computer systems.

Types of Law
◦ Civil
◦ Criminal
◦ Tort
◦ Private
◦ Public

Ireland’s Legal Areas
In Ireland the laws that apply to Information and Communication Technologies (ICTs) focus on five main areas: Privacy, Data Protection, e-Commerce, Intellectual Property and Crime.

Ireland’s Legal Areas (2)
Constitution
Common law
◦ Made by a judge’s judgement
◦ Often uses a ‘precedent system’.
Statute law (legislation)
◦ Oireachtas
◦ Primary legislation – Acts
◦ Secondary legislation – Regulations
◦ European Community Law

Privacy
Privacy is one of the hottest topics in information systems and security. This type of privacy is a “state of being free from unsanctioned intrusion”. The ability to aggregate data from multiple sources allows the creation of information databases previously unheard of.

Privacy (2)
Privacy – “the right to be left alone”
Fair Information Practices (FIP):
◦ No secret personal records to be kept.
◦ Individuals should be able to access and amend information about themselves.
◦ Information to be used only with prior consent from those about whom the information is kept.
◦ Managers are accountable for damage done by systems.
◦ Governments can intervene.

Data Protection
Data protection is built around four rules:
1. There has to be a legitimate basis for the data processing to take place;
2. The processing has to comply with the principles of data protection;
3. The processing has to comply with certain sectoral rules such as the prohibition on the processing of sensitive personal data;
4. The rights of the subject, such as access and objection, have to be respected.

Privacy and Data Protection Act
The Data Protection Acts of 1988 and 2003 – Section 2(1)(a) of the Acts requires that: "The data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed fairly".
This fair obtaining principle generally requires that a person whose data are processed is aware of at least the following:
◦ The identity of the person processing the data.
◦ The purpose or purposes for which the data are processed.
◦ Any third party to whom the data may be disclosed.
◦ The existence of a right of access and a right of rectification.

E-Commerce
The Electronic Commerce Act, 2000 relates to the creation of contracts made electronically. It codifies elements of the existing common law of contract and implements much of the EU Directive on Electronic Signatures 1999/93/EC. The Act provides that the acceptance of an offer between parties may be made by electronic means and normal contractual rules apply. There are complex provisions setting out the time and place where an electronic communication may be deemed to have been dispatched and received.

Intellectual Property
Intellectual property is the term used to describe a number of different statutory rights:
◦ Copyright law
◦ Patent law
◦ Trade mark law

Intellectual Property (2)
◦ Intellectual Property: intangible creations protected by law.
◦ Trade Secret: intellectual work or a product belonging to a business that is not in the public domain.
◦ Copyright: a statutory grant protecting intellectual property from copying by others for ‘life of author + 50 years’.

Intellectual Property (3)
◦ Patent: a legal document granting the owner an exclusive monopoly on an invention for 20 years (generally).
◦ Trade Mark: a legally registered mark, device, or name to distinguish goods produced by an individual (company).
◦ Open source (of software): ‘free-to-use’ software.

Crime – Cyber Crime
Information systems crime:
◦ Computers can be used maliciously to damage others – what might be termed ‘hacking’ type offences;
◦ Computers can be used to communicate with victims – what might be termed ‘fraud’ type offences;
◦ Computers may be used to create, display and publish material that is criminal in nature – what might be termed ‘content’ offences;
◦ Computers may be used to organise other offences which do not themselves involve the use of computers; this gives rise to issues of evidence.

Crime – Hacking
Computer hacking involves identifying and exploiting vulnerabilities in others’ computer systems. Though there are some common law offences that might be applied to computer crime, in theory, Ireland’s computer crime laws centre upon two items of legislation: the Criminal Damage Act 1991, and the Criminal Justice (Theft and Fraud Offences) Act 2001.

What is Regulation?
Regulation, in the context of information systems and the law in Ireland, comes under laws of privacy and ethical trading with e-commerce established by the European Union. There are no specific laws governing all information systems in Ireland. Regulations for technology are often associated with the Data Protection Act and trading acts. You could say that regulation in information systems comes mainly from individual contracts set up by organisations.

What is Compliance?
Where there are regulations – either by law or company policy – compliance could be seen as observance of the official requirements of the regulation(s). The act or process of complying with a demand or recommendation that comes from regulation is usually a task for a member of management.

Legal Issues
The laws associated with information technology have many aspects. We can look at commonly discussed legal issues related to information systems or IT:
◦ Contracts
◦ Outsourcing
◦ Software licensing
◦ Data protection
◦ Acceptable use
◦ Intellectual property rights
◦ Computer fraud
◦ Taxation

Contracts
Contracts are legal documents defining the legal implications of buying, selling or becoming involved with products and services of – in this MIS context – hardware and software systems and the issues surrounding them. Contracts can take many forms – what follows is a general, basic description of a contract.

Contracts (2)
The structure of a contract in our context is, generally:
◦ The date on which the contract was entered into
◦ The names and addresses of those entering the contract
◦ A description of what the contract is about – having titles such as ‘Background’, ‘Recitals’ or ‘Whereas’
◦ Definitions of terms used in the contract
◦ Provisions made by one party (e.g. Supplier)
◦ What must be paid to the provider (supplier)

Contracts (3)
Buying hardware, software and/or services (for support and maintenance, very often) often involves a contract – a contract for procurement or a contract of procurement.

Hardware Procurement Contract
The details for a hardware procurement contract might include:
◦ A description of the hardware
◦ A warranty for the quality of the hardware
◦ Delivery dates
◦ Price
◦ Acceptance testing (description)
◦ Future maintenance description
◦ Training

Software Procurement Contract
Software purchase is much more complex in terms of contract design. The software may be developed specifically for the organisation (bespoke) or be ready to sell ‘off-the-shelf’. More on this type of contract is mentioned in the section on Software Licensing.

Software Procurement Contract (2)
The contract for procurement is carefully drawn up to reflect what type of software will be provided, what the software is required to do, whether there is a maintenance feature to the deal, what provision there is for the cessation of the supply company, and many other aspects of law surrounding the idea of ‘keeping the software working’.

Services (Consultation) Procurement Contract
If buying consultancy services – as distinct from maintenance and support – where there is a need to consult on design and implementation, for example, the contract details might include:
◦ Definition of deliverables – what the consultant is expected to do
◦ Payment arrangements
◦ Copyright and confidentiality
◦ Insurance (professional indemnity)
◦ Key personnel listing (a list of people expected to be involved in the consultant’s interviews, questionnaires, etc.)
◦ Termination arrangements

Outsourcing
In the context of Management Information Systems or Information Systems in Organisations, outsourcing is the supply of goods and/or services to a client – which could be an individual or an organisation. Legally, there are usually contracts involved. Types of contract are:
◦ Facilities management
◦ Business process outsourcing
◦ Application service provision

A Contract for Outsourcing
It is difficult to specify a typical contract for product or service outsourcing, but – very generally – a contract for software services, as an example, may contain:
◦ The statement of requirements
◦ The technical solution
◦ An output specification

A Contract for Outsourcing (2)
Similar to hardware, software and services procurement, there is often a special contract that is applied to outsourcing called a Service Level Agreement (SLA).
An SLA often has the details of:
◦ Service levels to be achieved
◦ Targets for service levels
◦ Mechanisms for monitoring and reporting service levels against those targets
◦ Consequences of failure to meet targets

Software Licensing
One might view software licensing as another form of contract. A licence should confirm that the software supplier owns the copyright in the software or has the right to license it to the organisation. Usually, the software supplier is not selling ownership of software to an organisation but the permission to use it as they wish. This leaves the supplier able to provide copies of the software to other people or organisations.

Software Licensing (2)
Usually a contract is drawn up – called the licence agreement, since the licence is really a legal agreement between the software supplier and a client. (The client being the organisation, for example.) There are variations in such agreements:
◦ Is the licence restricted to one office, one department, one organisation, or can the software be lent to ‘sister companies’?

Software Licensing (3)
◦ Is there a user restriction? Does the agreement allow up to, say, 20 users? Do extra users require individual licences or another group licence?
◦ Are there time constraints? One year? Two years?
◦ Are there any other restrictions?

Data Protection (Reprise)
As an organisation processing data, one must ensure that the processing is lawful. The data must have been obtained fairly and lawfully. When obtaining data from a third party you must inform the subject of the data that you have data pertaining to them, telling the subject why you are using the data and how you will use them.

Data Protection (Reprise) (2)
Personal data must be:
◦ Fairly and lawfully processed
◦ Processed for limited purposes
◦ Adequate, relevant and not excessive
◦ Accurate
◦ Not kept longer than necessary
◦ Processed in accordance with the data subject’s rights
◦ Secure
◦ Not transferred to countries without adequate protection

Acceptable Use
Employees use computers for their information work – they may also use their employer’s computers for personal matters, such as booking a cheap flight, buying books and gifts and sending e-mails to friends and family. While all of these are viewed in different terms – from ‘perks of the job’, through ‘a bit of a cheek’, to ‘an offence suitable for reprimand’ – the truth is that they are not the Crime of the Century!

Acceptable Use (2)
The view may range from ‘acceptable use’ of computers through to ‘not very acceptable use’, but such cases hardly ever make it out of the ‘grey area’ into misuse of computer systems. Misuse might be seen as:
◦ excessive waste of staff time and resources,
◦ actions exposing the organisation to claims for discrimination, harassment, defamation or worse,
◦ failure to include information that results in criminal liability.
◦ (On the employer’s side:) health and safety requirements for screens and other computer equipment must be met.

Acceptable Use (3) – Usage policies
Computer usage policies are very often established because employers can be held responsible for wrongful actions carried out by employees in the course of their employment.

Acceptable Use (4)
Common usage problems are:
◦ Racial harassment
◦ Sexual harassment
◦ Downloading pornography
◦ Defamation of management, customers or competitors
◦ Breach of confidence
◦ Copyright infringement
◦ Hacking (into systems)
◦ Breaches of the Data Protection Act

Computer Fraud
Computer fraud is common and undesirable – that is a given! Many Management Information Systems service providers see the responsibility of avoiding this fraud as belonging to the organisation itself. Corporate governance is the term for the idea that an organisation ‘watches out’ for computer fraud.

Computer Fraud (2)
Corporate governance can be, in part at least, dealt with using technical audits – the same audits as mentioned back in the IT Security notes. Internal audit activity should contribute to the organisation’s governance process through which values and goals are established, communicated and accomplished. This is the responsibility of management.

Computer Fraud (3)
The European Confederation of Institutes of Internal Auditing (ECIIA), of which IIA – UK and Ireland are members, has, in documentation, described how the professional practice of internal auditing makes a positive contribution to achieving good corporate governance and effective risk management in organisations based in Europe and beyond.

Taxation
E-commerce means that organisations can trade across borders. There is an Electronic Commerce Act, established by the Oireachtas in 2000. A Communications Regulations Bill (2007) amended the state law on e-commerce, giving ComReg more power in controlling data and information flow on the internet, with regard to buying and selling.

Taxation (2)
Issues for taxation in e-commerce include:
◦ Identification of a transaction
◦ Identification of the parties to a transaction
◦ Verification of the details of the transaction
◦ Application of the correct taxing rules and remittance to the taxing authority
◦ Generation of an audit trail.
◦ The country of the supplier, generally, has the government to which the tax laws apply.

What Next?
Next week: Interaction (Human-Computer Interface)