Course - DT249/1

Subject - Information Systems in Organisations

REGULATION AND COMPLIANCE

Semester 1, Week 11

Module Content Title

From the course document, this week’s lecture refers to:

Information Technology regulation and compliance

Textbooks?

The Laudon and Laudon book, ‘Management Information Systems’ (Seventh Edition): all of Chapter 15.

Information Systems Management and the Law

Management must understand the scope of the organisation’s legal and ethical responsibilities.

To minimise liabilities/reduce risks, the person responsible for information security must:
◦ Understand the current legal environment
◦ Stay current with laws and regulations
◦ Watch for new issues that emerge

IS Management and the Law (2)

The law is the set of rules that can be enforced in a court. There are many sets of laws and they exist in a jurisdiction.

A jurisdiction is usually a geographical area controlled by government or royalty and might be, for example, a province, state, principality or country.

IS Management and the Law (3)

The nature of organisations is such that they are subject to ‘laws of the land’ and they will also have internal rules and policies.

The information systems of an organisation – because of their complexity and expense – become subject to some of these laws and policies.

IS Management and the Law (4)

Management must differentiate between laws and ethics.

They must identify the major national laws that relate to the practice of information security.

They must understand the role of culture as it applies to ethics in information security.

Law and Ethics in Information Systems

Laws: rules that mandate or prohibit certain societal behaviour.

Ethics: define socially acceptable behaviour.

Cultural mores: the fixed moral attitudes or customs of a particular group. (Ethics are based on these.)

Laws carry the sanctions of a governing authority; ethics do not.

Ethics and Information Systems

Ethics, in the context of information systems, will be ‘rules of conduct’ that will account for:
◦ making free choices
◦ behaviour
◦ ways of thinking

Especially in situations where the developers’/users’ choice can affect the dignity and well-being of others.

Ethics and Information Systems (2)

Ethical principles:
◦ Treat others as you wish to be treated.
◦ Put value on outcomes and understand the consequences of actions.
◦ Incur the least harm or cost.
◦ Morally sensitive actions are not – or are rarely – ‘consequence-free’.
◦ If an action is not right for everyone, it is not right for anyone.

Ethics and Information Systems (3)

◦ Is copying software wrong?
◦ Is copying some software more wrong than others?
◦ Is ‘hacking and cracking’ (code cracking) wrong?
◦ Are these things acceptable in the case of some users but not others?
◦ What do you do if your boss asks – or tells – you to do it?

These questions are difficult to answer definitively.

Do Computer Professionals Need a ‘Code of Ethics’?

Copying from the Web is not seen as a crime, but as a right by many people.

Hardware and software products are frequently shipped
◦ that have bugs and defects,
◦ that are, themselves, excessive compared to need,
◦ unworkable,
◦ unsupportable,
◦ overpriced.

Who must take responsibility for the above?

Do Computer Professionals Need a ‘Code of Ethics’? (2)

‘Flaming’ and ‘spam’ are common on the internet.
◦ On the Internet, flaming is giving someone a verbal lashing in public but is also the term sometimes used to describe sending large numbers of meaningless e-mails to clog up a user’s e-mail Inbox.
◦ Spam is a form of bulk mail, usually advertisements, sent to a list of users on e-mail distribution lists that are bought for the purpose. To the user-receiver it is usually viewed as junk e-mail.

Do Computer Professionals Need a ‘Code of Ethics’? (3)

Viruses are common on shipped software and e-mailed messages/information products.

Computer ‘professionals’ are often responsible for all the above – sometimes by accident, other times by design.

ACM Code of Conduct

The ACM (Association for Computing Machinery) is an international body representing the Computing industry and is based in New York, USA.

A large part of its remit is to govern the ethical practices of professionals in Computing.

The organisation has a general list of imperatives.

ACM Code of Conduct
General Moral Imperatives

◦ Contribute to society and human well-being
◦ Avoid harm to others
◦ Be honest and trustworthy
◦ Honour property rights, copyrights and patents
◦ Give credit for intellectual property
◦ Access only authorised resources
◦ Respect the privacy of others

ACM CODE OF CONDUCT
Specific Professional Responsibilities (1 of 2)

◦ Strive to achieve the highest quality, effectiveness and dignity in both the process and products of professional work.
◦ Acquire and maintain professional competence.
◦ Know and respect existing laws pertaining to professional work.
◦ Accept and provide appropriate professional review.

ACM CODE OF CONDUCT
Specific Professional Responsibilities (2 of 2)

◦ Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis of possible risks.
◦ Honour contracts, agreements, and assigned responsibilities.
◦ Improve public understanding of computing and its consequences.
◦ Access computing and communication resources only when authorised to do so.

ACM CODE OF CONDUCT
Organisational Leadership Imperatives (1 of 2)

◦ Articulate social responsibilities of members of an organisation unit and encourage full acceptance of those responsibilities.
◦ Manage personnel and resources to design and build information systems that enhance the quality of working life.
◦ Acknowledge and support proper uses of an organisation’s computing and communication resources.

ACM CODE OF CONDUCT
Organisational Leadership Imperatives (2 of 2)

◦ Ensure that users and those who will be affected by a system have their needs clearly articulated.
◦ Articulate and support policies that protect the dignity of users and others affected by a computing system.
◦ Create opportunities for members of the organisation to learn the principles and limitations of computer systems.

Types of Law

◦ Civil
◦ Criminal
◦ Tort
◦ Private
◦ Public

Ireland’s Legal Areas

In Ireland the laws that apply to Information and Communication Technologies (ICTs) focus on five main areas:
◦ Privacy,
◦ Data Protection,
◦ e-Commerce,
◦ Intellectual Property and
◦ Crime.

Ireland’s Legal Areas (2)

Constitution

Common law
◦ Made by a judge’s judgement
◦ Often uses a ‘precedent system’.

Statute law (legislation)
◦ Oireachtas
◦ Primary legislation – Acts
◦ Secondary legislation – Regulations
◦ European Community Law

Privacy

Privacy is one of the hottest topics in information systems and security.

This type of privacy is a “state of being free from unsanctioned intrusion”.

The ability to aggregate data from multiple sources allows the creation of information databases previously unheard of.

Privacy (2)

Privacy – “the right to be left alone”

Fair Information Practices (FIP):
◦ No secret personal records to be kept.
◦ Individuals should be able to access and amend information about themselves.
◦ Information to be used only with prior consent from those about whom the information is kept.
◦ Managers are accountable for damage done by systems.
◦ Governments can intervene.

Data Protection

Data protection is built around four rules:
1. There has to be a legitimate basis for the data processing to take place;
2. The processing has to comply with the principles of data protection;
3. The processing has to comply with certain sectoral rules such as the prohibition on the processing of sensitive personal data;
4. The rights of the subject, such as access and objection, have to be respected.

Privacy and Data Protection Act

The Data Protection Acts of 1988 and 2003 – Section 2(1)(a) of the Acts requires that:

"The data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed fairly".

This fair obtaining principle generally requires that a person whose data are processed is aware of at least the following:
◦ The identity of the person processing the data.
◦ The purpose or purposes for which the data are processed.
◦ Any third party to whom the data may be disclosed.
◦ The existence of a right of access and a right of rectification.

E-Commerce

The Electronic Commerce Act, 2000 relates to the creation of contracts made electronically. It codifies elements of the existing common law of contract and implements much of the EU Directive on Electronic Signatures 1999/93/EC.

The Act provides that the acceptance of an offer between parties may be made by electronic means and normal contractual rules apply. There are complex provisions setting out the time and place where an electronic communication may be deemed to have been dispatched and received.

Intellectual Property

Intellectual property is the term given to describe a number of different statutory rights:
◦ Copyright law
◦ Patent law
◦ Trade mark law

Intellectual Property (2)

Intellectual Property: Intangible creations protected by law.

Trade Secret: Intellectual work or a product belonging to a business that is not in the Public Domain.

Copyright: A Statutory Grant protecting intellectual property from copying by others for ‘life of author + 50 years’.

Intellectual Property (3)

Patent: A legal document granting the owner an exclusive monopoly on an invention for 20 years (generally).

Trade Mark: A legally registered mark, device, or name to distinguish goods produced by an individual (company).

Open source: Of software; ‘free-to-use’ software.

Crime – Cyber Crime

Information systems crime:
◦ Computers can be used maliciously to damage others, what might be termed ‘hacking’ type offences;
◦ Computers can be used to communicate with victims, what might be termed ‘fraud’ type offences;
◦ Computers may be used to create, display and publish material that is criminal in nature, what might be termed ‘content’ offences;
◦ Computers may be used to organise other offences, which do not themselves involve the use of computers; this gives rise to issues of evidence.

Crime – Hacking

Computer hacking involves identifying and exploiting vulnerabilities in others’ computer systems.

Though there are some common law offences that might be applied to computer crime, in theory, Ireland’s computer crime laws centre upon two items of legislation: the Criminal Damage Act 1991, and the Criminal Justice (Theft and Fraud Offences) Act 2001.

What is Regulation?

Regulation, in the context of information systems and the law in Ireland, comes under laws of privacy and ethical trading with e-commerce established by the European Union.

There are no specific laws governing all information systems in Ireland. Regulations for technology are often associated with the Data Protection Act and trading acts. You could say that regulation in information systems comes mainly from individual contracts set up by organisations.

What is Compliance?

Where there are regulations – either by law or company policy – compliance could be seen as observance of the official requirements of the regulation(s).

The act or process of complying with a demand or recommendation that comes from regulation is usually a task for a member of management.

Legal Issues

The laws associated with information technology have many aspects. We can look at commonly discussed legal issues related to information systems or IT:
◦ Contracts
◦ Outsourcing
◦ Software licencing
◦ Data protection
◦ Acceptable use
◦ Intellectual property rights
◦ Computer fraud
◦ Taxation

Contracts

Contracts are legal documents defining the legal implications of buying, selling or becoming involved with products and services of – in this MIS context – hardware and software systems and the issues surrounding them.

Contracts can take many forms – what follows is a general, basic description of a contract.

Contracts (2)

The structure of a contract in our context is, generally:
◦ The date on which the contract was entered into
◦ The names and addresses of those entering the contract
◦ A description of what the contract is about – having titles such as ‘Background’, ‘Recitals’ or ‘Whereas’
◦ Definitions of terms used in the contract
◦ Provisions made by one party (e.g. Supplier)
◦ What must be paid to the provider (supplier)

Contracts (3)

Buying hardware, software and/or services (for support and maintenance, very often) often involves a contract – a contract for procurement or a contract of procurement.

Hardware Procurement Contract

The details for a hardware procurement contract might include:
◦ A description of the hardware
◦ A warranty for the quality of the hardware
◦ Delivery dates
◦ Price
◦ Acceptance testing (description)
◦ Future maintenance description
◦ Training

Software Procurement Contract

Software purchase is much more complex in terms of contract design. The software may be developed specifically for the organisation (bespoke) or be ready to sell ‘off-the-shelf’.

More of this type of contract is mentioned in the section on Software Licencing.

Software Procurement Contract (2)

The contract for procurement is carefully drawn up to reflect what type of software will be provided, what the software is required to do, whether there is a maintenance feature to the deal, what provision there is for the cessation of the supply company and many other aspects of law surrounding the idea of ‘keeping the software working’.

Services (Consultation) Procurement Contract

If buying consultancy services – as distinct from maintenance and support – where there is a need to consult on design and implementation, for example, the contract details might include:
◦ Definition of deliverables – what the consultant is expected to do
◦ Payment arrangements
◦ Copyright and confidentiality
◦ Insurance (professional indemnity)
◦ Key personnel listing (A list of people expected to be involved in the consultant’s interviews, questionnaires, etc.)
◦ Termination arrangements

Outsourcing

In the context of Management Information Systems or Information Systems in Organisations, outsourcing is the supply of goods and/or services to a client – which could be an individual or an organisation. Legally, there are usually contracts involved. Types of contract are:
◦ Facilities management
◦ Business process outsourcing
◦ Application service provision

A Contract for Outsourcing

It is difficult to specify a typical contract for product or service outsourcing, but – very generally – a contract for software services, as an example, may contain:
◦ The statement of requirements
◦ The technical solution
◦ An output specification

A Contract for Outsourcing (2)

Similar to hardware, software and services procurement, there is often a special contract that is applied to outsourcing called a Service Level Agreement (SLA).

An SLA often has the details of:
◦ Service levels to be achieved
◦ Targets for service levels
◦ Mechanisms for monitoring and reporting service levels against those targets
◦ Consequences of failure to meet targets

Software Licencing

One might view software licencing as another form of contract.

A licence should confirm that the software supplier owns the copyright in the software or has the right to licence it to the organisation.

Usually, the software supplier is not selling ownership of software to an organisation but the permission to use it as they wish. This leaves the supplier able to provide copies of the software to other people or organisations.

Software Licencing (2)

Usually a contract is drawn up – called the licence agreement, since the licence is really a legal agreement between the software supplier and a client. (The client being the organisation, for example.)

There are variations in such agreements:
◦ Is the licence restricted to one office, one department, one organisation or can the software be lent to ‘sister companies’?

Software Licencing (3)

◦ Is there a user restriction? Does the agreement allow up to, say, 20 users? Do extra users require individual licences or another group licence?
◦ Are there time constraints? One year? Two years?
◦ Are there any other restrictions?

Data Protection (Reprise)

As an organisation processing data one must ensure that the processing is lawful.

The data must have been obtained fairly and lawfully.

When obtaining data from a third party you must inform the subject of the data that you have data pertaining to them, telling the subject why you are using the data and how you will use them.

Data Protection Reprise (2)

Personal data must be:
◦ Fairly and lawfully processed
◦ Processed for limited purposes
◦ Adequate, relevant and not excessive
◦ Accurate
◦ Not kept longer than necessary
◦ Processed in accordance with the data subject’s rights
◦ Secure
◦ Not transferred to countries without adequate protection

Acceptable Use

Employees use computers for their information work – they may also use their employer’s computers for personal matters, such as booking a cheap flight, buying books and gifts and sending e-mails to friends and family.

While all of these are viewed in different terms – from ‘perks of the job’, through ‘a bit of a cheek’ to ‘an offence suitable for reprimand’ – the truth is that they are not the Crime of the Century!

Acceptable Use (2)

The view may be ‘acceptable use’ of computers through to ‘not very acceptable use’ but hardly ever makes it out of the ‘grey area’ into misuse of computer systems.

Misuse might be seen as:
◦ an excessive waste of staff time and resources,
◦ actions exposing the organisation to claims for discrimination, harassment, defamation or worse,
◦ failure to include information that results in criminal liability.
◦ (On the employer’s side) health and safety requirements for screens and other computer equipment must be met.

Acceptable Use (3)

Usage policies

Computer usage policies are very often established because employers can be held responsible for wrongful actions carried out by employees in the course of their employment.

Acceptable Use (4)

Common usage problems are:
◦ Racial harassment
◦ Sexual harassment
◦ Downloading pornography
◦ Defamation of management, customers or competitors
◦ Breach of confidence
◦ Copyright infringement
◦ Hacking (into systems)
◦ Breaches of the Data Protection Act

Computer Fraud

Computer fraud is common and undesirable – that is a given!

Many Management Information Systems service providers see the responsibility of avoiding this fraud to belong to the organisation itself.

Corporate governance is the term for the idea that an organisation ‘watches out’ for computer fraud.

Computer Fraud (2)

Corporate governance can be, in part at least, dealt with using technical audits. The same audits as mentioned back in the IT Security notes.

Internal audit activity should contribute to the organisation’s governance process through which values and goals are established, communicated and accomplished. This is the responsibility of management.

Computer Fraud (3)

The European Confederation of Institutes of Internal Auditing (ECIIA), of which IIA – UK and Ireland are members, has, in documentation, described how the professional practice of internal auditing makes a positive contribution to achieving good corporate governance and effective risk management in organisations based in Europe and beyond.

Taxation

E-commerce means that organisations can trade across borders. There is an Electronic Commerce Act, established by the Oireachtas in 2000.

A Communications Regulations Bill (2007) amended the state law on e-commerce, giving ComReg more power in controlling data and information flow on the internet, with regard to buying and selling.

Taxation (2)

Issues for taxation in e-commerce include:
◦ Identification of a transaction
◦ Identification of the parties to a transaction
◦ Verification of the details of the transaction
◦ Application of the correct taxing rules and remittance to the taxing authority
◦ Generation of an audit trail.
◦ The country of the supplier, generally, has the government to which the tax laws apply.

What Next?

Next week:

Interaction: (Human-Computer Interface)