CP3043 Social, Legal and Professional Aspects of Computing. Mr Graham Brown. Assessment 2

Transcription

1 CP3043 Social, Legal and Professional Aspects of Computing Mr Graham Brown Assessment 2 Colin Hopson Wednesday 16 th April 2008 i

2 Contents 1 Introduction The Bridgeway Building Society Overview of Requirements The Risk Assessment Assessment of Risks Application of Relevant Ethical Theories Analysis of Professional Codes Legal Issues and Legislation Summary and Evaluation Conclusion Appendix I: Security Overview Diagram... 6 ii

3 1 Introduction 1.1 The Bridgeway Building Society The Bridgeway Building Society is a small, financial organisation that serves the town of Aberford. It employs fifteen staff in its office and has a number of agencies with professional and financial service intermediaries. Customer information is stored on a server for a local computer network. Presently customers phone or visit the branch to conduct financial transactions. Future business plans are to implement internet banking to savers and borrowers, along with providing financial services; such as mortgage payment, insurance, etc. These are to be implemented through three phases. 1. Promotion of the business by electronic advertising. 2. Enable existing and potential customers to enquire about products and services online. 3. Enable online transactions to savings and mortgage accounts. 1.2 Overview of Requirements The requirements detailed by the Bridgeway Building Society firstly raise a number of issues. The first and main concern is the welfare of its customers, employees and agencies; secondly the finance to implement the project, and thirdly their reliance on other organisations to maintain the internet network. 2 The Risk Assessment The purpose of this assessment is to outline the risks that this project presents. The report is separated in to four different categories, but mainly concentrates on the assessment of risks. 2.1 Assessment of Risks Firstly, the Bridgeway Building Society must recognise the consequences of implementing the project, or on the other hand, analyse their situation if no progress is made. Advantages must be compared against the risks in order to justify the best course of action. There are numerous advantages for going ahead with the project. Primarily the organisation will benefit from introducing new products and expanding current services, as these will stride the company ahead of competitors and produce future revenue. Choosing not to implement the new technology may leave the organisation uncompetitive and may even effect its future survival. However, if the company only serves local town residents, is there any threat from competition in that area? Another influential factor is comparing financial cost against financial gain. As the company currently serves just a small community, can the rewards justify the expenditure risk that the project may entail? Failure to provide a consistent business practice during installation could effect company reputation and raise legal issues. It will not only require the purchase and maintenance of resources, but involves 1

4 upholding a high level of security for customers and to its employees. The level of external threats will be significantly increased by the introduction of internet connectivity, leaving data more vulnerable to misuse or corruption. It is therefore important that employees are educated about, and become aware of, internal security measures. This is likely to impose more pressure on management in order to administer and organise staff accordingly. It will no doubt require that staff adhere to increased safety and security constraints which will probably require extra training and compliance. This in itself may impose problems with employees, as they may feel enforced to comply with new rules and regulations. Employees may become segregated and/or feel dejected, whereas others may be promoted by the action. The necessity of employee training may also effect staff moral and productivity, plus test their loyalty to the organisation. The organisation will notably become reliant on supplies and services provided by external companies, especially those responsible for internet telecommunications plus computer hardware and software. As these companies will be required to provide advice and consultation, it may be wise to employ an internal computer professional (system administrator) who is familiar with the system and therefore can identify and respond to threats. This employee can report network vulnerabilities to the external company and generally keep the system up-to-date with the latest upgrades and software patches. It may be the responsibility of this system administrator to configure filtering that will reject virus-laden and spam as well as recognise that the company website is liable to phishing attacks by hackers. It is imperative that all companies, especially ones who process client information, uphold integrity and endorse confidentiality. As the integrity and privacy of customer and employee data is precedence, user access will need to be controlled depending on employee roles, which are derived by usernames. Authorisation and authenticity of staff can be maintained by using identification cards and the introduction of electronic door access. However, it will be necessary for management to educate staff about the new security requirements, such as the regular change of user passwords. To maintain confidentiality to information stored on databases and to ensure the availability of the proposed services, a number of requirements will be necessary; Secondary electrical power supply and telecommunication link Frequent database back-ups and off-site storage and/or encrypted transfer Monitoring and use of external staff utilities, such as memory sticks Hierarchy of data access rights for authentication and confidentiality Exclusive hardware firewalls and security suite (anti-virus) software Encryption techniques and filtering (spam) It is conclusive that the resource most frequently at risk, will be internet connectivity, therefore it is essential that the last three points are implemented. Other security issues include fire precautions, health and safety standards, staff dismissal, employee vetting and/or monitoring. Appendix I: Security Overview is a diagram showing the security requirements for the project with an indication to the frequency of external and internal threats (scaled 1 to 10) and the impact they pose (colour coded). It shows the increase of threats and the impact they pose as the project phases progress. 2

5 2.2 Application of Relevant Ethical Theories The first phase that the company wish to implement (the electronic advertising promotion) conveys an egoistic attitude (focus on self interest), but it is in the interest of the company and to its employees, to stay competitive. The second phase should promote utilitarianism (greatest good for greatest number), giving existing and potential clients increased service and access to products as well as sustaining staff employment. The third phase requires the company to ethically maintain customer data and uphold privacy. For this, the new company website will need to secure client s online transactions, usernames and passwords. The company should keep business competence and recognise the balance of ethical liabilities to clients, employees and financial intermediaries (deontology). By providing training and upholding Health and Safety standards, the company demonstrates its loyalty and moral duty to its employees as well as an emphasis on the Social Contract Theory. However, Kantianism and the social contract theory may spotlight the individual decisions made by the system administrator, as he must consider all affected parties in consequence of his actions. One of the fundamental liabilities that the company must balance is client and employee privacy, although it can be argued that secrecy promotes anti-social behaviour and concealment to cause harm. The ethical importance of privacy is found in numerous scenarios that the project may create, such as online usernames and passwords, savings and mortgage account numbers, personal information, etc. 2.3 Analysis of Professional Codes It will be required by company employees to conform to professional codes of conduct outlined by the British Computer Society (BCS). The company has correctly initiated a professional attitude by incorporating advice and consultation from specialist personnel. However, it is important during and after project implementation that the company continues to illustrate to its employees the correct methods of sustaining professional conduct. This may require that management demonstrate the best practice and behaviour between work colleagues and uphold the golden rule treat people in the way you want them to treat you. The company also has an obligation to the public interest and employees will be responsible for keeping client information integral, confidential and secure. This is likely to affect managerial roles, especially the system administrator. The company also has a moral duty to the relevant society. On this occasion the business profession is finance and the Information Technology sector. Its duty to these professions, require that the business uphold the standards and practice found in modern banking and finance. The implementation of the project will also portray good professional competence for the business and proves it can modernise and incorporate practice in the best interest of its customers. 3

6 2.4 Legal Issues and Legislation Although the company currently stores and processes client information on the local network, the introduction of internet connectivity will impose more risk to electronically stored data. Conformity to the eight principles of the Data Protection Act (1998) will be dramatically increased. Client information must be kept up-to-date and accurate without accidental loss, damage or destruction; timely used for its original purpose; be adequate, relevant and not excessive; processed fairly and lawfully, etc. It may become a necessity for employees to complete annual compliance testing and/or Data Protection Act (DPA) questionnaires. Employees must also be aware of the Computer Misuse Act (1990). Although aimed toward attacks from computer hackers, masquerading, worms and viruses, etc.; it can also impede employees, who without an intention to commit an offence, may breach the Act. Advancements in technology may cause argument between what is identified as an offence, but recent legislation has been introduced to contend with these. Whistle-blowing is used in modern practice to identify persons who may use the internet to commit fraud or illegally transfer funds (Fraud Act 2006). People adopting another person s identity to commit illegal activities breaches the Identity Theft and Assumption Deterrence Act. Employees must be made aware of the proper use of the internet and . The Electronic Communications Act (2003) makes it illegal to intercept telephone conversations, , plus similar data transmissions. The company s phase to promote the business by electronic advertising could indeed infringe the this Act, as promotions must comply with client consent. Website forms should offer the availability to opt-in for promotions, questionnaires or canvassing, as this depicts the ethic of harm minimisation. Employees leaving or that are dismissed may be prone to breach of law and close monitoring of them may be necessary. However this may infridge their human rights, Human Rights Act (1998). Employees will be subject to regulations depicted by Health and Safety Legislation (1999), as more use of internet activity will increase screen operation. The company may need to offer free eye tests as well as provide special provisions for the disabled through the Disability Discrimination Act (1995). One more point brings attention to the liability of external companies, especially the software providers, as these must be reliable and provide services under the Supply of Goods and Services Act (1982). 3 Summary and Evaluation The project affordability must be analysed as it entails implementing resources of both human and technological. Security and data integrity are the main concerns along with change to the working environment and the need for training. Reliance and dependability of external companies may raise some concern, especially for an internet service provider may host the company website. 4

7 4 Conclusion The major concern that this project initially presents, lie with the company s moral and professional responsibility for the security of its customers and employees data. By implementing internet access to the existing network, the risk of external threats to the system, will be significantly increased. The company will also become reliant on other organisations to maintain and secure the system. The financial affordability of employing and/or hire of specialist personnel may be questioned. As discussed, a continual responsibility in conforming to and sustaining ethical, legal and professional issues, will be necessary. 5

8 5 Appendix I: Security Overview Diagram 6