MMT2 – IT STRATEGIC SOLUTIONS – Task #3
Donald Graham # 000483981
IT Strategic Solutions – MMT2 Task 3 Security Policies
Evaluation of AEnergy’s Security Policies Regarding Ethical Issues. Security policies are documents that specify the safeguards, rules and procedures an organization establishes for managing access to its facilities and systems. They also govern the conduct and practices of internal and external users who access the organization’s network, data or other sensitive information. An important point when establishing or examining security policies is whether any policy, in part or as a whole, undermines widely accepted ethical standards. To be useful to those expected to comply, policies must be comprehensive, easy to understand, acknowledged and readily available. They must also be reviewed and updated regularly as the organization’s needs change and as new and growing security threats emerge. AEnergy’s existing policies make sense for protecting its proprietary information, but steps should be taken so that they do not overstep the boundaries of individual rights.
A1. Unethical uses: Internal
One potential unethical use of technology by internal users in the organization is using the GPS tracking systems placed inside company laptops in a way that infringes on individual freedoms. AEnergy installs GPS tracking systems inside company laptops to keep company trade secrets secure. However, many employees take laptops into their cars and homes, so their movements could be monitored, interfering with their right to privacy. Developing technologies allow extensive monitoring through video, phones, the Internet, social media and other devices to track employee behavior (Ford, Willey, White, & Domagalski, 2015). If the employer goes too far, or not far enough, in identifying and preventing employee misconduct, the legal consequences can be costly in both revenue and reputation. A second potential unethical use of technology by internal users is the video monitoring of employees inside and outside facilities. Many ethical considerations encourage tracking of employees, including the need to avoid leaks of secret information, stop infringements of company policies and limit legal liability. The ethical challenge facing companies is whether employees should have a right to privacy in the workplace. AEnergy uses security cameras at its facilities to monitor the company’s perimeter against snooping and to protect its physical and digital assets. It would be unethical for an employee or other internal user with access to use video surveillance to observe other staff participating in non-work-related activities.
A2. Unethical uses: External
There are two potential unethical applications of company technology and data by external users. The first is the leaking of confidential company information to third parties or competitors. It would be entirely unethical for external users, vendors and customers of AEnergy who have access to privileged or confidential company data to publicize that data to unapproved third parties, regardless of whether the leak occurs intentionally or through reckless conduct. It would also be unethical to discuss private or secret company information in public areas where third parties could overhear or record it. The second unethical use is giving unauthorized users access to company data by sharing credentials. It would not be ethical for external users to share network credentials, VPN access information or other sensitive network access keys with unauthorized users without AEnergy’s consent. Unauthorized access may expose the company’s network to security breaches and to attempts by unauthorized third parties to reach sensitive data. It would also be unethical for external users to retain access to AEnergy servers after completing their contract with the company.
An evaluation of the effectiveness of AEnergy Company’s security policies covers three documents addressing the following areas: data security, accounting security and employer security. These policies have been put in place to protect the company’s privately owned property and the private information of workers. Potential security threats are classified into two major types, internal and external. The following is an assessment of the company’s security policies with respect to these threat classes.

The accounting security policy clearly states that new employees are assigned a user profile and password to track their activity. The use of passwords ensures that access is granted only to approved users. The company records the user ID, IP address, location, connection time and the location of the accessed file or information. By securing access in this way the company protects its internal infrastructure from the threat of unauthorized access, and by logging what data is accessed it can find out when a file has been copied, moved or deleted, which is advantageous in the case of a security breach. The accounting security policy also states that the company tracks user IP, browsing profile, content, location, time of use and search terms for users accessing the company’s website. Gathering such data allows the IT team to reduce hacking threats by using intrusion detection systems to monitor the company’s website for behavior that matches known signs of intrusion.

The data security policy classifies data into four categories: public/unclassified, private, confidential and security/restricted. The policy ensures that the data the company collects is appropriately classified, whether physical or digital. The employer security policy includes protections to mitigate the loss of laptops and projectors by equipping them with GPS trackers. The company uses security cameras to monitor employees and equipment inside and outside its facilities.
B1. Security Threats Internal
There are two possible security threats to the organization’s software, information and internal users’ data. The first is the loss or illegal acquisition of restricted company records through the use of unapproved personal devices. This risk involves internal users copying critical or proprietary files onto USB drives or other portable storage devices. The data security policy does not address internal users copying company data to personal storage devices, so the company is at risk of losing sensitive information when an employee copies data to a personal device without the relevant permission. Although the company monitors when and how data is accessed and by whom, the policy is not sufficient to overcome this threat when the identified user has legitimate access to the data transferred. There are no restrictions on employees’ use of personal storage devices such as USB drives, and without proper screening they could introduce viruses, spyware or malware into the network that could cause sensitive data to be lost and increase the potential for network spying. Spyware can also illegally distribute business secrets to competitors or third parties, who could use the information to access the company’s network illegally.
The second threat is internal users accessing the web without limitations and exposing confidential information. The company does not have a policy defining what is permitted or prohibited concerning the blogging activities of internal users. If staff engage in blogging, message boards or public forums discussing the company’s internal processes, trade secrets or other sensitive information, the company is at risk of losing confidential data that is crucial to maintaining its competitive edge. Web activities that could threaten business information and innovations include the public release by internal users of network diagrams, web access codes and passwords. The organization could be exposed to hacking attacks that result in data loss or the propagation of private data to third parties. Without an explicit directive in the data security policy on acceptable activities, the company risks losing sensitive data through its internal users’ web activities.
B2. Security Threats External
As part of its business process, AEnergy provides its network data to partners, vendors, customers and other third parties. The unintentional or intentional sharing of that data by these outside associates is a potential security threat to the company’s information technology. By allowing this remote access, the company is exposed to the threat of data theft should one of these working partners illegally extend their access to the company’s infrastructure to additional associates. AEnergy faces a likely threat because it cannot monitor how clients control this information; the firm can only respond after a violation is detected and the data lost. A threat to its data and technologies also exists if a customer shares commercially sensitive material about the corporation’s infrastructure with competitors or other intermediaries. If not alleviated, this threat ultimately leads to hacking attempts and other illegal efforts to obtain the company’s information and infiltrate its network. AEnergy is a probable target for cyber terrorism or spying. Cyber spying increases the likelihood of attacks on the organization’s infrastructure and the loss of sensitive business data or trade secrets. Cyber terrorism activities are often the actions of politically motivated perpetrators who are hard to catch. A successful hack can lead to the theft of sensitive customer and employee data that can then be used for identity theft.
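The access log described in the policy evaluation above (user ID, IP address, location, connection time and the accessed file) is the evidence both of the threats in B1 and B2 would leave behind: a restricted file copied to a personal storage device, and an external account still reaching company servers after its contract has ended. The following is an added illustration of reviewing such a log for those two conditions; it is not part of the original task or of AEnergy’s policy documents. The pipe-separated record format, the `classification` and `destination` fields, the device labels, the contractor roster and the sample records are all constructed assumptions.

```python
"""Review a constructed access log for the two threats discussed in B1 and B2.

Assumed record format (one record per line, pipe-separated):
    user|ip|location|timestamp|action|path|classification|destination
The field names, device labels and contract roster are assumptions for this
example, not AEnergy's real log schema.
"""
from datetime import datetime
from typing import Dict, List

# Classification levels named in the data security policy that should never
# leave company-controlled storage.
RESTRICTED_LEVELS = {"confidential", "security/restricted"}

# Assumed destination labels that mean "personal / unapproved storage".
PERSONAL_DESTINATIONS = {"usb", "personal-cloud"}

# Constructed roster of external accounts and the end of their contracts.
CONTRACT_END = {
    "vendor.acme": datetime(2019, 6, 30, 23, 59, 59),
}

FIELDS = ("user", "ip", "location", "timestamp",
          "action", "path", "classification", "destination")

# Constructed sample records; "-" means no destination (plain read).
SAMPLE_LOG = """\
jdoe|10.0.4.21|HQ|2019-07-02T09:15:00|read|/finance/q2.xlsx|confidential|-
jdoe|10.0.4.21|HQ|2019-07-02T09:20:00|copy|/finance/q2.xlsx|confidential|usb
asmith|10.0.4.30|HQ|2019-07-02T10:00:00|copy|/marketing/brochure.pdf|public/unclassified|usb
vendor.acme|203.0.113.8|VPN|2019-06-15T14:00:00|read|/eng/specs.docx|private|-
vendor.acme|203.0.113.8|VPN|2019-07-03T22:10:00|read|/eng/network-diagram.vsd|security/restricted|-
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split one log line into a dict; reject malformed lines loudly."""
    parts = line.strip().split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed access record: {line!r}")
    return dict(zip(FIELDS, parts))


def review(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per record that matches a threat rule."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_record(raw)
        when = datetime.fromisoformat(rec["timestamp"])

        # B1: restricted data copied to a personal storage device. The user
        # may legitimately read the file, which is why access control alone
        # does not catch this; the destination does.
        if (rec["action"] == "copy"
                and rec["classification"] in RESTRICTED_LEVELS
                and rec["destination"] in PERSONAL_DESTINATIONS):
            findings.append({"rule": "restricted-copy-to-personal-device",
                             "user": rec["user"], "path": rec["path"],
                             "timestamp": rec["timestamp"]})

        # B2: an external account still active after its contract ended.
        end = CONTRACT_END.get(rec["user"])
        if end is not None and when > end:
            findings.append({"rule": "access-after-contract-end",
                             "user": rec["user"], "path": rec["path"],
                             "timestamp": rec["timestamp"]})
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the review flags jdoe’s copy of the confidential spreadsheet to USB and vendor.acme’s read of the restricted network diagram three days after the contract end, while the public brochure copy and the in-contract read pass. The point for the policy update in B1 is that the copy is caught by recording the destination of the transfer, not by the user’s access rights, which were legitimate.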
Updated Company Policies
The following is a list of nine company policies that have been updated to address the security threats identified above.
1. I will establish three new and separate policy documents to distinguish internal user policy from external user policy. This will ensure that policy statements can address each group in greater detail.
2. In each policy section I will include a legally binding non-disclosure agreement preventing internal and external users from sharing classified information with any unauthorized parties. The policy will state the consequences of disclosing secure material to any person not entrusted with it.
3. I will include a signature page at the end of each policy document so that workers can acknowledge receipt of the policies and their intention to comply with their provisions.
4. I will include a section stating how personal storage devices are scanned to protect the network against viruses and malware. I will add a new data security policy clarifying which personal devices internal users may use on company premises and the method by which software is authorized for installation on company computers.
5. I will include an ethical behavior section in all three policy documents identifying the organization’s position on the ethical use of its technology and information. Sharing passwords, network access or confidential information with unauthorized parties would be a direct violation of this policy.
6. I will include a section in the employer security policy that establishes the protocol for reporting illegal actions by internal and external users. I will maintain a telephone and email hotline to address the company’s security issues.
7. I will update the email section of the employer security policy to prohibit the use of company accounts to send or receive personal email.
8. I will update the employer security policy to define what video surveillance is used and which employee actions the company monitors. This update will also outline what the company considers misuse of its video surveillance capability.
9. The company will not use GPS tracking on employee laptops to monitor workers’ locations when they are working outside company facilities or after business hours. Any recognized abuse of the GPS policy could be grounds for a recommendation of termination of employment. The update outlines which activities the company considers an abuse of its surveillance capabilities.
C1. Mitigate Unethical Uses
I identified one unethical use of technology by internal users: the organization’s use of GPS tracking systems placed in company laptops in a manner that violates individual freedoms. New employee security policy number nine addresses the improper use of GPS tracking devices inside company equipment to monitor employees’ locations after hours or during business trips requiring overnight stays. The company recognizes its employees’ right to privacy and treats any violation as a serious offense with severe penalties for those who would breach it. The second potential unethical use by internal users is the video monitoring of employees inside and outside facilities. Policy number eight addresses the use of on-site security cameras to spy on the activities of colleagues; the threat is mitigated by defining what the company considers a misuse of this capability and informing employees of which actions it monitors. The unethical use of company technology by external users that I identified is the leaking of confidential company information to third parties or competitors. The non-disclosure agreement introduced in policy number two, which must be signed by all users, mitigates the opportunity for illegal distribution of secret information to unapproved parties. Giving unapproved parties access to the organization’s network by sharing credentials is also addressed in policy number two: the non-disclosure agreement contains a section that prohibits sharing credentials, access codes and passwords with anyone and identifies the penalties for doing so.
C2. Mitigate Security Threats
The proposed policy change number four would alleviate the loss or illegal distribution of sensitive company data through unauthorized personal devices. Updating the data security policy to specify which devices internal users may use on company premises, and how those devices are secured, lessens the risk of data being compromised or stolen through unauthorized devices. The update also includes a section listing the software approved for use on company computers, which further mitigates this threat. Number seven is a new employer security policy addressing unauthorized web use by internal users; it eliminates the use of company email addresses for personal email and reduces the possibility of misuse of company resources. Policy number two adds the non-disclosure agreement to all three sections and also helps mitigate improper internet use on company computers. The problem of discussing internal company information in public forums is lessened by policy number five, which creates an ethical behavior section identifying what the company considers inappropriate activities. The threat from malicious third parties is alleviated by the non-disclosure agreement and by number five of the data security policy, which ensures third parties recognize the organization’s expectations of privacy for the company information they can access; the agreement would help combat third-party security threats. The threat of cyberterrorism or spying is lessened through the non-disclosure agreement and the ethical behavior section created in policy number five. An intrusion detection system will minimize the success of cyber-attacks on the network, and the restrictions placed on users regarding disclosure of sensitive company information, such as details of the communications network, will frustrate would-be attackers.
Ford, J., Willey, L., White, B. J., & Domagalski, T. (2015). New concerns in electronic employee monitoring: Have you checked your policies lately? Journal of Legal, Ethical and Regulatory Issues, 18(1), 51-70. Retrieved from https://wgu.idm.oclc.org/login?url=https://search-proquest-com.wgu.idm.oclc.org/docview/1693347921?accountid=42542