Securing Information Systems (I.S.) resources is a complex topic. Understanding the complexity is necessary if we are to control it. There are three dimensions of I.S. security that can help companies expose (and reduce) the complexity:
Dimension ONE: The types of problems that could possibly arise and the corresponding types of objectives that ought to be pursued.

The first type of problem is the unauthorized use of I.S. resources by those who can get access to them. The corresponding objective would be: TO ASSURE ONLY THE AUTHORIZED USE OF I.S. RESOURCES

The second type of problem is that I.S. resources can be modified and tampered with, endangering their integrity. The corresponding objective would be: TO ASSURE THE INTEGRITY OF I.S. RESOURCES

The third type of problem is that I.S. resources can be destroyed and made unavailable due to a variety of factors. The corresponding objective would be: TO ASSURE THE CONTINUED AVAILABILITY OF I.S. RESOURCES
Dimension TWO: The three types of resources are HARDWARE, SOFTWARE, and DATA. There are nine ways in which dimensions ONE and TWO can be combined:

1. To assure only the authorized use of all hardware
2. To assure only the authorized use of all software
3. To assure only the authorized use of all data
4. To assure the integrity of all hardware
5. To assure the integrity of all software
6. To assure the integrity of all data
7. To assure the continued availability of all hardware
8. To assure the continued availability of all software
9. To assure the continued availability of all data

Dimension THREE: Each of these nine objectives can be understood more concretely in terms of the various problematic situations that could arise, the business impacts of those situations, and ways of coping with those situations, both reactively and proactively.

Reactively = what to do AFTER the problem has occurred.
Proactively = what to do to prevent the problem from happening in the first place.

For example, number 7 from the above list of nine items covers a variety of scenarios such as:

- A piece of hardware being stolen
- An earthquake destroying all hardware at one location
- A computer virus disabling all hardware on a network of computers
- A union demonstration getting ugly and angry workers attacking a facility and smashing up computers

As you can see, each of the four situations has a different impact and requires a different method of coping with it. Chain-locking equipment may take care of the first. Falling back temporarily on hardware installed at other locations of the company may be a solution to the second. Installing anti-virus software and tightening access may solve the third. And sealing off the computer center and protecting it with human security guards may be a viable way of dealing with the fourth.
Question 1: Now, pretend that you are a committee member of Information Systems Security at a well-known University. For each of the nine categories listed in Dimension TWO, propose ways of assurance, both reactively and proactively, when applicable. You should assume that your proposed ways would become adopted I.S. security policies at the University.
1. To assure only the authorized use of campus hardware
   Proactively: (For example) Provide visible signs at appropriate locations to indicate that campus computer equipment is for employee and/or student use only
   Reactively: (For example) Unauthorized users who are discovered shall be escorted off campus by a campus security guard for violating campus rules
2. To assure only the authorized use of campus software
   Proactively: [Enter Your Response Here]
   Reactively: [Enter Your Response Here]
3. To assure only the authorized use of campus data
   Proactively: [Enter Your Response Here]
   Reactively: [Enter Your Response Here]
4. To assure the integrity of campus hardware
   Proactively: [Enter Your Response Here]
   Reactively: [Enter Your Response Here]
5. To assure the integrity of campus software
   Proactively: [Enter Your Response Here]
   Reactively: [Enter Your Response Here]
6. To assure the integrity of campus data
   Proactively: [Enter Your Response Here]
   Reactively: [Enter Your Response Here]
7. To assure the continued availability of campus hardware
   Proactively: [Enter Your Response Here]
   Reactively: [Enter Your Response Here]
8. To assure the continued availability of campus software
   Proactively: [Enter Your Response Here]
   Reactively: [Enter Your Response Here]
9. To assure the continued availability of campus data
   Proactively: [Enter Your Response Here]
   Reactively: [Enter Your Response Here]

Ethical issues are very important to organizations, and the use of information systems has caused new issues related to ethics to arise. Ethics is generally defined as having to do with right and wrong behavior, and it is not restricted only to topics governed by laws. Not everyone agrees on what constitutes ethical behavior, but companies are interested in developing and maintaining a successful business while at the same time being fair, just, and trustworthy. Ethical behavior in business includes personal integrity, honesty, fairness and respect for the rights of others. Many companies also try to screen potential employees based on these attributes.

Question 2:
For each of the following behaviors, indicate whether you consider it ethical or not ethical and discuss why you think so. If you think "it depends" is the most appropriate answer, please clearly justify it.

1. Making a single copy of a software program that belongs to someone else for your personal use. You are doing this with that person's consent.
2. Making a single copy of a software program that belongs to someone else for your business use. You are doing this with that person's consent.
3. Selling a software program (its CDs) you bought but no longer need. However, the software has already been installed on your computer and you registered it using false information.
4. Selling a software program (its CDs) you bought but no longer need. However, the software has already been installed on your computer and you registered it using truthful information.
5. Keeping a secret record on your employees (that is, keeping information about an employee without the employee knowing it).
6. Monitoring the emails of your employees without their knowing it.
7. Refusing to reimburse a client who suffered business losses because of incorrect data your computer provided to her. The inaccuracy was due to a programming error made by the programmer you contracted the job to.
8. Learning that a newly developed technology will protect your employees from the harmful physiological effects of working with their computers, and yet refusing to buy it for them because buying would put a dent in your company budget. Your employees do not know about the technology and there is no legal requirement imposed on companies to purchase it.
