The purpose of this paper is to create a policy that will ensure Firion's compliance with governmental regulations concerning cyber security, as well as the protection of the company and its customers.
Introduction
Firion is a "corporation which develops, produces, and markets specialized jackets used in waste disposal and other safety-related applications" (UMUC, 4). Like most modern companies, Firion uses technology for increased efficiency in production, for networking among employees, and to store and maintain important data. For example, its databases contain employee and customer information as well as sensitive information about the research concerning Firion's new glove designs and coatings. It is of extreme importance that Firion be able to keep sensitive information confidential to prevent financial loss through lawsuits or loss of profit. If Firion fails to keep certain information confidential, the loss of employee and customer confidence in the company and the potential loss of its technological edge over the competition can be extremely damaging and difficult to recover from. There are a large number of modern threats to the cyber infrastructure of any company, and the number of threats is ever increasing.
Recent cases of hacking show how common cyber attacks have become and why it is important to take steps to prevent Firion from becoming a victim of such attacks. Epsilon, "the largest email marketing service company in the world," fell victim to an attack in early March of 2011 ("Email marketing firm"), and Sony was dealt a huge blow the very next month when the credit information of about 70 million of its customers was compromised ("70 Million Playstation"). Lastly, in June of 2011 Google announced that Chinese hackers had compromised the Gmail accounts of U.S. politicians using an attack called spear phishing ("Google Announced"). These major attacks happened within the span of a few months, and there continue to be cases of attacks like the ones listed above. There are very serious repercussions for a company when it is attacked in such a manner as Sony. For example, PlayStation users in New York filed suit against Sony claiming negligence (McEntegart, 2011). In order for Firion to protect itself against these and other attacks, there must be a sound cyber security policy in place to ensure that the company is actively protecting its own interests in all the necessary areas.
In order to have a complete cyber security policy, Firion must take into account two major issues: compliance with federal laws and regulations, and protection of the company's interests against cyber threats (Firion's cyber security policy will focus heavily on the human aspects of cyber threats). The U.S. Government has enacted several laws that companies must follow in order to better ensure the security of the company itself as well as the security of its customers, who are likely to be U.S. citizens. So it is in the best interest of Firion to ensure that such laws are enforced, to increase the security of the company, to decrease Firion's liability, and to avoid potential fines. Secondly, it is important for the cyber security policy to dedicate proper examination to the human aspects which affect a company's security and to provide practical solutions to each human vulnerability or threat. It is of first importance to protect Firion and its employees and customers, but that protection should not stifle Firion's ability to conduct normal business. In the end, the aim will be to create a cyber security policy for Firion which addresses all the necessary issues and retains a balance of sufficient security without over-restricting the business.
Federal Compliance Laws
Regulatory compliance is an important part of business no matter how large or small, and ensuring that employees take all steps required to follow laws and regulations is vital. Violating one regulation, however small it may seem, can result in fines and other repercussions. Regulatory compliance covers a wide range of rules. Numerous acts of government legislation exist that provide the regulations that all companies must abide by. It is important that compliance standards are met, as this serves to protect employee and customer personal information from access by unauthorized parties. Failure to comply can lead to fines, imprisonment, or both. The Federal Information Security Act (FISMA) is legislation signed into law as part of the Electronic Government Reform Act of 2002. FISMA describes a broad framework to protect sensitive information from man-made and natural threats. FISMA makes permanent the information security management responsibilities it introduced and delegates assignments to several agencies, ensuring that all data is secure. The act requires that agency officials keep risks low or at satisfactory levels. The National Institute of Standards and Technology (NIST) defines the actions required for compliance with FISMA:
• Risk Assessments
• Security Awareness Training
• Policies and Procedures
• Security Plans
• Contingency Plans
• Incident Response Procedures
• Remediation Procedures
• Annual Security Testing
Since its establishment, Federal information systems and databases have been integrated into non-Federal agencies, including law enforcement, and businesses ("Detailed overview," 2010). The Health Insurance Portability and Accountability Act (HIPAA) provides regulation for the use and release of an individual's medical information. The goal is to guarantee that an individual's healthcare information is secure while still permitting the flow of healthcare information that is necessary to protect the public's welfare and boost the quality of healthcare. HIPAA strikes a compromise that allows important uses of the information while protecting the privacy of those who seek medical care ("Summary of the"). The Sarbanes-Oxley Act (SOX) was introduced in 2002 in response to the Enron and WorldCom scandals.
The Sarbanes-Oxley Act is organized into eleven titles and protects against everything from errors in accounting to fraudulent practices. Both IT and financial departments are affected, because IT departments face the daunting task of having to produce and preserve an archive of corporate files in a way that is cost-effective and that complies with the requirements set forth by the legislation. The Sarbanes-Oxley Act states that all records can only be saved for five years. SOX requires enough information about transactions to allow one to identify where misstatements due to fraud or human error could occur. It also sets forth information and controls to detect or prevent fraud ("What is sox," 2010). The Electronic Communications Privacy Act (ECPA) prohibits a third party from disclosing or diverting communications without proper authorization. The law was enacted in 1986 and covers a wide area of electronic communications. Electronic communication means the transfer of "writings, images, sounds, and signals intelligence transmitted by any communication system that affects interstate or foreign commerce." ECPA forbids the unauthorized access and particular release of communication content. The Act protects communications in transit as well as in storage ("Federal Statutes," 2012). The Digital Millennium Copyright Act (DMCA) protects the rights of copyright owners and consumers. The controversial reform covers circumvention of copyright protections, fair use of copyrighted materials, and protection of ISPs from liability as long as they follow specific procedures. DMCA also forbids the bypassing of access controls and copyright protections, and bans devices that perform such circumvention. The act is considered a compromise measure because it prohibits some activities that are ethical. Revisions have been made to DMCA to allow encryption and security research (Rouse, 2011).
Threats
There are several threats to Firion's security and infrastructure. These are both technical threats and human-related threats. All of these threats affect the confidentiality, integrity, and availability of the information system. In addition, these threats will have a financial and business impact on Firion.
Based on the Firion security review, there are two technical threats that can affect Firion's security and privacy goals. The first technical gap is the lack of change control on critical systems. The incident in which Nina was able to disable ports on the firewall is an indication that no formal change control or change detection is in place. The firewall incident also shows a lack of separation of duties in Firion's IT organization. With no separation of duties and no change control, there will be very little monitoring of the infrastructure to detect abnormal changes. This gap makes attacks from both inside and outside Firion difficult to detect. The lack of change control also extends to the client desktop environment. Llyod, the HR manager, is able to change his own computer settings. Users having administrative rights is one of the leading causes of virus and malware infection. Imagine hackers or cyber criminals being able to open ports on the firewall and redirect traffic to and from the internal network with minimal detection and no change restriction. All the criminals need to do is obtain a user's credentials in order to perform changes on the network infrastructure. A potential denial of service attack on Firion's domain name services (DNS) would cause a large outage across Firion's infrastructure. Combating this technical gap requires a formal change control and review process. With the combination of separation of duties and a proper change control process, the risk can be minimized and issues can be detected at an earlier stage.
The next technical threat is the lack of content filtering for Firion's web and email traffic. The ability to block unauthorized or even dangerous downloads is an important factor in securing endpoints. We need the ability to monitor and filter web and email traffic to and from Firion's network. One attack vector for viruses and malware is active web content on websites (Tittel, 2005). The absence of download protection and change control on user computers will make Firion's computers a target for advanced persistent threats (APTs). The APTs could infect Firion's infrastructure and steal data. The potential loss of intellectual property could cost Firion billions of dollars in damage. According to the Verizon Data Breach Investigations Report in 2011, 49% of data breaches are caused by malware (Verizon, 2011). The Internet is also a prime area for reconnaissance and social engineering. The incident of Chinese spies using a fake Facebook account for social engineering to obtain user information is an issue that we cannot ignore (Chinese Spies Use Fake Facebook Pages to Gain Intel, 2012). A defense-in-depth approach will ensure that our endpoints receive maximum protection against the ever-changing Internet environment.
Firion also faces two major security threats that are related to its employees.
The absence of a formal acceptable use policy (AUP) leaves users and management without a guideline for day-to-day activities. The incident involving Laura requesting trial software without a proper security review and authorization shows the lack of security awareness and of a proper exception request procedure. According to a report from Ernst & Young, over 75% of security breaches are caused by the activities of internal users (H. M. P. S. & Wijayanayake, 2009). Misuse of computer resources in the workplace not only reduces productivity but also brings additional risk to the company's reputation. Activities like surfing the web and participating in social networking sites might bring questionable content into the workplace. Such content can be seen as a form of sexual harassment. The Melissa virus, discovered in 1999, was originally planted in an alt.sex Usenet newsgroup message. The billions of dollars of lost productivity and the negative publicity can tarnish the image and the business of Firion. Without a formal review of software requests, the IT security organization will not be able to design a security solution that covers the user base. This gap will allow both internal and external intruders to plant software or Trojans to disrupt services or steal data.
The most serious security threat to Firion is the risk of data loss. The incident of Nina stealing R&D data from Firion is a wake-up call. The advent of Web 2.0 and social networking makes it easy to share information. This new Internet environment also makes it easy for personal or corporate information to leak onto the Internet. Sandra blogging on the Internet might be improving communication and collaboration with customers. On the other hand, the lack of controls on the flow of information makes it difficult to safeguard our data. The primary driver of Web 2.0 for corporations is improved communication, both internally and externally. With this drive for communication, the primary concerns are security issues and the potential for sensitive company information being made public (Donston, 2008). With web filtering software, data classification, and proper education of users, we can minimize the chance that critical business data leaks to the Internet accidentally. The other vector for potential data loss is the emailing of information to an external email account. The incident involving development manager Sam Eilot demonstrates that data could be leaked to an external source. Once data is stored in third-party storage, Firion loses control over the storage and backup of the data. For example, once the data is stored with Google, Google will have complete control of the data and can allow the data to be searchable from the Internet. Imagine company intellectual property being accidentally emailed to Gmail and becoming searchable on the Internet. The leak of such information might cost Firion billions of dollars in sales. Industrial spies and cyber criminals are constantly searching the web for any information that they can sell for a profit. The last data loss vector that Firion faces is the use of removable storage. Removable storage media (CDs, USB drives, etc.) are getting smaller and smaller, and it is easy for a user to misplace the media.
Most of these storage media do not employ encryption, so they become an easy target for anyone to steal and copy the information. Incidents like Countrywide Financial Corp. losing 2 million customer mortgage applications because an employee copied them to a USB thumb drive (Reckard & Menn, 2008) illustrate the risk. Filling these security gaps requires the security organization to take a multi-pronged approach. First of all, having data classification policies and the appropriate controls and measures ensures that critical data is identified. Once we identify the critical data, we can design our solution to protect it when it is at rest or in motion, using technologies like encryption. Secondly, having a data loss prevention solution to monitor web, email, and removable media access is a key factor in stopping data from being leaked. We need a solution that covers most of the common exit points for data: it must flag the channel where sensitive data is detected and take action to remediate it. Lastly, having an acceptable use policy that is properly communicated to the end user base, together with user education, ensures that the proper security controls will be executed. We need to address the widening socio-technological gap in our modern workspace. We see the need to give guidance on how to apply ethical behavior in the workplace. Traditional security policies and acceptable use policies focused on deterrence; however, there is a new idea of having the acceptable use policy give users a basis for sustainable ethical decision making (Ruighaver, Maynard, & Warren, 2010). We want users to be aware of the consequences to the company, to make an ethical decision on the use of company resources, and to take security as a personal responsibility.
References
McEntegart, J. (2011, June 29). Sony sued for negligence over PS3 hack. Retrieved from http://www.tomsguide.com/us/PSN-Hack-Lawsuit-Negligence-Breach-of-Contract-Privacy,news-11662.html
Email marketing firm Epsilon was hacked to obtain emails for "spear phishing". (n.d.). Retrieved from http://www.businessinsider.com/imf-cyber-attacked-hackers-sony-rsa-lockheed-martin-epsilon-michaels-2011-6
70 million PlayStation users had their credit information compromised. (n.d.). Retrieved from http://www.businessinsider.com/imf-cyber-attacked-hackers-sony-rsa-lockheed-martin-epsilon-michaels-2011-6
Google Announced. (n.d.). Retrieved from http://www.businessinsider.com/imf-cyber-attacked-hackers-sony-rsa-lockheed-martin-epsilon-michaels-2011-6
Detailed overview. (2010, August 17). Retrieved from http://csrc.nist.gov/groups/SMA/fisma/overview.html
Federal statutes. (2012, March 21). Retrieved from http://it.ojp.gov/default.aspx?area=privacy&page=1285
Rouse, M. (2011, March 22). Digital Millennium Copyright Act (DMCA). Retrieved from http://whatis.techtarget.com/definition/0,,sid9_gci904632,00.html
Summary of the HIPAA privacy rule. (n.d.). Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
What is SOX – Sarbanes-Oxley Act. (2010). Retrieved from http://soxresource.com/what-is-sox/
Chinese Spies Use Fake Facebook Pages to Gain Intel. (2012).
Donston, D. (2008, May 19). Web 2.0. eWeek, 25(16), p. 39.
H. M. P. S., H., & Wijayanayake, W. (2009). Computer misuse in the workplace. Journal of Business Continuity & Emergency Planning, 3(3), 259-270.
Reckard, E., & Menn, J. (2008, August 2). Insider stole Countrywide applicants' data, FBI alleges. Los Angeles Times.
Ruighaver, A., Maynard, S., & Warren, M. (2010, October). Ethical decision making: Improving the quality of acceptable use policies. Computers & Security, 29(7), pp. 731-736.
Tittel, E. (2005). PC Magazine Fighting Spyware, Viruses, and Malware. Wiley Publishing.
Verizon. (2011). 2011 Data Breach Investigations Report.