ICT & Society Notes Update 3
COURSE DESCRIPTION
1. Introduction to ICT and Society
2. Use of ICT within organizations
• training & support
• effects of change, and implementing change
3. ICT systems security
• Data security & personnel security
4. Risk analysis and computer auditing
5. Informational and ICT ethics
READINGS
1. “Ethics of Information Management”, Richard O. Mason, Florence M. Mason and Mary J. Culnan,
Sage Publications, 1995
COURSE JOURNAL
1. Oxford Journals: The Computer Journal
2. Computer Science Journals (CSC Journals)
3. Journal of Computing
4. Directory of Open Access (DOAJ): Computer Science
ASSESSMENT
• CATs/Assignments/Group presentations = 30%,
• Final Written Examination = 70%,
• Total = 100%
INTRODUCTION TO ICT AND SOCIETY
Information and Communication Technology (ICT) refers to technology that provides
access to information through telecommunications (the transmission of signals over
long distances). It focuses primarily on communication technologies. This includes the
Internet, wireless networks, cell phones, and other communication media.
Definition of ICT
Information and Communication Technology (ICT) can also be defined as the
convergence of electronics, computing, and telecommunications. It has unleashed a
tidal wave of technological innovation in the collecting, storing, processing,
transmission, and presentation of information that has not only transformed the
information technology sector itself into a highly dynamic and expanding field of
activity, creating new markets and generating new investment, income, and jobs, but
also provided other sectors with more rapid and efficient mechanisms for responding
to shifts in demand patterns and changes in international comparative advantage,
through more efficient production processes and new and improved products and
services.
ICT is being increasingly used in libraries and information services to acquire, process,
and disseminate information. Libraries have been using ICT-based services to satisfy
the diverse information needs of the users. The use of ICT has become increasingly
important in special libraries as they are switching over to ICT-based resources and
services at an accelerated pace. Using computers for library operation avoids
repetitive jobs and saves time, resources, and labor. It also speeds up technical
processing and information services.
The impact of ICT is enormous and global in its magnitude, pervasiveness, and
usefulness because of its most distinguishing features: a dramatic decrease in cost
and size, and a tremendous increase in processing speed, storage, and communication
capabilities. ICT has a profound effect on the progress and development of human
civilization. The tools used in ICT include computer programs, databases,
communication networks, analysis and design methods, programming languages,
artificial intelligence, knowledge bases, etc. ICT has a long-standing influence in
almost all areas of human activity.
In the past few decades there has been a revolution in computing and
communications, and all indications are that technological progress and use of
information technology will continue at a rapid pace. Accompanying and supporting
the dramatic increases in the power and use of new information technologies has been
the declining cost of communications as a result of both technological improvements
and increased competition. According to Moore’s law, the processing power of
microchips is doubling every 18 months. These advances present many significant
opportunities but also pose major challenges. Today, innovations in information
technology are having wide-ranging effects across numerous domains of society, and
policy makers are acting on issues involving economic productivity, intellectual
property rights, privacy protection, and affordability of and access to information.
Choices made now will have long-lasting consequences, and attention must be paid
to their social and economic impacts.
Application of ICT
1. Application of ICT in Everyday Life
ICTs have become a way of life in the present-day world. We are using various
ICTs in our day‑to‑day life for reading e‑newspapers, e‑magazines and
e‑books, online shopping, paying bills for food, using mobile apps, getting
online appointments from doctors and so on.
2. Application of ICT in Education
• Teaching, Learning and Assessment: ICT finds presence and
expression in almost all the functions of the schools, such as admission,
time table, classroom instruction, evaluation, laboratory management,
learning resources management, examination and certification. It is also
being used for office automation. E‑resources like websites, e‑books,
e‑newsletters, Open Educational Resources (OERs), etc., are used by
most of the schools.
• Inclusive Education: ICT is used for catering to the educational
needs of every section of the society, including children with special
needs. Various assistive devices and technologies are being developed
which play an important role in fulfilling the specific needs of these
children. For example, talking books, talk back feature of mobile phones,
GPS inbuilt walking sticks, etc., are making substantial changes in
people's lives.
3. Application of ICT in Art:
Creative construction and connection are being done in various domains with
the advent of ICT. Creative composition, compilation and communication can
be done quickly by compatible ICTs. The role of ICT is vital in disseminating
various art forms popular in one area to another. The appreciation of Art and
Culture gained popularity through ICT. ICT has made it possible to showcase
the creative works to the larger audience.
4. Application of ICT in Science and Technology
• Health: The use of ICT in surgeries has made them less invasive, highly
precise and automated. Due to this, the recovery time has been reduced
manyfold. Robotic technology has had a positive impact on present medical
sciences. Nowadays distance is not a constraint for any complicated
medical intervention to be done jointly by doctors located at different
places through networking.
• Telecommunication: The field of Information Technology has seen a lot
of advancement with the help of ICT. Satellite communication has
advanced a lot and reached a number of people belonging to different
setups. Low‑cost smartphones and very cost‑effective services have
made these available to almost everybody in the society. App-based
services available in different areas have made people’s lives easier.
• Agriculture and Natural Resources: Frequent and almost
accurate weather updates have revolutionized the agriculture sector.
Early prediction of rains or other weather conditions by the Meteorological
Department has equipped the farmers in getting better yield. The
sustainable use of natural resources has also become possible due to
ICT integration; now it is possible to locate the oil wells, coal mines, etc.,
with the help of satellite technology.
5. Application of ICT in Business
• Transportation: ICT is used very effectively in the area of transportation. The GPS system is
installed in vehicles, to provide security and easy navigation to the commuters.
Airplanes and trains use RADAR systems for their control and path finding.
Application‑based services have revolutionized users' experience of the transport
system. Online reservations of flights, trains, buses and other
services have further made our lives easier.
• Marketing: Online marketing through various websites and mobile
applications is very popular in today’s world. People find them useful and
hassle free. They are not only cost effective but also save a lot of time
and effort. The online sales and services have generated
a new type of employment, which requires very little investment at the
source.
• Tourism: Various online hotel booking systems have provided a great
experience to the users. With the advancement of ICT even checking
the overall scenario of a place before planning a visit has become
feasible. Also, online payment facilities have simplified the travel
experience.
6. Application of ICT in Administration
• Public Safety and Security: Deployment of ICT makes it possible for
the police departments to collect, store and rapidly disseminate the
information to enhance public safety. ICT can also be used for the
identification of criminals by tracing their digital footprints.
• e-Governance and Public Administration: e‑Governance is
generally understood as the use of Information and Communication
Technology (ICT) at all levels of the Government in order to provide
services to the citizens, interaction with business enterprises and
communication and exchange of information between different agencies
of the Government in a speedy, convenient, efficient and transparent
manner.
Inventory Management
Organizations need to maintain enough stock to meet demand without investing in
more than they require. Inventory management systems identify the quantity of each
item a company maintains and trigger an order of additional stock. This has become
more important because an organization needs to maintain enough stock to meet
customer demand. Using IT in inventory management therefore helps to track the
quantity of each item a company maintains when it comes to managing inventory.
Working Away
Information technology systems allow remote access to the company's electronic
network. This allows one to work from home or anywhere. It helps in increasing
productivity even when the physical work has been done in the office.
Automated Processes
Every organization looks for ways to do more work in a short amount of time.
Information technology therefore improves efficiency by developing automated
processes that take the burden off staff.
Communication
In the business world, communication plays an important role in maintaining the
relationship between employees, suppliers, and customers. Through the use of IT,
we can simplify the way we communicate, using e-mail, video chat rooms or social
networking sites. It means we can communicate with our employees, suppliers and
customers anywhere.
Flow of Information
Information is a key resource for all organizations. What information describes might
be internal, external, objective or subjective. External information describes the
environment surrounding the organization. Objective information describes something
that is known. Subjective information describes something that is currently unknown.
With information technology, the flow of all these three types of information is made
simple by the use of centralized data centers where all this data can be retrieved.
Information in an organization can flow in four directions and these include upward
flow of information, downward flow of information, outward flow of information and
horizontal flow of information.
Transaction processing
Information technology simplifies the transaction process of an organization. A
transaction process system (TPS) is a system that processes transactions that occur
within an organization. At the heart of every organization are IT systems whose main
role is to capture transaction information and create new information based on the
transaction information. A TPS will update any transaction process and store that
information in a database, so any concerned party in the organization can access that
information via a centralized information storage network of internet.
Workgroup support
Since information technology facilitates the creation of an information sharing
environment, workers can easily consult each other across different departments
without any interruption. They can use emails and text chat services to inquire
about something related to a given task at work. With workgroup support systems,
group decision making becomes easier.
Data Management
With the help of database software, an organization stores all its relevant data in a
database. This infrastructure can be designed to be internal or external. An
internal centralized system can only be accessed within the organization, while an
external centralized system allows data to be accessed from outside the organization
using a remote Internet Protocol (IP) address or a domain name. In this case,
employees or managers can use a company website to access relevant company data
by use of passwords. This data is not exposed to the public and search engines.
Communication
Information technology accounts for the development of communication technology.
Services like electronic mail make communication within and outside the organization
easy and fast. Nowadays email communication is a default communication technology
used by every organization. Communication is a great tool in business development;
with advanced communication tools, employees and managers can easily make
beneficial decisions in the organization.
The premise that ICT plays a big role in systematizing organizational change was
the basis of a roundtable discussion at a recent IQPC PEX Operational Excellence
conference. Most of the points raised put ICT in an unflattering light, which hopefully
is an exaggeration of what happens in many organizations. Nonetheless, this discussion
should be a wake-up call for Information officers, ICT leaders and business leaders in
organizations that are trying, perhaps unsuccessfully, to drive change in their
businesses.
ICT’s participation in change management projects
• The organization—both ICT and the business—needs to make sure it isn’t
automating broken processes.
• Workers need to liaise with ICT before changes are implemented; early in the
discovery process management must decide how much individual managers
and workers should get involved.
• ICT should talk with front line workers, not just managers and executives.
• ICT often gets in the way of change when they don’t understand the context for
the changes.
Usability
• A user interface can be an issue if workers don’t like it and won’t spend the time
to learn it. Sometimes the UI is not fit for purpose, so workers resist it.
Data
• Dashboards are sometimes too high-level and not relevant to lower level
managers, group leaders and individual contributors.
• KPIs are not the only important management metrics; contextualized data is
key and should be the goal. To implement changes, the organization needs
actionable intelligence.
• Sometimes there’s too much data and it’s more than anyone knows how to use.
• Big data and analytics can be important tools if used properly and made
relevant to the changes.
• One of the big problems is that data is in silos. All the disciplines and functions
have their own silos.
• Data needs to be accessible and integrated so that workers can find all the
information they need to get the job done.
• People within the organization need to look at the same data but from different
points of view.
Confidentiality
When protecting information, we want to be able to restrict access to those who are
allowed to see it; everyone else should be disallowed from learning anything about its
contents. This is the essence of confidentiality. For example, law requires that
universities restrict access to private student information. The university must be sure
that only those who are authorized have access to view the grade records.
Integrity
Integrity is the assurance that the information being accessed has not been altered
and truly represents what is intended. Just as a person with integrity means what he
or she says and can be trusted to consistently represent the truth, information integrity
means information truly represents its intended meaning. Information can lose its
integrity through malicious intent, such as when someone who is not authorized makes
a change to intentionally misrepresent something. An example of this would be when
a hacker is hired to go into the university’s system and change a grade. Integrity can
also be lost unintentionally, such as when a computer power surge corrupts a file or
someone authorized to make a change accidentally deletes a file or enters incorrect
information.
Availability
Information availability is the third part of the CIA triad. Availability means that
information can be accessed and modified by anyone authorized to do so in an
appropriate timeframe. Depending on the type of information, appropriate
timeframe can mean different things. For example, a stock trader needs information
to be available immediately, while a sales person may be happy to get sales numbers
for the day in a report the next morning. Companies such as Amazon.com will require
their servers to be available twenty-four hours a day, seven days a week. Other
companies may not suffer if their web servers are down for a few minutes once in a
while.
Authentication
The most common way to identify someone is through their physical appearance, but
how do we identify someone sitting behind a computer screen or at the ATM? Tools
for authentication are used to ensure that the person accessing the information is,
indeed, who they present themselves to be. Authentication can be accomplished by
identifying someone through one or more of three factors: something they know,
something they have, or something they are. For example, the most common form of
authentication today is the user ID and password. In this case, the authentication is
done by confirming something that the user knows (their ID and password). But this
form of authentication is easy to compromise and stronger forms of authentication are
sometimes needed. Identifying someone only by something they have, such as a key
or a card, can also be problematic. When that identifying token is lost or stolen, the
identity can be easily stolen. The final factor, something you are, is much harder to
compromise. This factor identifies a user through the use of a physical characteristic,
such as an eye-scan or fingerprint. Identifying someone through their physical
characteristics is called biometrics. A more secure way to authenticate a user is to do
multi-factor authentication. By combining two or more of the factors listed above, it
becomes much more difficult for someone to misrepresent themselves.
Access Control
Once a user has been authenticated, the next step is to ensure that they can only
access the information resources that are appropriate. This is done through the use of
access control. Access control determines which users are authorized to read, modify,
add, and/or delete information. Several different access control models exist. Here we
will discuss two: the access control list (ACL) and role-based access control (RBAC).
For each information resource that an organization wishes to manage, a list of users
who have the ability to take specific actions can be created. This is an access control
list, or ACL. For each user, specific capabilities are assigned, such
as read, write, delete, or add. Only users with those capabilities are allowed to perform
those functions. If a user is not on the list, they have no ability to even know that the
information resource exists.
ACLs are simple to understand and maintain. However, they have several drawbacks.
The primary drawback is that each information resource is managed separately, so if
a security administrator wanted to add or remove a user to a large set of information
resources, it would be quite difficult. And as the number of users and resources
increase, ACLs become harder to maintain. This has led to an improved method of
access control, called role-based access control, or RBAC. With RBAC, instead of
giving specific users access rights to an information resource, users are assigned to
roles and then those roles are assigned the access. This allows the administrators to
manage users and roles separately, simplifying administration and, by extension,
improving security.
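The administrative difference between the two models described above, as an added example that is not part of the original notes. It goes slightly beyond the text by counting how many records must be edited to remove one user; the user names, role names and the 50 grade-record resources are constructed for illustration.

```python
"""ACL vs. RBAC: same access decisions, different administration cost."""


class ACLStore:
    """One access control list per resource: resource -> user -> permissions."""

    def __init__(self):
        self.acls = {}

    def grant(self, resource, user, *perms):
        self.acls.setdefault(resource, {}).setdefault(user, set()).update(perms)

    def is_allowed(self, user, resource, perm):
        return perm in self.acls.get(resource, {}).get(user, set())

    def visible_resources(self, user):
        # A user who is on no list for a resource does not learn that it exists.
        return sorted(r for r, acl in self.acls.items() if user in acl)

    def remove_user(self, user):
        """Remove a user everywhere; return how many lists had to be edited."""
        touched = 0
        for acl in self.acls.values():
            if acl.pop(user, None) is not None:
                touched += 1
        return touched


class RBACStore:
    """Permissions attach to roles; users are only assigned to roles."""

    def __init__(self):
        self.role_perms = {}  # role -> resource -> permissions
        self.user_roles = {}  # user -> set of roles

    def grant_role(self, role, resource, *perms):
        self.role_perms.setdefault(role, {}).setdefault(resource, set()).update(perms)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def is_allowed(self, user, resource, perm):
        return any(
            perm in self.role_perms.get(role, {}).get(resource, set())
            for role in self.user_roles.get(user, ())
        )

    def visible_resources(self, user):
        seen = set()
        for role in self.user_roles.get(user, ()):
            seen.update(self.role_perms.get(role, {}))
        return sorted(seen)

    def remove_user(self, user):
        """Remove a user; only the user-to-role record is edited."""
        return 1 if self.user_roles.pop(user, None) is not None else 0


# Constructed sample data: 50 grade-record resources at a university.
COURSES = [f"grades/course-{n:02d}" for n in range(1, 51)]


def build_acl():
    store = ACLStore()
    for course in COURSES:
        store.grant(course, "registrar_asha", "read", "write")
        store.grant(course, "auditor_ben", "read")
    store.grant(COURSES[0], "lecturer_carol", "read", "write")
    return store


def build_rbac():
    store = RBACStore()
    for course in COURSES:
        store.grant_role("registrar", course, "read", "write")
        store.grant_role("auditor", course, "read")
    store.grant_role("lecturer-course-01", COURSES[0], "read", "write")
    store.assign("registrar_asha", "registrar")
    store.assign("auditor_ben", "auditor")
    store.assign("lecturer_carol", "lecturer-course-01")
    return store


if __name__ == "__main__":
    acl, rbac = build_acl(), build_rbac()
    print("ACL lists edited to remove registrar:", acl.remove_user("registrar_asha"))
    print("RBAC records edited to remove registrar:", rbac.remove_user("registrar_asha"))
```

Both stores answer every access question identically; the difference shows only when an administrator has to change who holds the access.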
Password Security
So why is using just a simple user ID/password not considered a secure method of
authentication? It turns out that this single-factor authentication is extremely easy to
compromise. Good password policies must be put in place in order to ensure that
passwords cannot be compromised. Below are some of the more common policies
that organizations should put in place.
Backups
Another essential tool for information security is a comprehensive backup plan for the
entire organization. Not only should the data on the corporate servers be backed up,
but individual computers used throughout the organization should also be backed
up. A good backup plan should consist of several components.
• Regular backups of all data. The frequency of backups should be based on how
important the data is to the company, combined with the ability of the company
to replace any data that is lost. Critical data should be backed up daily, while
less critical data could be backed up weekly.
• Offsite storage of backup data sets. If all of the backup data is being stored in
the same facility as the original copies of the data, then a single event, such as
an earthquake, fire, or tornado, would take out both the original data and the
backup! It is essential that part of the backup plan is to store the data in an
offsite location.
• Test of data restoration. On a regular basis, the backups should be put to the
test by having some of the data restored. This will ensure that the process is
working and will give the organization confidence in the backup plan.
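One way to carry out the restoration test from the last bullet, as an added example that is not part of the original notes. It assumes a manifest of SHA-256 digests is recorded when the backup is taken and compared against the files that come back from a trial restore; the file names and contents are constructed.

```python
"""Verify a trial restore against a manifest recorded at backup time."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as handle:
                for chunk in iter(lambda: handle.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_restore(backup_manifest, restored_root):
    """Compare restored files with the manifest; report every discrepancy."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(backup_manifest) - set(restored)),
        "corrupted": sorted(
            name
            for name in backup_manifest.keys() & restored.keys()
            if backup_manifest[name] != restored[name]
        ),
        "unexpected": sorted(set(restored) - set(backup_manifest)),
    }


def restore_passed(report):
    """A restore test passes only when nothing is missing, altered or extra."""
    return not any(report.values())


def demo():
    """Run one clean and one damaged trial restore on constructed files."""
    files = {
        "grades/2024.csv": b"student,grade\n1001,A\n1002,B\n",
        "payroll/march.csv": b"employee,amount\n17,4200\n",
        "README.txt": b"constructed sample data\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "source"), Path(tmp, "restored")
        for name, data in files.items():
            for base in (source, restored):
                target = base / name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        manifest = build_manifest(source)  # recorded when the backup is taken
        clean = verify_restore(manifest, restored)
        # Simulate a faulty restore: one file truncated, one file lost.
        (restored / "payroll/march.csv").write_bytes(b"employee,amo")
        (restored / "README.txt").unlink()
        damaged = verify_restore(manifest, restored)
    return clean, damaged


if __name__ == "__main__":
    clean_report, damaged_report = demo()
    print("clean restore passed:", restore_passed(clean_report))
    print("damaged restore report:", damaged_report)
```

Comparing against a manifest saved with the backup, rather than against the live data, keeps the check valid after the original files have changed or been lost.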
Firewalls
Another method that an organization should use to increase security on its network is
a firewall. A firewall can exist as hardware or software (or both). A hardware firewall is
a device that is connected to the network and filters the packets based on a set of
rules. A software firewall runs on the operating system and intercepts packets as they
arrive to a computer. A firewall protects all company servers and computers by
stopping packets from outside the organization’s network that do not meet a strict set
of criteria. A firewall may also be configured to restrict the flow of packets leaving the
organization. This may be done to eliminate the possibility of employees watching
YouTube videos or using Facebook from a company computer.
Some organizations may choose to implement multiple firewalls as part of their
network security configuration, creating one or more sections of their network that are
partially secured. This segment of the network is referred to as a DMZ, borrowing the
term demilitarized zone from the military, and it is where an organization may place
resources that need broader access but still need to be secured.
Physical Security
An organization can implement the best authentication scheme in the world, develop
the best access control, and install firewalls and intrusion prevention, but its security
cannot be complete without implementation of physical security. Physical security is
the protection of the actual hardware and networking components that store and
transmit information resources. To implement physical security, an organization must
identify all of the vulnerable resources and take measures to ensure that these
resources cannot be physically tampered with or stolen. These measures include the
following.
• Locked doors: It may seem obvious, but all the security in the world is useless
if an intruder can simply walk in and physically remove a computing device.
High-value information assets should be secured in a location with limited
access.
• Employee training: One of the most common ways thieves steal corporate
information is to steal employee laptops while employees are traveling.
Employees should be trained to secure their equipment whenever they are
away from the office.
Security Policies
Besides the technical controls listed above, organizations also need to implement
security policies as a form of administrative control. In fact, these policies should really
be a starting point in developing an overall security plan. A good information-security
policy lays out the guidelines for employee use of the information resources of the
company and provides the company recourse in the case that an employee violates a
policy.
According to the SANS Institute, a good policy is “a formal, brief, and high-level
statement or plan that embraces an organization’s general beliefs, goals, objectives,
and acceptable procedures for a specified subject area.” Policies require compliance;
failure to comply with a policy will result in disciplinary action. A policy does not lay out
the specific technical details, instead it focuses on the desired results. A security policy
should be based on the guiding principles of confidentiality, integrity, and availability.
Mobile Security
As the use of mobile devices such as smartphones and tablets proliferates,
organizations must be ready to address the unique security concerns that the use of
these devices brings. One of the first questions an organization must consider is
whether to allow mobile devices in the workplace at all. Many employees already have
these devices, so the question becomes: Should we allow employees to bring their
own devices and use them as part of their employment activities? Or should we
provide the devices to our employees? Creating a BYOD (“Bring Your Own
Device”) policy allows employees to integrate themselves more fully into their job and
can bring higher employee satisfaction and productivity. In many cases, it may be
virtually impossible to prevent employees from having their own smartphones or iPads
in the workplace. If the organization provides the devices to its employees, it gains
more control over use of the devices, but it also exposes itself to the possibility of an
administrative (and costly) mess.
Mobile devices can pose many unique security challenges to an organization.
Probably one of the biggest concerns is theft of intellectual property. For an employee
with malicious intent, it would be a very simple process to connect a mobile device
either to a computer via the USB port, or wirelessly to the corporate network, and
download confidential data. It would also be easy to secretly take a high-quality picture
using a built-in camera.
Usability
When looking to secure information resources, organizations must balance the need
for security with users’ need to effectively access and use these resources. If a
system’s security measures make it difficult to use, then users will find ways around
the security, which may make the system more vulnerable than it would have been
without the security measures! Take, for example, password policies. If the
organization requires an extremely long password with several special characters, an
employee may resort to writing it down and putting it in a drawer since it will be
impossible to memorize.
• Install antivirus software and keep it up to date. There are many good antivirus
software packages on the market today, including free ones.
• Secure your accounts with two-factor authentication. Most e-mail and social
media providers now have a two-factor authentication option. The way this
works is simple: when you log in to your account from an unfamiliar computer
for the first time, it sends you a text message with a code that you must enter
to confirm that you are really you. This means that no one else can log in to
your accounts without knowing your password and having your mobile phone
with them.
• Make your passwords long, strong, and unique. For your personal passwords,
you should follow the same rules that are recommended for organizations. Your
passwords should be long (eight or more characters) and contain at least two
of the following: upper-case letters, numbers, and special characters. You also
should use different passwords for different accounts, so that if someone steals
your password for one account, they still are locked out of your other accounts.
Backdoor
A backdoor in a computer system, a cryptosystem, or an algorithm, is any secret method
of bypassing normal authentication or security controls. They may exist for many reasons,
including original design or poor configuration. They may have been added by an
authorized party to allow some legitimate access, or by an attacker for malicious reasons;
but regardless of the motives for their existence, they create a vulnerability. Backdoors
can be very hard to detect, and backdoors are usually discovered by someone who has
access to the application source code or intimate knowledge of the operating system of
the computer.
Denial-of-service attack
Denial of service attacks (DoS) are designed to make a machine or network resource
unavailable to its intended users.[20] Attackers can deny service to individual victims, such
as by deliberately entering a wrong password enough consecutive times to cause the
victim's account to be locked, or they may overload the capabilities of a machine or
network and block all users at once. While a network attack from a single IP address can
be blocked by adding a new firewall rule, many forms of Distributed denial of service
(DDoS) attacks are possible, where the attack comes from a large number of points – and
defending is much more difficult. Such attacks can originate from the zombie computers
of a botnet or from a range of other possible techniques, including distributed reflective
denial of service (DRDoS), where innocent systems are fooled into sending traffic to the
victim. With such attacks, the amplification factor makes the attack easier for the attacker
because they have to use little bandwidth themselves.
Direct-access attacks
An unauthorized user gaining physical access to a computer is most likely able to directly
copy data from it. They may also compromise security by making operating system
modifications, installing software worms, keyloggers, covert listening devices or using
wireless microphones. Even when the system is protected by standard security measures,
these may be bypassed by booting another operating system or tool from a CD-ROM or
other bootable media. Disk encryption and Trusted Platform Module are designed to
prevent these attacks.
Eavesdropping
Eavesdropping is the act of surreptitiously listening to a private computer conversation
(communication), typically between hosts on a network. Even machines that operate as a
closed system (i.e., with no contact with the outside world) can be eavesdropped upon by
monitoring the faint electromagnetic transmissions generated by the hardware. TEMPEST
is a specification by the NSA referring to these attacks.
Multi-vector, polymorphic attacks
A polymorphic attack, also known as a multi-vector attack, is a type of cyber-attack
that uses constantly changing code, content, or structure in order to evade detection
by security systems. In the context of email, polymorphic phishing attacks may use a
different sender's address, subject line, or even the body of the email for each instance
of the attack, making it difficult for security systems to build rules or establish patterns
to protect against. These attacks are commonly highly targeted and are designed to
trick individuals into providing sensitive information, such as login credentials or
financial information, or to download malware onto their devices.
Phishing
Figure: An example of a phishing email, disguised as an official email from a (fictional) bank.
The sender is attempting to trick the recipient into revealing confidential information by
confirming it at the phisher's website. Note the misspelling of the words received and
discrepancy. Although the URL of the bank's webpage appears to be legitimate, the hyperlink
points at the phisher's webpage.
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and
credit card details directly from users by deceiving the users. Phishing is typically carried out
by email spoofing or instant messaging, and it often directs users to enter details at a fake
website whose look and feel are almost identical to the legitimate one. The fake website often
asks for personal information, such as login details and passwords.
This information can then be used to gain access to the individual's real account on the real
website. Preying on a victim's trust, phishing can be classified as a form of social engineering.
Attackers are using creative ways to gain access to real accounts. A common scam is for
attackers to send fake electronic invoices to individuals showing that they recently purchased
music, apps, or other items, and instructing them to click on a link if the purchases were not
authorized. A more strategic type of phishing is spear-phishing, which leverages personal or
organization-specific details to make the attacker appear like a trusted source. Spear-phishing
attacks target specific individuals, rather than the broad net cast by phishing attempts.
Privilege escalation
Privilege escalation describes a situation where an attacker with some level of restricted
access is able to, without authorization, elevate their privileges or access level. For
example, a standard computer user may be able to exploit a vulnerability in the system to
gain access to restricted data; or even become root and have full unrestricted access to a
system.
Reverse engineering
Reverse engineering is the process by which a man-made object is deconstructed to
reveal its designs, code, and architecture, or to extract knowledge from the object; similar
to scientific research, the only difference being that scientific research is about a natural
phenomenon.
Side-channel attack
Any computational system affects its environment in some form. These effects cover a wide
range, from electromagnetic radiation, to residual effects on RAM cells that make a cold
boot attack possible, to hardware implementation faults that allow access to, or guessing
of, values that should normally be inaccessible. In side-channel attack scenarios, the
attacker gathers such information about a system or network to guess its internal
state and, as a result, access information that the victim assumes to be secure.
Social engineering
Social engineering, in the context of computer security, aims to convince a user to disclose
secrets such as passwords, card numbers, etc. or grant physical access by, for example,
impersonating a senior executive, bank, a contractor, or a customer. This generally
involves exploiting people's trust, and relying on their cognitive biases. A common scam
involves emails sent to accounting and finance department personnel, impersonating their
CEO and urgently requesting some action.
Spoofing
Spoofing is an act of masquerading as a valid entity through the falsification of data (such
as an IP address or username), in order to gain access to information or resources that
one is otherwise unauthorized to obtain. There are several types of spoofing, including:
• Email spoofing, where an attacker forges the sending (From, or source) address
of an email.
• IP address spoofing, where an attacker alters the source IP address in a network
packet to hide their identity or impersonate another computing system.
• Biometric spoofing, where an attacker produces a fake biometric sample to pose
as another user.
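Because the From address of an email can be forged, receiving systems compare it with other headers before trusting it. The following is an added example, not part of the original notes: it assumes the receiving mail server has already recorded SPF, DKIM and DMARC verdicts in an Authentication-Results header, and the function names and sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
import re

def domain_of(address_header):
    """Domain part of the address in a header value, lower-cased ('' if none)."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def auth_results(msg):
    """Map method -> verdict (e.g. {'spf': 'pass'}) from Authentication-Results."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results

def spoofing_indicators(raw_message):
    """List reasons to doubt that the From address is genuine."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    path_dom = domain_of(msg.get("Return-Path"))
    reasons = []
    # The envelope sender (Return-Path) normally shares the From domain.
    if path_dom and from_dom != path_dom and not path_dom.endswith("." + from_dom):
        reasons.append(f"From domain {from_dom} differs from Return-Path {path_dom}")
    results = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = results.get(method, "missing")
        if verdict != "pass":
            reasons.append(f"{method}={verdict}")
    return reasons

# Constructed sample message; all domains are reserved documentation names.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=bank.example.com
From: "Example Bank" <support@bank.example.com>
Subject: Account notice

Please review the attached notice.
"""
```

The verdicts are only meaningful when the Authentication-Results header was added by the recipient's own mail server, since a sender can insert a forged copy of that header as well.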
Tampering
Tampering describes a malicious modification or alteration of data. It is an intentional but
unauthorized act resulting in the modification of a system, components of systems, its
intended behaviour, or data. So-called Evil Maid attacks and the planting of surveillance
capability into routers by security services are examples.
Malware
Malicious software (malware) installed on a computer can leak any information, such as
personal information, business information and passwords, can give control of the system
to the attacker, and can corrupt or delete data permanently.
HTML smuggling
HTML files can carry payloads concealed as benign, inert data in order to defeat content
filters. These payloads can be reconstructed on the other side of the filter.
Data Security
Data security is the practice of protecting digital information from unauthorized access,
corruption or theft throughout its entire lifecycle. It’s a concept that encompasses every
aspect of information security from the physical security of hardware and storage devices
to administrative and access controls, as well as the logical security of software
applications. It also includes organizational policies and procedures.
When properly implemented, robust data security strategies will not only protect an
organization’s information assets against cybercriminal activities, but they'll also guard
against insider threats and human error, which remain among the leading causes of data
breaches today. Data security involves deploying tools and technologies that enhance the
organization’s visibility into where its critical data resides and how it is used. Ideally, these
tools should be able to apply protections such as encryption, data masking and redaction
of sensitive files, and should automate reporting to streamline audits and adherence to
regulatory requirements.
Business challenges
Digital transformation is profoundly altering every aspect of how today’s businesses
operate and compete. The sheer volume of data that enterprises create, manipulate and
store continues to grow, driving a greater need for data governance. In addition, computing
environments are more complex than they once were, routinely spanning the public cloud,
the enterprise data center and numerous edge devices ranging from Internet of Things
(IoT) sensors to robots and remote servers. This complexity creates an expanded attack
surface that’s more challenging to monitor and secure. At the same time, consumer
awareness of the importance of data privacy is on the rise, fueled by increasing public
demand for data protection initiatives.
The business value of data has never been greater than it is today. The loss of trade
secrets or intellectual property (IP) can impact future innovations and profitability. So,
trustworthiness is increasingly important to consumers, with a full 75% reporting that they
will not purchase from companies they don’t trust to protect their data.
Personnel Security
In the context of data integration projects, personnel security encompasses procedural
and personnel measures for limiting access to confidential information, where access is
limited to authorized staff for approved purposes only. The personnel security measures
that are used for data integration projects may vary according to the differences in
personnel security policies that apply across agencies and the assessed risk of the project.
However, the measures recommended for data integration projects are:
• access to unit record information is decided on a strict need-to-know basis through a
formal approval process. Individuals must only have access to information that is
required for them to perform specific functions or tasks for a specific data integration
project. The ‘need-to-know’ principle is a fundamental rule of personnel security
according to the Protective Security Framework and is mandatory for all data
integration projects.
• a senior officer is responsible for managing and monitoring access control, including
reviewing who can access particular datasets when personnel move positions and
their work no longer requires access.
• appropriate personnel security arrangements are in place to ensure only those who
are eligible and suitable to have access to the information are authorised to have
access. For example, staff undergo security checks, sign an undertaking to
acknowledge their confidentiality responsibilities, and are subject to sanctions or
penalties for breaches of confidentiality. In the case of high-risk projects, penalties for
disclosure should include jail terms and/or fines.
• the policies, protocols and obligations regarding security, the protection of personal
information and breaches of security or confidentiality are communicated to all staff on
an on-going basis through training, policy and procedural documentation and other
corporate awareness raising activities.
• induction and training strategies for staff place a strong emphasis on the appropriate
use of the technology environment, e.g. not having passwords written down where they
can be discovered by third parties, and not storing confidential information on laptops
or thumb drives without protection such as encryption and passwords.