A. Evaluation of AEnergy’s Security Policies in Regard to Ethical Issues Security policies constitute a single or group of documents that explicitly define the security safeguards, processes and procedures adopted by an organization to govern access to its premises and systems. Security policies also serve to govern the behavior and activities of internal and external users to whom access to the organization’s network, data or other sensitive information might be granted. In order for security policies to be effective, they must be comprehensive, easy to understand, acknowledged by and readily available those expected to comply with them. They must also be reviewed and updated regularly as the needs of the organization change and in response to new and increasing security threats. One important factor to consider when developing or evaluating security policies is to determine whether any of the policies constitute, in part or as a whole, a violation of widely accepted ethical standards. It is crucial to balance the organization’s need for security with the individual rights of its internal and external clients and employees.
A preliminary review of AEnergy’s security policies reveals that the company is employing enterprise level security procedures to safeguard the employee and client data on its network. Some of the techniques employed include the use of access control lists, system monitoring, strong passwords and trend analysis to ensure only those authorized are able to access sensitive data. The company tracks account usage to ensure that clients and employee cost centers are billed appropriately for their access. The company also classifies its data based on sensitivity and confidentiality to ensure that employees, vendors, partners and clients treat particular pieces of data alike.
It is unethical to expect employees and clients to adhere to security policies if those policies are not made available to them. From the policy documents reviewed it was clear that AEnergy makes every possible effort to ensure users, employees, vendors and clients are aware of the security policies. For example, certain policies are made available on the company’s website to ensure that external clients are able to access and adhere to them. •
Privacy with respect to email or network activity monitoring and tracking
AEnergy’s ability to protect and secure its employee and client data is crucial to its success as a company. It is hence understandable that the company scans outgoing emails, monitors network traffic and activity and employs other safeguards like access cards to secure its data. However those actions could potentially violate the privacy of AEnergy’s employees. For example, the company requires its employees to mark personal emails by placing the word “personal” in the subject line to prevent its systems from scanning and logging those emails for security analysis. However marking such emails simultaneously allows the company to track whether intentionally or not how often particular employees are sending personal emails. It also allows those emails to be singled out and targeted for review in violation of the sender’s privacy by any employee with appropriate access to the company’s email servers. This poses an ethical issue for the company. Network activity monitoring can also violate employee privacy especially when the security policies do not define what kind of activity is acceptable and what is not.
Use of location tracking devices on company equipment
As per AEnergy’s employer security policy, company equipment like laptops are equipped with tracking devices to aid in their recovery in case they are lost or stolen. Although it is within the company’s rights to track its equipment, this policy may inadvertently become a way to track employee whereabouts and location at all times in violation of their privacy. Just because an employee has a company laptop in their personal car does not give the company implicit license to track and monitor their private movements especially when they are not on company business.
Acknowledgement of security policies by employees and external users
With the exception of AEnergy’s data security policy, none of the other policies require employees to sign them acknowledging their reception of the policy as well as their intent to adhere to it. This is a potential ethical issue since the company is requiring employees to adhere to rules without making explicitly certain that they understand the rules and intend to obey them.
The above-mentioned areas of focus could lead to ethical violations if they are not properly reviewed and addressed.
A1. Two Potential unethical uses of company technology and/or data by internal users 1. Use of on premise security cameras to spy on the activities of fellow employees AEnergy employs security cameras on its premises for the primary purpose of monitoring the company’s perimeter for intrusion and protecting the company’s physical and digital assets. It would be unethical for an employee or another internal user with the appropriate access to use the company’s security cameras as a tool to discretely monitor employees without their knowledge or consent. Doing so could violate the privacy of the victims and potentially create legal and public relations issues for the company.
2. Reading personal emails of other employees
As per the company’s security policies, personal emails must be marked with the word “Personal” in the subject line. Although the intent of the policy is to eliminate personal emails from scanning, it makes those emails easily identifiable and hence potential targets for unauthorized access. It would be unethical for any internal employee with the appropriate access to read, reply to, forward, print or save the personal emails of other employees without their explicit and verifiable consent. Doing so would constitute a privacy violation and could expose the company to legal issues should the violation be discovered and made public.
A2. Two Potential unethical uses of company technology and/or data by external users 1. Disseminating confidential company information to third parties or competitors It would be highly unethical for external users, vendors and clients of AEnergy with access to proprietary or confidential company data to disseminate that data to unauthorized third parties regardless of whether the dissemination occurs deliberately or by virtue of reckless behavior. It would also be unethical to discuss private and confidential company information in public places where they could be heard or recorded by third parties. 2. Giving unauthorized users access to the company’s network by sharing credentials It would be unethical for external users to share network credentials, VPN access information or other sensitive network access keys with unauthorized users without the consent of AEnergy. Doing so may expose the company’s network to security breaches and attempts to access sensitive data by unauthorized parties. It would also be unethical for external users to maintain access to AEnergy’s servers after their contract with the company is completed.
B. Evaluation of the effectiveness of AEnergy Company’s security policies AEnergy’s security policies comprise three documents that cover the following areas: accounting security, data security and employer security. These policies were developed and implemented to secure the company’s intellectual and physical properties as well as its data and employees from loss or harm. The potential security threats facing the company can be classified into two main types: internal and external. Internal security threats comprise activities from within the company that could lead to data loss and the disruption of the company’s normal functions.
External security threats are those the company faces from elements outside its walls. These threats can come from clients and partners of the company or from unrelated groups seeking to do harm to the company’s data or network infrastructure. The following is an evaluation of the company’s security policies with respect to the identified threat classes. With regards to internal security threats, the accounting security policy stipulates that every new employee be assigned a user profile and password enabling the company to track each request to connect to a network or service. This ensures users have the appropriate permission to access the requested resource.
Collecting this data allows the IT team to mitigate the threat of hacking by using an intrusion detection system to monitor the company’s website for activities that match different intrusion signatures. The company’s data security policy classifies data into four classes, namely public/unclassified, private, confidential and secret/restricted. Employing data classification and requiring that all employees, vendors, clients and partners adhere to it is a threat mitigation strategy that reduces the possibility of sensitive data falling into the hands of unauthorized internal or external users. It is also ensuring that data taken out of the company physically or electronically is properly classified to prevent unauthorized forwarding, copying or sharing.
The IT team which is responsible for the implementation of the data security policy employs access controls, strong passwords, system monitoring and trend analysis to regulate and secure the company’s network to reduce the threat of security breaches, data loss or other activity that could disrupt normal company processes from internal or external users. By requiring expected adherents to sign the data security policy, the company is ensuring acknowledgement of the policy which makes its enforcement processes easier in the event of a violation.
The employer security policy contains safeguards to mitigate the threat of loss of company equipment like laptops and projectors by equipping them with GPS trackers. The company also uses security cameras to monitor its internal and external perimeter to protect employees and equipment. The employer security policy also requires all visitors to wear an electronic identification badge which monitors and restricts access to various areas in the company. This policy eliminates the threat of external users gaining unauthorized access to sensitive areas of the company.
All in all, AEnergy’s security policies identify some areas of possible threat and provide safeguards to ensure the likelihood of each threat is mitigated if not eliminated. However the policies could use some updates to ensure that all threats are identified and that a plan is implemented to ensure the likelihood of their occurrence is reduced to its lowest level. For example, there are a few tenets defined in the security policies that are effective only in their implementation.
This means the company must ensure the policies are disseminated to all expected adherents and that the stipulations defined therein are swiftly and effectively enforced. Another example of an urgently needed update is the fact that employees are not required to acknowledge their receipt and willingness to abide by two of the policies. This is an issue that could negatively affect compliance with those. My recommended changes to the policies will be discussed in detail in part C.
B1. Two potential security threats to the company technology and/or data from internal users
1. Loss or illegal dissemination of sensitive company data through the use of unauthorized personal devices
This threat includes the unauthorized access and copying of sensitive or confidential files and data to USB drives or other portable storage devices by internal users. The data security policy does not stipulate whether internal users can copy company data onto personal storage devices. Hence the company is at risk of losing sensitive data should an employee copy data to a personal device without the proper authorization. Even though the company tracks when and how data is accessed and by whom, the current policy is insufficient to eliminate this threat in situations where the offending user has legitimate access to the data being transferred.
This threat also includes the downloading of unauthorized software to company computers or the introduction of malware or viruses into the company’s network via personal storage devices. When employees are allowed to connect personal storage devices like USB drives to their computers without proper vetting, they could introduce viruses, spyware or malware into the company’s network which could cause the company to lose sensitive data as well as increase the possibility of an intrusion into the company’s network. Spyware scripts can also enable the illegal dissemination of company trade secrets or network infrastructure information to competitors or other unauthorized third parties who could in turn use that information against the company in the form of illegal attempts to access the company’s network.
Root kits can also be used to open backdoors in the company’s network to enable other malicious software to access protected areas of the company’s network. This threat could lead to data destruction, illegal distribution or loss of intellectual property. 2. Loss of confidential data through unauthorized web activities by internal users The company faces a serious threat to its confidential or sensitive data from internal users because it does not currently have a policy on what internal users can discuss openly in public chat rooms, message boards or forums. Also the company has no policy defining what is allowed or forbidden with respect to the blogging activities of internal users.
If employees engage in unauthorized blogging or participate in message boards or public forums that discuss the company’s internal processes, trade secrets or other sensitive information, the company stands the risk of losing confidential data, which is crucial to maintaining its competitive edge. Other unauthorized web activities that could pose a threat to the company’s data and technologies include the publishing of network diagrams, access codes and passwords on the web by internal users. These activities could expose the company to hacking attacks, which if successful could lead to data loss or the dissemination of confidential data to unauthorized third parties. Without a clear directive via the company’s data security policy as to which web activities are acceptable and which are not, the company stands the risk of losing sensitive data through the web activities of its internal users.
B2. Two potential security threats to the company technology and/or data from external parties
1. Threat of malicious third parties
As part of its business processes, AEnergy gives partners, vendors, clients and other third parties access to its network and data. Although this remote access is sanctioned by the company, allowing it exposes the company to the threat of data loss should a company partner, vendor or client share network credentials or illegally extend their access to the company’s infrastructure to unauthorized parties. This is a viable threat because AEnergy does not have control over what the partner or client does with the access granted to them by the company.
Moreover, the company is able to react only after a breach has been detected, at which point the data might already be lost or illegally distributed. The company also faces a threat to its data and technologies if a client, partner or vendor shares confidential and/or proprietary information about the company’s infrastructure with competitors or other third parties. This threat, if not mitigated could lead to hacking attempts and other illegal attempts to access the company’s data or network.
2. Threat of cyber terrorism and espionage
As a leader in its field, AEnergy is a likely target for cyber terrorism or espionage. The threat of cyber espionage is on the rise around the globe and companies like AEnergy stand the risk of losing sensitive company data or intellectual property should their network and infrastructure be invaded by these organized and well-coordinated hacking attempts. Some of these cyber terrorism activities, classified as hacktivism, are politically motivated and hard if not impossible to predict. AEnergy is a viable target for such attacks because it stores sensitive data of clients and employees like credit card information, names, addresses and social security numbers on its network. A successful intrusion can lead to the theft of the sensitive data of clients and employees which could expose them to identity theft.
C. Updated Company Policies
To mitigate and eventually eliminate the ethical issues and security threats identified in the previous sections, I will update the company’s security policies as follows: 1. I will include a signature page at the end of each policy document so expected adherents can acknowledge their receipt and intent to abide by their requirements. 2. I will include an ethical behavior section in each of the three policies that defines the company’s position on what ethical use of its technology and data comprises with respect to each security policy. This list would also define what activities the company considers unethical and state the consequences of the violation of each policy. For instance, sharing passwords, proprietary network information, and confidential data with unauthorized parties whether in person or in an electronic medium like a blog post will be identified as unethical and forbidden by policy.
Also copying, forwarding or transferring company data to third parties without proper authorization would be identified as unethical. 3. I will include a section in the employer security policy that outlines the procedure for internal and external users alike to report unethical behavior. I will also establish a telephone and email hotline for internal and external users to ask questions if they are not sure whether a particular behavior or activity is compliant with any of the company’s security policies. 4. I will update the employer security policy’s section on emails to disallow the sending or receiving of personal emails using company email accounts.
5. I will include a section in the data security policy that outlines what personal devices internal users are allowed to use while on the company’s premises and the process by which software is approved to be installed on the company’s computers and workstations. I will also include a section that stipulates how personal storage devices will be scanned to ensure they don’t introduce viruses and malware into the company’s network.
6. I would include a legally binding non-disclosure agreement in each policy that prevents internal and external users alike from sharing confidential and proprietary information about the company’s data, infrastructure and security policies with unauthorized third parties. This section will also include an acknowledgement not to share passwords, access cards or codes both within and without the company. This policy will state the consequences of unauthorized disclosure should they be discovered.
7. I will update the employer security policy to define what if any surveillance is being conducted on employees and what employee activity the company tracks. This update will also outline what activities the company considers a misuse of its surveillance capabilities.
8. I will create three new and separate policy documents to differentiate the policies related to internal users from those related to external users. This would ensure that the policy documents are able to cover both groups in more depth.
9. I will define in the data security policy how third parties are to use the access granted them by the company. This would include a list of activities that would be explicitly forbidden. For example, third parties would be forbidden from sharing AEnergy’s network access with their own clients or sub-contractors unless otherwise authorized by the company. 10. I will update the employer and data security policies to include the company’s implementation of a hardware based intrusion detection system which would monitor the network for various threat signatures and alert the appropriate department about any potential threat before it is executed.
11. I will include a section in the data security policy that stipulates that all company data be encrypted and that it transfers need to be completed, they be done in a secure manner using secured channels.
C1. How proposed changes would mitigate the unethical uses discussed in parts A1 and A2 In sections A1 and A2 the following unethical uses were identified: •
Use of on premise security cameras to spy on the activities of fellow employees Updating the employer security policy to define the surveillance activities of the company and what the company considers a misuse of that capability gives employees notice on which of their activities would be subject to such surveillance and which would not. It also mitigates or eliminates the potential for unintentional surveillance that could violate the privacy of employees and other internal users.
Reading the personal emails of other employees
Eliminating the use of company email addresses for personal emails completely eliminates the possibility of this unethical use of company resources. •
Disseminating confidential company information to third parties or competitors The non-disclosure agreement that external and internal users are required to sign will mitigate the potential for the dissemination of confidential company information to unauthorized parties.
Giving unauthorized users access to the company’s network by sharing credentials The non-disclosure agreement includes a section that forbids the sharing of network credentials, access codes or passwords and states the consequences of such actions should they be discovered.
C2. How proposed changes would mitigate the security threats discussed in B1 and B2 In sections B1 and B2 the following security threats were identified: •
Loss or illegal dissemination of sensitive company data through the use of unauthorized personal devices
Updating the data security policy to define which devices internal users are allowed to use on the company’s premises and how those devices are to be secured mitigates the risk that company data would be compromised or lost due to the use of unauthorized devices. Also including a section that lists the software approved for use on the company’s computers and workstations mitigates this security threat.
Loss of confidential data through unauthorized web activities by internal users Eliminating the use of company email addresses for personal emails mitigates the possibility of this unethical use of company resources. Also the new non-disclosure agreement will help mitigate this issue. Finally, defining which activities the company considers inappropriate helps steer users away from unauthorized activities like blogging or speaking in public about internal company matters.
Threat of malicious third parties
The non-disclosure agreement coupled with the new section in the data security policy suggested in recommendation 9 above will ensure that clients, partners and vendors understand the company’s expectations with regards to the access granted them to the company’s network, data and other resources. This would help mitigate the security threats posed by third party access.
Threat of cyber terrorism and espionage
The non-disclosure agreement along with the ethical behavior lists and the implementation of the intrusion detection system will minimize the chance of success of a cyber-attack on the company’s network. By forbidding the disclosure of sensitive company information like network topology, the company can prevent would-be hackers from gaining access to its network. Even if there were a successful attack on the company’s network, the new policy requiring all company data to be encrypted will ensure that data and intellectual property is protected.