Business Communication EBU320

Business communication (zayani)




Name

Student ID

Task 1

1.1

Many issues relating to the use of information affect an organization. They fall under three main headings: legal issues, ethical issues and operational issues. Together these headings cover the key ways in which information affects an organization, which may be crucial to how it handles information and how it may need to adjust the way it operates to address legal, ethical and operational concerns.

Legal issues

For many organizations legal issues are very important in protecting them and their clients, since personal information and client information may be shared between the company and its users. There are two relevant pieces of legislation: the Data Protection Act 1998 and the Freedom of Information Act 2000. Both acts are designed to protect individuals and organizations by setting out guidelines which must be followed; failure to do so can lead to prosecution, as breaching these acts can be a criminal offence.

Data Protection Act 1998

For an online company such as Zayani to operate in line with the Data Protection Act 1998 it must be mindful of individuals' information and data. It is important for companies like Zayani to notify the Office of the Information Commissioner that they hold such data, which also requires them to pay a small annual fee to be allowed to keep data about individuals. Companies must also consider the following key points (the Act's data protection principles) when handling personal information:

o All information must be fairly and lawfully obtained.
o Information must be held for specified and lawful purposes and not processed in any manner incompatible with those purposes.
o Information must be adequate, relevant and not excessive for those purposes.
o All information must be accurate and kept up to date.
o Information must not be kept for longer than necessary.
o Information must be processed in accordance with the rights of the person to whom the data refers.
o Data must be kept securely to ensure it is not lost, destroyed or misused.
o Data must not be transferred outside the European Economic Area unless the destination has an adequate level of data protection.


Freedom of Information Act 2000

The Freedom of Information Act 2000 does not apply directly to organizations such as Zayani, because it covers public authorities; however Zayani holds information about individuals and must follow guidelines when information is requested. A request for information must be made in writing, normally as a formal letter, and must be answered within 20 working days of receipt. As long as the individual complies with the requesting guidelines, the organization is obliged to provide the information. Personal data is regulated by the Data Protection Act 1998, which restricts the release of certain information about an individual's personal data.

Other legislation

Computer Misuse Act 1990: this applies to companies such as Zayani which have many different people using the Internet at their offices and which may be a target for computer hacking. Hacking can take place in different ways: somebody could illegally gain access to the system and change people's information, corrupt data, or steal information to sell to other companies that might find it useful. Another form is an insider gaining access to information they are not allowed to view, such as credit card numbers, or simply attempting to cause damage. Under the Act it is illegal to gain unauthorized access to a computer system, whether for theft or with malicious intent. It is a criminal offence and can lead to prosecution in a court of law.

1.2

When running a company such as Zayani there are a lot of ethical issues, not only for individuals inside the company but for the company as a whole. Organizations and institutions can develop their own policies which employees and users must comply with; in some circumstances, if they fail to comply, they may be dismissed or in some cases face criminal prosecution as an outcome of unethical behaviour.

Ethical behaviour requires a code of practice or organizational policies; these policies are frequently used inside companies to protect the company and its interests. Organizational policies tend to be set by the organization itself, whereas a code of practice is usually set by an external body, for example the British Computer Society. These policies serve to protect the organization's own interests: if somebody breaches them and does damage to users or others, the organization as a whole is shielded from liability and the individual who was responsible can be prosecuted on their own, separately from the organization, in a court of law.

Use of email and the internet

The Internet and email are among the most misused technologies today, and most of this misuse happens in people's own time. People may distribute adult content over social media or via email, and some regard this as acceptable use of these services, so it is not surprising that they might also distribute inappropriate images, videos and other data at work using the company's computers and Internet connection. This is something a company cannot accept: it is a liability which could damage the company's reputation and weaken the trust of clients and investors who entrust it with their money and business. For a company like Zayani this is not a risk worth taking, as it could lead to legal proceedings if the material were of an extreme nature, such as indecent images of children distributed through the company's email and Internet, and it would weaken the company's image as a good business to work with. Policies are put in place to protect companies such as Zayani from such material in email and on the Internet. These policies protect the company as a whole: if people surf the Internet and email inappropriate material, the company will not be held responsible, and in certain cases the employee who distributed the material will be dismissed or, in extreme cases, prosecuted for criminal acts such as distributing illegal content.

Whistle blowing

At Zayani it is very important that there is complete freedom to speak up and report anything inappropriate or illegal that is happening in the workplace. For example, employees have a responsibility to report colleagues whom they have witnessed behaving inappropriately in relation to the organization's systems. For a company like Zayani it would be very damaging if an employee were stealing information such as credit card numbers, addresses or other details and selling them to companies or individuals who might use that information for illegal purposes, for example to produce fraudulent credit cards or fake IDs. The company must make clear to employees that it will act with full discretion if someone reports colleagues for malpractice or misuse such as hacking, deliberately destroying data, or distributing inappropriate images or information over the company's Internet or email system. Ethically it is important for somebody to do this, as it is not right for anyone to distribute inappropriate material over the company's computers and Internet. The company must also make sure employees understand that if they know of such offences and do not report them up the chain of command, they may be held to account as well and could face being treated as an accomplice to the offence.

Information ownership

Information ownership is very important to a company or organization, as information can easily be copied, so it is the owner's duty to take responsibility for looking after it. This means protecting work that could be copied, including the code of the online website, through copyright, trade marks or patents as appropriate, since all of it may be misused or copied without permission. For a company such as Zayani it is important to remember that the information it gives users or potential clients about a product must be solely its own or come from the product owner, which gives the product owner total ownership; however it is up to the company to make sure that the information available is accurate and current. It must also ensure that all information has come from a reliable source and is clearly laid out.

Ownership of information stored about individuals is handled by many organizations by requiring employees to sign a non-disclosure agreement, which means they are not allowed to talk about information that is not theirs or about clients, such as personal details including credit card details and addresses. Disclosing or selling such information could lead to criminal prosecution.

1.3

Zayani's Ethical policy

Policy statement

Zayani is committed to ensuring a high standard of ethical and environmental trade practices, including the provision of safe working conditions and the protection of workers' rights, across its global businesses. Zayani conducts its business in accordance with the provisions of this Code of Ethical Policy ("the Code") and expects its Suppliers to observe the Code's provisions and to demonstrate a similar commitment to an ongoing programme of ensuring and, where necessary, improving, ethical and environmental practices. This Code of Ethical Policy enshrines the principles of the Ethical Trading Initiative Base Code and reflects the international standards set out in the International Labour Organisation (ILO) Conventions.

Scope of the code

The Code applies to all areas of Zayani's business and to its direct Suppliers as well as to goods and services sourced by Zayani. Zayani requires all direct Suppliers to observe the provisions of this Code and requires that such Suppliers, in turn, obtain similar compliance with its provisions from their Suppliers. All parties to whom this Code applies are required to comply with applicable national and international laws. Where the provisions of this Code afford greater protection than national law, the terms of this Code prevail.

Policy objective

The objectives of the Code are:

o To set out a clear statement of Zayani's policy
o To promote the adoption and improvement of ethical practices globally
o To implement effective processes for improvement of trade practices

Task 2


Management commitment to information security

The Board of Directors ("the Board") is ultimately accountable for corporate governance as a whole. The management and control of information security risks is an integral part of corporate governance. In practice, however, the Board explicitly delegates executive responsibilities for most governance matters to the Executive Directors, led by the Chief Executive Officer (CEO).

The Executive Directors give overall strategic direction by approving and mandating the information security principles and axioms but delegate operational responsibilities for physical and information security to the Security Committee (SC) chaired by the Chief Security Officer (CSO).

Security governance structure (organization chart, flattened):

Executive Committee, chaired by the Chief Executive Officer
o Audit Committee, chaired by the Head of Audit
o Risk Committee, chaired by the Risk Manager
o Security Committee, chaired by the Chief Security Officer (CSO)
  - Information Security Manager (ISM), covering Security Administration, Policy & Compliance, Risk & Contingency Management, and Security Operations
  - Local Security Committees (one per location), covering Information Asset Owners (IAOs) and Site Security Managers, who in turn oversee Security Guards and Facilities Management


The Executive Directors depend heavily on the SC to coordinate activities throughout Zayani, ensuring that suitable policies are in place to support Zayani's security principles and axioms. The Executive Directors also rely on feedback from the SC, CSO, ISM, auditors, Risk Management, Compliance, Legal and other functions to ensure that the principles, axioms and policies are being complied with in practice.

The Executive Directors demonstrate their commitment to information security by:

o A statement of support from the CEO;
o Reviewing and re-approving the principles and axioms every year;
o Approving the IT budget, including a specific element set aside for information security;
o Receiving and acting appropriately on management reports concerning information security performance metrics, security incidents, investment requests etc.

Information security co-ordination

Information security activities should be co-ordinated throughout Zayani to ensure consistent application of the security principles, axioms and policy statements.

The Executive Directors have charged the SC with the task of securing Zayani's assets. The SC is responsible for:

o Management oversight and direction for both physical and logical aspects of security, including information security;
o Coordinating and directing Zayani's entire security framework, including the information security controls at all locations, mediated through the Local Security Committees (see below);
o Commissioning or preparing information security policy statements, ensuring their compliance with the principles and axioms approved by the Executive Directors, and formally approving them for use throughout Zayani;
o Periodically reviewing the security policy statements to ensure the efficiency and effectiveness of the information security controls infrastructure as a whole, recommending improvements wherever necessary;
o Identifying significant trends and changes to information security risks and, where appropriate, proposing changes to the controls framework and/or policies, for example by sponsoring major strategic initiatives to enhance information security;
o Reviewing serious security incidents and, where appropriate, recommending strategic improvements to address any underlying root causes;
o Periodically reporting on the status of the security controls infrastructure to the Executive Directors, and liaising as necessary with the Risk Management and Audit Committees etc., using metrics and other information supplied by the CSO, Local Security Committees, the ISM, Internal Audit and others.

The SC delegates some of its responsibilities (for example to the ISM, the Information Security function and Local Security Committees) but remains accountable to the Executive Directors for the overall effectiveness of information security throughout the Company.


Business units or locations within the company have Local Security Committees (LSCs) which report to the SC. LSCs are responsible for:

o Providing the strategic direction, support and resources necessary to manage all types of local security issues and thus ensure that the company's information assets are appropriately and consistently protected;
o Co-ordinating and sharing information with each other to ensure consistent execution of the information security policy manual across all company locations;
o Identifying specific Significant Information Assets, classifying them and nominating suitable Information Asset Owners (IAOs) for them;
o Gathering metrics and other information on the overall effectiveness of information security controls in their remit, and reporting this to the SC.

Allocation of information security responsibilities

The Executive Directors have appointed a Chief Security Officer (CSO). The CSO is responsible for:

o Chairing the SC;
o Taking the lead on information governance as a whole, for example by issuing the policy manual and by providing the overall strategic direction, support and review necessary to ensure that information assets are identified and suitably protected throughout Zayani;
o Appointing and managing the ISM and Information Security Management team.

The ISM and Information Security Management are responsible for:

o Defining technical and non-technical information security standards, procedures and guidelines;
o Supporting IAOs and managers in the definition and implementation of controls, processes and supporting tools to comply with the policy manual and manage information security risks;
o Reviewing and monitoring compliance with the policy statements and contributing to Internal Audit and Control Self Assessment (CSA) processes;
o Collecting, analyzing and commenting on information security metrics and incidents;
o Supporting IAOs in the investigation and remediation of information security incidents or other policy violations;
o Liaising as necessary with related internal functions such as IT Operations, Risk Management, Compliance and Internal Audit, as well as the CSO, LSCs, SC and external functions such as the Police when appropriate;
o Organizing a security awareness campaign for personnel to enhance the security culture and develop a broad understanding of the requirements of ISO/IEC 27002.


Managers throughout Zayani are responsible for:

o Day-to-day implementation of the information security policy manual;
o Ensuring that suitable technical, physical and procedural controls are in place in accordance with the manual, and are properly applied and used by all workers. In particular, they should take measures to ensure that workers:
  - Are informed of their obligations to fulfill relevant corporate policy statements by means of appropriate awareness, training and education activities;
  - Comply with the policy statements and actively support the associated controls; and
  - Are monitored to assess their compliance with the policy statements and the correct operation of the associated controls, and reminded of their obligations as appropriate;
o Providing the direction, resources, support and review necessary to ensure that information assets are appropriately protected within their area of responsibility;
o Informing Information Security Management and/or IAOs of actual or suspected policy violations (information security incidents) affecting their assets; and
o Evaluating compliance with the policy axioms through the regular CSA process and occasional Internal Audits.

Information Asset Owners (IAOs) are managers held accountable for the protection of particular Significant Information Assets by their LSC or the SC. IAOs may delegate information security tasks to managers or other individuals but remain accountable for proper implementation of the tasks. IAOs are responsible for:

o Appropriate classification and protection of the information assets;
o Specifying and funding suitable protective controls;
o Authorizing access to information assets in accordance with the classification and business needs;
o [For new application system developments] Undertaking or commissioning information security risk assessments to ensure that the information security requirements are properly defined and documented during the early stages of development;
o Ensuring timely completion of regular system/data access reviews; and
o Monitoring compliance with protection requirements affecting their assets.

All workers (i.e. employees on the payroll and others acting in a similar capacity, such as contractors, consultants, student placements etc.) are responsible for complying with the principles, axioms and policies in the information security policy manual where relevant to their jobs.

They are responsible for maintaining the security of all information entrusted to them. Upon hire, as a condition of employment, each worker undertakes to comply with information security policies. Any worker failing to comply with the security policies could be subject to disciplinary action, potentially including termination of employment or contract and/or prosecution.


Exemptions process: an IAO may propose exemptions to principles, axioms or policy statements identified in the policy manual for an information asset under their remit. The ISM is responsible for analyzing risks arising from the proposed exemptions and, in most cases, specifying mitigating controls to minimize those risks. Proposed exemptions which the ISM considers could significantly impact information security risks may be referred up through the LSC, SC, CSO and/or the Executive Directors for approval, depending on the significance of the perceived risk. A programme (action plan) is normally required to ensure full compliance with the policy within a specified time frame; in other words, exemptions are not indefinite. The IAO will be held accountable for the mitigating controls and the action plan, and must personally assume any additional risk relating to the policy exemption and the mitigating controls until the exemption is resolved.

Current exemptions must be reviewed at least annually by the SC, LSCs, CSO and ISM. In an annual status report to the Executive Directors, authorized exemptions must be listed, the reasons why policy exemptions exist must be clarified and plans to resolve the non-compliance with policy (typically by means of strategic investment to achieve compliance, or by modifying the policy) must be explained.

Task 3

3.1

Legal Issues

Data Protection Act

o The Data Protection Act creates rights for those who have their data stored, and responsibilities for those who store, process or transmit such data.

Computer Misuse Act

o Although the Act ostensibly targets those who wish to gain unauthorized access to computer systems for various purposes, its implications on previously relatively widespread or well-known industry practices such as the "time-locking" of software have been described in various computing industry publications.

Freedom Of Information Act

o Freedom of information is an extension of freedom of speech, a fundamental human right recognized in international law, which is today understood more generally as freedom of expression in any medium, be it orally, in writing, print, through the Internet or through art forms.

Copyright Act

o Copyright may apply to a wide range of creative, intellectual, or artistic forms, or "works".

Ethical issues

Privacy Policy

o A privacy policy is a statement or a legal document (privacy law) that discloses some or all of the ways a party gathers, uses, discloses and manages a customer or client's data.

Operational issues

Risk Assessments

o Risk assessment is the determination of the quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called a hazard).