Ethical Issues
Generally, AEnergy Company aims to ensure security of its IT resources and strives to ensure that security policies are effective. With regard to ethical issues, the company’s approaches to Data Security Policy, Employer Security Policy, and Accounting Security Policy clearly demonstrate attempts to create a sound ethical environment. The company wants to protect sensitive data, whether personal or business.
For instance, the Data Security Policy shows that AEnergy Company takes employees’ and clients’ privacy very seriously. The company ensures that it protects data from security breaches and insists that the Data Security Policy must be followed and will be enforced fully.
Employer Security Policy emphasizes that all new employees must receive training related to computer and organization security during the required new hire training; must agree to the security requirements to receive the user ID and temporary password; and are expected to maintain secrecy of their password and abide by the company’s security procedures.
All employees must receive the Accounting Security Policy at the time of acceptance of the employment offer. The company conducts a thorough examination of the accounting data quarterly; protects the users’ personal information and privacy; does not rent, sell, or otherwise distribute the data collected to other organizations or individuals; and ensures Web site security.
Unethical Uses: Internal
With regard to e-mail, potential unethical use could occur when an employee masquerades and uses another employee’s account to send messages without permission with the sole intention of deceiving others. The employee will assume ownership of the account. This is a case of internal unethical use of e-mails.
In addition, an employee may engage in forgery by editing the contents of a forwarded e-mail with the purpose of misrepresenting its information, subject matter, date, time and author. In some instances, such employees may transmit an embarrassing e-mail about another employee to colleagues and later claim that it was sent by accident. These are a few instances of potential unethical use of employees’ e-mail accounts.
Unethical Uses: External
A consultant working for AEnergy Company may gather the company’s sensitive competitive intelligence and decide to share such data with competitors. AEnergy Company has competitive data about its future operations, marketing plans, pricing strategies and product development, among others. Such information may fall into the wrong hands through third parties such as consultants (Myers, n.d.). For instance, a consultant may decide to sell or rent it to AEnergy Company’s competitors. A competitor will use competitive intelligence unethically obtained from AEnergy Company for cross-referencing and comparative purposes and then adjust its approaches accordingly.
Security Threats
As noted above, AEnergy Company has formulated Data Security Policy, Employer Security Policy, and Accounting Security Policy to protect its data and physical IT resources. For instance, the Data Security Policy demonstrates that AEnergy Company protects its corporate and client data from security breaches by ensuring that the policy is followed and enforced fully. Employer Security Policy offers mandatory training on computer and organization security, provides passwords, staff security, computer and workstation security, guest security and monitoring of physical locations and resource usages and computer security.
Any violation must face the full extent of the law. Accounting Security Policy protects the users’ personal information and privacy; each employee is assigned a user profile and password; and all data collected through the Web site are secured and stored.
Although AEnergy Company strives to make its IT system as secure as possible with these policies, it can never completely safeguard itself from both internal and external threats.
Security Threats: External
AEnergy Company recognizes that its system is not completely secure from hackers. For instance, the policy states that data transmissions that are not completed through an SSL connection between the Web site and the user may not be completely secure, and the user must bear the risk of data transfer via the Internet. That is, some of its corporate data or client data may be vulnerable to hackers. AEnergy Company may be a target of identity theft or phishing.
It communicates through e-mails with clients who may submit their personal information in public sections of the Web site. These data are exposed to hackers who may collect and sell them to other third parties for different purposes. In addition, hackers have become sophisticated and may lure users to provide confidential information through fake Web sites of the company. AEnergy Company IT systems may be exposed to “buffer overflows, which cause denial of service attacks and even SQL injection” (Vernon, n.d.).
The SQL injection could manipulate confidential information such as personal information, passwords or the company’s competitive intelligence. While SQL injection could be difficult to perform, it remains a critical external threat to the company (Vernon, n.d.).
Another source of external threat is intentional access to a workstation by external parties before the system can automatically lock itself. Visitors or third parties may take advantage of unattended workstations, in the short period after the user leaves and before lockout, to gather sensitive information from them. In addition, they may also cause physical damage to the company’s IT infrastructure and cause system malfunctions. Currently, AEnergy Company has not provided any policies covering IT system malfunctions, physical damage, or data recovery and safety after such events.
Updated Company Policies
Generally, AEnergy Company has good IT policies. Nevertheless, there are some areas that require new policies and procedures, as well as improvements on existing ones. The company’s updated policies must focus on identified areas of weakness and vulnerability for both internal and external parties.
Data Security Policy
The policy must introduce continuous employee education on codes of ethics, ethical behavior and projection of the business image with regard to e-mails and the sharing and use of personal data. This would ensure that employees act professionally and responsibly toward business and personal data. Any intentional abuse of such resources will not be tolerated whatsoever.
Employer Security Policy
Introduce new policies on flash drives, physical damage, system malfunctions and data recovery processes. The company currently lacks policies in these areas. This would prevent data leakage and theft and offer safety.
Accounting Security Policy
Secure all communication channels via Secure Sockets Layer (SSL). The use of SSL will limit cases of hacking and phishing of messages and sensitive data from the company’s Web site.
Mitigate Unethical Uses
Two unethical uses of the company’s IT systems emanate from internal practices of misusing other employees’ e-mail accounts by masquerading and forgery. AEnergy Company should ensure that employee training on the use of e-mails is a continuous process to instill professional behaviors, sound ethical practices and security of personal and business information. The policy should further stress termination of any employees who violate data, employer and accounting security policies.
External consultants could get the company’s competitive intelligence during the period of their engagement with the company and then decide to sell or rent such information to third parties. While the current policies restrict third parties from such practices, signing a nondisclosure form should be a mandatory requirement in the company rather than something guests or contractors are merely asked to do. Second, AEnergy Company must remind all its visitors and service providers of its commitment to promote ethical practices, that no information will be exchanged with other parties, and that it will have copyright and legal ownership of all its data.
Mitigate Security Threats
As noted above, the current security policies could be exploited because of certain vulnerabilities. First, AEnergy Company must immediately formulate new policies against the use of flash drives. Only flash drives that meet the company’s security standards should be allowed at workstations. It is possible that data leaks occur through flash drives due to the lack of a policy to control their use. Second, the current policy on automatic workstation lockout only targets the systems.
Instead, it should be mandatory for all users to lock their workstations as soon as they leave their desks. The policy should change from an ‘advised’ practice to a ‘mandatory’ one. This would ensure that workstations are not exposed to exploitation and therefore any potential risk is highly reduced. In addition, the new policies should protect the company’s IT systems from intentional physical damage and malfunctions, and define data recovery strategies once such events are experienced.
Although AEnergy Company has good security policies, it must continuously improve upon them as cases of vulnerabilities increase and its systems become highly exposed. It is believed that improvements on system security policy weaknesses will ensure that the company is protected from both internal and external threats.
References
Myers, Jr., R. (n.d.). Legal and Ethical Issues in Obtaining and Sharing Information. Web.
Vernon, M. (n.d.). Top five threats. Web.