
IT POLICY & Ethics

PREPARED BY
MUTABAZI JOSEPH
Learning objectives

 Define ethics
 Explain what cyber crimes are
 Identify what is considered unethical behaviour for a student or a teacher
 Describe the security issues associated with personal information on public computers
 Understand safety measures against computer crime
 Define an acceptable use policy
 Define a security policy
 Identify factors that contribute to effective security policies
DEFINITION
What are Ethics?
• Ethics are a structure of standards and practices that influence how people lead their lives. Following them is not legally enforced; people follow them because doing so benefits everyone.
• Ethics are unlike laws, which legally mandate what is right or wrong. Ethics express society's views about what is right and what is wrong.
• Computer ethics are a set of moral standards that govern the use of computers, both hardware and software. Privacy, intellectual property rights and effects on society are some of the common issues of computer ethics.
COMMANDMENTS OF COMPUTER ETHICS
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not use or copy software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you write.
10. Thou shalt use a computer in ways that show consideration and respect.
PRINCIPLES OF COMPUTER ETHICS
• Contribute to society and to human well-being, acknowledging
that all people are stakeholders in computing.
• Avoid harm.
• Be honest and trustworthy.
• Be fair and take action not to discriminate.
• Respect the work required to produce new ideas, inventions,
creative works, and computing artifacts.
• Respect privacy.
• Honor confidentiality.
ETHICAL ISSUES IN I.T
• Personal Privacy:
Privacy is an important aspect of ethical issues in information technology. IT lets users with their own hardware, operating systems and software tools reach servers that are connected to each other and to the users by a network. Because the network is so widely distributed, large volumes of data are transferred, which creates hidden chances of disclosing information and violating the privacy of an individual or a group. Maintaining the privacy and integrity of data is a major challenge for IT professionals and organizations. Accidental disclosure to inappropriate individuals and provisions to protect the accuracy of data also fall under the privacy issue.
• Access Right:
The second aspect of ethical issues in information technology is access right. Access right has become a high-priority issue for IT and cyberspace with the great advancement in technology. The evolution of e-commerce and electronic payment systems on the internet has heightened this issue for corporate organizations and government agencies. A network connected to the internet cannot be guaranteed secure from unauthorized access, so access controls are backed by intrusion detection systems, which watch network and system activity to tell an intruder apart from a legitimate user.
• Harmful Actions:
Harmful actions in computer ethics refers to damage or negative consequences to IT such as loss of important information, loss of property, loss of ownership, destruction of property and other undesirable substantial impacts. This principle of ethical conduct restricts anyone from using information technology in a manner that leads to any loss for users, employees, employers or the general public.

• Copyright:
Information security specialists need to be familiar with the basic concepts of copyright law. Copyright law is a powerful legal tool for protecting computer software, both as a deterrent before a security breach and as a remedy after one. Such a breach could be the mishandling and misuse of data, computer programs, documentation and similar material. In many countries, copyright legislation has been amended or revised to provide explicit protection for computer programs.
• Trade Secrets:
Trade secrets are also a significant ethical issue in information technology. A trade secret protects something of value and usefulness: the private aspects of an idea known only to its discoverer or those in confidence. Once disclosed, the trade secret is lost as such, and only trade secret law offers any remedy. The application of trade secret law is very broad in computing, where even a slight head start in the development of software or hardware can provide a significant competitive advantage.
• Liability:
One should be aware of the liability issue when making ethical decisions. A software developer makes promises and assertions to the user about the nature and quality of the product, and these can amount to an express warranty. Programmers and retailers are legally bound by the express warranties they give, so they must be realistic when they make claims and predictions about the capacities, quality and nature of their software or hardware. Every statement they make about their product may be as legally binding as a written one. All agreements should be in writing to protect against liability; a disclaimer of express warranties can free a supplier from responsibility for informal, speculative statements or forecasts made during the negotiation stage.
• Piracy:
Piracy is the making of illegal copies of software. It is entirely up to the owner of the software whether or not users may make backup copies of it. As copyright protection laws evolve, legislation that would stop unauthorized duplication of software is also under consideration. The software industry is prepared to fight software piracy, and the courts are dealing with an increasing number of actions concerning the protection of software.
• Patents:
These ethical issues are more difficult to deal with. A patent protects the inventive aspect of an idea, but unlike a trade secret it does so in exchange for public disclosure: obtaining a patent is far harder than obtaining a copyright, and a thorough disclosure of the software is required. The patent holder has to reveal enough detail of the program for a proficient programmer to build it.
COMPUTER CRIME
• Computer crime, or cyber crime, is criminal activity that involves unlawful access to or misuse of computer systems.
• Cyber crime is illegal activity committed on the internet.
• It includes crime committed using a computer and the internet to steal data or information.
• Examples:
• Stealing credit card information
• Breaking into a government website
CATEGORIES OF COMPUTER CRIME
 The computer as a target:
Attacks aimed at computers and networks themselves, e.g. hacking, virus/worm attacks.
 The computer as a weapon:
Using a computer as the tool to commit a real-world crime, e.g. cyber terrorism, credit card fraud.
FORMS OF COMPUTER CRIME
Viruses and Malware
Computer programs and apps rely on code to function properly. Unfortunately, attackers find weaknesses in the security of major programs every day and create viruses and malware that interfere with computer function. Some of these steal data; others (ransomware) lock systems or encrypt data until the user or business agrees to pay to be let back in.
Identity Theft
Identity theft and credit card fraud are closely related crimes in which a person steals personal data and uses it for his or her own purposes. This might be as simple as using a stolen credit card to make purchases, or as complex as using a person's Social Security number to obtain credit cards and bank accounts. The thief often operates under the assumed identity for months or years before the victim realizes it.
Credit card fraud
When an individual uses another individual's credit card for personal purposes while neither the owner of the card nor the card issuer is aware that the card is being used. This problem occurs with online banking and shopping.
Computer vandalism
Damaging or destroying data rather than stealing it, for example by deliberately spreading a virus.
Phishing
A phishing scheme arrives through spam emails or fake advertisements on websites. If the user clicks the link, it leads to a fake login page that captures credentials, or to a download that installs malware; either can give the sender access to the user's accounts, computer or network. Phishing has become harder to recognize as those creating phishing schemes become more sophisticated.
Hacking
Skilled attackers steal or guess passwords to get into individual user accounts, or exploit security weaknesses to steal large amounts of data from companies. Major data breaches occur often, with companies losing their customers' personal or financial information, often costing a company millions of dollars. Hackers are commonly classified as white hat (authorized testers who report what they find), black hat (criminals) and grey hat (those who break in without authorization but without criminal intent).
SAFETY TIPS FOR COMPUTER CRIME
 Use antivirus software.
 Use a firewall.
 Uninstall unnecessary software.
 Maintain backups.
 Check security settings.
 Never give your full name or address to strangers.
 Learn more about internet privacy.
ETHICAL ANALYSIS
• Ethical analysis is a systematic approach to figuring out the
right moral decision in a particular situation. By analyzing the
situation logically, in accordance with your ethical code, you
can figure out which options are both effective and moral.
• Ethical analysis principles encourage you to form an accurate
picture of the situation and think through the effect of your
decisions before you act.
FIVE STEPS IN AN ETHICAL ANALYSIS
• The recommended procedure for analyzing ethical cases is
to apply a variant of the design/problem-solving loop. In
the process, one attempts to reason systematically to a
rationally defensible moral judgment using ethical
principles and moral rules. The basic steps in the procedure
are as follows:
 Identify the Issues,
 Outline the Options,
 Construct Ethical Arguments,
 Evaluate the Arguments,
 Make a Decision.
Step 1: Identify the Issues
a) What are the major moral or ethical issues raised by this
case?
b) What are the major factual issues raised by this case?
c) What are the major conceptual issues raised by this case?
d) Who are the major stakeholders in this case? (Stakeholders
refer to all individuals whose interest could be affected by the
decision made in the case).
e) How are the issues in this case related to the application of technology?
Step 2: Outline the Options
a) What are the main alternative actions or policies that might be followed in responding to the ethical issues in this case?
b) What are the major views on the conceptual issues raised by this case?
c) What facts are unknown or controverted that might be relevant to deciding this case (this may require research to determine some facts)?
Step 3: Construct Ethical Arguments
a) Determine which of the four moral standards discussed by Harris (egoism, natural law, utilitarianism, and respect for persons) apply to this case.
b) Identify the moral principles or high-level rules that can be invoked to support a conclusion as to what ought to be done ethically in this case or similar cases.
c) Determine whether the different moral standards yield converging or diverging judgments about what ought to be done.
Step 4: Evaluate the Arguments for each Option

(a) Weigh the ethical reasons and arguments for each option in
terms of their relative importance, assigning weights to each
consideration where:
 very important consideration,
 somewhat important consideration,
 a consideration of the only minor importance
(b) Determine whether there are any unwarranted factual
assumptions that need to be examined in each argument.
(c) Determine whether there are any unresolved conceptual issues
in each argument.
Step 5: Make a Decision
(a) Decide which of the identified options you would recommend
or judge to be the ethically best way to deal with the issue
presented in this case based on which option has the strongest
ethical reasons behind it.
(b) Determine how a critic of your position might try to argue
against it using other ethical reasons, and present a rebuttal or
counter-argument in defense of your judgment.
Intellectual Property
• What is Intellectual Property?
• Intellectual Property (IP) refers to creations of the mind, such
as inventions; literary and artistic works; designs; and
symbols, names and images used in commerce. Intellectual
Property rights grant the owner of the work exclusive rights to
exploit and benefit from his/her creation.
Why protect Intellectual Property?
• To provide an incentive to innovators by enabling them to benefit from the results of their endeavour.
• The legal protection of innovations encourages the commitment
of additional resources for further innovation.
• The promotion and protection of intellectual property spurs
economic growth, creates jobs and enhances the quality and
enjoyment of life
Forms of Intellectual Property
• The most common forms of Intellectual Property include: copyright, trademarks, patents, utility models, industrial designs and geographical indications.
FORMS OF INTELLECTUAL PROPERTY
Copyright – is a form of intellectual property that gives the author proprietary publication, distribution and usage rights over a work. This means that the work the author created cannot be used or disseminated by anyone else without the author's permission. Copyright protects the expression of an idea, not the idea itself.
Patents
Patents are used to protect inventions, which may be products or processes, and in some jurisdictions newly engineered plant varieties. A patent gives its owner the right to exclude others, normally for twenty years, from making, selling, using or importing the invention.
Trade Secret
• A trade secret is information that is not generally known or readily ascertainable and that gives its owner a competitive advantage. For a trade secret to be protected, the owner must keep it confidential. This is achieved by using non-disclosure agreements and by implementing policies and practices that restrict access to the information. For example, the Coca-Cola Company holds its formula for Coca-Cola as a trade secret.
Trademarks
• A trademark is a sign that identifies the goods or services of a particular source and distinguishes them from those of others. It is what consumers use to identify a product or its origin. If a trademark consists of a word or words, it is referred to as a word mark. Beyond names, colours, sounds or even smells may serve as trademarks. Typically, most trademarks are word marks, slogans or logos.
I.T SECURITY POLICY
An Information Technology (IT) Security Policy identifies the rules and procedures for all individuals accessing and using an organization's IT assets and resources. An effective IT security policy reflects the organization's culture: its rules and procedures grow out of how employees approach their information and their work.
To achieve these objectives, the policy must aim at:
i. Developing user-friendly, high-business-value and high-technological-impact applications with the help of proper IT planning.
ii. Specifying a common interface to applications to ensure a high degree of consistency from one application to the next.
iii. Providing controlled and quick exchange of information in diverse forms at different locations.
iv. Ensuring effective control and maintenance of the IT infrastructure, including defining a system of access to applications and services, security procedures, etc.
v. Actively searching for and identifying information technologies that will give the enterprise a strategic advantage, and seeking opportunities to acquire technologies that create competitive barriers in marketing, procurement, production and manpower management.
vi. Designing and developing a comprehensive plan for the IT infrastructure that may serve as a guide for the future direction of application development. This may include a proper system of regular evaluation of existing and proposed applications in terms of their contribution to the success of the enterprise.
ELEMENTS OF AN I.T POLICY
1. Purpose
First state the purpose of the policy which may be to:
• Create an overall approach to information security.
• Detect and preempt information security breaches such as misuse
of networks, data, applications, and computer systems.
• Maintain the reputation of the organization, and uphold ethical and
legal responsibilities.
• Respect customer rights, including how to react to inquiries and
complaints about non-compliance.
2. Audience
Define the audience to whom the information security policy
applies. You may also specify which audiences are out of the
scope of the policy (for example, staff in another business unit
which manages security separately may not be in the scope of the
policy).
3. Information security objectives
Guide your management team to agree on well-defined objectives for strategy and security. Information security focuses on three main objectives:
• Confidentiality. Only individuals with authorization should be able to access data and information assets.
• Integrity. Data should be intact, accurate and complete, and changed only through authorized, intended operations.
• Availability. Users should be able to access information and systems when needed, which means IT systems must be kept operational.
4. Authority and access control policy
• Hierarchical pattern—a senior manager may have the authority to
decide what data can be shared and with whom. The security
policy may have different terms for a senior manager vs. a junior
employee.
• The policy should outline the level of authority over data and IT
systems for each organizational role.
• Network security policy—users are only able to access company
networks and servers via unique logins that demand authentication,
including passwords, biometrics, ID cards, or tokens. You should
monitor all systems and record all login attempts.
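The two requirements in that paragraph, unique logins and a record of every login attempt, only pay off if someone actually reads the record. The script below is an added example, not part of the original slides: it parses a handful of constructed authentication log lines in an assumed `timestamp user RESULT source_ip` format and flags the two patterns a reviewer of such a log looks for first, a burst of failures against one account (brute force) and one source failing against many accounts (password spraying), plus the highest-signal event of all, a success that follows a burst. The log format, the thresholds and the window sizes are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp user RESULT source_ip" format
# (hypothetical lines, not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice FAIL 10.0.0.5
2024-03-01T09:00:03 alice FAIL 10.0.0.5
2024-03-01T09:00:05 alice FAIL 10.0.0.5
2024-03-01T09:00:07 alice FAIL 10.0.0.5
2024-03-01T09:00:09 alice FAIL 10.0.0.5
2024-03-01T09:00:11 alice OK 10.0.0.5
2024-03-01T09:05:00 bob FAIL 198.51.100.7
2024-03-01T09:05:01 carol FAIL 198.51.100.7
2024-03-01T09:05:02 dave FAIL 198.51.100.7
2024-03-01T09:05:03 erin FAIL 198.51.100.7
2024-03-01T09:30:00 bob OK 10.0.0.9
2024-03-01T10:00:00 frank FAIL 10.0.0.12
2024-03-01T11:00:00 frank FAIL 10.0.0.12
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) (\S+)$")


def parse_log(text):
    """Turn raw lines into (timestamp, user, result, ip) tuples in time order, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a monitor must not crash on a line it cannot parse
        ts, user, result, ip = m.groups()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return sorted(events)


def detect_brute_force(events, max_failures=5, window=timedelta(minutes=1)):
    """Map user -> time of detection for users with max_failures failed logins inside a sliding window."""
    recent = defaultdict(list)  # user -> failure timestamps still inside the window
    flagged = {}
    for ts, user, result, _ in events:
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # evict failures that fell out of the window
            q.pop(0)
        if len(q) >= max_failures:
            flagged.setdefault(user, ts)
    return flagged


def detect_password_spray(events, min_accounts=3, window=timedelta(minutes=5)):
    """Source IPs that failed against at least min_accounts different users inside a window."""
    by_ip = defaultdict(list)
    for ts, user, result, ip in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = set()
    for ip, attempts in by_ip.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


def analyse(text):
    """Run both detectors and also flag accounts that logged in successfully after being flagged."""
    events = parse_log(text)
    brute = detect_brute_force(events)
    spray = detect_password_spray(events)
    success_after_burst = {
        user for ts, user, result, _ in events
        if result == "OK" and user in brute and ts >= brute[user]
    }
    return {"brute_force": brute, "password_spray": spray, "success_after_burst": success_after_burst}


if __name__ == "__main__":
    for finding, items in analyse(SAMPLE_LOG).items():
        print(f"{finding}: {sorted(items)}")
```

On the sample, `alice` is flagged for five failures in ten seconds and again for the success that follows them, and `198.51.100.7` is flagged for spraying four accounts; `frank`'s two failures an hour apart stay below the threshold, which is the point of using a window rather than a lifetime count. A real deployment would read the authentication log of the system in question and feed the findings to whoever owns incident response under the policy.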
5. Data classification
The policy should classify data into categories, which may include
“top secret”, “secret”, “confidential” and “public”. Your objective
in classifying data is:
• To ensure that sensitive data cannot be accessed by individuals with
lower clearance levels.
• To protect highly important data, and avoid needless security
measures for unimportant data.
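As an added example (not from the slides), the check behind the first objective can be written down as a lattice: the four labels from the slide are ordered, each user is assigned a clearance, and a read is allowed only when the clearance is at or above the data's label (the "no read up" rule of the Bell-LaPadula model). The companion "no write down" rule, the users, the documents and the mapping of labels to controls are constructed here for illustration and are not part of the original material.

```python
from enum import IntEnum


class Level(IntEnum):
    """The four labels from the policy, ordered from least to most sensitive."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def parse_level(name):
    """Map a label as written in the policy ("top secret") to a Level; an unknown label is an error, not PUBLIC."""
    key = name.strip().upper().replace(" ", "_")
    try:
        return Level[key]
    except KeyError:
        raise ValueError(f"unknown classification label: {name!r}") from None


def can_read(clearance, label):
    """No read up: a subject may read data only if its clearance dominates the data's label."""
    return clearance >= label


def can_write(clearance, label):
    """No write down: a subject may write only to data at or above its clearance, so nothing leaks to a lower label."""
    return label >= clearance


# Constructed users and documents (hypothetical, for illustration only).
CLEARANCES = {
    "junior_employee": Level.CONFIDENTIAL,
    "senior_manager": Level.SECRET,
    "ciso": Level.TOP_SECRET,
}
DOCUMENTS = {
    "press_release.txt": Level.PUBLIC,
    "salaries.xlsx": Level.CONFIDENTIAL,
    "merger_plan.docx": Level.SECRET,
    "breach_report.pdf": Level.TOP_SECRET,
}


def authorize(user, doc, action):
    """True if user may perform action ('read' or 'write') on doc; unknown users, documents or actions are denied."""
    clearance = CLEARANCES.get(user)
    label = DOCUMENTS.get(doc)
    if clearance is None or label is None:
        return False  # fail closed: no entry, no access
    if action == "read":
        return can_read(clearance, label)
    if action == "write":
        return can_write(clearance, label)
    return False


def required_controls(label):
    """Controls that grow with sensitivity, so public data is not burdened with controls meant for secrets (assumed mapping)."""
    controls = ["access logging"]
    if label >= Level.CONFIDENTIAL:
        controls.append("authentication required")
    if label >= Level.SECRET:
        controls += ["encryption at rest", "need-to-know approval"]
    if label >= Level.TOP_SECRET:
        controls.append("two-person access review")
    return controls


if __name__ == "__main__":
    for user in CLEARANCES:
        readable = [d for d in DOCUMENTS if authorize(user, d, "read")]
        print(f"{user} may read: {readable}")
```

Two design choices matter more than the lattice itself. The function fails closed: a user or document missing from the tables gets no access rather than PUBLIC access, and an unrecognized label string raises instead of being silently treated as public. The "no write down" rule looks odd at first (the CISO cannot edit the press release) but it is what stops a process holding secret data from copying it into a public file; real systems grant a few trusted roles an explicit exception rather than dropping the rule.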
6. Data support and operations
• Data protection regulations—systems that store personal data, or
other sensitive data, must be protected according to organizational
standards, best practices, industry compliance standards and
relevant regulations. Most security standards require, at a
minimum, encryption, a firewall, and anti-malware protection.
• Data backup—encrypt data backup according to industry best
practices. Securely store backup media, or move backup to secure
cloud storage.
• Movement of data—only transfer data via secure protocols.
Encrypt any information copied to portable devices or transmitted
across a public network.
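The "secure protocols only" bullet becomes enforceable only once it is turned into concrete settings that can be checked. The Python below is an added example, not from the slides: it builds a TLS client context that meets the policy next to the weakened one that tends to appear in scripts once a transfer "would not connect", an audit function that lists what each context violates, and a scheme check for transfer URLs. The TLS 1.2 floor and the scheme lists are assumptions, not part of the original text.

```python
import ssl
from urllib.parse import urlsplit

# Transport schemes the (assumed) policy permits for moving data; plaintext ones are refused.
SECURE_SCHEMES = {"https", "sftp", "ftps", "scp", "ssh"}
PLAINTEXT_SCHEMES = {"http", "ftp", "telnet", "smb", "tftp"}  # named explicitly so a finding can say why


def hardened_client_context():
    """Client-side TLS context that verifies the server and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context():
    """Verification switched off and old protocol versions allowed: the setting the policy forbids."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode may be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # some OpenSSL builds refuse TLS 1.0 outright
    except ValueError:
        pass
    return ctx


def audit_context(ctx):
    """Policy findings for a context; an empty list means the context is compliant."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


def transfer_allowed(url):
    """(allowed, reason) for a data-transfer URL, judged only by its scheme."""
    scheme = urlsplit(url).scheme.lower()
    if scheme in SECURE_SCHEMES:
        return True, f"{scheme} is encrypted"
    if scheme in PLAINTEXT_SCHEMES:
        return False, f"{scheme} sends data in plaintext"
    return False, f"{scheme or '(none)'} is not on the approved list"


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "compliant")
    print("weak:    ", audit_context(weak_client_context()))
    for url in ("sftp://backup.example.org/nightly.tgz", "ftp://backup.example.org/nightly.tgz"):
        print(url, "->", transfer_allowed(url))
```

The hardened context is what a transfer job should hand to any TLS client; `audit_context` is the check a code review or a CI step can run over the contexts a project constructs, so that a `verify_mode = CERT_NONE` slipped in during debugging is caught before it reaches production. The scheme check deliberately denies anything it does not recognise rather than only the schemes it knows to be plaintext.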
7. Security awareness and behavior
Share IT security policies with your staff. Conduct training
sessions to inform employees of your security procedures and
mechanisms, including data protection measures, access
protection measures, and sensitive data classification.
• Social engineering—place a special emphasis on the dangers
of social engineering attacks (such as phishing emails). Make
employees responsible for noticing, preventing and reporting
such attacks.
• Clean desk policy—secure laptops with a cable lock. Shred
documents that are no longer needed. Keep printer areas clean
so documents do not fall into the wrong hands.
• Acceptable Internet usage policy—define how the Internet
should be restricted. Do you allow YouTube, social media
websites, etc.? Block unwanted websites using a proxy.
8. Responsibilities, rights, and duties of personnel
Appoint staff to carry out user access reviews, education, change
management, incident management, implementation, and periodic
updates of the security policy. Responsibilities should be clearly
defined as part of the security policy.
STEPS TO DESIGN I.T POLICY
1. Identify need
• Policies can be developed:
• In anticipation of need
• In response to need (e.g. a policy position on a government
strategy may be developed in response to a consultation paper).
• The organization needs to constantly assess its activities,
responsibilities and the external environment in order to identify
the need for policies and procedures.
2. Identify who will take lead responsibility
• Delegate responsibility to an individual, working group, sub-
committee or staff members, according to the expertise required.
3. Gather information
• Do you have any legal responsibilities in this area? Is your
understanding accurate and up to date? Have other organizations
tackled the same issue? Are there existing templates or examples
that you could draw on? Where will you go for guidance?
4. Draft policy
• Ensure that the wording, length and complexity of the policy are appropriate to those who will be expected to implement it.
5. Consult with appropriate stakeholders
• Policies are most effective if those affected are consulted, are supportive and have the opportunity to consider and discuss the potential implications of the policy. Depending on whether you are developing policies to govern the internal working of the organization or external policy positions, you may wish to consult, for example:
• Supporters;
• Staff and volunteers;
• Management Committee members; and
• Service users or beneficiaries.
6. Finalize / approve policy
• Who will approve the policy? Is this a strategic issue that should
be approved by the Management Committee or is the Committee
confident that this can be dealt with effectively by staff?
7. Consider whether procedures are required
• Procedures are more likely to be required to support internal policies. Consider whether there is a need for clear guidance regarding how the policy will be implemented and by whom (e.g. a policy on receiving complaints will require a set of procedures detailing how complaints will be handled). Who will be responsible for developing these procedures? When will this be done? What will be the processes for consultation, approval and implementation?
8. Implement
• How will the policy be communicated and to whom? Is training
required to support the implementation among staff and
volunteers? Should the organization produce a press release (for
external policy positions)?
9. Monitor, review, revise
• What monitoring and reporting systems are in place to ensure that
the policy is implemented and to assess usage and responses? On
what basis and when will the policy be reviewed and revised (if
necessary)?
Approaches to management
What is the Top-down approach to
management?
• In the Top-down approach to management, a team or project
manager makes decisions, which then filter down through a
hierarchical structure. Managers gather knowledge, analyse it, and
draw actionable conclusions. They then develop processes that are
communicated to and implemented by the rest of the team. You
may hear this style of management referred to as “command and
control” or “autocratic leadership.”
• The top-down approach is probably what you think of when you
think of the management process. Traditional industries like retail,
healthcare, or manufacturing typically apply the top-down
management style.
Advantages of Top-down management
• There are benefits to a top-down management style, especially for larger teams that consist of multiple smaller teams or groups that function together in a broader organizational hierarchy.
• Well-known management style
• The top-down management style is common, which means there’s
less of a learning curve for new hires if they came from a company
that uses this structure. As a team leader, you can help new team
members adjust more quickly by incorporating some familiar
elements of top-down methodology into your management style.
• Greater clarity
• The top-down approach results in clear, well-organized processes
that leave little room for confusion. Because all decisions are made
in one place and all communication flows in one direction, mix-
ups and misunderstandings happen less frequently than with other
management styles.

• Quicker implementation
• Since the decision-making process takes place at just one level of
management, they can be finalized, distributed, and implemented
much more quickly than decisions that require input from multiple
leaders or project stakeholders.
• More accountability
• When problems or inefficiencies do occur, the top-down
management approach makes it easy to track them to their source.
With clearly defined teams that each have their own separate
responsibilities, it’s easier to locate, diagnose, and solve problems
quickly and efficiently.
Making a decentralized structure work
• Clear delegation of tasks. Just because management and decision making occur at multiple levels in an organization doesn't necessarily mean that conflict and overlap are inevitable. Delegate work clearly and strategically so different managers know the scope of their domains and respect the autonomy of other managers and decision makers. Provide clear information for employees about who to approach with which type of question.
• Comprehensive training. When more workers and managers are empowered to make decisions, your training system should be robust enough to teach staff members what they need to do to effectively meet these raised expectations. Training should cover both the practical details of the work being performed and also management techniques for delegating work and motivating workers.
• Effective communication. To minimize friction and overlap, develop systems and expectations for communicating within a decentralized management system. Establish protocols for how to convey urgent and less-urgent information, and also lay out channels for addressing conflict and misunderstandings.

Disadvantages of Top-down management
• Though top-down methodology has some advantages, there are
also drawbacks to consider in how this approach might impact
individual team members and overall team morale.
• More of a strain on leadership
• Since all decisions are made at the top, a mismatched project
management hire can have a bigger impact on the success of the
team. Many process problems are only visible at the lower level, so
project managers who fail to solicit feedback from individual team
members before making decisions can inadvertently cause
significant problems, delays, and losses.
• Less creativity
• With all communication flowing from leaders to team members
with little room for dialogue, the top-down approach allows fewer
opportunities for creative collaboration. Less interdepartmental
collaboration may also eliminate fresh perspectives and stifle
innovation.
• Greater distance between decision-makers and decisions
• While a bottom-up approach allows decisions to be made by the
same people who are working directly on a project, the top-down
style of management creates distance between that team and
decision-makers. This can lead to poorly-informed decisions if
leadership doesn’t ask for input or feedback from their project
team.
• Team disengagement
• One challenge with the top-down management approach is that it
requires proactive work to keep non-leadership team members
feeling engaged, connected, and respected. When all decisions are
made at the top, the rest of the team might feel that their feedback
and opinions aren’t valued.
What does bottom-up management look like?
• When approaching project objectives from the bottom up, a team will collaborate across all levels to determine what steps need to be taken to achieve overall goals. The bottom-up approach is newer and more flexible than the more formal top-down strategy, which is why it's more commonly found in industries where disruption and innovation are a priority.
• Democratic management: leaders work with team members to
determine what decisions should be made at each level, allowing
for better collaboration while also maintaining structure.
Advantages of bottom-up management
• The bottom-up style of management solves many of the problems
that come with the top-down approach. This approach has
advantages that make it a great fit for creative teams and industries
where collaboration is key, like software development, product
design, and more.
• More informed decisions
• In collaborative settings, those who work directly on projects and
oversee project management can speak to the decisions that will
impact their future work. Upper managers work directly with team
members to chart a course of action, which prevents potential
process blind spots that might otherwise appear when decisions are
made without team input.

• More room for creativity
In top-down processes, there are fewer opportunities for teams to give
input or suggestions. Collaborative approaches like the bottom-up
approach, on the other hand, create opportunities for feedback,
brainstorming, and constructive criticism that often lead to better
systems and outcomes.
• Better team morale
The bottom-up approach encourages greater buy-in from team
members because everyone is given the opportunity to influence
decisions regardless of seniority. It also facilitates better relationships
between colleagues by offering members of all seniority levels an
equal opportunity to influence project outcomes. In doing so, this
approach increases the likelihood that all members will be invested in
the team’s success.
Disadvantages of Bottom-up management
Of course, there’s a reason that the bottom-up approach hasn’t been
more widely adopted: it comes with a number of challenges that make
it incompatible with certain types of teams, projects, and industries.
• Reduced momentum
A purely bottom-up approach to solving a problem might result in “too
many cooks in the kitchen.” When everyone in a group is invited to
collaborate, it can be harder to arrive at a decision and, as a result,
processes can slow down. To avoid this: Consider assigning one to
two group leaders who take into consideration all of the input and then
make a decision based on feedback.
• Shift in team dynamics
Though it’s important to give team members the opportunity to provide
feedback, not everyone is comfortable doing so—especially with
leadership in the room. Keep in mind that everyone has different
comfort levels and pushing too hard for feedback might stifle honesty.
To avoid this: Offer different environments for team members to
contribute, like in small group breakout rooms, 1:1 meetings, or
quarterly anonymous feedback surveys. Encourage more senior team
members to find ways to break the ice with new contributors so
everyone feels comfortable participating.
• Lack of high-level insight
In many ways, it makes sense for project decisions to be made at the
project level. However, projects are still impacted by higher-level
factors like company goals, budgeting, forecasting, and metrics that
aren’t always available at the team level. Processes designed from the
bottom up can suffer from blind spots that result from a lack of access
to insights from upper management. To avoid this: Create a
communication flow that provides team leads with summaries of
information from the company level that may be relevant to
project-level decisions. As a team lead, you can pass along information
to your team as you see fit to ensure team decisions are aligned with
company-wide positions and goals.
• Cross-functional team management tips
The key to implementing a management approach that works is to invest
in your people as much as you do in your processes. The challenges of
the top-down management approach can be alleviated or even
eliminated entirely if the people at the top of the process aren’t just
good managers, but are leaders too.
• Build relationships outside the management team
Since process-related communication flows top to bottom in top-down
companies, it’s easy for individuals and groups to become siloed and
eventually feel isolated. Create opportunities for communication
across departments, teams, management levels, and even geographical
locations to help ensure that your team members can build meaningful
relationships with each other.
• Supplement with additional forms of feedback
Non-management teammates may feel less invested when their
opinions and perspectives aren’t considered by the people making
decisions at the top. Build new channels for bottom-up feedback to
not only increase buy-in with lower-level team members, but also give
decision-makers valuable insight into gaps or issues with processes.
• Facilitate cross-team communication
Whether your team uses a top-down or bottom-up approach, provide
purpose-built opportunities for collaboration between teams that don’t
normally work together. Though not part of your day-to-day processes,
these additional brainstorms can help stimulate creativity, build
relationships, and lead to creative solutions that can later be
implemented to benefit the greater group.
• Great management is all about balance
When it comes down to it, effective managers know how to balance
the efficiency of the top-down approach with the collaborative and
creative advantages that come from the entire team.
By blending elements of different management styles, you can find an
approach that works best for you and your unique team. Once you
decide on the right approach, you can establish streamlined workflow
management.
What is a Risk assessment?
• The definition of a risk assessment is a systematic process of
identifying hazards and evaluating any associated risks within a
workplace, then implementing reasonable control measures to
remove or reduce them.
• When completing a risk assessment, it is important to clearly define
some keywords:
• An accident is ‘an unplanned event that results in loss’
• A hazard is ‘something that has the potential to cause harm’
• A risk is ‘the likelihood and the severity of a negative occurrence
(injury, ill-health, damage, loss) resulting from a hazard.’
• Additional training may be required if you need to complete or re-
assess your risk management procedures.
Why are risk assessments important?
• As previously stated, carrying out suitable and sufficient risk
assessments is the primary management tool in effective risk
management. It is a legal requirement for any employer and must
be documented wherever five or more people are employed.
• Risk assessment is a straightforward and structured method of
ensuring the risks to the health, safety and wellbeing of employees
(and others) are suitably eliminated, reduced or controlled.
• The main purposes of risk assessments are:
• To identify health and safety hazards and evaluate the risks
presented within the workplace
• To evaluate the effectiveness and suitability of existing control
measures
• To ensure additional controls (including procedural) are
implemented wherever the remaining risk is considered to be
anything other than low.
• To prioritise further resources if needed to ensure the above.
• It can be a costly lesson for a business if it fails to have the necessary
controls in place. It could face not only financial loss (through
fines, civil actions, etc.) but also loss of production time,
damage to equipment, time to train replacement employees and
negative publicity, amongst others.
When to carry out a risk assessment?
• A suitable and sufficient risk assessment must be carried out prior to
a particular activity or task being carried out in order to eliminate,
reduce or suitably control any associated risk to the health, safety
and wellbeing of persons involved with (or affected by) the
task/activity in question.
• Once completed, a risk assessment should be reviewed periodically
(proportionate to the level of risk involved) and, in any case, whenever
the current assessment is no longer valid or there have been
significant changes to the specific activity or task.
• Relevant risk assessments should be reviewed following an
accident, incident or ill-health event in order to verify whether the
control measures and the level of evaluated risk were appropriate or
require amendment.
How to carry out a Risk assessment
• How a risk assessment is conducted varies widely depending on the
risks unique to the type of business, the industry that business is in
and the compliance rules applied to that given business or industry.
However, there are five general steps that companies can follow
regardless of their business type or industry.
• Step 1: Identify the hazards. The first step in a risk assessment is to
identify any potential hazards that, if they were to occur, would
negatively influence the organization's ability to conduct business.
Potential hazards that could be considered or identified during risk
assessment include natural disasters, utility outages, cyber attacks
and power failure.
• Step 2: Determine what, or who, could be harmed. After the hazards
are identified, the next step is to determine which business assets
would be negatively influenced if the risk came to fruition. Business
assets deemed at risk to these hazards can include critical
infrastructure, IT systems, business operations, company reputation
and even employee safety.
• Step 3: Evaluate the risks and develop control measures. A risk
analysis can help identify how hazards will impact business assets
and the measures that can be put into place to minimize or
eliminate the effect of these hazards on business assets. Potential
hazards include property damage, business interruption, financial
loss and legal penalties.
• Step 4: Record the findings. The risk assessment findings should
be recorded by the company and filed as easily accessible, official
documents. The records should include details on potential
hazards, their associated risks and plans to prevent the hazards.
• Step 5: Review and update the risk assessment regularly. Potential
hazards, risks and their resulting controls can change rapidly in a
modern business environment. It is important for companies to
update their risk assessments regularly to adapt to these changes.
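The five steps can be captured as a small risk register. This is an added example, not part of the original notes: the 5x5 likelihood/severity scale, the "low" threshold, the hazard names and the asset names are constructed assumptions, chosen to match the hazards and assets the notes list.

```python
"""Risk register for the five-step assessment above (added example, not part of the notes)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

LOW_RISK_MAX = 4  # likelihood x severity <= 4 counts as "low" (constructed 5x5 matrix)

@dataclass
class Control:
    description: str
    likelihood_cut: int = 0  # points taken off likelihood by this control
    severity_cut: int = 0    # points taken off severity by this control

@dataclass
class Hazard:
    name: str                # Step 1: identify the hazard
    assets: list[str]        # Step 2: what, or who, could be harmed
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    severity: int            # 1 (negligible) .. 5 (catastrophic)
    controls: list[Control] = field(default_factory=list)  # Step 3: control measures

    def inherent_risk(self) -> int:
        return self.likelihood * self.severity

    def residual_risk(self) -> int:
        # Controls lower likelihood and/or severity, but never below 1.
        like = max(1, self.likelihood - sum(c.likelihood_cut for c in self.controls))
        sev = max(1, self.severity - sum(c.severity_cut for c in self.controls))
        return like * sev

def rating(score: int) -> str:
    return "low" if score <= LOW_RISK_MAX else "medium" if score <= 9 else "high"

def record_findings(hazards: list[Hazard], assessed_on: date, review_months: int = 12) -> list[dict]:
    # Step 4: record findings, highest residual risk first (prioritisation).
    # Step 5: date the next review. Action is required wherever residual risk is not low.
    due = (assessed_on + timedelta(days=30 * review_months)).isoformat()
    return [{"hazard": h.name, "assets": h.assets, "inherent": h.inherent_risk(),
             "residual": h.residual_risk(), "rating": rating(h.residual_risk()),
             "action_required": rating(h.residual_risk()) != "low", "review_due": due}
            for h in sorted(hazards, key=Hazard.residual_risk, reverse=True)]

def sample_register() -> list[dict]:
    # Constructed entries using hazards the notes list: power failure, cyber attack, natural disaster.
    hazards = [
        Hazard("power failure", ["IT systems", "business operations"], 4, 4,
               [Control("UPS and standby generator", severity_cut=3)]),
        Hazard("cyber attack", ["IT systems", "company reputation"], 4, 5,
               [Control("patching programme", likelihood_cut=1), Control("offline backups", severity_cut=2)]),
        Hazard("natural disaster", ["critical infrastructure", "employee safety"], 1, 5),
    ]
    return record_findings(hazards, date(2024, 1, 15))
```

The register shows that a control may bring one hazard (power failure) down to low while another (cyber attack) remains medium after its controls and is flagged for further treatment, which is the decision the notes require at Step 3.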
What's a Business Continuity Plan?
• A business continuity plan (BCP) is a document that outlines how a
business will continue operating during an unplanned disruption in
service. It’s more comprehensive than a disaster recovery plan and
contains contingencies for business processes, assets, human resources
and business partners – every aspect of the business that might be
affected.
• Plans typically contain a checklist that includes supplies and equipment,
data backups and backup site locations. Plans can also identify plan
administrators and include contact information for emergency
responders, key personnel and backup site providers. Plans may provide
detailed strategies on how business operations can be maintained for
both short-term and long-term outages.
• A key component of a business continuity plan (BCP) is a disaster
recovery plan that contains strategies for handling IT disruptions to
networks, servers, personal computers and mobile devices. The plan
should cover how to re-establish office productivity and enterprise
software so that key business needs can be met. Manual workarounds
should be outlined in the plan, so operations can continue until computer
systems can be restored.
• There are three primary aspects to a business continuity plan for
key applications and processes:
• High availability: Provide for the capability and processes so that
a business has access to applications regardless of local failures.
These failures might be in the business processes, in the physical
facilities or in the IT hardware or software.
• Continuous operations: Safeguard the ability to keep things
running during a disruption, as well as during planned outages
such as scheduled backups or planned maintenance.
• Disaster recovery: Establish a way to recover a data center at a
different site if a disaster destroys the primary site or otherwise
renders it inoperable.
Why is a Business Continuity Plan important?
• It’s important to have a business continuity plan in place to identify
and address resiliency synchronization between business processes,
applications and IT infrastructure.
• To withstand and thrive in the face of the many threats they face,
businesses have realized that they need to do more than create a
reliable infrastructure that supports growth and protects data.
Companies are now developing holistic business continuity plans that
can keep the business up and running, protect data, safeguard the
brand, retain customers – and ultimately help reduce total operating
costs over the long term.
• Yet developing a comprehensive business continuity plan has
become more difficult because systems are increasingly integrated
and distributed across hybrid IT environments – creating potential
vulnerabilities. An organization can face revenue loss and eroded
customer trust if it fails to maintain business resiliency while
rapidly adapting and responding to risks and opportunities.
Components of Business Continuity
• The components of business continuity are:
• Strategy: Objects that are related to the strategies used by the
business to complete day-to-day activities while ensuring
continuous operations
• Organization: Objects that are related to the structure, skills,
communications and responsibilities of its employees
• Applications and data: Objects that are related to the software
necessary to enable business operations, as well as the method to
provide high availability that is used to implement that software
• Processes: Objects that are related to the critical business process
necessary to run the business, as well as the IT processes used to
ensure smooth operations
• Technology: Objects that are related to the systems, network and
industry-specific technology necessary to enable continuous
operations and backups for applications and data
• Facilities: Objects that are related to providing a disaster recovery
site if the primary site is destroyed
REVISION QUESTIONS
• Define the term ethics
• With relevant examples discuss why we need ethics.
• What is Computer Security?
• Why is Computer Security Important?
• The Internet can be a hazardous place. Explain how?
• What are the consequences for security violations? Define the term
Cyber – Crime
• Elaborate on the different cyber-crimes and show how you can
combat them.
• Define the term privacy and discuss the privacy principles for
personal data
• Who writes a policy? Explain the two different approaches to
writing an IT policy
• Explain the 10 commandments of computer crimes
• Discuss the following classes of policy statements in details
- Corporate Policy
- Information Security Policy
- Personnel Security Policy
- Business Continuity Planning
• Define the term Authentication and show why it is important?
• Discuss the methods of authentication
• Discuss the similarities between Ethics and law
• Explain the inventions protected by intellectual property law
• Explain the ethical and unethical computer code of conducts
• Describe the Steps for ethical analysis
• Explain any five criteria of writing a good policy
• With clear examples, illustrate at least five signs that indicate that
a company really needs to implement policies
• Data in organizations is classified into several categories. Briefly
discuss the five categories of information you know
• Explain the top-down approach of designing an Information
Technology policy
• Write short notes on the following
 Cookies
 Global Unique Identifier
 Global Positioning System (GPS)
 Encryption
 Threat
SHORT NOTES AS USED IN ETHICS
• Plagiarism – is an act of copying and publishing another person’s
work without proper citation. It’s like stealing someone else’s
work and releasing it as your own work.
• Cracking – is a way of breaking into a system by getting past the
security features of the system. It’s a way of skipping the
registration and authentication steps when installing software.
• Software License – allows the use of digital material by
following the license agreement. Ownership remains with the
original copyright owner; users are just granted licenses to use the
material based on the agreement.