IT Security, Privacy and Ethics

December 15, 2007

Security has become an imperative issue for many organizations and has been elevated from a separate, technical concern to an enterprise concern. Security is a business requirement that must directly align with strategic goals, enterprise objectives, risk management plans, compliance requirements, and organizational policies. Given that security is a business problem, organizations must actively coordinate, deploy, and direct many of their principal resources and competencies to manage and align security risks with their strategic goals, operational measures, compliance requirements, and systems architecture.

Security needs to be managed horizontally, vertically, and cross-functionally throughout the organization as an enterprise issue. Enterprise security management is a concept that encompasses a wide variety of security, management, and process-related areas and is viewed as a shared effort that will utilize a broad range of organizational capabilities if it is to be successful. Practicing robust computer security is a persistent requirement and a challenging activity as a result of the technical and environmental complexity of today’s organizations. Adding to this complexity is an increasing list of vulnerabilities and progressively more sophisticated threats to which organizations are subjected day after day.

To understand corporate security, the organization must understand what the key assets in the company are – and often the organization’s key asset is information. Information can take many structures, and as a consequence there are a variety of methods of securing information.

Rather than dividing information into categories based on content, organizations should consider analyzing threats to information based on categories, methods of processing and storing, and its required protection level. There are three information domains, defined as physical, social/personal, and logical or network, and information security must take these into account whether the information is written down, in someone’s head, or on a computer or the network.

The organization must take measures to ensure that the appropriate physical, administrative and technical controls are in place. Physical control is the implementation of security measures in a defined structure used to deter or prevent unauthorized access to sensitive material. Classical security concentrates on physical protection such as buildings, server rooms, access controls etc. Examples of physical controls are: closed circuit surveillance cameras, motion or thermal alarm systems, security guards, picture IDs, and locked and dead-bolted steel doors. Administrative controls define the human factors of security. They involve all levels of personnel within an organization and determine which users have access to what resources and information by such means as: training and awareness, disaster recovery and business continuity plans, personnel recruitment, accounting, and separation strategies, and account provisioning and deprovisioning. Technical controls use technology as a foundation for controlling the access and usage of sensitive data throughout a physical structure and over a network. Technical controls are extensive in scope and encompass such technologies as: encryption, smart cards, network authentication, ACLs (Access Control Lists), and file integrity auditing software.

The measures an organization can take to ensure the security of its IT systems include:

• A risk assessment to determine existing vulnerabilities
• Creation and implementation of security policies
• The organization and governance of information security
• Asset management including inventory and classification of information assets
• Human resources security which encompasses the security aspects for employees joining, moving and leaving an organization
• Physical and environmental security and the protection of the computer facilities
• Communications and operations management including the management of technical security controls in systems and networks
• Access controls including the restriction of access rights to networks, systems, applications, functions and data
• Information systems acquisition, development and maintenance including building security into applications
• Information security incident management by anticipating and responding appropriately to information security breaches
• Business continuity management including protecting, maintaining and recovering business critical processes and systems
• Compliance which ensures conformance with information security policies, standards, laws and regulations

In the information age, raw data has become a precious commodity and the protection of personal information is increasingly important to our sense of privacy. The development of new information and communication technologies has increased exponentially the ability of the government and the private sector to collect, record and mine personal information. The traffic in personal information is enormous and there is almost nothing the commercial and governmental sectors are not eager to find out about us as individuals.

Organizations and IT professionals in particular must be strongly committed to maintaining the privacy of an individual’s personal information and the security of their computer systems. Organizations must be accountable and make every effort to ensure compliance with applicable federal law with respect to the collection, use, and disclosure of personal information. Organizations must have a clear understanding concerning the law and policy issues relating to information privacy and computers, databases, and the Internet and be proactive in ensuring information privacy.

The erosion of information privacy by technology occurs in three ways:

• Increased Access to Information – this is not only attributable to the fact that previously confidential information is now public, but instead because technology is changing the meaning of “public”. Global computer networks guarantee that “public access” means the entire online world.
• Collection of Information – the capacity of electronic databases to aggregate and distribute otherwise insignificant information allows an extensive profile of an individual to be created.
• Storage of Information – the ubiquity of information technology allows greater amounts of redundant information about individuals to be kept for extended periods of time.

The IT community needs to focus on ways to apply technology to applications that will give consumers better control over their privacy and enable software developers to create privacy aware applications. IT professionals need to focus on innumerable areas concerning information, privacy and security including:

Government surveillance

• The Fourth Amendment
• Sensory enhancement technologies
• Wiretapping
• Computer searches
• ISP records
• The Electronic Communications Privacy Act
• The Foreign Intelligence Surveillance Act
• The USA-Patriot Act

New issues

• Privacy and access to public records
• Government access to personal information
• Airline passenger screening and profiling
• Data mining
• Identity theft
• Consumer privacy
• Financial privacy

Emerging information technologies

• Computer databases
• RFID
• Cookies
• Spyware, Adware and Malware
• Viruses and Worms
• Cyberthreats
• Data mining

In today’s environment, almost every aspect of an individual’s daily life touches data processing systems in some way, and those who use the Internet are constantly being asked for personal and demographic information. All too often, privacy issues related to all this information are not addressed by a secure, consistent methodology. Because of that, individuals stand a good chance of having far more personal information released to third parties than they may be comfortable with. IT professionals need to become aware of the complex issues surrounding information privacy and build solid systems and processes that protect that privacy.

IT Professionals need to act with professional responsibility and integrity, and each individual professional must decide the correct ethical course of action in any given case – ultimately it is up to the individual to decide. Classical and applied ethics focus on competing human values. It may be that ethical inquiry specialized to computing can help engineers shape responsible, rational answers to questions about the quality of the products they are producing. The issue of informed consent has been prominent in the applied ethics of medicine, and this issue may be appropriate to systems engineering as well.

Some of the ethical topics that should be considered by IT professionals include: 

• Understanding of ethics/morality
• Ethics for IT professionals and IT users
• Computer and Internet crime
• Privacy
• Freedom of expression
• Intellectual property
• Software development
• Employer/employee issues
• The impact of information technology on the quality of life

There are a number of professional codes of conduct that can offer guidance to IT professionals including:

• Association for Computing Machinery (ACM) Code of Ethics and Professional Conduct
• Association of Information Technology Professionals (AITP) Code of Ethics
• Software Engineering Code of Ethics and Professional Practice
• PMI Member Ethical Standards and Member Code of Ethics

Any IT professional responsible for designing, configuring, deploying or managing information systems needs to understand and apply ethics in information security, which can include: personal integrity/claims of competence; personal accountability for work; responsibility to employer/client; responsibility to profession; confidentiality of information/privacy; conflict of interest; dignity/worth of people; public safety, health, and welfare; participation in professional societies; increase public knowledge about technology. Computers are a unique technology and as such they raise some unique ethical issues. IT professionals should endeavor to use their special technical knowledge to advance quality of life and feel an ethical obligation to assess social consequences, ensuring safe and beneficial use of IT applications. IT professionals need to have a basic respect for the privacy and integrity of individuals, groups, and organizations. Public trust in information technology is dependent upon conscious protection of established cultural and ethical norms of information privacy.

Statistics on IT projects failure rate

December 6, 2007

Before embarking on a “strategic” project, every organization should be aware of its chances of success. Statistics of IT project failure rate provide a good measure of those chances. The purpose is to make executives undertaking large projects ponder how to approach this endeavor to maximize their chances of success. The following surveys provide statistical data about the rate of failure of IT projects.

  • The KPMG Canada Survey (1997)
  • The Chaos Report (1995)
  • The OASIG Survey (1995)

The KPMG Canada Survey (1997)

In April 1997, KPMG Canada sent a survey questionnaire focusing on IT project management issues to Canada’s leading 1,450 public and private sector organizations. The main purpose was to outline the reasons behind the failure of Information Technology projects.

Survey Scope 

Out of 1,450 questionnaires sent, 176 were analyzed. Of these, 61% reported details on a failed IT project.

Key Findings

Over 61% of the analyzed projects had failed according to the respondents. More than three quarters went over their schedules by 30% or more; more than half exceeded their budgets by a substantial margin. Considering that an estimated $25 billion is spent on IT application development in Canada annually, the survey data indicated that unbudgeted IT project expenditures must run into the billions of dollars.

The Chaos Report (1995)

The Chaos Report was a landmark survey made by the Standish Group. This report is the study of IT project failure and is widely cited when IT project failures are being discussed.

Scope of the Study

The respondents to the Standish Group survey were IT executive managers. The sample included large, medium, and small companies across major industry segments: banking, securities, manufacturing, retail, wholesale, health care, insurance, services, local, state, and federal organizations. The total sample size was 365 respondents representing 8,380 applications. In addition, The Standish Group conducted focus groups and personal interviews to provide a qualitative context for the survey results.

Key Findings

The Standish Group research showed a staggering 31.1% of projects would be cancelled before they ever get completed. Further results indicated that 52.7% of projects will cost over 189% of their original estimates. Based on this research, The Standish Group estimated that in 1995 American companies and government agencies would spend $81 billion on cancelled software projects and pay an additional $59 billion for software projects that would be completed but exceed their original time estimates. Projects completed by the largest American companies had only approximately 42% of the originally proposed features and functions.

The OASIG Study (1995)

This study was undertaken under the auspices of OASIG, a Special Interest Group in the UK concerned with the Organizational Aspects of Information Technology.

Scope of the Study

Information was collected in 1995 in the United Kingdom from a sample of 45 experts employed primarily by universities or consultancies. On average they each had over 20 years’ personal experience, representing a cumulative knowledge base of over 900 years. The OASIG drew their opinion from a sample of approximately 14,000 user organizations. 31 of these interviewees (69%) included consultancy work as a major component of their work and 27 (60%) included research; many did both. Their professional areas of expertise covered the domains of management, business, and social science. A small number of those interviewed had a background in engineering.

Key Findings

The IT project success rate quoted revolved around 20-30% based on the most optimistic interviews. Ultimately, 7 out of 10 IT projects “failed” in one respect or another.

Iterative & Incremental Development

December 3, 2007

Software project failure is often devastating to an organization. Missed deadlines and releases containing serious flaws and missing features can mean the end of the project or even financial disaster for a company. It is economics that determines the success of any software project and its value to a company, with the amount of money spent on development determining the cost of the asset. The return generated by the product is its value, with the difference between the return and the cost being the “return on investment”. The Standish Group’s Chaos Report is a landmark study of IT project failure. The Standish Group research shows a staggering 31.1% of projects will be cancelled before completion. Further results indicate that 52.7% of projects will cost over 189% of their original estimates. The cost of these failures and overruns is just the tip of the proverbial iceberg. The lost opportunity costs are not measurable, but could easily be in the trillions of dollars in the United States alone.

The traditional project methodologies, such as the SDLC (Systems Development Life Cycle) approach, that many top corporations use are considered to be bureaucratic or “predictive” in nature, and they have resulted in many unsuccessful projects. These “heavyweight” methodologies are becoming increasingly unpopular. They can be so laborious that design, development and deployment can actually be slowed down.

Agile software development is an increasingly prevalent alternative to traditional, process-centric software development processes, differentiated by a focus on people, results, minimal methods and maximum collaboration. It is geared towards the high pace and the rapidly changing environments of today’s business projects.

The purpose of this process analysis is to identify how Agile software development can benefit organizations and individuals within that organization, from stakeholders and business persons to project managers and engineers, with Revolution being no exception. This benefit will be realized through a deeper understanding of how traditional software development methodologies are not delivering on the promise of creating a framework for the successful delivery of critical software systems and how alternative methodologies can help software initiatives realize their maximum return on investment.

Iterative & Incremental Development

November 29, 2007

This blog will discuss industry trends and best practices for a range of topics including project management processes and methodologies, enterprise software architecture and design, Web technologies, databases and network infrastructure. Firstly, a few thoughts on the software development lifecycle. The process of software development is a critical function in many organizations, including my own. Every development effort undertaken adheres to one of three fundamentally incompatible process models: chaotic (ad-hoc, code and fix), heavyweight (waterfall, linear-sequential) and adaptive (agile, incremental and iterative). Within many organizations, groups unwisely chose to develop products under the waterfall process model, although that model is not appropriate given the organization’s business context and constraints.

Heavyweight software development processes try to plan out a large part of a software project in great detail over a long span of time. Project managers want to see every technical detail because they want to predict every conceivable project milestone. This leads managers to demand a variety of specifications, plans, reports, checkpoints, and schedules. This strategy is only effective as long as there are not any unexpected changes.

Traditional methodologies are typically known as “heavy” or “monumental”. These methodologies typically follow what is called an SDLC (Systems or Software Development Life Cycle). The unpopularity of these “heavy” methodologies is a result of the massive effort required throughout the process, which slows down the development process and often leads to the failure of the project. The benefit of incremental, adaptive and lightweight processes such as Agile is their focus on producing value-added releases and addressing architectural risk early in the project. This helps the project manager to ensure that the development team is working on those aspects important to the client as well as those that provide the most value to the business, and increases the likelihood of delivering the project within the constraints of schedule and budget. A process analysis focusing on comparing heavyweight and lightweight processes as implemented within my organization and thousands of organizations around the world will be the subject of future posts.

