Page 1: MIS chap # 10..

© 2007 by Prentice Hall. Management Information Systems, 10/e, Raymond McLeod and George Schell

Management Information Systems, 10/e

Raymond McLeod Jr. and George P. Schell

Page 2: MIS chap # 10..

Chapter 10

Ethical Implications of Information Technology

Page 3: MIS chap # 10..

Learning Objectives

► Understand how morals, ethics, and laws differ.
► Be familiar with computer legislation that has been passed in the United States and know how legislation in one country can influence computer use in others as well.
► Know how a firm creates an ethical culture by first establishing a corporate credo, then establishing ethics programs, and then lastly establishing a corporate ethics code.
► Know why society demands that computers be used ethically.
► Know the four basic rights that society has concerning the computer.

Page 4: MIS chap # 10..

Learning Objectives (Cont’d)

► Know how the firm’s internal auditors can play a positive role in achieving information systems that are designed to meet ethical performance criteria.
► Be aware of computer industry codes of ethics, and the wide variety of educational programs that can help firms and employees use computers ethically.
► Know what the chief information officer (CIO) can do to be a power center as the firm follows ethical practices.
► Be acquainted with the most produced piece of legislation to be levied on business in recent history–The Sarbanes-Oxley Act.

Page 5: MIS chap # 10..

Prescriptive vs. Descriptive Coverage

► Prescriptive coverage is when we prescribe how the MIS ought to be developed and used in a business firm.
► Descriptive coverage explains how things are being done.
  - Our mission is to recognize that businesspeople in general and information people in particular have definite responsibilities in terms of performing within ethical, moral, and legal constraints.

Page 6: MIS chap # 10..

Morals, Ethics, and Laws

► Morals are traditions of belief about right and wrong conduct; a social institution with a history and a list of rules.
► Ethics is a collection of guiding beliefs, standards, or ideals that pervades an individual or a group or community of people.
► Pirated software–software that is illegally copied and then used or sold.

Page 7: MIS chap # 10..

Morals, Ethics, and Laws (Cont’d)

► Laws are formal rules of conduct that a sovereign authority, such as a government, imposes on its subjects or citizens.
► In 1966, first case of computer crime
  - Programmer for a bank altered a program not to flag his account for being overdrawn.
  - Programmer not charged because no laws existed.

Page 8: MIS chap # 10..

Computer Legislation in U.S.A.

► U.S. computer legislation has focused on rights and restrictions related to data access, information privacy, computer crime, and, most recently, software patents.
► The 1966 Freedom of Information Act gave U.S. citizens and organizations the right to access data held by the federal government.
► The 1970 Fair Credit Reporting Act dealt with the handling of credit data.
► The 1978 Right to Federal Privacy Act limited the federal government’s ability to conduct searches of bank records.
► The 1988 Computer Matching and Privacy Act restricted the federal government’s right to match computer files for the purpose of determining eligibility for government programs or identifying debtors.
► The 1968 Electronics Communications Privacy Act covered only voice communications; rewritten in 1986 to include digital data, video communications, and electronic mail.

Page 9: MIS chap # 10..

Computer Legislation in U.S.A. (Cont’d)

► In 1984, U.S. Congress passed federal statutes that applied to computer crime.
► The Small Business Computer Security and Education Advisory Council.
  - Advises Congress of matters relating to computer crime against small businesses.
  - Evaluates the effectiveness of federal and state crime laws in deterring and prosecuting computer crimes.

Page 10: MIS chap # 10..

Computer Legislation in U.S.A. (Cont’d)

► The Counterfeit Access Device and Computer Fraud and Abuse Act made it a federal felony for someone to gain unauthorized access to information pertaining to national defense or foreign relations.
  - Misdemeanor to gain unauthorized access to a computer protected by the Right to Financial Privacy Act or the Fair Credit Reporting Act and to misuse information in a computer owned by the federal government.

Page 11: MIS chap # 10..

Software Patents

► In July 1998, in the State Street Decision, the US Court of Appeals affirmed that a business process could be patented.
► In April 2001, the U.S. Congress introduced a bill requiring a determination of the significance of the patent and whether it is appropriate for use with computer technology.
► In this fashion, the U.S. federal government has gradually established a legal framework for computer use.
► As with ethics, however, the computer laws can vary considerably from one country to the next.

Page 12: MIS chap # 10..

Ethics Culture Concept

► Ethics culture states that if a firm is to be ethical, then top-management must be ethical in everything that it does and says, i.e., lead by example.
► Corporate credo is a succinct statement of values that the firm seeks to uphold.
► Ethics program is an effort consisting of multiple activities designed to provide employees with direction in carrying out the corporate credo.

Page 13: MIS chap # 10..

Figure 10.1 Top-Level Management Imposes Ethics Culture in a Top-Down Manner

Page 14: MIS chap # 10..

Figure 10.2 Example of a Corporate Credo

Page 15: MIS chap # 10..

Ethics Culture Concept (Cont’d)

► Ethics audit is when an internal auditor meets with a manager in a several-hour session for the purpose of learning how the manager’s unit is carrying out the corporate credo.
► Tailored corporate credos are usually adaptations of codes for a particular industry or profession that a firm has devised for its own corporate credo.

Page 16: MIS chap # 10..

Computer Ethics

► Computer ethics consists of two main activities:
  - Analysis of the nature and social impact of computer technology; and
  - Formulation and justification of policies for the ethical use of such technology.
► The CIO must:
  1. Be alert to the effects that the computer is having on society; and
  2. Formulate policies to ensure that the technology is used throughout the firm in the right way.

Page 17: MIS chap # 10..

Reasons for the Importance of Computer Ethics

► James H. Moor believes there are three main reasons for the high level of interest in computer ethics:
  - Logical Malleability: The computer performs exactly as instructed, so if it’s used for an unethical activity the computer is not the culprit.
  - The Transformation Factor: Computers can drastically change the way we do things.
  - The Invisibility Factor: Internal operations provide the opportunity for invisible programming values, invisible complex calculations, and invisible abuse.

Page 18: MIS chap # 10..

Social Rights and the Computer

► Mason coined the acronym PAPA (privacy, accuracy, property, and accessibility) to represent society’s four basic rights in terms of information.
► Mason felt that “the right to be left alone” is being threatened by two forces:
  1. the increasing ability of the computer to be used for surveillance.
  2. the increasing value of information in decision making.
► For example, decision makers place such a high value on information that they will often be willing to invade someone’s privacy to get it.

Page 19: MIS chap # 10..

More Rights …

► Right to Accuracy: the potential for a level of accuracy that is unachievable in noncomputer systems; some computer-based systems contain more errors than would be tolerated in manual systems.
► Right to Property: copyright and patent laws provide some degree of protection.
► Right to Access: much information has been converted to commercial databases, making it less accessible to the public.

Page 20: MIS chap # 10..

Information Auditing

► External auditors from outside the organization verify the accuracy of accounting records of firms of all sizes.
► Internal auditors perform the same analyses as external auditors but have a broader range of responsibilities.
► Audit committee defines the responsibilities of the internal auditing department and receives many of the audit reports.
► Director of internal auditing manages the internal auditing department and reports to the CEO or the CFO.

Page 21: MIS chap # 10..

Figure 10.3 The Position of Internal Auditing in the Organization

Page 22: MIS chap # 10..

Types of Auditing Activity

► Internal auditors offer more objectivity since their only allegiance is to the board, the CEO, and the CFO.
► Four basic types of internal auditing activity:
  - A financial audit: verifies the accuracy of the firm’s records and is the type of activity performed by external auditors.
  - An operational audit: aimed to validate the effectiveness of procedures including adequacy of controls, efficiency, and compliance with company policy. Systems analyst does in SDLC analysis stage.
  - A concurrent audit: is the same as an operational audit except that the concurrent audit is ongoing.
  - Internal Control Systems Design: the cost of correcting a system flaw increases dramatically as the system life cycle progresses (Figure 10.4).

Page 23: MIS chap # 10..

Figure 10.4 The Escalating Cost of Correcting Design Errors as the System Development Life Cycle Progresses

Page 24: MIS chap # 10..

Internal Audit Subsystem

► In the financial information system, the internal audit subsystem is one of the input subsystems.
► Including internal auditors on systems development teams is:
  - A good step toward having well-controlled systems, and the systems are:
  - A good step toward giving management the information it needs to achieve and maintain ethical business operations.

Page 25: MIS chap # 10..

Achieving Ethics in Information Technology

► Ethic codes and ethics educational programs can provide the foundation for the culture.
► Educational programs can assist in developing a corporate credo and in putting ethics programs in place.
► Ethic codes can be used as is or can be tailored to the firm.

Page 26: MIS chap # 10..

Codes of Ethics

► ACM Code of Ethics and Professional Conduct.
  - Adopted in 1992.
  - Consists of 24 “imperatives”, i.e., statements of personal responsibility.
► Code is subdivided into four parts.
  - General moral imperatives.
  - More specific professional responsibilities.
  - Organizational leadership imperatives.
  - Compliance with the code.

Page 27: MIS chap # 10..

Figure 10.5 Outline of the ACM Code of Ethics and Professional Conduct

Page 28: MIS chap # 10..

Table 10.1 Topics Covered by the ACM Code of Ethics and Professional Conduct

Page 29: MIS chap # 10..

Table 10.2 Topics Covered by the ACM Software Engineering Code of Ethics and Professional Practice

Page 30: MIS chap # 10..

ACM Software Engineering Code of Ethics and Professional Practice

► This code consists of expectations in eight major areas:
  - Public
  - Client and employer
  - Product
  - Judgment
  - Management
  - Profession
  - Colleagues
  - Self

Page 31: MIS chap # 10..

Computer Ethics Education

► College courses–ACM developed a model computing curriculum of courses that should be offered.
► Professional programs–AMA, Amer. Mgt. Assoc., offers special programs addressing ethics and integrity.
► Private educational programs–LRN, the Legal Knowledge Co., offers Web-based course modules that address a wide range of ethical and legal issues.

Page 32: MIS chap # 10..

Ethics and the CIO

► As of August 11, 2002, CEOs and CFOs are required to sign off on the accuracy of their financial statements.
► This requirement puts responsibility on the executives but also on the corporate information services unit and the information services units of the business areas to provide the executives with information that is accurate, complete, and timely.
► Information Systems is only one unit in the organizational structure, but it is in a key position to have the most influence on satisfying the demands of both government and society for accurate financial reporting.

Page 33: MIS chap # 10..

Ethics and the CIO (Cont’d)

The CIO can bring financial reporting up to expectations by following a program that includes the following:
  - Achieving a higher level of understanding of accounting principles.
  - Reviewing the information systems that accomplish financial reporting and taking remedial action.
  - Educating the firm's executives on financial systems.
  - Integrating alarms into information systems that alert executives to activities that require attention.
  - Actively participating in the release of financial information to environmental elements.
  - Keeping tight control on money spent for information resources.

Page 34: MIS chap # 10..

Life under Sarbanes-Oxley

► The objective of Sarbanes-Oxley, known as SOX, is to protect investors by making the firm’s executives personally accountable for the financial information that is provided to the firm’s environment, primarily stockholders and the financial community.
► SOX consists of 10 major provisions; 2 directly affect the firm’s information services unit.
  - CEOs and CFOs must certify the financial reports.
  - U.S. companies are required to have internal audit units.

Page 35: MIS chap # 10..

SOX Provisions Affecting Information Services, Resources, and IT

► SOX 404 – CIO must ensure that SOX imposed control requirements are built into systems during systems development and activities should include:
  - Identifying systems that play a role in financial reporting
  - Identifying the risks faced by these systems
  - Developing controls that address the risks
  - Documenting and testing the controls
  - Monitoring the effectiveness of the controls over time
  - Updating the controls as needed

Page 36: MIS chap # 10..

SOX Provisions … (Cont’d)

► SOX 409–firm must be able to report changes in its financial condition in real time–as the changes occur.
  - Should feature online inputs.
  - Output subsystems should be capable of immediately reporting changes in the firm’s financial condition.
► SOX and COBIT
  - COBIT is an industry organization that provides security standards for the firm’s information resources.
  - COBIT can assist the firm in addressing its SOX responsibilities because COBIT standards align very well with the SOX expectations.
  - COBIT has 47,000 members worldwide; its financial reporting standards can have a global effect.