Chapter 9 and 10


Topics Under Discussion


Chapter 9. ICT Policy and E-Strategy
• Definition of Information Policy and e-strategy
• Goals of Information Policy
• ICT policy development
• Levels of Information Policy

Chapter 10: Legal, Security, Social and Ethical Issues in Information Systems
• Impact of Information systems
• Security concerns and security management strategies in e-business applications
• Ethical issues in Information systems

Definition of Information Policy and e-strategy
• IP refers to a set of guidelines, principles, and rules that govern the collection,
storage, dissemination, and use of information.

• IP is comprised of laws, regulations, and doctrinal positions – and other decision making and practices with society-wide constitutive effects – involving information creation, processing, flows, access, and use.

• It provides a framework for organizations and governments to regulate and manage information resources effectively.

• IP can address various aspects, including privacy, security, data retention, intellectual property, accessibility, and ethical considerations.

• The goal of information policy is to ensure that information is handled in a way that is efficient, ethical, and aligned with organizational or societal objectives.

• E-strategy is the strategic planning and implementation of ICT to achieve specific goals.

• E-strategy focuses on leveraging digital tools and technologies to enhance organizational performance, competitiveness, and efficiency.

• It outlines how an organization will utilize technology and digital channels to enhance its operations, engage with customers, and achieve competitive advantage in the digital age.

• It involves various aspects such as digital transformation, online presence, e-commerce, digital marketing, data analytics, and cybersecurity.

• E-strategy typically aligns with the broader organizational strategy and aims to leverage technology effectively to gain a competitive advantage in the digital marketplace.

• Effective e-strategy implementation requires consideration of information policy to address issues such as data privacy, security, and intellectual property rights.

• Information policy needs to be informed by the organization's e-strategy to ensure that it accommodates technological advancements and enables the effective use of digital tools.

• Both concepts are interdependent and play a crucial role in the effective and ethical utilization of information resources in the digital age.
Goals of Information Policy
• Data Security: Ensuring the confidentiality, integrity, and availability of sensitive information.

• Compliance: Ensuring compliance with relevant laws, regulations, and industry standards governing the collection, storage, and processing of data.

• Risk Management: Identifying and mitigating risks associated with data breaches, cybersecurity threats, data loss, and other vulnerabilities.

• Access Control: Implementing mechanisms to control access to information resources based on the principle of least privilege.

• User Training and Awareness: Providing training and awareness programs to educate employees about information security best practices, data handling procedures, and their roles and responsibilities in safeguarding information assets.

• Data Governance, Business Continuity and Disaster Recovery, and Alignment with Business Objectives.
ICT policy development
• ICT (Information and Communication Technology) policy development involves the creation of guidelines, principles, and regulations to govern the use, management, and deployment of technology within an organization or a broader context, such as a government or society.

• Outline of the process involved in ICT policy development:

• Identify Objectives and Scope: Consider the organization's goals, needs, and strategic priorities. Determine the scope of the policy, including the technologies, systems, and stakeholders it will cover.

• Stakeholder Engagement: Engage key stakeholders, including management, IT professionals, legal experts, users, and relevant external parties such as regulators or industry associations.

• Research and Analysis: Understand current trends, best practices, legal requirements, and potential risks related to ICT. Evaluate existing policies and regulations to identify gaps and opportunities for improvement.

• Policy Formulation: Develop the policy framework, including goals, principles, guidelines, and specific provisions related to areas such as cybersecurity, data privacy, IT infrastructure, digital services, and technology procurement. Ensure that the policy is clear, concise, and actionable.

• Risk Assessment: Conduct a comprehensive risk assessment to identify potential threats, vulnerabilities, and impacts associated with ICT systems and operations.

• Develop risk management strategies and controls to mitigate identified risks effectively.

• Legal and Regulatory Compliance: Ensure that the ICT policy complies with relevant laws, regulations, industry standards, and contractual obligations. Seek legal advice.

• Implementation Plan: Develop a detailed implementation plan that outlines the steps, resources, and timelines for rolling out the ICT policy. Identify responsible parties, establish accountability mechanisms, and allocate sufficient resources for implementation.

• Training and Awareness: Provide training and awareness programs to educate stakeholders about the ICT policy, their roles and responsibilities, and best practices for compliance, so that employees understand the rationale behind the policy.

• Monitoring and Evaluation: Establish mechanisms for monitoring and evaluating the effectiveness of the ICT policy over time. Define key performance indicators.

• Review and Revision: Periodically review and revise the ICT policy to reflect changes in technology, business needs, regulatory requirements, and emerging threats.
Levels of Information Policy
• Information policy can be developed and implemented at various levels within an organization or a broader context. Here are the common levels of information policy:

• Organizational Level: Outline how information is collected, stored, accessed, used, and protected within the organization.

• Provide guidelines for employees and stakeholders on how to handle information and ensure consistency and compliance throughout the organization.

• National or Government Level: Policies are developed by government bodies and regulatory authorities to address various aspects such as data protection, cybersecurity, e-government initiatives, intellectual property rights, freedom of information, and privacy laws.

• Industry or Sector Level: Address the unique information management challenges and requirements within that sector. For example, the healthcare industry may have information policies that govern the privacy and security of patient health records, while the financial sector may have policies related to financial data protection and compliance with regulatory standards.

• International Level: Address global issues and promote cooperation and standardization in information management. Organizations such as the UN, ISO, and the EU play a role in developing international IP. These policies may cover areas such as cross-border data flows, data protection standards, cybersecurity cooperation, and intellectual property rights.

• Departmental or Functional Level, Project Level, etc.


Benefits of Information systems
• Develop valuable skills in problem-solving, communication, teamwork, and innovation.

• Help the organization achieve its strategic objectives, improve its performance, and enhance its competitive advantage.

• Organizations leverage data and analytics, optimize business processes, and innovate new products and services.

• Address various social and environmental challenges, such as health care access and education quality.

• Contribute to the development and dissemination of knowledge, the promotion of social justice and inclusion, and the advancement of human rights and democracy.
Impact of Information systems
• Efficiency: IS streamline processes, saving time and resources.

• Improved Decision Making: Real-time data enables better-informed strategic decisions.

• Enhanced Communication: Seamless collaboration fosters innovation and strengthens relationships.

• Globalization: Tools for remote collaboration and supply chain management enable international expansion.

• Customer Service: Personalized interactions and efficient processing lead to higher satisfaction.

• Innovation: Support for research and data analysis drives product and service development.

• Transparency: Access to relevant information builds trust and accountability.

• Risk Management: Data analysis and compliance monitoring help mitigate potential disruptions.

• Sustainability: Resource optimization and digital practices promote environmental responsibility.

• Access to Education and Healthcare: Online platforms improve accessibility to learning and medical services.
Security concerns and security management strategies in e-business applications

• The security concern for an asset is a function of the threat to and the vulnerability of that asset.

• E-business applications face risks such as data breaches, hacking, malware, phishing, and denial-of-service attacks.

• Security Management Strategies:

• Encryption: Implementing strong encryption protocols to protect data both in transit and at rest.

• Access Control: Implementing role-based access control and multi-factor authentication to restrict unauthorized access.

• Network access control, such as two-factor authentication and role-based access controls, can help organizations prevent unauthorized access to systems and data.

• Regular Updates: Keeping software and systems updated with the latest security patches to address vulnerabilities. Stay updated on the latest security threats and trends.

• Firewalls: Deploying firewalls to monitor and control incoming and outgoing network traffic.

• Intrusion Detection Systems: Implementing IDS to detect and respond to potential security breaches.

• Security Audits: Conducting regular security audits and penetration testing to identify and address security weaknesses.

• Regular risk assessments to identify potential security threats and vulnerabilities. This includes both physical and cybersecurity risks.

• Employee Training: Providing comprehensive training to employees on security best practices to prevent social engineering attacks and human errors.

• Make employees understand their role in maintaining security and mitigating potential security threats.

• Incident Response Plan: Developing and regularly updating an incident response plan to effectively respond to security incidents and minimize their impact.

• Data Backup and Recovery: Implementing robust data backup and recovery procedures to ensure business continuity in the event of a security breach or data loss.

• Vendor Management: Evaluating the security measures of third-party vendors and partners and ensuring that they adhere to industry-standard security practices.
