No Duty of Care: The Governance of ICT

Marghanita da Cruz, Principal Consultant, Ramin Communications

ET GOVICT2008 - A Conference on the Ethical Governance of ICT and the Role of Professional Bodies
University House, Australian National University
1 - 2 May 2008

Outline

April's News
Straw Poll of Roles and Responsibilities
Australian Standard for Corporate Governance of ICT
Security
Financial Legislation
Regulation & Legislation of the Use of ICT
Level of Online Fraud
Ethics
What could ICT Professional Ethics Offer

April's news

Straw Poll on ICT Roles and Responsiblities

analysis and programming.
Web conformance
IT architect ...simplistic requests of "a desktop server costing a few thousand dollars" to run an enterprise class application.
a small team of good programmers could make something that worked extremely well for very little money running open source software like apache, perl, python, postgresql..
departments make their own decisions within a framework of technology and data standards
Design Authority - Enterprise Architect, Business Process Architect, Business leaders, Risk, Compliance and Quality Managers
internal auditors can provide independent and objective feedback that IT investments are being well-managed and that they are having a positive impact on the organization's operation.
Some important choices depend upon informed judgement that is not easily accessible to people who have not acquired the requisite skills or knowledge....
"Information Technology" is a large specialisation of "computing" concerned with the use of computers in administration. That specialisation doesn't include scientific computing, embedded computing, supercomputers, vision, etc.
IT is about creating computers, Informatics is about using computers.

Australian Standard for Corporate Governance of ICT

ISO/IEC 38500 based on As8015 is due to be published at the end of May 2008

Illustration of Corporate Governance of ICT by Joel Tarling

AS8015 Principles

Establish Responsibilities
Plan ICT
Acquire ICT validly
Ensure that ICT performs
Ensure ICT conforms
Ensure ICT respects human factors

AS8015 Model

Evaluate against Pressure & Needs
Direct Policies & Plans
Monitor Conformance and Performance

Other Standards & Better Practice Guidelines

OECD Security Principles
Record Keeping (ISO 15489)
Information Security (ISO27001)
Service Management (ISO20000)
Interchange of Client Information (AS 4590)
Environmental Impact (ISO14000,Energy Ratings)
PMBOK and Prince II

OECD Security of Information Systems and Networks Principles

Awareness
Responsibility
Response
Ethics
Democracy
Risk Assessment
Security design and implementation
Security Management
Reassessment

Financial Legislation

Goods and Services Tax Business Activity Statement (2000)
Sarbanes Oxley (US - 2002)
CLERP 9 Corporate Reporting & Disclosure (2004)
Company Reports to be provided on websites (2007)
Record Keeping
Compulsory Superannuation

ICT Regulation and Legislation

Commonwealth Criminal Code 1995 -Computer Offences
Telecommunications 1997 (Interception 2006)
Broadcasting Services 1992 (Amendments: Online Services 1999, Digital broadcasting & Datacasting 2000)
Information Privacy 2000
Copyright (Amendments in 2004 for US-Aus FTA)
Do Not Call Register 2006
SPAM 2003
Disability Discrimination 1992 (Accessibility of Websites)
Net Alert - content filtering

Privacy Act 1988 Personal Information Principles

Manner and purpose of collection
Solicitation from individual concerned and generally
Storage and security
Information relating to records kept by record-keeper
Access to records
Alteration of records
Record-keeper to check accuracy etc before use
Limits on Use and disclosure

Experience of Online Credit Card Fraud (aic.gov.au)

Table 3: Number and percent of victims of online credit card fraud by business type in Australia
	Currently trading online		Previously traded online
Business type	n	% victims	n	% victims
Florists	296	28	24	0
Book sellers	181	43	15	33
Recorded music retailers	77	26	15	17
Toy and game retailers	72	33	9	100
Computer hardware retailers	215	30	32	50
Total	841	32	95	34
Source: Australian Institute of Criminology, Online credit card fraud against small business 2003 [computer file, weighted data]

Internet Scams (fido.gov.au)

Online auction & shopping scams
Fake Domain name renewals
Spam (junk mail) offers
Modem jacking & Spyware
Phishing & Card Skimming

Ethics pop up all over the place

AS8015 Principle 1 - Establish Clearly Understood Responsibilities for ICT includes "ensure those given responsibilities are competent"
As8015 Principle 2 - Ensure ICT conforms with formal rules includes "direct that all actions relating to ICT be ethical"
OECD Security Principle 4 - Ethics - participants should respect the legitimate interests of others
ASX Corporate Governance Principles (2007) Principle 6 "Promote Ethical and Responsible decision making"
The Australian Public Service Values "the highest ethical standards";
Australian Ethical Investment Charter Social and Environmental Effects of Investment
Malaysian Islamic Capital Market - Shariah compliant securities and trading

What could ICT professional ethics offer

Distinguish Advice from Sales Pitch
Improve Project Risk and Uncertainty Analysis
Improve Risk and Uncertainty Management
Improve Utilisation of real ICT opportunities
Improve collaboration
More effective Regulation & Policies

References & Further Reading

Straw Poll of Roles and Responsibilities
AS8015-2005 - Australian Standard for Corporate Governance of Information and Communication Technology (ICT)
Survey of IT Governance Instruments, Standards, Guides, Regulations, Laws and Frameworks - ramin.com.au/itgovernance
Ethics, Mike Bowern, Information Age 14/02/2006
Achieving value from ICT: key management strategies (2005)
Building ethics into quality assurance Craig McDonald, Information Age (18/08/2005)
ICT Integrity: bringing the ACS code of ethics up to date, Michael Bowern, Oliver Burmeister, Don Gotterbarn, John Weckert
Striking a balance between Ethics and IT Governance Graeme Pye, Matthew Warren
AS8015-2005 - Australian Standard for Corporate Governance of Information and Communication Technology (ICT) - ramin.com.au/itgovernance/as8015.html
OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security - www.oecd.org
Types of fraud relating to other purchases - www.aic.gov.au
Do Not Call Register - www.donotcall.gov.au
Spam & e-Security - www.acma.gov.au
Protecting Australian Families Online - www.netalert.gov.au
Information Privacy Principles under the Privacy Act 1988 - www.privacy.gov.au
Digital switchover date confirmed (18 December 2007) - www.minister.dbcde.gov.au/
The whole-of-government IT outsourcing initiative - www.aph.gov.au
Unisys Australia Ltd v RACV Insurance Pty Ltd & Anor [2004] VSCA 81 (14 May 2004) - www.austlii.edu.au
Australian Customs - more flak than facts? (14/02/2006) - www.infoage.idg.com.au
Going cheap: One.Tel's last jewel (July 14, 2004) - www.smh.com.au
MoneyTree Venture Capital Profile for United States - PricewaterhouseCoopers/Venture Economics/NVCA - vx.thomsonib.com
ASIC reaches agreement with John Greaves in One.Tel proceedings (6 September 2004) - www.asic.gov.au
Former FAI officer sentenced (1 December 2006) - www.asic.gov.au
ASIC commences investigation into Ansett (14 September 2001) - www.asic.gov.au
Key superannuation information - www.ato.gov.au
Values in the APS
Corporate Law Economic Reform Program (CLERP 9) - www.asic.gov.au
Principles of Good Corporate Governance and Best Practice Recommendations - www.asx.com.au
www.acs.org.au/governance
Australian Ethical Charter - austethical.com.au
Malaysian Islamic Capital Market
"Understanding and Managing Risk Attitude", Hilson and Murray-Webster
Frameworks for IT Management

Professionalisation, Ethics And Integrity Systems: Summary Account

ramin communicationsGovernance of Information and Communication Technology