Competency C
Demonstrate strong understanding of security and ethics issues related to informatics, user interface, and inter-professional application of informatics in specific fields by designing and implementing appropriate information assurance and ethics and privacy solutions.
Personal Definition and Importance
I came to the SJSU Informatics program with a goal and focus of developing user-friendly skills around data and information. While I do believe I have developed those skills, I feel like I will be pursuing security as a professional as a direct result of this program. Security and ethics go hand in hand when it comes to information systems. Security in the context of informatics is protecting both individual information and organizational information. There is also an organizational reason for robustly considering and implementing security and ethics as part of a business: laws. Implementing strong security based around ethics will keep an organization ahead of most laws surrounding information assurance and privacy; at the very least, organizations will not have to change too much of how they operate if they have a strong security program in place as new laws are being formed.
Supporting Informatics Courses
Ethics was touched upon in virtually every SJSU Informatics course, especially in the security courses. I did take all 3 of the Cybersecurity and Privacy electives provided by SJSU Informatics along with the 2 required core courses that are explicitly about information security. INFM 208 Information Security: Information Assurance, a required core course, nicely addressed and provided frameworks for privacy and security of information. INFM 203 Big Data Analytics and Management was mainly about the data science process, but we were required to research and write a paper called Privacy and Security in a World that Collects Our Data. Since my project for class was about the stock market, I decided to focus on financial data. The following evidence will touch upon financial privacy laws, ethics for data and business in general, a cybersecurity framework, and ethics around public schools. Many other courses not included in the evidence below addressed health privacy and data.
Evidence
Evidence 1: INFM 203 Research Paper
I selected this research paper to show that I can research laws and ethics around data privacy. This paper was inspired by the mini-project I was completing in the class at the time, stock market data. The paper addressed identifying and classifying financial data, which is intricately linked with basic personally identifiable information (PII). This paper also explored institutions that examine data privacy; the National Institute of Technology and Standards (NIST) released a study and guidance called Fair Information Practices that inform many privacy laws about personal data around the world. I present the Gramm-Leach-Bliley Act (GLBA) in the United States, and the General Data Protection Regulation (GDPR) in the European Union. Sector and jurisdiction based laws such as the laws above and different sectors such as the Health Insurance Portability and Accountability Act (HIPAA) show how different laws apply to different industries and geographic areas. I also present an ethical framework for data and business in the paper. I can consider all of these aspects when analyzing a security and ethics program.
Evidence 2: INFM 208 Risk Assessment
I selected this risk assessment to demonstrate creation following the NIST Federal Information Processing Standards Publication 199 (FIPS 199). FIPS 199 requires use of the Confidentiality, Integrity, and Availability (CIA) Triad to apply a security categorization (SC) to assets. This risk assessment required asset identification, determination of value of asset, and data classification. This document is a risk assessment that highlights the CIA Triad framework for cybersecurity. The CIA triad is used to understand potential impact if assets are compromised or destroyed. This risk assessment highlights data, information, and physical assets. Classification of assets and asset types are displayed as well as control and mitigation strategies versus potential threats. Threats could be acts of nature, technical obsolescence or lifecycle, human error, or deliberate sabotage from without and within.
NOTE: Redacted to obfuscate personal information.
Evidence 3: INFM 208 Privacy Laws Post
I selected this post in order to highlight a single law called the Federal Educational Rights and Privacy Act (FERPA). This post demonstrates why ethical direction and laws are needed in the context of personal education data. There was a time when parents did not have access to their children's information or an ability to challenge incorrect information. This post highlights ethical issues with regard to information and privacy using FERPA as an example. This also explores how an information and privacy law can be interpreted in different contexts. It also points out how courts interpret the specifics of such laws.
Professional Application Value of Skill
I can analyze the ethics and security requirements of data. Many laws are being created in response to concerns over data privacy and ownership. It is beneficial to understand the ethics and be ahead of any laws that require compliance by virtue of having an ethical understanding and culture regarding data and privacy. The evidence above shows my ability to apply cybersecurity frameworks and analyze ethics and laws surrounding information and data. I enrolled in all the cybersecurity electives offered, INFM 215 Network Security, INFM 216 Computer/Digital Forensics, and INFM 217 Tools Lab, because I am extremely interested in the cybersecurity and privacy aspect of informatics. I came to SJSU Informatics because of the robustness of the program around data, especially in order to develop user-centered skills, but I am leaving with a goal of becoming a cybersecurity professional.