Skip to ContentGo to accessibility pageKeyboard shortcuts menu
OpenStax Logo
Foundations of Information Systems

6.4 Managing Enterprise Risk and Compliance

Foundations of Information Systems6.4 Managing Enterprise Risk and Compliance

Learning Objectives

By the end of this section, you will be able to:

  • Evaluate policies and discern whether they comply with global frameworks
  • Identify gaps and assess risks in an enterprise’s policies
  • Describe the processes involved in developing, implementing, and monitoring new policies and protocols

As you have learned, the responsibility of safeguarding data security and privacy is not just a regulatory requirement: it is also a cornerstone of business success in our modern data-driven age. For enterprise organizations, this requires compliance --the adherence to laws, regulations, and policies governing an industry or operation --to various frameworks. Additionally, it involves a deeper commitment to understanding and continually aligning internal policies and protocols. An entity’s policy consists of defined guidelines and procedures established by the organization to regulate actions and ensure compliance with legal and ethical standards. Its protocols are the specific, detailed procedures or rules designed to implement policies in practical terms; for example, a data security protocol might specify encryption standards, access controls, and incident response measures to enforce the privacy policy. Aligning policies and protocols with data protection standards is necessary because in today’s digital economy businesses increasingly rely on customer data to drive decision-making, innovation, and personalized services. Therefore, earning and maintaining customer trust by responsibly managing their data is essential. This is all achieved by managing enterprise risk and compliance.

Auditing Policy Compliance to a Global Framework

Aligning with global frameworks such as GDPR is an essential step in ensuring that organizations have strong data security and privacy policies. But how exactly does this alignment occur, and what are the specifics involved in ensuring compliance with such a framework? It starts with understanding the GDPR standards and then auditing how well the company’s data and data processing activities perform against those standards. An audit is a systematic evaluation of an organization’s data privacy and security practices.

Key Principles of GDPR

The GDPR is built around seven key principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability. Understanding these principles is the foundation of any GDPR compliance audit. An audit should begin with an assessment of areas of potential need. Table 6.4 shows an example of how a company might identify potential actions to take in each area.

GDPR Principle Facebook’s Actions
Lawfulness, fairness, and transparency Reevaluate user consent mechanisms to ensure transparency and fairness
Provide clearer information on data usage
Purpose limitation Scrutinize third-party app policies to ensure data sharing is for specific, lawful purposes
Data minimization Review whether minimal data transferred policies are fully enforced
Accuracy Improve data accuracy
Storage limitation Implement stricter policies on data storage longevity
Integrity and confidentiality (security) Tighten security measures to prevent unauthorized data access and leaks
Accountability Enhance accountability by increasing interactions with regulators
Communicate compliance with data protection regulations to the public
Table 6.4 Principal Application in Facebook Audit A company can begin an audit by assessing how effectively its policies and protocols are in aligning to the seven key principles of GDPR.

Data Mapping

An audit requires knowing where all types of personal data are stored, processed, and transferred within the organization. Data mapping serves as an essential precursor to effective data governance and compliance. A data mapping tool—which is a software application or platform that enables data professionals to automate the process of mapping data fields, attributes, or elements from source systems to target systems or destinations—can be especially useful here. The tools listed in Table 6.5 can automate this process, identifying various data storage points across the organization’s infrastructure, including cloud services, databases, and even employee devices.

Tool Description
OneTrust Data Mapping Provides a platform specifically designed to help with privacy, security, and data governance, including GDPR compliance; data mapping helps in visualizing data flows and assessing risks
Varonis Focuses on protecting sensitive data and detecting insider threats; data mapping features also help in GDPR compliance by identifying where personal data reside and who has access
Symantec Data Loss Prevention (DLP) Offers robust data mapping capabilities that help in discovering, monitoring, and protecting personal data across endpoints, networks, and storage systems
McAfee Total Protection for Data Loss Prevention Offers robust data mapping, policy enforcement, and reporting capabilities; often used in enterprise settings where there’s a complex landscape of data to manage
Collibra Provides data mapping capabilities as part of its broader data cataloging and governance platform; often used by organizations with more mature data governance needs
IBM Guardium Offers a comprehensive solution for data discovery and classification; particularly robust in dealing with a wide variety of data types and environments, from cloud storage to traditional databases
Informatica Offers data mapping as part of its broader suite of data governance solutions; particularly effective for complex, large-scale enterprise environments
Microsoft Azure Purview Provides a unified data governance service that helps organizations achieve GDPR compliance by mapping data across servers and databases, both on-premises and in the cloud
Talend Offers data mapping as part of its Data Fabric platform, which is useful for enterprises with complex data pipelines
erwin Data Modeling Helps organizations create a physical, conceptual, and logical map of their data landscape, which can be especially useful for GDPR compliance
Table 6.5 Data Mapping Tools Data mapping tools can help facilitate parts of an audit.

These data mapping tools offer advantages that go beyond mere identification. They can also categorize the identified data according to its sensitivity and the privacy risks it presents, thereby aiding in the prioritization of data protection efforts. For instance, personal identifiers such as Social Security numbers or medical records may be flagged as high-risk data requiring stricter security measures. By providing a more structured, visual representation of how data flows and resides within an organization, these tools allow for more effective planning and implementation of data privacy policies.

Data Processing Activities

The GDPR requires organizations to document how they process data. Therefore, understanding what kind of data are being collected, for what purpose, and how it is being processed and stored is essential. Additionally, the regulation mandates that companies maintain a detailed record of their data processing activities, from data collection to storage and eventual deletion.

This recordkeeping is not just a compliance requirement—it also serves a strategic function by fostering a culture of accountability and transparency. Failing to adhere to this detailed level of documentation can lead to significant legal consequences under GDPR.

In the context of Facebook, which faced public scrutiny for its data handling practices during the Cambridge Analytica scandal, GDPR compliance required the company to reevaluate its third-party app policies meticulously. Specifically, Facebook needed to document the kind of user data that was being accessed by third-party apps and for what purpose. This finding led Facebook to make changes in its API permissions, ensuring that data access by third-party apps would be more restricted and better aligned with GDPR principles. For example, apps would need explicit user consent to collect data and would be limited in what types of data they could collect. Not only does this practice protect the rights of individuals, but it also helps organizations minimize risks and liabilities by ensuring that each data processing activity has a lawful basis and specific purpose.

GDPR Compliance Checklist

Checklists can help an organization ensure that it hasn’t missed any critical elements during an audit. Creating a GDPR compliance checklist is an invaluable step in ensuring that all regulatory requirements are met and that no critical elements are overlooked during the audit process. Checklists serve as both a road map for the initial steps of becoming compliant and a measure for ongoing compliance measures. Following that, the checklist usually breaks down GDPR’s key principles and provisions into actionable items. For instance, under the principle of “lawfulness, fairness, and transparency,” items on the checklist could include establishing lawful bases for data processing, drafting clear and transparent privacy notices, and setting up mechanisms for obtaining and recording consents.

Regular reviews and updates to the checklist are necessary for maintaining compliance, especially in a rapidly evolving digital landscape. Creating and following a detailed GDPR compliance checklist demonstrates a proactive approach to data protection and serves as documentary evidence of an organization’s commitment to compliance, which can be particularly useful if regulatory scrutiny ever occurs.

Identifying Gaps and Risks

Aligning with global frameworks is not a one-time task. The dynamic nature of technology, along with changes in regulation and emerging threats, means that organizations must constantly identify and address gaps and risks in their policies. Keeping an enterprise compliant is an ongoing process that demands vigilance, insight, and a proactive approach to risk management. Knowing how to perform a gap analysis, evaluate compliance with global frameworks, and navigate the complex terrain of enterprise risk policies is important for building and maintaining robust and compliant data management systems, and for effectively managing risks in the ever-evolving landscape of enterprise security.

Gap Analysis

The foundation of strong enterprise risk management lies in an organization’s ability to perform a gap analysis, which is an evaluation of existing policies and protocols, identifying weaknesses and areas that might not align with global data security and privacy standards. As international regulations evolve, organizations must be agile, adjusting their policies to ensure they remain in compliance with frameworks such as GDPR, CCPA, HIPAA, and others. The ability to evaluate and adapt to these global frameworks is more than just a legal necessity; it’s a strategic move that can enhance a business’s reputation and consequently its ability to gain and maintain consumer trust.

Risk Assessment

The process of identifying potential risks that could negatively impact an organization’s assets and business operations and evaluating potential negative outcomes and the likelihood of them occurring is called risk assessment. Every data processing activity carries a level of risk, which must be assessed and mitigated. One of the most comprehensive ways to conduct a risk assessment in the context of GDPR is to perform a data protection impact assessment (DPIA). A DPIA is a structured analysis that maps out how personal data are processed and how to minimize the data protection risks to individuals. It often involves evaluating the necessity and proportionality of the data processing activities and requires consultation with relevant stakeholders, including data protection officers (DPOs) and potentially even the data subjects themselves.

For example, an organization would need to conduct a DPIA when changing how user data are shared with third-party apps. This would involve scrutinizing the types of data being shared, the potential risks of this sharing to user privacy, and the measures that could mitigate these risks. They would assess whether the data sharing is necessary for the service to function or whether less intrusive methods are available. Moreover, the DPIA would investigate security measures to ensure the third-party apps have adequate protections in place. After identifying and quantifying risks, the organization then needs to establish measures to mitigate them. These could range from technical solutions such as encryption and access controls to policy measures such as stricter consent requirements or limitations on data sharing. This step also involves determining the residual risks, or the risks remaining after mitigation, to ensure they fall within acceptable levels.

Finally, GDPR requires that risk assessments are not a one-time activity. Risks need to be periodically reviewed and updated, especially when there is a significant change in data processing activities or when there are new insights into potential vulnerabilities and threats. Conducting regular risk assessments and DPIAs demonstrates an organization’s commitment to data protection, and it’s also a key requirement for GDPR compliance.

Developing, Implementing, and Monitoring Policies and Protocols

An assessment of gaps and risks is an audit that helps identify where an organization’s policies and practices align with or deviate from global standards, and it aims to establish the current situation. Once complete, an organization needs to take the findings of the initial audit and use them as a starting point for creating a concrete action plan, which is a detailed outline of steps to be taken to achieve a particular goal. This includes creating new policies and protocols that will bring the organization into compliance with GDPR. This goes beyond mere assessment to provide a road map for achieving compliance, which involves identifying what needs to be done and detailing how to do it.

New Policies and Protocols

The first step involves creating new policies that align with GDPR requirements. For example, this might mean overhauling the company’s existing third-party data sharing agreements to include more explicit consent mechanisms. When Facebook was faced with this need, it introduced a “Privacy Checkup” tool that serves as a proactive measure to empower users to control their personal information and privacy settings.30

This feature guides users through a step-by-step process to review who can see their posts, what kind of personal information is visible to others, and what apps have access to their data. Not only does the Privacy Checkup tool allow users to understand and configure their settings, but it also aligns with Facebook’s obligation under GDPR to make data collection transparent and easily understandable. By implementing such a tool, Facebook is also demonstrating accountability—another key GDPR principle—as it shows the company’s active efforts to help users manage their privacy. Table 6.6 provides some examples of new or updated policies an organization might introduce after an audit of GDPR compliance.

Policy/Action Description
Time-limited data retention policies Develop a policy where user data are deleted or anonymized after a specified period unless renewed consent is obtained, aligning with GDPR’s principles of data minimization and storage limitation
Third-party data handling guidelines Establish stricter policies for third-party developers, including rigorous vetting processes and mandatory compliance checklists, to ensure they handle user data responsibly, in line with GDPR’s accountability principle
Stricter data security measures Implement enhanced encryption methods and two-factor authentication as default settings to better safeguard user data, in accordance with GDPR’s integrity and confidentiality principle
Automated data processing notifications Draft new policies that require explicit notification to users when automated decision-making or profiting based on user data occurs, along with an option to opt out, as mandated by GDPR
Table 6.6 Policies and Actions to Align with GDPR Compliance These examples show potential actions a company might plan to take to improve compliance with GDPR.

Legal and Internal Reviews

Any new policies must undergo a legal review to ensure they are compliant with GDPR standards. They should also be vetted by different departments within the organization to check for feasibility, practicality, and effectiveness.

  • Legal review for GDPR compliance: Before any policy is finalized, it needs to be reviewed by legal experts specializing in data protection and compliance. For instance, Microsoft undertook a comprehensive legal review when GDPR was introduced to ensure all its products and services were complying.31
  • Departmental review for feasibility: Once the legal review confirms the draft policies follow GDPR, the next step is to vet them through the various departments that will be impacted. Each department can give insights into how practicable the new policies are. For example, when Salesforce implemented new privacy policies, it engaged multiple departments, including marketing, sales, and customer service, to ensure operational feasibility.32
  • Executive approval for effectiveness: The final arbiter in the review process is typically the executive leadership of the organization. Its buy-in is critical not just for approval, but also for the effective implementation of the policies. Amazon’s leadership, for example, plays an active role in the review and approval of compliance policies, as evidenced by the company’s public corporate governance guidelines.33

Employee Training

Employees need to be educated about any new policies to ensure company-wide compliance. Training sessions, workshops, and regular updates can serve this purpose. Educating employees about new policies is critical for ensuring that the entire organization adheres to compliance standards. This involves a comprehensive and sustained effort, involving multiple training formats and ongoing updates such as those listed in Table 6.7.

Training Method Description Company Using Method
E-learning courses Development of e-learning courses on GDPR compliance and data privacy, mandatory for all employees. These courses would cover handling user data, responding to data breaches, and upholding GDPR principles in daily tasks. Cisco
Live workshops In addition to digital courses, live workshops offer a platform for employees to ask questions and participate in scenario-based learning. These sessions could be led by internal experts or external consultants. Google
Regular newsletters and updates Distribution of monthly newsletters summarizing changes in data protection laws, best practices, or internal policies. These updates would help keep staff informed and current on policy changes. IBM
Certification programs Introduction of a certification program for roles directly involved in data processing and compliance. Certification could be a requirement for certain positions within the company. Microsoft
Table 6.7 Training Methods and Descriptions Robust employee training works through multiple approaches.

Policy Implementation

Implementing new policies to align data handling practices with GDPR requirements turns assessment findings into actionable practices. For example, if gaps in consent management are identified, systems should be updated to ensure explicit opt-ins and proper recording of user consent. Similarly, if high-risk activities are found, the organization might introduce measures such as encryption or stricter access controls. Effective implementation often requires coordination across multiple systems and departments, ensuring that changes are consistent and integrated throughout the organization. Table 6.8 gives some examples of implementation strategies a company might use.

Implementation Strategy Description
System-wide software updates
  • Implementation of system-wide software updates to enforce new data policies, similar to Apples iOS updates that include privacy settings
  • Could involve changes at the user interface level, such as adding consent checkboxes and transparent data usage notifications
Back-end process overhaul
  • Overhaul of back-end systems, including data storage and retrieval methods, to align with GDPR’s data minimization principle
  • Could include modifying algorithms to anonymize user data, as seen in Google’s approach to reduce privacy law violations
Employee training and change management
  • Employee training sessions to ensure awareness and proper implementation of new policies
  • Addresses the human element of policy changes, like IBM’s comprehensive training programs during major shifts in policy or technology
Table 6.8 IT Implementation Strategies and Descriptions Useful strategies for implementing new data policies include system-wide software updates, back-end process overhauls, and employee training.

Communication

Once new policies are in place, communicating these changes to end users is critical. This could occur via emails, updated terms of service, or in-app notifications, for example. Transparent and timely communication with end users is key to maintaining trust and ensuring that new policies are understood and followed. Here are three ways an organization can communicate these changes effectively:

  • Email notification: An organization can distribute a comprehensive email to all users, providing an executive summary of what changes have been made in the data privacy policy, why these changes were necessary, and what users need to do, if anything, in response. The email should also provide a link to the updated full text of the policy for those who desire to review it in detail. This also includes positive receipt of notification indicating the changes to the policy have been read. An example of such a transparent approach can be found in the way Dropbox communicated its privacy policy changes in 2023.34
  • In-app pop-up: Another effective way of ensuring the message reaches the user base is through an in-app pop-up notification. This notification can appear when users log in to the app after the policy changes have been enacted, offering them a brief overview of the changes, and directing them to more detailed information. X (formerly Twitter), for instance, employed this strategy when the company updated its terms of service in 2023.35
  • Social media announcements: In addition to email and direct communication through the platform, leveraging other social media channels to announce changes can also be useful. A series of posts explaining the key changes in easy-to-understand language can be made on platforms such as Instagram, LinkedIn, or X to broaden the reach. Google took to its blog and social media to explain changes when the company updated its privacy policy in 2020.36

Continuous Monitoring and Auditing

Continuous monitoring and auditing are vital in ensuring that the changes implemented are not merely a one-time fix but are effectively integrated into an organization’s ongoing operations. This involves conducting a mix of automated and manual reviews aimed at regularly validating an organization’s compliance with GDPR. Establishing a schedule for routine audits and assessments is key, as it provides structured intervals for scrutiny, which in turn minimizes the risk of noncompliance creeping back into the organization’s practices over time.

Table 6.9 describes the actions needed to monitor and audit data handling and who is responsible for each action; it also features time frames for the implementation of each task.

Action Item Responsibility Time Frame
1. Develop an audit framework. Legal and compliance teams 1 to 2 months
2. Establish metrics for success. Data analytics team, legal and compliance teams 1 month
3. Conduct quarterly internal audits. Internal audit team Quarterly
4. Conduct annual third-party audits. Compliance team to select third-party auditor Annually
5. Implement real-time monitoring systems. IT security team Ongoing
6. Maintain audit trails. IT and compliance teams Ongoing
7. Review and update policies. Legal and compliance teams After each audit cycle
8. Share audit outcomes. Legal and compliance teams After each audit
Table 6.9 Action Items, Responsible Entity, and Time Frame for Auditing GDPR Compliance Measures An example plan outlines the key action items, responsible teams, and timelines for implementing and auditing GDPR compliance measures.

Case Study: Facebook Gap Analysis, Risk Assessment, and Policy Changes

One real-world example that highlights the need for robust data security and privacy protocols involves the gaps that surfaced in the policies of Facebook (now Meta) during the Cambridge Analytica scandal. In March 2018, it was revealed that the data of around 87 million Facebook users had been harvested without consent by a third-party app and sold to Cambridge Analytica, a political consulting firm. The incident sparked global outrage, leading to intense scrutiny of Facebook’s data privacy practices, and eventually resulting in significant regulatory action.

This case study explores the processes enacted during Facebook’s audit, gap analysis, risk assessment, and policy development and implementation.

Facebook’s approach began by identifying the scope and objectives of its audit. The focus was on how management could address the challenges and gaps in its data privacy practices to align with global standards. The scope was to examine how Facebook’s failure to protect user data led to unauthorized access by Cambridge Analytica, exposing significant flaws in data management and user privacy. The primary objective was to bring Facebook’s data privacy policies into compliance with global standards such as GDPR, ensuring management’s responsibility for implementing necessary changes.

Facebook conducted a detailed examination of existing policies, with a critical eye toward identifying vulnerabilities and areas for improvement. Although the pre-incident policies that allowed third-party apps to access Facebook users’ data were compliant with existing laws, they were found to be risky. This situation highlighted the importance of not only complying with legal requirements, but also adhering to privacy best practices to protect users’ personal information.

The next phase involved comparing Facebook’s practices to the stringent requirements of the EU’s GDPR. GDPR emphasizes principles such as data minimization and transparency, both of which were lacking in Facebook’s existing data sharing approach. The principle of data minimization ensures that organizations only collect, process, and store the minimum amount of personal data necessary for its purpose. Identifying specific areas where compliance with international standards was lacking underscored the need for targeted interventions.37

Next was the process of identifying gaps and weaknesses which involved a meticulous examination of areas where policies, procedures, and practices fell short. This step pinpointed specific areas that needed to be addressed to enhance data protection and user privacy. In the case of Facebook, the company conducted an audit and found gaps in its own user consent management, data sharing controls, and third-party data access monitoring. It then laid out a plan to address these areas systematically.

Risk evaluation considers potential negative consequences resulting from gaps and weaknesses. For Facebook, the risks included substantial regulatory fines (such as a $5 billion fine by the FTC), potential reputational damage, and the loss of user trust. For any organization, understanding these risks is essential in prioritizing and tailoring the response to ensure that the most significant threats are addressed promptly.

Based on the identified gaps and assessed risks, Facebook needed to develop clear and actionable plans to rectify its shortcomings. This included implementing changes to limit third-party access, which is access to data from an external entity to user data, enhancing user consent mechanisms, and increasing transparency regarding data usage.

The implementation phase is where planned changes are executed. Facebook, in response to heightened data privacy concerns, began to conduct more robust audits of third-party developers, enhancing oversight and adhering to stricter data privacy standards. To ensure these changes were not just one-off adjustments but part of a sustained compliance strategy, Facebook instituted continuous monitoring measures. These measures include regular reviews of data access and usage by third-party developers, the use of advanced analytics to detect and respond to unusual patterns indicative of potential data misuse, and ongoing updates to their data privacy policies and practices in line with evolving regulations and user expectations. Continuous monitoring of compliance ensures that the changes not only effectively address identified gaps, but also that ongoing compliance is maintained, adapting to new challenges and regulatory requirements as they arise.

Documenting and reporting are final steps that are vital in maintaining transparency and trust. Facebook increased transparency with users and regulators through public reports and regular updates on privacy measures, reinforcing the importance of management’s role in driving these changes.

Facebook’s reevaluation of its data security and privacy policies after the Cambridge Analytica scandal illustrates the process of aligning corporate practices with global standards. It also serves as a lesson for organizations to be vigilant in protecting user privacy, ensuring compliance with regulatory frameworks, and establishing transparent communication with stakeholders.

Ethics in IS

Ethical Considerations in Gap Analysis

In 2022, Uber faced significant backlash after a data breach exposed the personal information of millions of users. This incident underscores the ethical responsibilities companies have when managing sensitive data. The gap analysis process is not just about compliance but also about upholding ethical standards to protect user trust.

Key ethical considerations before a gap analysis include:

  • Informed consent: Ensure users fully understand and agree to how their data will be used and stored.
  • Transparency: Be clear and open about data collection, storage, and sharing practices.
  • Trust: Protect the trust users place in your organization by implementing robust data protection measures.
  • Accountability: If gaps are found, be transparent and take responsibility to address them immediately.

Ethical actions after a gap analysis include:

  • Communicate clearly: Inform stakeholders promptly if any vulnerabilities are detected.
  • Implement changes responsibly: Address any identified gaps with a focus on ethical responsibility, not just legal compliance.
  • Ongoing monitoring: Continuously audit and monitor data practices to ensure ongoing protection and trust.

By integrating these ethical considerations into your gap analysis, the organization can enhance data security and build a culture of trust and accountability.

Footnotes

  • 30“Guiding You through Your Privacy Choices,” Meta Newsroom, January 6, 2020, https://about.fb.com/news/2020/01/privacy-checkup/
  • 31Julie Brill, “GDPR’s First Anniversary: A Year of Progress in Privacy Protection,” Microsoft On the Issues, May 20, 2019, https://blogs.microsoft.com/on-the-issues/2019/05/20/gdprs-first-anniversary-a-year-of-progress-in-privacy-protection/
  • 32“Full Salesforce Privacy Statement,” Salesforce, July 24, 2023, https://www.salesforce.com/company/privacy/full_privacy/
  • 33“Annual Report,” Amazon, 2022, https://s2.q4cdn.com/299287126/files/doc_financials/2023/ar/Amazon-2022-Annual-Report.pdf
  • 34“Dropbox Terms of Service and Privacy Policy Updates,” Dropbox, updated January 15, 2024, https://help.dropbox.com/security/terms-service-privacy-policy
  • 35X “An Update on Two-Factor Authentication Using SMS on Twitter,” X Blog, February 15, 2023, https://blog.twitter.com/en_us/topics/product/2023/an-update-on-two-factor-authentication-using-sms-on-twitter
  • 36Sundar Pichai, “Keeping Your Private Information Private,” Google: the Keyword, June 24, 2020, https://blog.google/technology/safety-security/keeping-private-information-private/
  • 37Colin J. Bennett, “The European General Data Protection Regulation: An Instrument for the Globalization of Privacy Standards?,” Information Polity 23, no. 2 (April 2018), https://doi.org/10.3233/IP-180002
Citation/Attribution

This book may not be used in the training of large language models or otherwise be ingested into large language models or generative AI offerings without OpenStax's permission.

Want to cite, share, or modify this book? This book uses the Creative Commons Attribution-NonCommercial-ShareAlike License and you must attribute OpenStax.

Attribution information
  • If you are redistributing all or part of this book in a print format, then you must include on every physical page the following attribution:
    Access for free at https://openstax.org/books/foundations-information-systems/pages/1-introduction
  • If you are redistributing all or part of this book in a digital format, then you must include on every digital page view the following attribution:
    Access for free at https://openstax.org/books/foundations-information-systems/pages/1-introduction
Citation information

© Mar 11, 2025 OpenStax. Textbook content produced by OpenStax is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike License . The OpenStax name, OpenStax logo, OpenStax book covers, OpenStax CNX name, and OpenStax CNX logo are not subject to the Creative Commons license and may not be reproduced without the prior and express written consent of Rice University.