Book Title
Business Driven Information Systems 5th Edition

978-0073402987 Chapter 4 Chapter 4 Closing Material Part 1

April 4, 2019
Instructor Note: There are few right or wrong answers in the business world.
There are really only efficient and inefficient, and effective and ineffective
business decisions. If there were always right answers businesses would never
fail. These questions were created to challenge your students to apply the
materials they have learned to real business situations. For this reason, the
authors cannot provide you with one version of a correct answer. When grading
your students’ answers, be sure to focus on their justification or support for their
specific answers. A good way to grade these questions is to compare your
students' answers against each other.
Organizational information is intellectual capital. Just as organizations protect their
assets - keeping their money in an insured bank or providing a safe working
environment for employees - they must also protect their intellectual capital. An
organization’s intellectual capital includes everything from its patents to its
transactional and analytical information. With security breaches on the rise and
Five steps to creating an information security plan:
1. Develop the information security policies
Simple yet effective types of information security policies include:
Requiring users to log off of their systems before leaving for lunches or
2. Communicate the information security policies
Train all employees and establish clear expectations for following the policies
For example – a formal reprimand can be expected if a computer is left
3. Identify critical information assets and risks
Firewall – hardware and/or software that guards a private network by
analyzing the information leaving and entering the network
Intrusion detection software (IDS) – searches out patterns in network traffic
Business Driven Information Systems - Instructor’s Manual Chapter 4 Page 1 of 8
4. Test and reevaluate risks
Continually perform security reviews, audits, background checks, and
security assessments
5. Obtain stakeholder support
Gain the approval and support of the information security policies by the
Board of Directors and all stakeholders
Top 10 Questions Managers Should Ask Regarding Information Security:
1. Does the board of directors recognize information security is a board-level
issue that cannot be left to the IT department alone?
2. Is there clear accountability for information security in the organization?
3. Do the board members articulate an agreed-upon set of threats and critical
assets? How often do they review and update these?
4. How much is spent on information security and what is it being spent on?
5. What is the impact on the organization of a serious security incident?
6. Does the organization view information security as an enabler? (For example,
by implementing effective security, could the organization increase business
over the Internet?)
7. What is the risk to the business of getting a reputation for low information
8. What steps have been taken to ensure that third parties will not compromise
the security of the organization?
9. How does the organization obtain independent assurance that information
security is managed effectively?
10. How does the organization measure the effectiveness of its information
security activities?
The importance of educating employees on information security
Adding to the complexity of information security is the fact that organizations
must enable employees, customers, and partners to access information
electronically to be successful in this electronic world. Doing business
electronically automatically creates tremendous information security risks for
organizations. Surprisingly, the biggest issue surrounding information security
is not a technical issue, but a people issue.
A few samples of employee information security policies specifically
for Making The Grade.
Employees cannot disclose passwords or confidential information to
Employees cannot view illicit Web material when using a Making The Grade
Other major areas the information security plan should address.
Identification and Assessment of Risks to Customer Information
Information Security Plan Coordinators
Design and Implementation of Safeguards Program
Employee Management and Training
Signs the company should look for to determine if the Website is
being hacked.
Elevation of privilege is a process by which a user misleads a system into
granting unauthorized rights, usually for the purpose of compromising or
Hoaxes attack computer systems by transmitting a virus hoax, with a real
virus attached. By masking the attack in a seemingly legitimate message,
Malicious code includes a variety of threats such as viruses, worms, and
Trojan horses.
Spoofing is the forging of the return address on an email so that the email
message appears to come from someone other than the actual sender. This
Spyware is software that comes hidden in free downloadable software and
tracks online movements, mines the information stored on a computer, or
uses a computer’s CPU and storage for some task the user knows nothing
A sniffer is a program or device that can monitor data traveling over a
network. Sniffers can show all the data being transmitted over a network,
Packet tampering consists of altering the contents of packets as they travel
over the Internet or altering data on computer disks after penetrating a
The major types of attacks the company should expect to experience
Hackers—people very knowledgeable about computers who use their
knowledge to invade other people’s computers
o White-hat hackers—work at the request of the system owners to find
system vulnerabilities and plug the holes.
o Black-hat hackers—break into other people's computer systems and may
Viruses—software written with malicious intent to cause annoyance or
o Worm—a type of virus that spreads itself, not only from file to file, but
also from computer to computer. The primary difference between a virus
and a worm is that a virus must attach to something, such as an
executable file, in order to spread. Worms do not need to attach to
anything to spread and can tunnel themselves into computers.
o Denial-of-service attack (DoS)—floods a Website with so many requests
for service that it slows down or crashes the site.
o Distributed denial-of-service attack (DDoS)—attacks from multiple
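The chapter defines an IDS as software that searches out patterns in network traffic and a DoS attack as a flood of requests that slows or crashes a site. The following is an added example, not code from the textbook, that runs both kinds of check over a handful of constructed web-server log lines: a signature pass that looks for two well-known attack patterns in request paths, and a sliding-window counter that flags any source exceeding a request-rate threshold. The log format, the signatures, the IP addresses and the 20-requests-per-minute threshold are all assumptions chosen for illustration.

```python
"""Toy intrusion-detection pass over constructed access-log lines.
Added example for the chapter's IDS and DoS definitions; the log format,
signatures and thresholds are assumptions, not a real product's rules."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, simplified format:
#   <ISO timestamp> <client IP> "<METHOD> <path>" <status>
# One client probes for SQL injection and path traversal; a second client
# sends 30 requests in 30 seconds, which stands in for a flood.
SAMPLE_LOG = """\
2019-04-04T10:00:00 203.0.113.5 "GET /index.html" 200
2019-04-04T10:00:01 203.0.113.5 "GET /login?user=admin' OR '1'='1" 200
2019-04-04T10:00:02 198.51.100.7 "GET /static/logo.png" 200
2019-04-04T10:00:02 203.0.113.5 "GET /../../etc/passwd" 404
2019-04-04T10:00:03 198.51.100.7 "GET /index.html" 200
""" + "\n".join(
    f'2019-04-04T10:00:{s:02d} 192.0.2.9 "GET /" 200' for s in range(5, 35)
)

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (.*?)" (\d{3})$')

# Signature name -> pattern searched in the request path. These are crude
# on purpose; a real IDS ships thousands of far more specific rules.
SIGNATURES = {
    "sql_injection": re.compile(r"'\s*or\s*'", re.IGNORECASE),  # ' OR '
    "path_traversal": re.compile(r"\.\./"),                      # ../
}


def parse_line(line):
    """Return a record dict for a well-formed line, or None if it does not
    match the expected format (malformed lines are skipped, not trusted)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "method": method, "path": path, "status": int(status)}


def signature_alerts(records):
    """Pattern search: every (ip, signature, path) hit, one per match."""
    alerts = []
    for r in records:
        for name, rx in SIGNATURES.items():
            if rx.search(r["path"]):
                alerts.append((r["ip"], name, r["path"]))
    return alerts


def flood_alerts(records, threshold=20, window_seconds=60):
    """Rate check: flag a source whose request count inside any sliding
    window of `window_seconds` exceeds `threshold`."""
    recent = defaultdict(deque)
    flagged = set()
    for r in sorted(records, key=lambda rec: rec["ts"]):
        q = recent[r["ip"]]
        q.append(r["ts"])
        while (r["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) > threshold:
            flagged.add(r["ip"])
    return sorted(flagged)


def analyze(log_text):
    """Run both detectors over a block of log text."""
    records = [rec for rec in map(parse_line, log_text.splitlines()) if rec]
    return {"signatures": signature_alerts(records),
            "floods": flood_alerts(records)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

The two detectors fail in opposite ways, which is the practical lesson: the signature pass only catches what it has a pattern for, and the rate counter will also flag a legitimate busy client (a proxy fronting many users, for instance), so both normally feed an analyst rather than block traffic on their own.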
The third kind of authentication, using something that is part of the user such as a
fingerprint or voice, is generally considered the strongest of the three, although a
compromised biometric cannot be reissued the way a password or token can.
Biometrics (narrowly defined) is the identification of a user based
1. How do you feel about having your fingerprints, facial features, and
perhaps more of your biometric features encoded in documents like
your passport? Explain your answer.
Some people are comfortable with the types of invasive procedures required by
biometrics, and some people are not. Some feel that biometrics are not a form
2. Would you feel the same way about having biometric information on
your driver’s license as on your passport? Why or why not?
People will probably feel more strongly against biometric information on a
driver’s license than on a passport. It is far easier to lose a driver’s license
3. Is it reasonable to have different biometric identification requirements
for visitors from different nations? Explain your answer. What would
you recommend as criteria for deciding which countries fall into what
This is a tricky question. Could you enforce biometric identification from
4. The checkpoints U.S. citizens pass through upon returning to the
country vary greatly in the depth of the checks and the time spent.
The simplest involves simply walking past the border guards, who may
or may not ask you your
citizenship. The other end of the spectrum requires that you put up
with long waits in airports where you have to line up with hundreds of
other passengers while each person is questioned and must produce a
passport to be scanned. Would you welcome biometric information on
passports if it would speed the process, or do you think that the
disadvantages of the reduction in privacy, caused by biometric
information, outweigh the advantages of better security and faster
border processing? Explain your answer.
Opinions on these subjects will vary considerably. Will biometric information
help speed up the process? With each invention of a new good technology
Ethics are the principles and standards that guide our behavior toward other
people. Technology has created many new ethical dilemmas in our electronic
society. Privacy is the right to be left alone when you want to be, to have control
over your own personal possessions, and not to be observed without your
consent. Privacy is related to con#dentiality, which is the assurance that
messages and data are available only to those who are authorized to view them.
1. A senior marketing manager informs you that one of her employees is
looking for another job and she wants you to give her access to look
through her email.
What are the company’s policies on email? Does this fall into one of the
policies? Did the employee sign an employment contract?
2. A vice president of sales informs you that he has made a deal to
provide customer information to a strategic partner, and he wants you
to burn all of the customer information onto a DVD.
Without permission from several layers of management it would be unethical to
give away corporate information.
3. You are asked to monitor one of your employee’s email to discover if
he is sexually harassing another employee.
What are the company’s policies on email monitoring? What are the company’s
4. You are asked to install a video surveillance system in your office to
watch if employees are taking office supplies home with them.
What are the company’s policies on employee monitoring and information
technology monitoring? If the company does not have the right policies you
5. You are looking on the shared data drive and discover that your
boss's entire hard drive has been copied onto it. What do you do?
Is this an invasion of privacy or since it is posted on a public folder is it now
public material?
6. You have been accidentally copied on an email from the CEO, which
details who will be the targets of the next round of layoffs. What
would you do?
Since you have been copied your name is on the distribution list. The CEO will
People make arguments for or against—justify or condemn—the behaviors in the
below figure. Unfortunately, there are few hard and fast rules for always
determining what is and is not ethical. Knowing the law will not always help
It is truly astonishing how many laws are coming into effect in the workplace. This one
is very invasive and seems almost surreal. Be sure to ask your students to review the
Creating a strong password is becoming a work of art. That unique combination of 10
letters and numbers can be a daunting task to remember. Ask your
students how they currently create passwords, and more importantly, how are they
remembering them? Here is a great video to get the discussion started. Help
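To put numbers behind the "10 letters and numbers" rule, the following is an added example, not code from the textbook or from the video it refers to. It scores a candidate password by the size of the character pool it draws from, estimates an upper bound on its entropy, applies a composition policy like the one the note describes, and rejects passwords from a small blocklist. The length and entropy thresholds and the blocklist contents are assumptions for illustration.

```python
"""Password policy check with an entropy estimate.
Added example for the chapter's password discussion; thresholds and the
blocklist are assumptions, not the textbook's or any vendor's rules."""
import math
import string

# Constructed stand-in for a leaked-password list; real deployments check
# against millions of entries.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein", "welcome1"}

_CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 printable symbols
]


def pool_size(pw):
    """Alphabet size implied by the character classes actually used."""
    return sum(n for chars, n in _CLASSES if any(c in chars for c in pw))


def entropy_bits(pw):
    """Upper-bound entropy assuming every character is drawn uniformly from
    the pool. Human-chosen passwords are always weaker than this bound."""
    pool = pool_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def check_policy(pw, min_length=10, min_bits=50):
    """Return (ok, reasons). The composition rule mirrors the note's
    '10 letters and numbers'; the entropy floor and blocklist are added so
    that a compliant-looking but guessable password still fails."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in pw) or not any(c.isdigit() for c in pw):
        reasons.append("needs both letters and digits")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    bits = entropy_bits(pw)
    if bits < min_bits:
        reasons.append(f"estimated entropy {bits:.0f} bits < {min_bits}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("password1", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        ok, why = check_policy(candidate)
        print(f"{candidate!r}: {'ok' if ok else 'rejected'} {why}")
```

Running it shows the tension the note hints at: a long all-lowercase passphrase has far more estimated entropy than a short mixed-class password, yet the letters-and-digits rule rejects it, which is why current guidance favours length and blocklists over composition rules.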