978-0073402987 Chapter 4 Chapter 4 Closing Material Part 1

Type

Quiz

Book Title

Business Driven Information Systems 5th Edition

ISBN 13

978-0073402987

April 4, 2019

APPLY YOUR KNOWLEDGE BUSINESS PROJECTS

Instructor Note: There are few right or wrong answers in the business world.

There are really only efficient and inefficient, and effective and ineffective

business decisions. If there were always right answers businesses would never

fail. These questions were created to challenge your students to apply the

materials they have learned to real business situations. For this reason, the

authors cannot provide you with one version of a correct answer. When grading

your students’ answers, be sure to focus on their justification or support for their

specific answers. A good way to grade these questions is to compare your

student’s answers against each other.

AYK 1: GRADING SECURITY

Organizational information is intellectual capital. Just as organizations protect their

assets - keeping their money in an insured bank or providing a safe working

environment for employees - they must also protect their intellectual capital. An

organization’s intellectual capital includes everything from its patents to its

transactional and analytical information. With security breaches on the rise and

Five steps to creating an information security plan:

1. Develop the information security policies

Simple yet effective types of information security policies include:

Requiring users to log off of their systems before leaving for lunches or

meetings

2. Communicate the information security policies

Train all employees and establish clear expectations for following the policies

For example – a formal reprimand can be expected if a computer is left

unsecured

3. Identify critical information assets and risks

Firewall – hardware and/or software that guards a private network by

analyzing the information leaving and entering the network

Intrusion detection software (IDS) – searches out patterns in network traffic

Business Driven Information Systems - Instructor’s Manual Chapter 4 Page 1 of 8

4. Test and reevaluate risks

Continually perform security reviews, audits, background checks, and

security assessments

5. Obtain stakeholder support

Gain the approval and support of the information security policies by the

Board of Directors and all stakeholders

Top 10 Questions Managers Should Ask Regarding Information Security:

1. Does the board of directors recognize information security is a board-level

issue that cannot be left to the IT department alone?

2. Is there clear accountability for information security in the organization?

3. Do the board members articulate an agreed-upon set of threats and critical

assets? How often do they review and update these?

4. How much is spent on information security and what is it being spent on?

5. What is the impact on the organization of a serious security incident?

6. Does the organization view information security as an enabler? (For example,

by implementing effective security, could the organization increase business

over the Internet?)

7. What is the risk to the business of getting a reputation for low information

security?

8. What steps have been taken to ensure that third parties will not compromise

the security of the organization?

9. How does the organization obtain independent assurance that information

security is managed effectively?

10. How does the organization measure the effectiveness of its information

security activities?

The importance of educating employees on information security

Adding to the complexity of information security is the fact that organizations

must enable employees, customers, and partners to access information

electronically to be successful in this electronic world. Doing business

electronically automatically creates tremendous information security risks for

organizations. Surprisingly, the biggest issue surrounding information security

is not a technical issue, but a people issue.

A few samples of employee information security policies specifically

for Making The Grade.

Employees cannot disclose passwords or con#dential information to

outsiders

Business Driven Information Systems - Instructor’s Manual Chapter 4 Page 2 of 8

Employees cannot view illicit Web material when using a Making The Grade

computer

Other major areas the information security plan should address.

identification and Assessment of Risks to Customer Information

Information Security Plan Coordinators

Design and Implementation of Safeguards Program

Employee Management and Training

Signs the company should look for to determine if the Website is

being hacked.

Elevation of privilege is a process by which a user misleads a system into

granting unauthorized rights, usually for the purpose of compromising or

Hoaxes attack computer systems by transmitting a virus hoax, with a real

virus attached. By masking the attack in a seemingly legitimate message,

Malicious code includes a variety of threats such as viruses, worms, and

Trojan horses.

Spoo#ng is the forging of the return address on an email so that the email

message appears to come from someone other than the actual sender. This

Spyware is software that comes hidden in free downloadable software and

tracks online movements, mines the information stored on a computer, or

uses a computer’s CPU and storage for some task the user knows nothing

A sniffer is a program or device that can monitor data traveling over a

network. Sniffers can show all the data being transmitted over a network,

Packet tampering consists of altering the contents of packets as the travel

over the Internet or altering data on computer disks after penetrating a

Business Driven Information Systems - Instructor’s Manual Chapter 4 Page 3 of 8

The major types of attacks the company should expect to experience

Hackers—people very knowledgeable about computers who use their

knowledge to invade other people’s computers

oWhite-hat hackers—work at the request of the system owners to #nd

system vulnerabilities and plug the holes.

oBlack-hat hackers—break into other people’s computer systems and may

destruction.

Viruses—software written with malicious intent to cause annoyance or

damage.

oWorm—a type of virus that spreads itself, not only from #le to #le, but

also from computer to computer. The primary difference between a virus

and a worm is that a virus must attach to something, such as an

executable #le, in order to spread. Worms do not need to attach to

anything to spread and can tunnel themselves into computers.

oDenial-of-service attack (DoS)—Hoods a Website with so many requests

for service that it slows down or crashes the site.

oDistributed denial-of-service attack (DDoS)—attacks from multiple

AYK 2: EYES EVERYWHERE

The third kind of authentication, using something that is part of the user such as a

#ngerprint or voice, is by far the best and most effective way to manage

authentication. Biometrics (narrowly de#ned) is the identification of a user based

1. How do you feel about having your 6ngerprints, facial features, and

perhaps more of your biometric features encoded in documents like

your passport? Explain your answer.

Some people are comfortable with the types of invasive procedures required by

biometrics, and some people are not. Some feel that biometrics are not a form

2. Would you feel the same way about having biometric information on

your driver’s license as on your passport? Why or why not?

People will probably feel more strongly against biometric information on a

driver’s license than on a passport. It is far easier to lose a driver’s license

3. Is it reasonable to have di>erent biometric identi6cation requirements

for visitors from di>erent nations? Explain your answer. What would

you recommend as criteria for deciding which countries fall into what

categories?

This is a tricky question. Could you enforce biometric identification from

4. The checkpoints U.S. citizens pass through upon returning to the

country vary greatly in the depth of the checks and the time spent.

The simplest involves simply walking past the border guards who may

or may not ask border guards who may or may not ask you your

citizenship. The other end of the spectrum requires that you put up

with long waits in airports where you have to line up with hundreds of

other passengers while each person is questioned and must produce a

passport to be scanned. Would you welcome biometric information on

passports if it would speed the process, or do you think that the

disadvantages of the reduction in privacy, caused by biometric

information, outweighs the advantages of better security and faster

border processing? Explain your answer.

Opinions on these subjects will vary considerably. Will biometric information

help speed up the process? With each invention of a new good technology

AYK 3: SETTING BOUNDARIES

Business Driven Information Systems - Instructor’s Manual Chapter 4 Page 5 of 8

Ethics are the principles and standards that guide our behavior toward other

people. Technology has created many new ethical dilemmas in our electronic

society. Privacy is the right to be left alone when you want to be, to have control

over your own personal possessions, and not to be observed without your

consent. Privacy is related to con#dentiality, which is the assurance that

messages and data are available only to those who are authorized to view them.

1. A senior marketing manager informs you that one of her employees is

looking for another job and she wants you to give her access to look

through her email.

What are the company’s policies on email? Does this fall into one of the

policies? Did the employee sign an employment contract?

2. A vice president of sales informs you that he has made a deal to

provide customer information to a strategic partner, and he wants you

to burn all of the customer information onto a DVD.

Without permission from several layers of management it would be unethical to

give away corporate information.

3. You are asked to monitor one of your employee’s email to discover if

he is sexually harassing another employee.

What are the company’s policies on email monitoring? What are the company’s

4. You are asked to install a video surveillance system in your oAce to

watch if employees are taking oAce supplies home with them.

What are the company’s policies on employee monitoring and information

technology monitoring? If the company does not have the right policies you

5. You are looking on the shared data drive and discover that your

bosses’ entire hard drive has been copied onto it. What do you do?

Is this an invasion of privacy or since it is posted on a public folder is it now

public material?

Business Driven Information Systems - Instructor’s Manual Chapter 4 Page 6 of 8

6. You have been accidentally copied on an email from the CEO, which

details who will be the targets of the next round of layo>s. What

would you do?

Since you have been copied your name is on the distribution list. The CEO will

AYK 4: CONTEMPLATING SHARING

People make arguments for or against—justify or condemn—the behaviors in the

below figure. Unfortunately, there are few hard and fast rules for always

determining what is and is not ethical. Knowing the law will not always help

AYK 5: FIRED FOR SMOKING ON THE WEEKEND

It is truly astonishing how many laws are coming into effect in the workplace. This one

is very invasive and seems almost surreal. Be sure to ask your students to review the

AYK 6: DOODLING PASSWORD

Creating a strong password is becoming a work of art. That unique combination of 10

alphanumeric letters and numbers can be a daunting task to remember. Ask your

Business Driven Information Systems - Instructor’s Manual Chapter 4 Page 7 of 8

students how they currently create passwords, and more importantly, how are they

remembering them? Here is a great video to get the discussion started. Help

Business Driven Information Systems - Instructor’s Manual Chapter 4 Page 8 of 8