Growing dependence on information technology


Introduction:

The Sequential Label and Supply Company (often referred to as SLS) is a national supplier of stock labels as well as a manufacturer of custom labels and distributor of supplies often used in conjunction with labels, such as envelopes, adhesive tape, mailing cartons, and related office supplies. The company was founded by Fred Chin in 1992 and has grown steadily in the intervening years.

As the case study begins, the company has recognized its growing dependence on information technology and has organized its information technology group as shown in Figure D-1. (FOUND ON LAST PAGE)

Trouble:

It started out like any other day for Amy Windahl at Sequential Label and Supply Company. She liked her technical support job at the help desk. Taking calls and helping the office workers with PC problems was not glamorous, but it was challenging and paid pretty well. Some of her friends worked at bigger companies, some at higher-tech companies, but everyone kept up with each other, and they all agreed that technology jobs were a good way to pay the bills. The phone rang. This was not a big deal for Amy. She answered her phone about 35 times an hour, 315 times a day, nine days every two weeks. The first call of the day started out the same as usual, with a worried user hoping Amy could help him out of a jam. The call display on her screen gave her all the facts: the user's name, his phone number, the department in which he worked, where his office was on the company campus, and a list of all the calls he'd made in the past. "Hi, Bob," she said. "Did you get that document formatting problem squared away after our last call?"

"Sure did, Amy. Hope we can figure out what's going on today."

"We'll try, Bob. Tell me about it."

"Well, my PC is acting weird," Bob said. "When I go to the screen that has my e-mail program running, it doesn't respond to the mouse or the keyboard."

"Did you try a reboot yet, Bob?"

"Sure did. But the window wouldn't close, and I had to turn it off. Once it finished the reboot, and I opened the e-mail program, it's just like it was before-no response at all. The other stuff is working OK, but really, really slowly. Even my Internet browser is sluggish."

"OK, Bob. We've tried the usual stuff we can do over the phone. Let me open a case, and I'll dispatch a tech over as soon as possible."

Amy looked up at the LED tally board on the wall at the end of the room. She saw that there were only two technicians dispatched to deskside support at the moment, and since it was the day shift, there were four available.

"Shouldn't be long at all, Bob."

She clicked off the line from Bob and typed her notes into ISIS, the company's Information Status and Issues System. She assigned the newly generated case to the deskside dispatch queue, knowing the roving deskside team would be paged with the details and would attend to Bob's problem in just a few minutes.

A moment later, Amy looked up to see Charles Moody walking briskly down the hall. Charlie was the senior manager of the server administration team. He was being trailed by three of his senior technicians as he made a beeline from his office to the door of the server room where the company servers were kept in a controlled environment. They all looked worried. Just then, Amy's screen beeped to alert her of a new e-mail. She glanced down. It beeped again-and again. It started beeping constantly. She clicked on the envelope icon, and after a short delay, the mail window opened. She had 47 new e-mails in her inbox. She opened one from Davey Martinez, an acquaintance from the Accounting Department. The subject line said, "Wait till you see this." The message body read, "Look what this has to say about our managers' salaries ..." There was an icon for a file attachment that Amy did not recognize. But she knew Davey; he often sent her interesting and funny e-mails. She clicked on the icon. Her PC showed the hourglass pointer icon for a second and then resumed showing its normal pointer. Nothing happened. She clicked on the icon for the next e-mail message. Nothing happened. Her phone rang again. She clicked on the ISIS icon on her computer desktop to activate the call management software, and activated her headset. "Hello, Tech Support, how can I help you?" She couldn't greet the caller by name because ISIS had not yet opened the screen on her PC.

"Hello, this is Erin Williams in Receiving."

Amy glanced down at her screen. Still no ISIS. She glanced up to the tally board and was surprised to see the inbound call counter tallying up waiting calls like digits on a stopwatch. Amy had never seen so many calls come in at one time.

"Hi, Erin," Amy said. "What's up?"

"Nothing," Erin answered. "That's the problem." The rest of the call was an exact replay of Bob's earlier call, except Amy couldn't type the notes into ISIS and had to jot them down on a legal pad. She also couldn't dispatch the deskside support team either. She looked at the tally board. It had gone dark. No numbers at all. Then she saw Charlie running down the hall from the server room. He didn't look worried anymore. He looked frantic. Amy picked up the phone. She wanted to check with her supervisor about what to do now. There was no dial tone.

The next day at SLS found everyone in technical support busy restoring computer systems to their former state and installing new virus and worm control software. Amy found herself learning how to install desktop computer operating systems and applications as SLS made a heroic effort to recover from the previous day's attack.

1. Do you think this event was caused by an insider or outsider? Why do you think this?

2. Other than installing virus and worm control software, what can SLS do to be ready for the next incident?

3. Do you think this attack was the result of a virus, or a worm? Why do you think this?

Starting Out:

Fred Chin, CEO of Sequential Label and Supply, leaned back in his leather chair. He propped his feet up on the long mahogany table in the conference room where the SLS Board of Directors had just adjourned their quarterly meeting.

"What do you think about our computer security problem?" he asked Gladys Williams, the company's chief information officer, or CIO. He was referring to last month's outbreak of a malicious worm on the company's computer network.

Gladys replied, "I think we have a real problem this time, and we need to put together a real solution, not just a quick patch like the last time." Eighteen months ago someone had brought an infected floppy disk in from home and infected the network. To prevent this from happening again, all the floppy drives were removed from the company computers. Fred wasn't convinced. "Let's just add another thousand dollars in the next budget to fix it up."

Gladys shook her head. "You've known for some time now that this business runs on computers. That's why you hired me as CIO. I've been researching information security, and my staff and I have some ideas to discuss with you. I've asked Charlie Moody to come in today to talk about it. He's waiting to speak with us."

Charlie joined the meeting, and Fred said, "Hello, Charlie. As you know the Board of Directors met today. They received a report on the expenses and lost production from the virus outbreak last month, and they directed us to improve the security of our computers. Gladys says you can help me understand what we need to do about it."

"To start with," Charlie said, "instead of setting up a computer security solution, we need to develop an information security program. We need a thorough review of our policies and practices, and we need to establish an ongoing risk management program. There are some other things that are part of the process as well, but these would be a good start." "Sounds expensive," said Fred.

Charlie looked at Gladys, then answered, "Well, there will be some extra expenses for specific controls and software tools, and we may have to slow down our product development projects a bit, but the program will be more of a change in our attitude about security than a spending spree. I don't have accurate estimates yet, but you can be sure we will put cost-benefit worksheets in front of you before we spend any money." Fred thought about this for a few seconds. "OK. What is our next step?" Gladys answered, "To start with, we need to initiate a project plan to develop our new information security program. We'll use our usual systems development and project management approach. There are a few differences, but we can adapt our current models easily. We will need to appoint or hire a person to be responsible for information security."

"Information security? What about computer security?" asked Fred. Charlie responded, "Information security includes all the things we use to do business: software, procedures, data, networks, our staff, and computers."

"I see," Fred said. "Bring me the draft project plan and budget in two weeks. The audit committee of the board meets in four weeks, and we'll need to report our progress."

Soon after the board of directors meeting, Charlie was promoted to chief information security officer, a new position that reports to the CIO, Gladys Williams, and that was created to provide leadership for SLS's efforts to improve its security profile.

Question 1: How do Fred, Gladys, and Charlie perceive the scope and scale of the new information security effort?

Question 2: How will Fred measure success when he evaluates Gladys' performance for this project? How about Charlie's performance?

Question 3: Which of the threats discussed in this chapter should receive Charlie's attention early in his planning process?

Industrial Espionage:

Henry Magruder made a mistake: he left a CD at the coffee station. Later, Iris Majwabu was at the coffee station, topping off her coffee cup, hoping to wrap up her work on the current SQL code module before it was time to go home. As she turned to leave, she saw the unlabeled CD on the counter.

Being the helpful sort, she picked it up, intending to return it to the person who'd left it behind.

Expecting to find perhaps the latest device drivers, or someone's work from the development team's office, Iris slipped the disk into the drive of her computer and ran a virus scan against its contents. She then opened the file explorer program. She had been correct in assuming the CD contained data files, lots of them. She opened a file at random, and names, addresses, and Social Security numbers scrolled down her screen. These were not the test records she expected; instead they looked more like critical payroll data. Concerned, she found a readme.txt file and opened it. It read: Jill, see files on this disc. Hope they meet your expectations. Wire money to my account as arranged. Rest of data sent on payment.

Iris realized that someone was selling sensitive company data to an outside information broker. She looked back at the directory listing and saw that the files spanned the range of every department at Sequential Label and Supply-everything from customer lists to shipping invoices. She saw one file that she knew contained the credit card numbers for every Web customer the company supplied. She opened another file and saw that it stopped about halfway through the data. Whoever did this had split the data into two parts. That made sense: payment on delivery of the first half.

Now, who did this belong to? She opened up the file properties option on the readme.txt file. The file owner was listed as "hmagruder." That must be Henry Magruder, the developer two cubes over in the next aisle. Iris pondered her next action.

Iris called the company security hotline. The hotline was an anonymous way to report any suspicious activity or abuse of company policy, although Iris chose to identify herself. The next morning, she was called to a meeting with an investigator from corporate security, which led to more meetings with others in corporate security, and then finally a meeting with the Director of Human Resources and Gladys Williams, the CIO of SLS.

Question 1. Was Iris justified in determining who the owner of the CD was?

Question 2. Should Iris have approached Henry directly, or was the hotline the most effective way to take action?

Question 3. Should Iris have placed the CD back at the coffee station and forgotten the whole thing? Would that response have been ethical on her part?

Deciding What to Protect:

Charlie Moody called the meeting to order. The conference room was full of developers, systems analysts, IT managers, business users, and business managers.

"All right everyone, let's get started. Welcome to the kick-off meeting of the Sequential Label and Supply Information Security Task Force. That's the name of our new project team, and we're here today to talk about our objectives and to review the initial work plan."

"Why are all of the users here?" asked the manager of sales. "Isn't security a problem for the IT Department?"

Charlie explained, "Well, that used to be the case, but we've come to realize that information security is about managing the risk of using automated systems, which involves almost everyone in the company. In order to make our systems more secure, we will need the participation of people from all departments."

Charlie continued, "I hope everyone has read the packets we sent out last week with the legal requirements we face in our industry and the background articles on threats and attacks. Today we'll begin the process of identifying and classifying all of the information technology risks that face our organization. This includes everything from fires and floods that could disrupt our business to criminal hackers who might try to steal or destroy our data. Once we identify and classify the risks facing our assets, we can discuss how to reduce or eliminate these risks by establishing controls. Which controls we actually apply will depend on the costs and benefits of each control."

"Wow, Charlie!" said Amy Windahl from the back of the room. "I'm sure we need to do it-I was hit by the last attack, just as everyone here was-but we have hundreds of systems."

"It's more like thousands," said Charlie. He went on, "That's why we have so many people on this team and why the team includes members of every department."

Charlie continued, "Okay, everyone, please open your packets and take out the project plan with the work list showing teams, tasks, and schedules. Any questions before we start reviewing the work plan?"

As Charlie wrapped up the meeting, he ticked off a few key reminders for everyone involved in the asset identification project.

"Okay, everyone, before we finish, please remember that you should try to make your asset lists complete, but be sure to focus your attention on the more valuable assets first. Also, remember that we evaluate our assets based on business impact to profitability first, and then economic cost of replacement. Make sure you check with me about any questions that come up. We will schedule our next meeting in two weeks, so please have your draft inventories ready."

Question 1: Did Charlie effectively organize the work before the meeting? Why or why not? Make a list of the important issues you think should be covered by the work plan. For each issue, provide a short explanation.

Question 2. Will the company get useful information from the team it has assembled? Why or why not?

Question 3: Why might some attendees resist the goals of the meeting? Does it seem that each person invited was briefed on the importance of the event and the issues behind it?

1000 words.
