FRED CHIN, CEO OF SEQUENTIAL LABEL AND SUPPLY, LEANED BACK in his leather chair. He propped his feet up on the long mahogany table in the conference room where the SLS Board of Directors had just adjourned their quarterly meeting. "What do you think about our computer security problem?" he asked Gladys Williams, the company's chief information officer, or CIO. He was referring to last month's outbreak of a malicious worm on the company's computer network. Gladys replied, "I think we have a real problem this time, and we need to put together a real solution, not just a quick patch like the last time." Eighteen months ago someone had brought an infected floppy disk in from home and infected the network. To prevent this from happening again, all the floppy drives were removed from the company computers. Fred wasn't convinced. "Let's just add another thousand dollars in the next training budget to fix it up." Gladys shook her head. "You've known for some time now that this business runs on technology. That's why you hired me as CIO. I've been researching information security, and my staff and I have some ideas to discuss with you. I've asked Charlie Moody to come in today to talk about it. He's waiting to speak with us." Charlie joined the meeting. Fred said, "Hello, Charlie. As you know the Board of Directors met today. They received a report on the expenses and lost production from the virus outbreak last month, and they directed us to improve the security of our technology. Gladys says you can help me understand what we need to do about it." "To start with," Charlie said, "instead of setting up a computer security solution, we need to develop an information security program. We need a thorough review of our policies and practices, and we need to establish an ongoing risk management program. There are some other things that are part of the process as well, but these would be a good start." "Sounds expensive," said Fred. Charlie looked at Gladys, and then answered, "Well, there will be some extra expenses for specific controls and software tools, and we may have to slow down our product development projects a bit, but the program will be more of a change in our attitude about security than a spending spree. I don't have accurate estimates yet, but you can be sure we will put cost benefit worksheets in front of you before we spend any money." Fred thought about this for a few seconds. "OK. What is our next step?" . Gladys answered, "To start with, we need to initiate a project plan to develop our new information security program. We'll use our usual systems development and project management approach. There are a few differences, but we can adapt our current models easily. We will need to appoint or hire a person to be responsible for information security." "Information security? What about computer security?" asked Fred. Charlie responded, "Information security includes all the things we use to do business: software, procedures, data, networks, our staff, and computers." "I see," Fred said. "Bring me the draft project plan and budget in two weeks. The audit committee of the board meets in four weeks, and we'll need to report our progress." Soon after the board of directors meeting, Charlie was promoted to Chief Information Security Officer, a new position that reports to the CIO Gladys Williams. That was created to provide leadership for SLS's efforts to improve its security profile. Answer the following questions (look for the definitions of terminology when necessary): 1. How do Fred, Gladys, and Charlie perceive the scope and scale of the new information security effort? 2. How will Fred measure success when he evaluates Gladys' performance for this project? How about Charlie's performance? 3. Which of the threats discussed in the class should receive Charlie's attention early in his planning process?