The Need for Security

Our bad neighbor makes us early stirrers,
Which is both healthful and good husbandry.
WILLIAM SHAKESPEARE (1564–1616),
KING HENRY, IN HENRY V, ACT 4, SC. 1, L. 6-7.

Fred Chin, CEO of Sequential Label and Supply, leaned back in his leather chair and propped his feet up on the long mahogany table in the conference room where the SLS Board of Directors had just adjourned their quarterly meeting. “What do you think about our computer security problem?” he asked Gladys Williams, the company’s chief information officer, or CIO. He was referring to last month’s outbreak of a malicious worm on the company’s computer network.

Gladys replied, “I think we have a real problem, and we need to put together a real solution, not just a quick patch like the last time.” Eighteen months ago, the network had been infected by an employee’s personal USB drive. To prevent this from happening again, all users in the company were banned from using USB drives.

Fred wasn’t convinced. “Can’t we just add another thousand dollars to the next training budget?”

Gladys shook her head. “You’ve known for some time now that this business runs on technology. That’s why you hired me as CIO. I have some experience at other firms and I’ve been researching information security, and my staff and I have some ideas to discuss with you. I’ve asked Charlie Moody to come in today to talk about it. He’s waiting to speak with us.”

When Charlie joined the meeting, Fred said, “Hello, Charlie. As you know, the Board of Directors met today. They received a report on the expenses and lost production from the worm outbreak last month, and they directed us to improve the security of our technology. Gladys says you can help me understand what we need to do about it.”

“To start with,” Charlie said, “instead of setting up a computer security solution, we need to develop an information security program. We need a thorough review of our policies and practices, and we need to establish an ongoing risk management program. There are some other things that are part of the process as well, but these would be a good start.”

“Sounds expensive,” said Fred.

Charlie looked at Gladys, then answered, “Well, there will be some extra expenses for specific controls and software tools, and we may have to slow down our product development projects a bit, but the program will be more of a change in our attitude about security than a spending spree. I don’t have accurate estimates yet, but you can be sure we’ll put cost-benefit worksheets in front of you before we spend any money.”

Fred thought about this for a few seconds. “OK. What’s our next step?”

Gladys answered, “First, we need to initiate a project plan to develop our new information security program. We’ll use our usual systems development and project management approach. There are a few differences, but we can easily adapt our current models. We’ll need to appoint or hire a person to be responsible for information security.”

“Information security? What about computer security?” asked Fred.

Charlie responded, “Information security includes computer security, plus all the other things we use to do business: procedures, data, networks, our staff, and computers.”

“I see,” Fred said. “Bring me the draft project plan and budget in two weeks. The audit committee of the board meets in four weeks, and we’ll need to report our progress.”
Upon completion of this material, you should be able to:
• Demonstrate that organizations have a business need for information security
• Explain why a successful information security program is the responsibility of both an organization’s general management and IT management
• Identify the threats posed to information security and the more common attacks associated with those threats, and differentiate threats to the information within systems from attacks against the information within systems
• Describe the...