
1. Access control matrix (rows are files, columns are employees, entries are the access codes given in the answer):

   Employee                Zenith   Yogi   Xinthia   Willy   Valerie
   Customer Master file       1       2       0        3        0
   Inventory Master File      1       0       2        3        0
   Payroll Master File        0       0       0        0        0
   System Log Files           0       0       0        0        1

2. Physical security methods (original table columns: Method; Manufacturing Organization; Extra methods justified at a Bank; X marks a method selected, with the justification given):

   1. Build on the right spot
   2. Have redundant utilities
   3. Pay attention to walls (X): foot-thick concrete walls limit damage in the case of an explosion and protect against explosive devices used by unauthorized personnel to infiltrate.
   4. Avoid windows
   5. Use landscaping for protection
   6. Keep a 100-foot buffer zone around the site
   7. Use retractable crash barriers at vehicle entry points
   8. Plan for bomb detection (X): must be prepared for bomb sabotage; vehicles must go through the guardhouse.
   9. Limit entry points (X): only one entrance, so there is less probability that infiltrators can enter the compound undetected.
   10. Make fire doors exit only
   11. Use plenty of cameras (X): install surveillance cameras around the perimeter of the building and at every access point so that infiltrators can be detected promptly.
   12. Protect the building's machinery
   13. Plan for secure air handling (X): ensure that the air ventilation system circulates air rather than poison.
   14. Ensure nothing can hide in the walls and ceilings
   15. Use two-factor authentication
   16. Harden the core with security layers (X): security guards; an inner door that separates visitors from general employees; man traps and floor-to-ceiling turnstiles; the door to the computer processing room is only accessed as needed.
   17. Watch the exits too
   18. Prohibit food in the computer rooms
   19. Install visitor restrooms

3. a. A company's programming staff wrote custom code for the shopping cart feature on its web site. The code contained a buffer overflow vulnerability that could be exploited when the customer typed in the ship-to address.
   Preventive: Teach programmers secure programming practices, including the need to carefully check all user input. Management must support the commitment to secure coding practices, even if that means a delay in completing, testing, and deploying new programs.
   Detective: Make sure programs are thoroughly tested before being put into use. Have internal auditors routinely test in-house developed software.

   b. An accountant successfully logged into the payroll system by guessing the payroll supervisor's password.
   Preventive: Strong password requirements, such as a minimum length of 8 characters, use of multiple character types, random characters, and a requirement that passwords be changed frequently.
   Detective: Lock out accounts after 3-5 unsuccessful login attempts; since this was a guessing attack, it may have taken more than a few attempts to log in.

   c. An employee's laptop was stolen at the airport. The laptop contained personally identifying information about the company's customers that could potentially be used to commit identity theft.
   Preventive: Policies against storing sensitive information on laptops, and a requirement that if any such information must exist on the laptop it be encrypted. Training on how to protect laptops while travelling to minimize the risk of theft.
   Corrective: Installation of "phone home" software might help the organization either recover the laptop or remotely erase the information it contains.

   d. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.
   Preventive: Integrate physical and logical security. In this case, the system should reject any attempt by a user to log in remotely if that same user is already logged in from a physical workstation.
   Detective: Have the system notify appropriate security staff about such an incident.

   e. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.
   Preventive: Security awareness training is the best way to prevent such problems. Employees should be taught that this is a common example of a sophisticated phishing scam.
   Detective and corrective: Anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process for accessing a company's information system.

   f. A company purchased the leading off-the-shelf e-commerce software for linking its electronic storefront to its inventory database. A customer discovered a way to directly access the back-end database by entering appropriate SQL code.
   Preventive: Insist on secure code as part of the specifications for purchasing any third-party software. Thoroughly test the software prior to use. Employ a patch management program so that any vendor-provided fixes and patches are immediately implemented.

   g. Attackers broke into the company's information system through a wireless access point located in one of its retail stores. The wireless access point had been purchased and installed by the store manager without informing central IT or security.
   Preventive: Enact a policy that forbids installation of unauthorized wireless access points.
   Detective: Conduct routine audits for unauthorized or rogue wireless access points.
   Corrective: Sanction employees who violate policy and install rogue wireless access points.

   h. An employee picked up a USB drive in the parking lot and plugged it into their laptop to see what was on it, which resulted in a keystroke logger being installed on that laptop.
   Preventive: Security awareness training. Teach employees to never insert USB drives unless they are absolutely certain of their source. Anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process.

   i. Once an attack on the company's website was discovered, it took more than 30 minutes to determine who to contact to initiate response actions.
   Preventive: Document all members of the CIRT and their contact information. Practice the incident response plan.

   j. To facilitate working from home, an employee installed a modem on his office workstation. An attacker successfully penetrated the company's system by dialing into that modem.
   Preventive: Routinely check for unauthorized or rogue modems by dialing all telephone numbers assigned to the company and identifying those connected to modems.

   k. An attacker gained access to the company's internal network by installing a wireless access point in a wiring closet located next to the elevators on the fourth floor of a high-rise office building that the company shared with seven other companies.
   Preventive: Secure or lock all wiring closets. Require strong authentication of all attempts to log into the system from a wireless client. Employ an intrusion detection system.
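Scenarios b and d above are both rules the authentication service itself can enforce: a lockout after a small number of failed guesses, and a refusal of remote logins for a user who is already logged in at an on-site workstation, with security staff notified. The following Python is an added illustration and not part of the original solution set; the MAX_FAILED value, the account layout and the sample users are assumptions.

```python
"""Login controls for scenarios 3b (lockout) and 3d (physical/logical integration).
All accounts, passwords and sessions below are constructed sample data."""
from dataclasses import dataclass
import hashlib
import hmac
import os

MAX_FAILED = 5  # assumption: top of the 3-5 attempt range recommended in 3b


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed: int = 0            # consecutive failed attempts
    locked: bool = False
    local_session: bool = False  # currently logged in at a physical workstation


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt, _hash(password, salt))


class AuthService:
    def __init__(self):
        self.accounts = {}   # user name -> Account
        self.alerts = []     # detective control: messages for security staff

    def login(self, user: str, password: str, origin: str) -> str:
        """origin is 'local' (on-site workstation) or 'remote' (VPN/Internet).
        Returns 'ok', 'denied' or 'locked'."""
        acct = self.accounts.get(user)
        if acct is None or acct.locked:
            return "locked" if acct is not None else "denied"
        if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed += 1
            if acct.failed >= MAX_FAILED:            # 3b: lock after repeated guesses
                acct.locked = True
                self.alerts.append(f"{user}: locked after {acct.failed} failed attempts")
                return "locked"
            return "denied"
        acct.failed = 0
        if origin == "remote" and acct.local_session:  # 3d: already logged in on site
            self.alerts.append(f"{user}: remote login attempt while logged in on site")
            return "denied"
        if origin == "local":
            acct.local_session = True
        return "ok"
```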

4. From the viewpoint of the customer, the opt-out approach would be disadvantageous. This is because the customer has to tell every company that has been recording his personal information to stop doing so, which is more troublesome and time-consuming on his part. The opt-in approach would be advantageous, as customers can choose the companies that they are interested in and permit them to collect their data. From the viewpoint of the organizations surrounding the customer, opting out would definitely be beneficial, since they can gather as much data as they want from their customers until they are notified to stop. Although adopting an opt-in approach instead of an opt-out one could affect the amount of data collected by organizations, it may not be bad, as the data gathered from customers who do choose to opt in will be more meaningful and favorable for the company.

5. Some students will argue that managers have an ethical duty to do no harm and, therefore, should take reasonable steps to protect the personal information their company collects from customers. Others will argue that it should be the responsibility of consumers to protect their own personal information. Another viewpoint might be that companies should pay consumers if they divulge personal information, and that any such purchased information can be used however the company wants.

6. Many people may view biometric authentication as invasive. That is, in order to gain access to a work-related location or data, they must provide a very personal image of part of their body such as their retina, finger or palm print, their voice, etc. Providing such personal information may make some individuals fearful that the organization collecting the information can use it to monitor them. In addition, some biometrics can reveal sensitive information. For example, retina scans may detect hidden health problems, and employees may fear that such techniques will be used by employers and insurance companies to discriminate against them. RFID tags that are embedded in or attached to a person's clothing would allow anyone with that particular tag's frequency to track the exact movements of the tagged person. For police tracking criminals that would be a tremendous asset, but what if criminals were tracking people they wanted to rob, or whose property they wanted to rob once they knew the person was not at home? Cell phones and social networking sites are some of the other technologies that might cause privacy concerns. Most cell phones have GPS capabilities that can be used to track a person's movement, and such information is often collected by apps that then send it to advertisers. GPS data is also stored by cell phone service providers. Social networking sites are another technology that creates privacy concerns. The personal information that people post on social networking sites may facilitate identity theft.

7. Data classification:
   Highly Confidential (Top Secret): Research Data; Product Development Data; Proprietary Manufacturing Processes; Proprietary Business Processes; Competitive Bidding Data
   Confidential (Internal): Payroll; Cost of Capital; Tax Data; Manufacturing Cost Data; Financial Projections
   Public: Financial Statements; Securities and Exchange Commission Filings; Marketing Information; Product Specification Data; Earnings Announcement Data

8. a. Privacy problems which could arise in the processing of input data, and recommended corrective actions, are as follows:

   Problem: Unauthorized employee accessing paper returns submitted by mail.
   Controls: Restrict physical access to the room used to house paper returns and scanning equipment by using ID badges or biometric controls and by logging all people who enter.

   Problem: Unauthorized employee accessing the electronic files.
   Controls: Multi-factor authentication of all employees attempting to access tax files.

   Problem: Interception of tax information submitted electronically.
   Controls: Encrypt all information submitted to the tax website.

   b. Privacy problems which could arise in the processing of returns, and recommended corrective actions, are as follows:

   Problem: Operator intervention to input data or to gain output from files.
   Controls: Limit operator access to only that part of the documentation needed for equipment operation. Prohibit operators from writing programs and designing the system. Daily review of console log messages and/or run times. Encryption of data by the application program.

   Problem: Attempts to screen individual returns on the basis of surname, sex, race, etc., rather than tax liability.
   Controls: Training about proper procedures. Multi-factor authentication to limit access to the system. Encryption of tax return data stored in the system.

   c. Privacy problems which could arise in the inquiry of data, and recommended corrective actions, are as follows:

   Problem: Unauthorized access to taxpayer information on the web site.
   Controls: Strong authentication of all people making inquiries via the web site, using something other than social security numbers, preferably multi-factor, not just passwords. Encryption of all tax return data while in storage. Encryption of all traffic to/from the web site.

   Problem: Unauthorized release of information in response to a telephone inquiry.
   Controls: Training on how to properly authenticate taxpayers who make telephone inquiries. Strong authentication of taxpayers making telephone inquiries.

   Problem: Disclosure of taxpayer information through improper disposal of old files.
   Controls: Training on how to shred paper documents prior to disposal. Training on how to wipe or erase media that contained tax return information prior to disposal.

(CMA Examination, adapted)
