Business Driven Technology - Instructor’s Manual

BUSINESS PLUG-IN B6
Information Security

LEARNING OUTCOMES
1. Describe the relationship between information security policies and an information security
plan.
The information security plan details how the organization will implement the information
security policies. Information security policies identify the rules required to maintain information
security.

2. Summarize the five steps to creating an information security plan.
1. Develop the information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks
4. Test and reevaluate risks
5. Obtain stakeholder support

3. Provide an example of each of the three primary security areas: (1) authentication and
authorization, (2) prevention and resistance, and (3) detection and response.
1. Authentication and authorization - something the user knows such as a user ID and password, something the user has such as a smart card or token, something that is part of the user such as a fingerprint or voice signature
2. Prevention and resistance - content filtering, encryption, firewalls
3. Detection and response - antivirus software

4. Describe the relationships and differences between hackers and viruses.
Hackers are people very knowledgeable about computers who use their knowledge to invade
other people’s computers. Viruses are software written with malicious intent to cause
annoyance or damage.

CLASSROOM OPENER
NOT-SO-GREAT BUSINESS DECISIONS – Scrushy Faces 30 Years in Prison
Richard Scrushy, former chief executive of HealthSouth, was convicted of bribing Don Siegelman,
former governor of Alabama, for a seat on the state's hospital regulatory board, which oversaw
some of his company's facilities.

The verdict came a year and a day after Mr. Scrushy was found not guilty of involvement in a $2.7
billion accounting fraud at HealthSouth, which he built from scratch into America's largest provider
of rehabilitative healthcare. Mr. Siegelman, a Democrat who was governor from 1999 to 2003, was
also convicted of bribery and mail fraud, following a seven-week trial and 11 days of jury
deliberations. Prosecutors accused Mr. Siegelman of operating a "pay to play" scheme in which
companies and contractors gave political donations in return for contracts and favors. The pair
could each face up to 30 years in jail for the crimes.

B6 – Information Security Page 1 of 7

UBS, the Swiss investment bank, was embroiled in the case through its role as former banker to
HealthSouth. A former UBS banker testified that the bank had helped engineer Mr. Scrushy's
payment to the lottery campaign by forgiving $250,000 in fees it was owed by a healthcare
company through which the donation was funneled.

Mike Martin, HealthSouth's former chief financial officer, told the jury he had put pressure on UBS,
at Mr. Scrushy's behest, to help finance the donation. Mr. Scrushy denied the donation was a bribe,
arguing he wanted to foster good relations with the governor and support his push to improve
public education through a lottery.

HealthSouth was among the raft of US companies where large scale frauds were discovered in the
wake of the accounting scandals at Enron and WorldCom.

CLASSROOM EXERCISE
Discussing Security
Statistics on security issues:
• Identity Theft: According to the Federal Trade Commission – Identity Theft Survey Report:
  New Accounts and Other Fraud: 4.7%
  Misuse of Existing Non-Credit Card Account or Account Number: 2.0%
  Misuse of Existing Credit Card or Credit Card Number: 6.0%
  Total Victims: 12.7%
• Network Hacking: Disgruntled employees wreaking havoc upon their employers as an act of revenge: This is no surprise, given all the statistics that show that the highest percentage of hacking comes from within companies. According to a PricewaterhouseCoopers survey, 58 percent of companies surveyed reported authorized users and employees as the source of a security breach or corporate espionage act within the past year, while 35 percent said the sources of attack were unknown. All other statistics and surveys substantiate this, with figures regularly exceeding 50 percent.
• Security Breaches: A survey conducted in 2004 by consulting firm Deloitte & Touche LLP showed that an amazing 83% of financial-services firms acknowledged that their IT systems had been compromised by attacks from the outside in the past year. In 2003, only 39% of the companies surveyed admitted to a breach. In addition, 40% of the companies polled, which included a quarter of the world's top 100 banks, about a third of the top 100 financial-services firms, and 10% of the 100 largest insurance companies, said they had suffered financial losses due to the attacks.
• Average Reported Computer Security Expenditure per Employee: a total of about $154 combined operating and capital expenditures per employee.

• Percentage of companies that have yet to implement adequate security: 30%.
• As much as 60% of corporate data resides unprotected on PC desktops and laptops.
• Percentage of companies that spend 5% or less of their IT budget on security for their networks: 50%.

CLASSROOM EXERCISE
Analyzing Your School’s Security
Break your students into groups and ask them to research and review your school’s information
security plan and policies. Have them answer the following questions:
• What did the plan address that your students found surprising?
• What is the plan missing or failing to address?
• What policies were missing or not addressed appropriately?
• What policies should be added to the plan?
• How frequently should the plan be updated?
• Who should be responsible for updating the plan?
• Who should be asked for sign-off on the plan?
• How should the plan be communicated with all students and staff?

CORE MATERIAL
The core chapter material is covered in detail in the PowerPoint slides. Each slide contains detailed
teaching notes including exercises, class activities, questions, and examples. Please review the
PowerPoint slides for detailed notes on how to teach and enhance the core chapter material.

CLOSING CASE ONE
Thinking Like the Enemy
1. How could an organization benefit from attending one of the courses offered at the Intense
School?

Information technology departments must know how to protect organizational information.
Therefore, organizations must teach their IT personnel how to protect their systems, especially
in light of the many new government regulations that demand secure systems, such as HIPAA.
By understanding how hackers work, how they break locks, and what types of information they
steal, an organization can defend itself against such attacks by building more secure IT
infrastructures.

For example, by knowing that most break-ins occur through an unlocked basement window, a
person can place locks on all basement windows, thereby decreasing the chance of having
someone break into their home. Without this initial knowledge, it would be difficult for the
person to know where to apply the locks.

2. What are the two primary lines of security defense and how can organizational employees use
the information taught by the Intense School when drafting an information security plan?
The two primary lines of security defense are through people first and technology second.
Employees can use the information taught at the Intense School to draft an information
security plan that details how an organization will implement the information security policies.
The school will most likely teach many of the tricks to social engineering and hacking, which
the employees can use to create the detailed information security policies. For example:
• Employees are not required to reveal authentication information to anyone that does not have a current corporate IT badge
• Employees are not to leave any computer stations unsecured over lunches or during meetings
• All employee computers should have screen saver locks set to automatically turn off whenever the computer is idle for more than ten minutes
• All employees must have current antivirus software that runs daily at 12:00 noon

3. Determine the difference between the two primary courses offered at the Intense School,
“Professional Hacking Boot Camp” and “Social Engineering in Two Days.” Which course is
more important for organizational employees to attend?
The Professional Hacking Boot Camp probably includes topics such as hackers, viruses,
malicious code, hoaxes, spoofing, and sniffers. Social Engineering in Two Days probably
includes such topics as building trust, dressing appropriately, and using/building relationships.
Determining which course to send employees to would depend on the type of business.
Chances are an organization will benefit from sending its employees to both.

4. If your employer sent you to take a course at the Intense School, which one would you
choose and why?
Student answers to this question will vary. The Professional Hacking Boot Camp would be of
interest to students who want to learn how to technically safeguard an organization from
hackers. The Social Engineering in Two Days course would be of interest to students who
want to learn how to use people to safeguard an organization. Looking at majors might help
students determine which course to attend. Human resources and management majors might
want to attend Social Engineering, while finance, accounting, and marketing majors might want
to attend Hacking Boot Camp. Of course, it is best for everyone to attend both to ensure they
are protected using both people and technology.

5. What are the ethical dilemmas involved with having such a course offered by a private
company?
There is the opportunity that unethical students will take the course to learn more about
hacking and use course information to perform illegal activities. The Intense School needs to
ensure it screens all students to try to prevent a person attending the school who has the
wrong intent.

CLOSING CASE TWO
Hacker Hunters
1. What types of technology could big retailers use to prevent identity thieves from purchasing
merchandise?
Authentication and authorization technologies such as biometrics could help big retailers
prevent identity theft by ensuring the customer is the customer. Detection and response
technologies could help big retailers identify fraudulent accounts such as multiple
transactions from different locations around the country, or unusually large purchases in a
short period of time. The retailer could then contact the customer directly if account
information looked suspicious to verify the account was being used legally.
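
The two detection heuristics in this answer (transactions from several locations, and unusually large spend, each within a short period) as an added Python example; this is not code from the manual, and the transactions, the one-hour window, the $3,000 limit and the function names are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transactions (not from the manual):
# (account, ISO timestamp, city, amount in dollars)
SAMPLE_TRANSACTIONS = [
    ("acct-1001", "2024-03-01T09:05:00", "Denver",    45.00),
    ("acct-1001", "2024-03-01T09:40:00", "Miami",    310.00),  # second city 35 min later
    ("acct-1001", "2024-03-01T10:10:00", "Seattle",  899.00),  # third city within the hour
    ("acct-2002", "2024-03-01T12:00:00", "Austin",    25.00),
    ("acct-2002", "2024-03-02T12:30:00", "Austin",    30.00),  # normal pattern, no alert
    ("acct-3003", "2024-03-01T14:00:00", "Boston",  1200.00),
    ("acct-3003", "2024-03-01T14:20:00", "Boston",  1500.00),  # $3,800 in 45 minutes
    ("acct-3003", "2024-03-01T14:45:00", "Boston",  1100.00),
]

# Assumed thresholds; a real retailer would tune these from its own fraud history.
WINDOW = timedelta(hours=1)     # the answer's "short period of time"
MAX_CITIES_PER_WINDOW = 1       # more than one city per window is suspicious
SPEND_LIMIT = 3000.00           # dollars per window

def group_by_account(rows):
    """Sort each account's transactions by time: [(datetime, city, amount), ...]."""
    by_account = defaultdict(list)
    for acct, ts, city, amount in rows:
        by_account[acct].append((datetime.fromisoformat(ts), city, amount))
    for txns in by_account.values():
        txns.sort()
    return by_account

def flag_accounts(rows, window=WINDOW, max_cities=MAX_CITIES_PER_WINDOW,
                  spend_limit=SPEND_LIMIT):
    """Return {account: [reasons]} for accounts that trip either heuristic.

    A window is anchored at every transaction and extends forward by `window`,
    so a burst is caught no matter where in the stream it starts.
    """
    alerts = {}
    for acct, txns in group_by_account(rows).items():
        reasons = set()
        for i, (start, _, _) in enumerate(txns):
            in_window = [t for t in txns[i:] if t[0] - start <= window]
            cities = {city for _, city, _ in in_window}
            total = sum(amount for _, _, amount in in_window)
            if len(cities) > max_cities:
                reasons.add("multiple locations in window")
            if total >= spend_limit:
                reasons.add("spend over limit in window")
        if reasons:
            alerts[acct] = sorted(reasons)
    return alerts

if __name__ == "__main__":
    # The response step from the answer: a flagged account gets a customer call, not an automatic block.
    for acct, reasons in flag_accounts(SAMPLE_TRANSACTIONS).items():
        print(f"{acct}: contact customer to verify ({'; '.join(reasons)})")
```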

2. What can organizations do to protect themselves from hackers looking to steal account
data?
The first step in information security is people. Informing employees about social
engineering, safeguarding against insiders, and implementing information security policies
and procedures is a solid start for any organization looking to prevent information theft. The
second step is technology including:
• Authentication and authorization - something the user knows such as a user ID and password, something the user has such as a smart card or token, something that is part of the user such as a fingerprint or voice signature
• Prevention and resistance - content filtering, encryption, firewalls
• Detection and response - antivirus software

3. Authorities frequently tap online service providers to track down hackers. Do you think it is
ethical for authorities to tap an online service provider and read people’s e-mail? Why or
why not?
Answers to this question will vary based on each student’s ethics. Privacy is the right to be
left alone when you want to be, to have control over your own personal possessions, and
not to be observed without your consent. E-mail monitoring without the person’s knowledge
can be considered an invasion of that person’s privacy. An organization has the
responsibility to act ethically and legally and must take measures to ensure it does so
according to law, policies, and procedures. Authorities must be able to protect the
community from potentially dangerous situations. Organizations and authorities must be
able to use monitoring technologies to determine if there might be a dangerous situation or a
person acting unethically or illegally. There is a fine line between privacy and social
responsibility.

4. Do you think it was ethical for authorities to use one of the high-ranking officials to trap other
gang members? Why or why not?
Answers to this question will vary based on each student’s ethics. Using any means possible
to catch criminals is typically a valid point of view. However, if those means become
unethical then it is difficult to determine who is breaking the law.

5. In a team, research the Internet and find the best ways to protect yourself from identity theft.
http://www.consumer.gov/idtheft/
This is the Federal Trade Commission national resource about identity theft. The Web site
offers a one-stop national resource to learn about the crime of identity theft. It provides
detailed information to help you Deter, Detect, and Defend against identity theft. While there
are no guarantees about avoiding identity theft, there are steps you can take to minimize
your risk and minimize the damage if a problem occurs:
• Deter identity thieves by safeguarding your information
• Detect suspicious activity by routinely monitoring your financial accounts and billing statements
• Defend against ID theft as soon as you suspect a problem

MAKING BUSINESS DECISIONS
Instructor Note: There are few right or wrong answers in the business world. There are really only
efficient and inefficient, and effective and ineffective business decisions. If there were always right
answers businesses would never fail. These questions were created to challenge your students to
apply the materials they have learned to real business situations. For this reason, the authors
cannot provide you with one version of a correct answer. When grading your students’ answers, be
sure to focus on their justification or support for their specific answers. A good way to grade these
questions is to compare your student’s answers against each other.

1. FIREWALL DECISIONS
Project Purpose: To analyze a business decision regarding firewalls.
Potential Solution: The total cost of the investment for three years is $125,000 ($80,000 + 3 × $15,000).
The company is currently losing $250,000 per year resulting from viruses and hackers.
Although the firewalls will only protect against 97 percent of hackers, it should be clear that
buying the firewalls is the best business decision.

2. DRAFTING AN INFORMATION SECURITY PLAN
Project Purpose: To understand how to develop and implement an information security plan.
Potential Solution: An information security policy identifies the rules required to maintain
information security. The information security policies could include reprimands for leaving a
computer unsecured, require users to log off systems when attending meetings or leaving for
lunch, changing passwords every 30 days, not allowing spam from company e-mail, and
not giving up passwords or other types of secure information to any individual that does not
have a valid IT badge. An information security plan details how an organization will implement
the information security policies. Creating an information security plan can alleviate
people-based information security issues since all employees will be informed on the plan and its
associated policies. The plan will help identify who is responsible and accountable for
implementing the policies along with the communication path for the plan.

3. DISCUSSING THE THREE AREAS OF SECURITY
Project Purpose: To explain and identify information security weaknesses.

The three primary information security areas include (1) authentication and authorization, (2)
prevention and resistance, and (3) detection and response.
1. Authentication and authorization - something the user knows such as a user ID and password, something the user has such as a smart card or token, something that is part of the user such as a fingerprint or voice signature
2. Prevention and resistance - content filtering, encryption, firewalls
3. Detection and response - antivirus software

4. COLLEGE SECURITY
Project Purpose: To be able to ask the right questions regarding information security.
Potential Solution: There are many questions a student can ask regarding information
security including:
• Does the college recognize information security is a board-level issue that cannot be left to the IT department alone?
• Is there clear accountability for information security issues?
• Does the college articulate an agreed upon set of threats and critical assets?
• How much is spent on information security and what is it being spent on?
• What is the impact on the organization of a serious security incident?
• Does the organization view information security as an enabler?
• What is the risk to the business of getting a reputation for low information security?
• What steps have been taken to ensure that third parties will not compromise the security of the organization?
• How does the organization obtain independent assurance that information security is managed effectively?
• How does the organization measure the effectiveness of its information security activities?
