Cases

Case 1

Marcum State University

The personnel department at Marcum State University has recently purchased PCs for individual offices in the various departments so that they can keep their own records. In the past, all records were stored on the university's mainframe computer. By decentralizing this computer function, each department will have better control over its individual records, and the security of these records will be easier to manage. Most of the departments would like to transfer personnel records of faculty, staff, and student employees in their departments to their PCs from the mainframe. Dr. John Gould, Chairperson of the Accounting Department, would like to use the personnel data regarding the people in his department to generate some statistics concerning salaries, vacation days used, and absences. Rather than code the files or use social security numbers, Dr. Gould would like to keep the names of the individuals with the information that is recorded about them.

  1. What are some of the security considerations in this conversion?
  2. What are some of the ethical and legal ramifications of keeping files with a person's name attached?
  3. What might be a better way of extracting (and storing) this information to ensure maximum security and control?

(Source: Computer Security Management, Boyd and Fraser Publishing Company, 1994, p. 27, Karen A. Forcht)

Case 2

Alderman Electronics

Alderman Electronics is a fictitious international electronics firm that develops computer chips. The building that houses Alderman's facility includes its administrative headquarters, which houses all its senior executives, as well as computer information on their products and research. Fred Alderman, president, is becoming increasingly concerned with the security of the facility. Numerous stories have been made public about research facilities being penetrated and expensive, time-consuming research and development ideas compromised. Mr. Alderman would like to keep the competitive edge that his organization currently enjoys, and he is intent on reassessing the entire facility for possible vulnerabilities.

All the assets of Alderman Electronics are similar to those of most high-tech companies. Its personnel, property, and proprietary information are housed in the executive offices, computer rooms, and archives. The security department's daily concerns include competitor intelligence gatherers and their technology, internal and external theft of information and equipment, and other white-collar crime.

The basic layout of the facility is as follows:

Perimeter

Building

Entrances

Special Considerations

Provide solutions for controlling access to specific areas at Alderman. (Many professionals might caution that it is not feasible to formulate independent security plans for the various sections of the facility; all areas must be considered as a whole. Point out some of the vulnerabilities in this design and suggest solutions.)

(Source: Computer Security Management, Boyd and Fraser Publishing Company, 1994, pp. 55-56, Karen A. Forcht)

Case 3

Bishop Enterprises

Bishop Enterprises, located in Seattle, Washington, is a medium-sized business specializing in building concrete structures (storage buildings, bridges, utility buildings, and various defense-related installations).

Peter Bishop, president of the company, states that security of its computer systems is critical due to the competitiveness of the commercial concrete industry and the need to protect defense-related information. BE's computer system, as is typical of many, grew on an ad hoc basis as the company grew. Security was not an issue in the early days, when there were only a few key employees and the day-to-day, hands-on management style assured constant vigilance. Mr. Bishop now feels that a solid security package should be added to ensure the ongoing protection of the computer operation.

Mr. Bishop has assigned the task of evaluating several security packages to the director of computer operations, James Clarke. The four objectives that Mr. Clarke has defined for the package selected are:

  1. Accountability
  2. Auditability
  3. Integrity
  4. Usability

What factors should be included in an official policy statement sent out with the request for proposal to the vendors? Write a clear and concise statement so that the vendor is able to respond correctly.

(Source: Computer Security Management, Boyd and Fraser Publishing Company, 1994, pp. 107-8, Karen A. Forcht)

Case 4

Access for Success

The access control industry has a big future. Its growth is fueled by organizations looking for ways to enhance security. Those organizations have invested time and money in a variety of electronic technologies designed to protect people and property from unauthorized access to buildings and restricted areas. But as the access control industry evolves to meet future security needs, what will be the fate of such investment decisions? For a variety of reasons, an organization's changing need for security can outlive the access control system installed to meet that need. Some of the factors that lead to this aging process are:

What are some other factors that could add to this aging process in any organization? Is some aging industry-specific? Are some organizations more vulnerable to increased aging than others?

(Source: Computer Security Management, Boyd and Fraser Publishing Company, 1994, p. 82, Karen A. Forcht)

Case 5

Joe "Sky" King, President of King Aviation, an independent for-hire flight service headquartered in Chicago, Illinois, has recently become more concerned about computer security due to several breaches in King's system. Even though the breaches were somewhat minor, King is concerned about the vulnerability of the data and information, as his clients expect complete discretion. Also of concern is the competition; there are numerous other flight companies in the Chicago area.

A security consultant, on her initial visit to King, mentioned that personnel policies must be addressed first, then technical issues. The consultant observed three distinct personnel areas that need to be rectified:

  1. Employees consistently arriving early and remaining late, without visible signs of extra work being produced.
  2. No debriefing of and no policies related to terminated or resigning employees.
  3. Employees with access to sensitive data who take computers to and from their office in order to do extra work.

Mr. King feels these policies should not be so stringently enforced that employees feel threatened. How could he clean up some of these loose policies so that the vulnerability of the system is lessened, yet continue to foster a productive, highly motivated organization?

(Source: Computer Security Management, Boyd and Fraser Publishing Company, 1994, p. 415, Karen A. Forcht)

Case 6

Stillwater Medical Center

Stillwater Medical Center is a regional hospital, serving a city of 30,000 residents and patients from areas outside of the city. All patients are treated in the hospital facility except in special needs cases, where patients are transferred via ambulance or helicopter to a larger facility.

The Computer Center at SMC processes all records dealing with patients, from the time they are admitted to the hospital until they are discharged. All records are stored in a central mainframe computer, housed in the basement of the hospital. Entries are made by remote terminals located throughout the building in admissions, nursing stations, food services, and other departments. The computer center is off-limits to everyone except authorized employees. When patients are referred to the hospital facility by a physician, their records are created once the referral takes place. All records are then sent to the referring physician, as well as to the individual patient.

The records processed daily are:

  1. Laboratory tests
  2. Financial/accounting data
  3. Nutrition/food service data
  4. Pharmacy data
  5. Surgical data
  6. On-floor nursing staff data
  7. Personal information relating to patient
  8. Physician's records/follow-up
  9. Special needs of individual patients
  10. Insurance billing information
  11. Any other pertinent information

Analyze the various information kept for each patient and assess the level of security that should be attached to each file/record. Bear in mind that some of this information is extremely confidential and some information is somewhat public. What are the legal, moral, and ethical considerations if information is violated or disclosed?

(Source: Computer Security Management, Boyd and Fraser Publishing Company, 1994, Karen A. Forcht)

Case 7

Bank of Shenandoah Valley

Today, banks are transferring large sums of money electronically and facing enormous exposure in the process. The Bank of Shenandoah Valley, located in Roanoke, Virginia, is actively involved in this process. The possibility of funds transfer fraud is prompting many banks to adopt protective measures. The two most common techniques used in the banking industry are encryption and message authentication. Encryption involves the scrambling of messages sent, for example, from a commercial bank to the Federal Reserve Bank. An authenticated message is sent in the clear; anyone who intercepts it can read it. Tacked on to the message is a related secret code that only the receiving party is capable of decoding.

Most observers say that authentication offers more security than encryption because a key is involved.
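The authenticated-clear-message technique described above, as an added example that is not part of the textbook case: the transfer instruction travels readable, with a keyed HMAC-SHA256 tag appended, and the receiver rejects any message whose tag does not match. The shared key, message fields and reference number are constructed for illustration.

```python
import hmac
import hashlib

# Constructed shared secret held by both the sending and receiving bank.
SHARED_KEY = b"constructed-demo-key-do-not-use"

def authenticate(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Return the message in the clear with a keyed MAC tag appended.

    Wire format is '<message>|<hex tag>'. Anyone intercepting it can read
    the message; only a holder of the key can produce a valid tag.
    """
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return message + b"|" + tag.encode()

def verify(wire: bytes, key: bytes = SHARED_KEY) -> tuple[bool, bytes]:
    """Split the wire format and recompute the tag. Returns (ok, message)."""
    message, sep, tag = wire.rpartition(b"|")
    if not sep:
        return False, b""
    expected = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    # compare_digest is a constant-time comparison of the two tags.
    return hmac.compare_digest(tag, expected), message

def tamper_amount(wire: bytes, old: bytes, new: bytes) -> bytes:
    """Model an interceptor editing a field while leaving the tag untouched."""
    message, sep, tag = wire.rpartition(b"|")
    return message.replace(old, new) + sep + tag

# Constructed transfer instruction, modelled on a bank-to-Federal-Reserve message.
TRANSFER = b"FROM=BSV-ROANOKE;TO=FRB-RICHMOND;AMOUNT=1000000.00;REF=0007"

if __name__ == "__main__":
    wire = authenticate(TRANSFER)
    print(wire.decode())      # the instruction is readable in the clear
    print(verify(wire))       # genuine message verifies
    forged = tamper_amount(wire, b"1000000.00", b"9000000.00")
    print(verify(forged))     # altered amount is rejected
    print(verify(wire, b"wrong-key"))   # a party without the key cannot verify
```

Because the message itself is in the clear, this protects only against alteration and forgery; confidentiality against an eavesdropper still requires encryption, which is why the questions below treat the two techniques separately.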

The Bank of Shenandoah Valley is considering both options and needs to address the following questions:

  1. Are there major differences between the two techniques?
  2. What is the volume of transmittal?
  3. Are all messages critical or would encryption/authentication be applied only to certain transmittals? If so, which ones?
  4. What are the cost factors involved?
  5. Which employees should be authorized to transmit?
  6. Will these processes slow down operations?
  7. What other safeguards should be considered?

(Source: Computer Security Management, Boyd and Fraser Publishing Company, 1994, p. 132, Karen A. Forcht)

Case 8

Commonwealth Bank

Commonwealth Bank is the largest bank in the city of Alta, Virginia. The home office of Commonwealth is located in Richmond, Virginia, with banks situated throughout the state. Recently, Mrs. Runyon, the Alta Bank manager, discovered that the Commonwealth system had been breached and nearly $5,000 was diverted to a "dummy" account that has yet to be accessed. Mrs. Runyon immediately closed out this account before the funds could be withdrawn; thus, the bank suffered no cash loss. Mrs. Runyon has now called in a team of auditors to trace the original source of this diversion. She suspects that someone within the bank has diverted the funds from several dormant or inactive accounts that are not being closely watched by the depositors. At this point, Mrs. Runyon has not traced the source of the money or the responsible party.

  1. Does Mrs. Runyon have an obligation to inform the public of the existence of this account?
  2. Once the source is found, should Mrs. Runyon notify the account holder of the problem or quietly transfer the money back into the account?
  3. If the responsible party is discovered, what action should be taken with this individual?
  4. What measures can the bank employ to be sure that this does not happen in the future?

(Source: Computer Security Management, Boyd and Fraser Publishing Company, 1994, p. 28, Karen A. Forcht)

©1997 James Madison University