    The Sequential Label and Supply Company

    The Sequential Label and Supply Company (often referred to as SLS) is a
    national supplier of stock labels as well as a manufacturer of custom labels
    and distributor of supplies often used in conjunction with labels, such as
    envelopes, adhesive tape, mailing cartons, and related office supplies. The
    company was founded by Fred Chin in 1992 and has grown steadily in the
    intervening years.
    As the case study begins, the company has recognized its growing
    dependence on information technology and has organized its information
    technology group as shown in Figure D-1. (FOUND ON LAST PAGE)
    It started out like any other day for Amy Windahl at Sequential Label
    and Supply Company. She liked her technical support job at the help desk.
    Taking calls and helping the office workers with PC problems was not
    glamorous, but it was challenging and paid pretty well. Some of her friends
    worked at bigger companies, some at higher-tech companies, but everyone
    kept up with each other, and they all agreed that technology jobs were a
    good way to pay the bills.
    The phone rang. This was not a big deal for Amy. She answered her
    phone about 35 times an hour, 315 times a day, nine days every two weeks.
    The first call of the day started out the same as usual, with a worried user
    hoping Amy could help him out of a jam. The call display on her screen
    gave her all the facts: the user's name, his phone number, the department
    in which he worked, where his office was on the company campus, and a
    list of all the calls he'd made in the past.
    "Hi, Bob," she said. "Did you get that document formatting problem
    squared away after our last call?"

    "Sure did, Amy. Hope we can figure out what's going on today."
    "We'll try, Bob. Tell me about it."
    "Well, my PC is acting weird," Bob said. "When I go to the screen that
    has my e-mail program running, it doesn't respond to the mouse or the
    "Did you try a reboot yet, Bob?"
    "Sure did. But the window wouldn't close, and I had to turn it off. Once
    it finished the reboot, and I opened the e-mail program, it's just like it was
    before - no response at all. The other stuff is working OK, but really, really
    slowly. Even my Internet browser is sluggish."
    "OK, Bob. We've tried the usual stuff we can do over the phone. Let me
    open a case, and I'll dispatch a tech over as soon as possible."
    Amy looked up at the LED tally board on the wall at the end of the room.
    She saw that there were only two technicians dispatched to deskside support
    at the moment, and since it was the day shift, there were four available.
    "Shouldn't be long at all, Bob."
    She clicked off the line from Bob and typed her notes into ISIS, the
    company's Information Status and Issues System. She assigned the newly
    generated case to the deskside dispatch queue, knowing the roving deskside
    team would be paged with the details and would attend to Bob's problem
    in just a few minutes.
    A moment later, Amy looked up to see Charles Moody walking briskly
    down the hall. Charlie was the senior manager of the server administration
    team. He was being trailed by three of his senior technicians as he made a
    beeline from his office to the door of the server room where the company
    servers were kept in a controlled environment. They all looked worried.
    Just then, Amy's screen beeped to alert her of a new e-mail. She glanced
    down. It beeped again - and again. It started beeping constantly. She
    clicked on the envelope icon, and after a short delay, the mail window
    opened. She had 47 new e-mails in her inbox. She opened one from Davey
    Martinez, an acquaintance from the Accounting Department. The subject
    line said, "Wait till you see this." The message body read, "Look what this
    has to say about our managers' salaries ..." There was an icon for a file
    attachment that Amy did not recognize. But she knew Davey; he often sent
    her interesting and funny e-mails. She clicked on the icon.
    Her PC showed the hourglass pointer icon for a second and then
    resumed showing its normal pointer. Nothing happened. She clicked on
    the icon for the next e-mail message. Nothing happened. Her phone rang
    again. She clicked on the ISIS icon on her computer desktop to activate the
    call management software, and activated her headset. "Hello, Tech
    Support, how can I help you?" She couldn't greet the caller by name because
    ISIS had not yet opened the screen on her PC.
    "Hello, this is Erin Williams in Receiving."
    Amy glanced down at her screen. Still no ISIS. She glanced up to the tally
    board and was surprised to see the inbound call counter tallying up waiting
    calls like digits on a stopwatch. Amy had never seen so many calls come in
    at one time.
    "Hi, Erin," Amy said. "What's up?"
    "Nothing," Erin answered. "That's the problem." The rest of the call was
    an exact replay of Bob's earlier call, except Amy couldn't type the notes
    into ISIS and had to jot them down on a legal pad. She also couldn't
    dispatch the deskside support team either. She looked at the tally board. It had
    gone dark. No numbers at all.
    Then she saw Charlie running down the hall from the server room. He
    didn't look worried anymore. He looked frantic.
    Amy picked up the phone. She wanted to check with her supervisor
    about what to do now. There was no dial tone.
    The next day at SLS found everyone in technical support busy restoring
    computer systems to their former state and installing new virus and worm
    control software. Amy found herself learning how to install desktop
    computer operating systems and applications as SLS made a heroic effort to
    recover from the previous day's attack.
    1. Do you think this event was caused by an insider or outsider? Why do
    you think this?
    2. Other than installing virus and worm control software, what can SLS
    do to be ready for the next incident?
    3. Do you think this attack was the result of a virus, or a worm? Why do
    you think this?

    Starting Out

    Fred Chin, CEO of Sequential Label and Supply, leaned back in his
    leather chair. He propped his feet up on the long mahogany table in the
    conference room where the SLS Board of Directors had just adjourned their
    quarterly meeting.
    "What do you think about our computer security problem?" he asked
    Gladys Williams, the company's chief information officer, or CIO. He was
    referring to last month's outbreak of a malicious worm on the company's
    computer network.
    Gladys replied, "I think we have a real problem this time, and we need
    to put together a real solution, not just a quick patch like the last time."
    Eighteen months ago someone had brought an infected floppy disk in from
    home and infected the network. To prevent this from happening again, all
    the floppy drives were removed from the company computers.
    Fred wasn't convinced. "Let's just add another thousand dollars in the
    next budget to fix it up."
    Gladys shook her head. "You've known for some time now that this
    business runs on computers. That's why you hired me as CIO. I've been
    researching information security, and my staff and I have some ideas to
    discuss with you. I've asked Charlie Moody to come in today to talk about it.
    He's waiting to speak with us."
    Charlie joined the meeting, and Fred said, "Hello, Charlie. As you know
    the Board of Directors met today. They received a report on the expenses
    and lost production from the virus outbreak last month, and they directed
    us to improve the security of our computers. Gladys says you can help me
    understand what we need to do about it."
    "To start with," Charlie said, "instead of setting up a computer security
    solution, we need to develop an information security program. We need a
    thorough review of our policies and practices, and we need to establish an
    ongoing risk management program. There are some other things that are
    part of the process as well, but these would be a good start."
    "Sounds expensive," said Fred.
    Charlie looked at Gladys, then answered, "Well, there will be some extra
    expenses for specific controls and software tools, and we may have to slow
    down our product development projects a bit, but the program will be
    more of a change in our attitude about security than a spending spree.
    I don't have accurate estimates yet, but you can be sure we will put cost-
    benefit worksheets in front of you before we spend any money."
    Fred thought about this for a few seconds. "OK. What is our next step?"
    Gladys answered, "To start with, we need to initiate a project plan to
    develop our new information security program. We'll use our usual systems
    development and project management approach. There are a few
    differences, but we can adapt our current models easily. We will need to appoint
    or hire a person to be responsible for information security."
    "Information security? What about computer security?" asked Fred.
    Charlie responded, "Information security includes all the things we
    use to do business: software, procedures, data, networks, our staff, and
    "I see," Fred said. "Bring me the draft project plan and budget in two
    weeks. The audit committee of the board meets in four weeks, and we'll
    need to report our progress."
    Soon after the board of directors meeting, Charlie was promoted to chief
    information security officer, a new position that reports to the CIO, Gladys
    Williams, and that was created to provide leadership for SLS's efforts to
    improve its security profile.
    1. How do Fred, Gladys, and Charlie perceive the scope and scale of the
    new information security effort?
    2. How will Fred measure success when he evaluates Gladys'
    performance for this project? How about Charlie's performance?
    3. Which of the threats discussed in this chapter should receive Charlie's
    attention early in his planning process?

    Industrial Espionage

    Henry Magruder made a mistake: he left a CD at the coffee station. Later,
    Iris Majwabu was at the coffee station, topping off her coffee cup, hoping
    to wrap up her work on the current SQL code module before it was time to
    go home. As she turned to leave, she saw the unlabeled CD on the counter.
    Being the helpful sort, she picked it up, intending to return it to the person
    who'd left it behind.
    Expecting to find perhaps the latest device drivers, or someone's work
    from the development team's office, Iris slipped the disk into the drive of
    her computer and ran a virus scan against its contents. She then opened
    the file explorer program. She had been correct in assuming the CD
    contained data files, lots of them. She opened a file at random, and names,
    addresses, and Social Security numbers scrolled down her screen. These
    were not the test records she expected; instead they looked more like critical
    payroll data. Concerned, she found a readme.txt file and opened it. It read:
    Jill, see files on this disc. Hope they meet your expectations. Wire money
    to my account as arranged. Rest of data sent on payment.
    Iris realized that someone was selling sensitive company data to an
    outside information broker. She looked back at the directory listing and saw
    that the files spanned the range of every department at Sequential Label
    and Supply - everything from customer lists to shipping invoices. She saw
    one file that she knew contained the credit card numbers for every Web
    customer the company supplied. She opened another file and saw that it
    stopped about halfway through the data. Whoever did this had split the
    data into two parts. That made sense: payment on delivery of the first half.
    Now, who did this belong to? She opened up the file properties option
    on the readme.txt file. The file owner was listed as "hmagruder." That must
    be Henry Magruder, the developer two cubes over in the next aisle. Iris
    pondered her next action.
    Iris called the company security hotline. The hotline was an anonymous
    way to report any suspicious activity or abuse of company policy, although
    Iris chose to identify herself. The next morning, she was called to a meeting
    with an investigator from corporate security, which led to more meetings
    with others in corporate security, and then finally a meeting with the
    Director of Human Resources and Gladys Williams, the CIO of SLS.
    1. Was Iris justified in determining who the owner of the CD was?
    2. Should Iris have approached Henry directly, or was the hotline the
    most effective way to take action?
    3. Should Iris have placed the CD back at the coffee station and
    forgotten the whole thing? Would that response have been ethical on her

    Deciding What to Protect

    Charlie Moody called the meeting to order. The conference room was
    full of developers, systems analysts, IT managers, business users, and
    business managers.
    "All right everyone, let's get started. Welcome to the kick-off meeting of
    the Sequential Label and Supply Information Security Task Force. That's the
    name of our new project team, and we're here today to talk about our
    objectives and to review the initial work plan."
    "Why are all of the users here?" asked the manager of sales. "Isn't
    security a problem for the IT Department?"
    Charlie explained, "Well, that used to be the case, but we've come to
    realize that information security is about managing the risk of using
    automated systems, which involves almost everyone in the company. In order
    to make our systems more secure, we will need the participation of people
    from all departments."
    Charlie continued, "I hope everyone has read the packets we sent out
    last week with the legal requirements we face in our industry and the
    background articles on threats and attacks. Today we'll begin the process
    of identifying and classifying all of the information technology risks that
    face our organization. This includes everything from fires and floods that
    could disrupt our business to criminal hackers who might try to steal or
    destroy our data. Once we identify and classify the risks facing our assets,
    we can discuss how to reduce or eliminate these risks by establishing
    controls. Which controls we actually apply will depend on the costs and
    benefits of each control."
    "Wow, Charlie!" said Amy Windahl from the back of the room. "I'm sure
    we need to do it - I was hit by the last attack, just as everyone here was -
    but we have hundreds of systems."
    "It's more like thousands," said Charlie. He went on, "That's why we
    have so many people on this team and why the team includes members of
    every department."
    Charlie continued, "Okay, everyone, please open your packets and take
    out the project plan with the work list showing teams, tasks, and schedules.
    Any questions before we start reviewing the work plan?"
    As Charlie wrapped up the meeting, he ticked off a few key reminders
    for everyone involved in the asset identification project.
    "Okay, everyone, before we finish, please remember that you should try
    to make your asset lists complete, but be sure to focus your attention on
    the more valuable assets first. Also, remember that we evaluate our assets
    based on business impact to profitability first, and then economic cost of
    replacement. Make sure you check with me about any questions that come
    up. We will schedule our next meeting in two weeks, so please have your
    draft inventories ready."
    1. Did Charlie effectively organize the work before the meeting? Why or
    why not? Make a list of the important issues you think should be
    covered by the work plan. For each issue, provide a short explanation.
    2. Will the company get useful information from the team it has
    assembled? Why or why not?
    3. Why might some attendees resist the goals of the meeting? Does it
    seem that each person invited was briefed on the importance of the
    event and the issues behind it?

    © BrainMass Inc. brainmass.com April 3, 2020, 9:07 pm


    Solution Preview

    1. The event was caused by an insider. It is possible that someone would have accessed content containing malware from the company's network, providing the malware with details stored over the network. These details were used by the malware to send emails to users across the organization, thus spreading the virus.
    2. Apart from installing virus and worm control software, SLS can take the following actions:
    • Use a security-conscious Internet Security Provider that implements strong anti-spam and anti-phishing procedures.
    • Enable automatic Windows update to keep the operating system patched against known vulnerabilities.
    • Use caution while opening email attachments. Configure the anti-virus software to automatically scan all email and instant message attachments. Never open unsolicited emails, or attachments that one is not expecting—even from people they know.
    • Use caution when engaging in peer-to-peer file sharing.
    • Back up files regularly.
    • Stay aware of current virus news.
    3. The attack was a result of both a worm and a virus. Thus it was a blended threat which used the server and internet vulnerabilities to initiate and then spread through the network. When Bob had called, it was clear that there was a worm in the system which had copied itself to Bob's computer. When Amy downloaded the attachment from a known acquaintance, the virus got downloaded on her system. Thus, worm and virus both got transmitted to one system after another and soon all systems in the ...

    Solution Summary

    The Sequential Label and Supply Company is examined.