The Sequential Label and Supply Company (often referred to as SLS) is a
national supplier of stock labels as well as a manufacturer of custom labels
and distributor of supplies often used in conjunction with labels, such as
envelopes, adhesive tape, mailing cartons, and related office supplies. The
company was founded by Fred Chin in 1992 and has grown steadily in the
As the case study begins, the company has recognized its growing
dependence on information technology and has organized its information
technology group as shown in Figure D-1. (FOUND ON LAST PAGE)
It started out like any other day for Amy Windahl at Sequential Label
and Supply Company. She liked her technical support job at the help desk.
Taking calls and helping the office workers with PC problems was not glamorous,
but it was challenging and paid pretty well. Some of her friends
worked at bigger companies, some at higher-tech companies, but everyone
kept up with each other, and they all agreed that technology jobs were a
good way to pay the bills.
The phone rang. This was not a big deal for Amy. She answered her
phone about 35 times an hour, 315 times a day, nine days every two weeks.
The first call of the day started out the same as usual, with a worried user
hoping Amy could help him out of a jam. The call display on her screen
gave her all the facts: the user's name, his phone number, the department
in which he worked, where his office was on the company campus, and a
list of all the calls he'd made in the past.
"Hi, Bob," she said. "Did you get that document formatting problem
squared away after our last call?"
"Sure did, Amy. Hope we can figure out what's going on today."
"We'll try, Bob. Tell me about it."
"Well, my PC is acting weird," Bob said. "When I go to the screen that
has my e-mail program running, it doesn't respond to the mouse or the
"Did you try a reboot yet, Bob?"
"Sure did. But the window wouldn't close, and I had to turn it off. Once
it finished the reboot, and I opened the e-mail program. It's just like it was
before - no response at all. The other stuff is working OK, but really, really
slowly. Even my Internet browser is sluggish."
"OK, Bob. We've tried the usual stuff we can do over the phone. Let me
open a case, and I'll dispatch a tech over as soon as possible."
Amy looked up at the LED tally board on the wall at the end of the room.
She saw that there were only two technicians dispatched to deskside support
at the moment, and since it was the day shift, there were four available.
"Shouldn't be long at all, Bob."
She clicked off the line from Bob and typed her notes into ISIS, the company's
Information Status and Issues System. She assigned the newly generated
case to the deskside dispatch queue, knowing the roving deskside
team would be paged with the details and would attend to Bob's problem
in just a few minutes.
A moment later, Amy looked up to see Charles Moody walking briskly
down the hall. Charlie was the senior manager of the server administration
team. He was being trailed by three of his senior technicians as he made a
beeline from his office to the door of the server room where the company
servers were kept in a controlled environment. They all looked worried.
Just then, Amy's screen beeped to alert her of a new e-mail. She glanced
down. It beeped again - and again. It started beeping constantly. She
clicked on the envelope icon, and after a short delay, the mail window
opened. She had 47 new e-mails in her inbox. She opened one from Davey
Martinez, an acquaintance from the Accounting Department. The subject
line said, "Wait till you see this." The message body read, "Look what this
has to say about our managers' salaries ... " There was an icon for a file
attachment that Amy did not recognize. But she knew Davey; he often sent
her interesting and funny e-mails. She clicked on the icon.
Her PC showed the hourglass pointer icon for a second and then
resumed showing its normal pointer. Nothing happened. She clicked on
the icon for the next e-mail message. Nothing happened. Her phone rang
again. She clicked on the ISIS icon on her computer desktop to activate the
call management software, and activated her headset. "Hello, Tech Support,
how can I help you?" She couldn't greet the caller by name because
ISIS had not yet opened the screen on her PC.
"Hello, this is Erin Williams in Receiving."
Amy glanced down at her screen. Still no ISIS. She glanced up to the tally
board and was surprised to see the inbound call counter tallying up waiting
calls like digits on a stopwatch. Amy had never seen so many calls come in
at one time.
"Hi, Erin," Amy said. "What's up?"
"Nothing," Erin answered. "That's the problem." The rest of the call was
an exact replay of Bob's earlier call, except Amy couldn't type the notes
into ISIS and had to jot them down on a legal pad. She also couldn't dispatch
the deskside support team either. She looked at the tally board. It had
gone dark. No numbers at all.
Then she saw Charlie running down the hall from the server room. He
didn't look worried anymore. He looked frantic.
Amy picked up the phone. She wanted to check with her supervisor
about what to do now. There was no dial tone.
The next day at SLS found everyone in technical support busy restoring
computer systems to their former state and installing new virus and worm
control software. Amy found herself learning how to install desktop computer
operating systems and applications as SLS made a heroic effort to
recover from the previous day's attack.
1. Do you think this event was caused by an insider or outsider? Why do
you think this?
2. Other than installing virus and worm control software, what can SLS
do to be ready for the next incident?
3. Do you think this attack was the result of a virus, or a worm? Why do
you think this?
Fred Chin, CEO of Sequential Label and Supply, leaned back in his
leather chair. He propped his feet up on the long mahogany table in the
conference room where the SLS Board of Directors had just adjourned their
"What do you think about our computer security problem?" he asked
Gladys Williams, the company's chief information officer, or CIO. He was
referring to last month's outbreak of a malicious worm on the company's
Gladys replied, "I think we have a real problem this time, and we need
to put together a real solution, not just a quick patch like the last time."
Eighteen months ago someone had brought an infected floppy disk in from
home and infected the network. To prevent this from happening again, all
the floppy drives were removed from the company computers.
Fred wasn't convinced. "Let's just add another thousand dollars in the
next budget to fix it up."
Gladys shook her head. "You've known for some time now that this
business runs on computers. That's why you hired me as CIO. I've been
researching information security, and my staff and I have some ideas to discuss
with you. I've asked Charlie Moody to come in today to talk about it.
He's waiting to speak with us."
Charlie joined the meeting, and Fred said, "Hello, Charlie. As you know
the Board of Directors met today. They received a report on the expenses
and lost production from the virus outbreak last month, and they directed
us to improve the security of our computers. Gladys says you can help me
understand what we need to do about it."
"To start with," Charlie said, "instead of setting up a computer security
solution, we need to develop an information security program. We need a
thorough review of our policies and practices, and we need to establish an
ongoing risk management program. There are some other things that are
part of the process as well, but these would be a good start."
"Sounds expensive," said Fred.
Charlie looked at Gladys, then answered, "Well, there will be some extra
expenses for specific controls and software tools, and we may have to slow
down our product development projects a bit, but the program will be
more of a change in our attitude about security than a spending spree.
I don't have accurate estimates yet, but you can be sure we will put
cost-benefit worksheets in front of you before we spend any money."
Fred thought about this for a few seconds. "OK. What is our next step?"
Gladys answered, "To start with, we need to initiate a project plan to
develop our new information security program. We'll use our usual systems
development and project management approach. There are a few differences,
but we can adapt our current models easily. We will need to appoint
or hire a person to be responsible for information security."
"Information security? What about computer security?" asked Fred.
Charlie responded, "Information security includes all the things we
use to do business: software, procedures, data, networks, our staff, and
"I see," Fred said. "Bring me the draft project plan and budget in two
weeks. The audit committee of the board meets in four weeks, and we'll
need to report our progress."
Soon after the board of directors meeting, Charlie was promoted to chief
information security officer, a new position that reports to the CIO, Gladys
Williams, and that was created to provide leadership for SLS's efforts to
improve its security profile.
1. How do Fred, Gladys, and Charlie perceive the scope and scale of the
new information security effort?
2. How will Fred measure success when he evaluates Gladys' performance
for this project? How about Charlie's performance?
3. Which of the threats discussed in this chapter should receive Charlie's
attention early in his planning process?
Henry Magruder made a mistake: he left a CD at the coffee station. Later,
Iris Majwabu was at the coffee station, topping off her coffee cup, hoping
to wrap up her work on the current SQL code module before it was time to
go home. As she turned to leave, she saw the unlabeled CD on the counter.
Being the helpful sort, she picked it up, intending to return it to the person
who'd left it behind.
Expecting to find perhaps the latest device drivers, or someone's work
from the development team's office, Iris slipped the disk into the drive of
her computer and ran a virus scan against its contents. She then opened
the file explorer program. She had been correct in assuming the CD contained
data files, lots of them. She opened a file at random, and names,
addresses, and Social Security numbers scrolled down her screen. These
were not the test records she expected; instead they looked more like critical
payroll data. Concerned, she found a readme.txt file and opened it. It read:
Jill, see files on this disc. Hope they meet your expectations. Wire money
to my account as arranged. Rest of data sent on payment.
Iris realized that someone was selling sensitive company data to an outside
information broker. She looked back at the directory listing and saw
that the files spanned the range of every department at Sequential Label
and Supply - everything from customer lists to shipping invoices. She saw
one file that she knew contained the credit card numbers for every Web
customer the company supplied. She opened another file and saw that it
stopped about halfway through the data. Whoever did this had split the
data into two parts. That made sense: payment on delivery of the first half.
Now, who did this belong to? She opened up the file properties option
on the readme.txt file. The file owner was listed as "hmagruder." That must
be Henry Magruder, the developer two cubes over in the next aisle. Iris pondered
her next action.
Iris called the company security hotline. The hotline was an anonymous
way to report any suspicious activity or abuse of company policy, although
Iris chose to identify herself. The next morning, she was called to a meeting
with an investigator from corporate security, which led to more meetings
with others in corporate security, and then finally a meeting with the
Director of Human Resources and Gladys Williams, the CIO of SLS.
1. Was Iris justified in determining who the owner of the CD was?
2. Should Iris have approached Henry directly, or was the hotline the
most effective way to take action?
3. Should Iris have placed the CD back at the coffee station and forgotten
the whole thing? Would that response have been ethical on her
Deciding What to Protect
Charlie Moody called the meeting to order. The conference room was
full of developers, systems analysts, IT managers, business users, and busi-
"All right everyone, let's get started. Welcome to the kick-off meeting of
the Sequential Label and Supply Information Security Task Force. That's the
name of our new project team, and we're here today to talk about our
objectives and to review the initial work plan."
"Why are all of the users here?" asked the manager of sales. "Isn't security
a problem for the IT Department?"
Charlie explained, "Well, that used to be the case, but we've come to realize
that information security is about managing the risk of using automated
systems, which involves almost everyone in the company. In order
to make our systems more secure, we will need the participation of people
from all departments."
Charlie continued, "I hope everyone has read the packets we sent out
last week with the legal requirements we face in our industry and the
background articles on threats and attacks. Today we'll begin the process
of identifying and classifying all of the information technology risks that
face our organization. This includes everything from fires and floods that
could disrupt our business to criminal hackers who might try to steal or
destroy our data. Once we identify and classify the risks facing our assets,
we can discuss how to reduce or eliminate these risks by establishing controls.
Which controls we actually apply will depend on the costs and benefits
of each control."
"Wow, Charlie!" said Amy Windahl from the back of the room. "I'm sure
we need to do it - I was hit by the last attack, just as everyone here was -
but we have hundreds of systems."
"It's more like thousands," said Charlie. He went on, "That's why we
have so many people on this team and why the team includes members of
Charlie continued, "Okay, everyone, please open your packets and take
out the project plan with the work list showing teams, tasks, and schedules.
Any questions before we start reviewing the work plan?"
As Charlie wrapped up the meeting, he ticked off a few key reminders
for everyone involved in the asset identification project.
"Okay, everyone, before we finish, please remember that you should try
to make your asset lists complete, but be sure to focus your attention on
the more valuable assets first. Also, remember that we evaluate our assets
based on business impact to profitability first, and then economic cost of
replacement. Make sure you check with me about any questions that come
up. We will schedule our next meeting in two weeks, so please have your
draft inventories ready."
1. Did Charlie effectively organize the work before the meeting? Why or
why not? Make a list of the important issues you think should be
covered by the work plan. For each issue, provide a short explanation.
2. Will the company get useful information from the team it has assembled?
Why or why not?
3. Why might some attendees resist the goals of the meeting? Does it
seem that each person invited was briefed on the importance of the
event and the issues behind it?