CHAPTER 3: Information Systems: Ethics, Privacy, and Security
Chapter Overview
3.1 Ethical Issues
3.2 Threats to Information
3.3 Protecting Information Resources

Teaching Tips and Strategies


The subject matter of this chapter is particularly interesting in today's business environment. One of the considerations is security versus personal privacy, in the sense that technology will allow future employers to watch an employee's every movement in the workplace. It is suggested that your initial discussion begin with the implications of employers being able to monitor what we as employees do in the workplace.
Bill Gates and Bill Clinton were both charged with crimes based partially on evidence in emails (Clinton with lying under oath, and Gates with violating the consent decree his company signed with the Justice Department). Even more current examples of email trails left by influential people are the cases of Martha Stewart and her attempt to cover up her activity right after she ordered her broker to sell her shares of ImClone stock, and the trail left by President Bush's long-time adviser and confidant, Karl Rove, in the ongoing investigation of who identified the CIA operative married to former Ambassador Joseph Wilson IV (who went to Niger to track down whether Iraq tried to get uranium from them). Both of these individuals have had to deal with criticism and investigations based on various contacts and, particularly, emails that were records of their communications.
If they are in such prominent positions, how is it that their emails are available for others to hold against them? Is email forever?
A discussion that keeps the class focused away from a political debate is a good way to explore the reasons we have to be careful in our use of email.
The first two individuals were indicted based on evidence from emails. The point is: if the President of the United States cannot get rid of damaging emails, it is almost impossible for anyone else to do so either. If the world's richest man cannot control who gets his emails, then how can anyone expect their emails not to be used against them? It isn't being suggested that either Clinton or Gates tried to get rid of emails in any illegal way. Martha Stewart did alter her email, but then realized that it would be fruitless and changed it back. The point is, if these influential people have had emails used against them, how in the world do you expect that emails you are writing today will not be used against you? This can lead to some very heated discussions.

A scenario which you might use is to write on the board the following: "Is email forever?" Give an example in which Student 1 sends Student 2 an email. How many copies of that email are out there? Most students will respond, "Two." But that is not true; illustrate on the board how the email had to go through different servers, etc. This illustration will usually cause the students' ears to perk up.
Then create the scenario that Student 1 has sent an email to Student 2, we hire someone to destroy Student 2's computer, and we wipe out all of the server information that had that email on it. What if we burn Student 1's computer to get rid of the email? Could that email still exist? Most students will respond, "No way, both computers are destroyed and the servers have been cleared." Then ask, "How do we know that Student 2, when he/she received the email, didn't email it to someone else? Would all of the illegal activity have gotten rid of the email?" Then ask, what if Student 2 put the email on a disk and mailed it somewhere? Students start to see the complications and that email really is forever. Let the students know that Student 2 might have simply thought a joke you sent them was funny and decided to email it to some friends. But the problem is that the email is spreading, and there is no way we can stop it.
Another scenario is: if we worked for a company and sent each other dirty jokes or pornographic pictures three years ago at work (violating company policy), but we were never caught, we might think there was no harm done. But what if someone with whom we used to be friendly now gets angry and goes to management with an email we sent years ago? Could we still be fired? Most students will get angry and state, "No way! That was three years ago." But the correct response is, "Exactly, but the courts have agreed with employers regarding this issue. It doesn't matter if it was five years ago; it was still violating company policy." At this point, students are starting to understand that, unlike ten years ago, when workers in break rooms told dirty jokes and the chance of getting in trouble was small unless someone was offended at that moment, employers now have the ability to go back to the day an email was sent and pull it up.
These examples are not intended to scare the students, but to get them to realize that employers can and will be monitoring them at work. A review of the different software applications that can help employers monitor non-work-related use of the Internet is appropriate at this step. The book has examples of employees who have been fired from major companies for using the Internet for personal use.
The discussion can end with the following advice. First, never use the computer for anything but business-related work. That will take care of 95% of this problem. Secondly, do not send an email that you wouldn't want your parents to read. This will take care of all the problems of figuring out which emails are okay to send and which aren't. Thirdly, limit giving your work email address to friends and relatives. This will help keep down the number of emails (it also helps to avoid having things sent via email that violate company policy). Fourth, when using your computer, pretend that someone is hiding behind the screen and watching everything you do. Many programs have been developed over the last couple of years that can monitor everything done on a computer, down to the keystroke. This will help prevent anyone from having disciplinary problems due to computer use.
Natural and man-made menaces have become risks that organizations can no longer dismiss. A scenario was once noted by a colleague and computer expert: "The only truly secure system is powered off, cast in a block of concrete, and sealed in a lead room with armed guards, and even then I have my doubts." Given this amusing picture, the author is correct. What if we were able to align ourselves with the armed guards and gain access to the system?
Frankly, there is no way to fully secure an information system against every potential mishap, but there are many ways to significantly reduce the risks and recover from losses. The best organizations recognize that fast recovery is good business. The days are behind us when organizations could continue serving their customers for several days or even weeks without the aid of IT. Information-rich industries are totally dependent on the technology. Imagine a university that cannot bill its students; imagine an insurance company that has no access to its customers' computerized policies; or imagine a bank that cannot provide you with your checking account balance! We are reminded of the familiar request we receive from customer service personnel, "The computer is down, could you come back later?", which seems more and more unacceptable as technology makes its way into every aspect of our lives.
A long-held view of ethics and IT can be shared. Historically, IS professionals have not been bound by law to adhere to any ethical and professional standards. Those of us who engage in the design, development, implementation, and maintenance of ISs are generally recognized as members of an emerging profession, the IT profession. Many organizations are depending on us as specialists, who collect large sums of money for their services. As more and more businesses have come to depend on IT, we are hearing more about incidents where IT projects are abandoned because we professionals have miscalculated time and money resources, or because we simply lacked the expertise to develop good systems. Virtually all other professions, including law, medicine, accountancy, and others, have established a code of professional standards under the law. But what professional rules bind IT professionals? Currently, there are none. Several professional organizations have issued their own codes of ethics, but none is enforceable under the law. It may take years for a standard code of ethics to be adopted by the IT profession. It may take even longer for certification and other measures to be mandated by law. Until we have these measures in place, it is incumbent upon all of us in the profession to think ethically about the many issues discussed in this chapter so that we can exercise our best judgment at all times on all IT projects.

Review Questions
Section 3.1 - Before You Go On

1. Define ethics and list its four categories as they apply to IT.
Ethics is a branch of philosophy that deals with what is considered to be right and wrong. There are many definitions of ethics, such as "codes of morals of a particular profession," "agreement among people to do the right thing and to avoid the wrong," and so on. Ethical issues are categorized into privacy, accuracy, property, and accessibility.
2. Describe the issue of privacy as it is affected by IT.
The issue of privacy as it is affected by IT addresses the issues of data collection,
data accuracy, and data confidentiality. The proliferation of personal computers,
powerful software, large databases, and the Internet have created an entirely new
dimension of accessing and using personal data.
3. What does a code of ethics contain?
A code of ethics is a collection of principles intended as a guide for members of a
company or an organization.
4. Describe the relationship between IT and privacy.
Information technology enables companies to gather, maintain, and protect data/information critical for their operation. A company's information can also become vulnerable because of technology. It is critical for the organization to know its vulnerabilities and to be able to assure its employees, customers, and other business partners that their private information is protected.
Section 3.2 - Before You Go On
1. Give an example of one type of unintentional threat to a computer system.
Poorly trained employees using computer systems can cause unintentional harm
by entering data incorrectly. Many times the error checking that is built into a
system does not prevent all of the possible ways that bad data can enter a system.
Weather can also cause an unintentional threat. Even poorly positioned computer
rooms can set up a scenario for water from floors above to leak into computer
systems.
2. Describe the various types of software attacks.
Students should list and explain viruses, worms, Trojan horses, logic bombs, back doors, denial-of-service attacks, and alien software such as adware, spyware, etc.
3. Describe the issue of intellectual property protection.
Any original work of art, writing, computer program, or music has protection under trade secret, patent, or copyright laws. This body of law protects the work product of an individual. It is critical for students to grasp this concept and to understand that copying these individual works is illegal. The loss of over $30 billion in global trade as a result of software piracy alone makes for a substantial discussion.
Section 3.3 - Before You Go On
1. Describe the two major types of controls for information systems.
General controls are designed to protect the system regardless of the type of applications that are being run. Included are physical controls, access controls, data security controls, communications controls, and administration controls.
Application controls are designed to protect the inputs, processing, and outputs of the application.
2. What is information system auditing?
There are three classifications of IS auditing procedures:
Auditing around the computer means verifying processing by checking for known outputs using specific inputs. This approach is fast and inexpensive, but it may give false results. For example, two errors may compensate for each other, resulting in seemingly correct output.
Auditing through the computer means that inputs, outputs, and processing are checked. Auditors review program logic, test data, and control processing and reprocessing.
Auditing with the computer means using a combination of client data, auditor software, and client and auditor hardware. It allows the auditor to perform tasks such as simulating payroll program logic using live data.
3. What is the purpose of a disaster recovery plan?
A disaster recovery plan is a set of procedures that are designed to prevent
damage and to manage the chain of events required to recover if a disaster
impacts a computer system. The main goal of the disaster recovery plan is to keep
the business running after a disaster occurs. Both the IT department and line
management should be involved in preparation of the plan.

IT's About Business Questions

3.1 You Be the Judge
1. Is Childs guilty of the charges against him, namely computer tampering?
(a) Discuss this case from the perspective of the Prosecutor of the City of San Francisco.
(b) Discuss this case from the perspective of Childs' defense lawyer.
(c) The class will sit as the jury and vote on Childs' innocence or guilt after the discussion.
No.
(a) Childs, as a network administrator, had many responsibilities to protect the network from intruders and put security policies in place. He did a thorough job. However, the city, his employer, has the right to know details about the passwords and security schemes and may need to have additional access rights. If Childs was asked for these by higher-ups and refused, then that is a violation of his employment contract.
(b) Childs, as a network administrator, had many responsibilities to protect the network from intruders and put security policies in place. While the job he did seems to be quite thorough and robust from a technical aspect, his supervisors should have pointed out to him that these policies had to be approved by his higher-ups before they were implemented in the network. This policy/planning document is missing, which is gross negligence on the part of the city administration and Childs' higher-ups.
2. A single point of failure is a part of a system which, if it fails, will stop the entire
system from working. A single point of failure is undesirable, whether it is a person,
network, or application. Is Childs an example of a single point of failure? Why or
why not? If so, how should the City of San Francisco (or any organization) protect
itself from such a person?
Yes. Childs is a single point of failure. If he were to face a tragedy, who else knows
about the network and the passwords and security schemes? There needs to be a
delegate, backup, or cross-trained person to handle this crisis.
3.2 CheckFree Hijacked
1. Which company, CheckFree or Network Solutions, is at fault in this successful attack?
Support your answer. Include in your answer a discussion of whether each company is
practicing due diligence with its information security measures.
The evidence shows that hackers were able to hijack the CheckFree Web site by stealing a user name and password needed to make account changes at the Web site of Network Solutions (www.networksolutions.com), CheckFree's domain registrar. The user name and password could have been stolen after a CheckFree employee's computer was infected with password-stealing malware. Another possibility is that an employee was tricked into giving his or her user name and password through a phishing scam. The facts show that CheckFree was not the only site that the attackers hijacked and redirected to the Ukrainian server. Internet Identity (www.internetidentity.com), an anti-phishing company, found at least 71 other domains pointing to the same Ukrainian Internet address during the period of the CheckFree attack. Hence, the finger should point to Network Solutions and its security policies, which were perhaps not robust enough.
CheckFree should also be required to audit its security policies and see where they might be strengthened.
2. How should the two companies, working together, prevent further attacks of this
nature?
With better intrusion detection tools coupled with monitoring their network activity and
defining better security policies and enforcement of them, the two companies can prevent
further attacks.
3.3 Vulnerabilities in Supervisory Control and Data Acquisition Systems
1. Will legislation be enough to strengthen SCADA defenses against cyber-attacks?
Support your answer. If not, what do you think utility companies should do to protect
their SCADA systems?
Utility companies should design and enforce better security policies. How could a group of responsible business IS managers give access to their entire network to consultants without doing their due diligence? Clearly some IS management changes and lots of training are necessary at these old-model companies, in addition to legislation.
2. Discuss the trade-offs for utility companies between having their control systems connected to their business systems or not.
The advantages are clear: more flexibility and faster configuration and changes. The disadvantage is the exposure to cyber-attacks, hacking, and security break-ins.
3.4 Cigna's Approach to Least Privilege
1. Why is it so important for organizations to provide least privilege to employees?
It is important for Cigna to keep information private. Proprietary company information is also an important set of data to protect. The advantage of this least privilege policy is that Cigna is able to keep its information tightly controlled and only provide access to those who need it. Better safe than sorry!
2. What are possible disadvantages of least privilege?
Bureaucracy and time delays can result from this policy. Employees may be frustrated by the controls and by having to apply for permissions to access information.

DISCUSSION QUESTIONS
1. Why are computer systems so vulnerable?
The level of complexity makes it difficult to understand all of the vulnerabilities.
There are many threats internal and external, intentional and unintentional.
2. Why should information security be of prime concern to management?
Most companies would be severely impacted if their systems were interrupted.
3. Is security a technical issue? A business issue? Both? Support your answer.
Hint: Read Kim Nash, "Why Technology Isn't the Answer to Better Security," CIO (www.cio.com), October 15, 2008.
Both. Technology creates security holes and allows hackers to break in, but businesses must adopt policies and controls to minimize these break-ins.
4. Compare information security in an organization with insuring a house.
We pay for insurance but hope that we never have to worry about using it.
5. Why are authentication and authorization important to e-commerce?
Authentication confirms the identity of the individual and authorization determines
what they are allowed to do.
6. Why is cross-border cyber-crime expanding rapidly? Discuss possible solutions.
International organized crime is taking over cybercrime, which is illegal activity taking place over computer networks. The online commerce industry is not particularly willing to install safeguards that would make it harder to complete transactions. It would be possible to demand passwords or personal ID numbers for all credit card transactions. Companies are developing software and services that deliver early warnings of trouble. These early-warning systems are proactive, scanning the Web for new viruses and alerting companies to the danger.

7. Discuss why the Sarbanes-Oxley Act is having an impact on information security.
The Sarbanes-Oxley Act requires certain safeguards to be built into systems and has strict audit requirements.
8. In 2008, the Massachusetts Bay Transportation Authority (MBTA) obtained a temporary restraining order barring three Massachusetts Institute of Technology students from showing what they claimed to be a way to get free subway rides for life. The 10-day injunction prohibited the students from revealing vulnerabilities of the MBTA's fare card. The students were scheduled to present their findings in Las Vegas at the Defcon computer hacking conference. Are the students' actions legal? Are their actions ethical? Discuss your answer from the perspective of the students and then from the perspective of the MBTA.
The students found a way to exploit the system's vulnerability. Not paying the fare and riding the subway is clearly an unethical activity, if not illegal. It does not matter what perspective one takes; these types of activities cannot be tolerated.
9. What types of user authentication are used at your university and/or place of
work? Do these authentication measures seem to be effective? What if a higher
level of authentication were implemented? Would it be worth it, or would it
decrease productivity?
Students can answer based on their environments.
PROBLEM SOLVING ACTIVITIES
1. An information security manager routinely monitored the Web surfing among her company's employees. She discovered that many employees were visiting the "sinful six" Web sites. (Note: The sinful six are Web sites with material related to pornography, gambling, hate, illegal activities, tastelessness, and violence.) She then prepared a list of the employees and their surfing histories and gave the list to management. Some managers punished their employees. Some employees, in turn, objected to the monitoring, claiming that they should have a right to privacy.
a. Is monitoring of Web surfing by managers ethical? (It is legal.) Support your answer.
Yes, monitoring of Web surfing is ethical and, moreover, it is an important duty of the network security person. Unethical use of the system is only detected by this scrutiny. If this is not done on a professional basis, the company is open to legal action should someone be harmed as a result of an employee's use of the system. Moreover, there is potential for malware to be introduced into the company's network.
b. Is employee Web surfing on the sinful six ethical? Support your answer.
Personal use of the company's Internet system, while not illegal, is normally stipulated in the company policies as unauthorized, and therefore unethical. Employees are supposed to be working, not wasting company resources. Even during their lunch hour or after hours, they are still stealing resources, e.g., disk space, bandwidth, etc. Visiting sites with pornographic material, gambling sites, etc. could also lead to other actions which could jeopardize the company, since the tracking of IP addresses would lead an investigation right back to the company equipment which was being used at the time.
c. Is the security manager's submission of the list of abusers to management ethical? Why or why not?
While it is not unethical to turn this information over to management, a better way to handle the situation might be to first send a communication out to all employees reiterating what is okay and not okay in terms of Internet usage and putting them on notice that infractions will be made known to management. If there are employees that continue to operate outside the policy, then they would be dealt with by submitting their details to management.
d. Is punishing the abusers ethical? Why or why not? If yes, then what types of punishment are acceptable?
Punishment is just as ethical for an infraction of the Internet use policy as it would be for any abuse of company policy, from tardiness to absenteeism to any other stated policy on the books. Employers need to act in good faith. A policy needs to be circulated among employees with a clear description of what the consequences will be if an employee commits an offense. Monitoring by upper management to ensure consistent handling by the managers would make the future handling fair and consistent. Once the policy and consequences are clear, the security manager should notify the immediate manager and copy upper management with details of problem situations. A warning, suspension, and ultimately termination may be appropriate punishment for violation of any company policy, not limited to improper Internet usage.
e. What should the company do in order to rectify the situation?
The company should institute a policy for personal Internet use and review it with its employees. Employees should be allowed some flexibility, such as two or three 15-minute intervals of personal surfing during the day. Objectionable sites cannot be visited. This allows employees to take a break from their work and perform some personal surfing, while confining their activity to small blocks of time.
2. Frank Abagnale, the criminal played by Leonardo DiCaprio in the motion picture Catch Me If You Can, ended up in prison. However, when he left prison, he went to work as a consultant to many companies on matters of fraud.
a. Why do so many companies not report computer crimes?
Companies often under-report such crimes to protect their reputation with their customer base. Banks especially want their customers to feel that their money is safe. They don't want anyone to know that their systems were compromised.
b. Why do these companies hire the perpetrators (if caught) as consultants? Is this a
good idea?
In some cases, they hire the individual who broke into their system, because that
person knows the weak spots in the security. Whether it is a good idea or not
depends on the situation. Students can offer some opinions on pros and cons.
c. You are the CEO of a company. Discuss the ethical implications of hiring Frank Abagnale as a consultant to your company.
Students can offer some opinions on pros and cons. It may seem as if rewarding a person for their past criminal behavior is not an ethical precedent that a company should set in its hiring policies. The wrong message may be sent to customers about the quality and background of the company's employees, and it may endanger other employees working with Frank Abagnale.
3. A critical problem is assessing how far a company is legally obligated to go in order to secure personal data. Because there is no such thing as perfect security (i.e., there is always more that you can do), resolving this question can significantly affect cost.
a. When are security measures that a company implements sufficient to comply with its obligations?
Security measures are sufficient when the company has completed a comprehensive risk analysis, determined that it has covered all threats that have a reasonable likelihood of happening, and provided protection against those threats.

b. Is there any way for a company to know if its security measures are sufficient? Can you devise a method for any organization to determine if its security measures are sufficient?
There is nothing absolute in this world of technology, given that some individuals consider it a challenge to see if they can break through any safeguard that is implemented. The only sure way to know is if there are no breaches. Monitoring and staying vigilant are the best ways to protect against intrusions.
4. Assume that the daily probability of a major earthquake in Los Angeles is .07 percent. The chance of your computer center being damaged during such a quake is 5 percent. If the center is damaged, the average estimated damage will be $4.0 million.
a. Calculate the expected loss in dollars.
Expected Annual Damage = .07 * .05 * $4,000,000 = $14,000
b. An insurance agent is willing to insure your facility for an annual fee of $25,000. Analyze the offer, and discuss whether to accept it.
Insurance costs more than the expected damage. The company should refuse the offer.
5. A company receives 50,000 messages each year. Currently, the organization has
no firewalls. On the average, there are 2 successful hackings each year. Each successful
hacking results in loss to the company of about $150,000. A firewall is proposed at an
initial cost of $75,000 and an annual maintenance fee of $6,000. The estimated useful
life is 3 years. The chance that an intruder will break through this firewall is 0.00002.
In such a case, there is a 30 percent chance that the damage will total $100,000, a 50
percent chance that the damage will total $200,000, and a 20 percent chance that there
will be no damage at all.
a. Should management buy this firewall?
YES
Estimated Loss from hacking = $300,000/yr
Estimated cost of firewall = 25000 + 6000 + .00002 *(.3 * 100000 + .5 * 200000)
= 31000/yr.
b. An improved firewall that is 99.9988 percent effective and that costs $90,000, with
a useful life of 3 years and annual maintenance cost of $18,000 is available. Should
the company purchase this firewall instead of the first one?
Estimated cost of firewall = 30000 + 18000 + .000012 *(.3 * 100000 + .5 * 200000)
= 48000/yr.
NO
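Activities 4 and 5 above use the same expected-loss method, so one worked example serves both. The Python below is an added example, not part of the instructor's manual; it follows the answer key's reading of the figures (the earthquake probability is applied as a single-period probability of 0.07, giving the key's $14,000, and the firewall's breakthrough probability is used directly as the expected number of breaches per year), and the function names and the `Firewall` data class are assumptions of this example.

```python
"""Expected-loss and control-cost arithmetic for Activities 4 and 5.

Added example, not from the instructor's manual.  Method used by the answer key:
  expected loss       = P(event) * P(damage | event) * damage
  annual control cost = purchase price / useful life + maintenance
                        + expected breaches per year * E[damage per breach]
A control is worth buying when its annual cost is below the loss it removes.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


def expected_loss(p_event: float, p_damage_given_event: float, damage: float) -> float:
    """Activity 4a: P(event) * P(damage | event) * damage."""
    return p_event * p_damage_given_event * damage


def accept_insurance(expected_loss_value: float, premium: float) -> bool:
    """Activity 4b: a premium above the expected loss is not worth paying."""
    return premium < expected_loss_value


@dataclass(frozen=True)
class Firewall:
    """Cost profile of one firewall option (constructed helper type)."""
    purchase_price: float
    useful_life_years: int
    annual_maintenance: float
    # Chance an intruder gets through; the answer key uses this directly as
    # the expected number of breaches per year.
    breakthrough_probability: float


# Activity 5: damage distribution given one successful breakthrough,
# as (probability, damage) pairs.  The probabilities must sum to 1.
BREACH_OUTCOMES: Tuple[Tuple[float, float], ...] = ((0.3, 100_000), (0.5, 200_000), (0.2, 0))


def expected_breach_damage(outcomes: Sequence[Tuple[float, float]] = BREACH_OUTCOMES) -> float:
    """E[damage] for one successful breakthrough; rejects a malformed distribution."""
    if abs(sum(p for p, _ in outcomes) - 1.0) > 1e-9:
        raise ValueError("outcome probabilities must sum to 1")
    return sum(p * d for p, d in outcomes)


def annual_firewall_cost(fw: Firewall,
                         outcomes: Sequence[Tuple[float, float]] = BREACH_OUTCOMES,
                         breaches_per_year: Optional[float] = None) -> float:
    """Amortised purchase price + maintenance + expected breach loss per year.

    breaches_per_year defaults to fw.breakthrough_probability (the answer key's
    reading); pass messages * per-message probability to model a per-message rate.
    """
    if breaches_per_year is None:
        breaches_per_year = fw.breakthrough_probability
    amortised_purchase = fw.purchase_price / fw.useful_life_years
    return (amortised_purchase + fw.annual_maintenance
            + breaches_per_year * expected_breach_damage(outcomes))


def annual_loss_without_firewall(successful_hacks_per_year: float, loss_per_hack: float) -> float:
    """Current exposure: successful hackings per year times the loss from each."""
    return successful_hacks_per_year * loss_per_hack


def should_buy(fw: Firewall, current_annual_loss: float) -> bool:
    """Activity 5a: buy when the firewall's annual cost is below today's loss."""
    return annual_firewall_cost(fw) < current_annual_loss


def cheaper_option(a: Firewall, b: Firewall) -> Firewall:
    """Activity 5b: choose the option with the lower annual cost."""
    return a if annual_firewall_cost(a) <= annual_firewall_cost(b) else b


# Figures from the page.
FIRST_FIREWALL = Firewall(75_000, 3, 6_000, 0.00002)
IMPROVED_FIREWALL = Firewall(90_000, 3, 18_000, 1 - 0.999988)  # 99.9988 percent effective


if __name__ == "__main__":
    quake = expected_loss(0.07, 0.05, 4_000_000)
    print(f"4a expected damage: ${quake:,.0f}")
    print(f"4b accept $25,000 premium: {accept_insurance(quake, 25_000)}")
    today = annual_loss_without_firewall(2, 150_000)
    print(f"5  loss without firewall: ${today:,.0f}/yr")
    for name, fw in (("first", FIRST_FIREWALL), ("improved", IMPROVED_FIREWALL)):
        print(f"   {name} firewall: ${annual_firewall_cost(fw):,.2f}/yr")
    print(f"5a buy first firewall: {should_buy(FIRST_FIREWALL, today)}")
    print(f"5b improved is cheaper: {cheaper_option(FIRST_FIREWALL, IMPROVED_FIREWALL) is IMPROVED_FIREWALL}")
```

Passing `breaches_per_year=50_000 * 0.00002` reads the 0.00002 as a per-message rate (one expected breach a year), which raises the first firewall's annual cost to $161,000 but still leaves it well below the $300,000 current loss.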
6. Complete the computer ethics quiz at
http://web.cs.bgsu.edu/maner/xxocee/html/welcome.htm.
7. Enter www.scambusters.org. Find out what the organization does. Learn about email scams and Web site scams. Report your findings.
"ScamBusters Has Helped People Protect Themselves From Clever Internet Scams, Identity Theft and Urban Legends Since 1994"
Students' responses will vary.

8. Visit www.dhs.gov/dhspublic (Department of Homeland Security). Search the site for "National Strategy to Secure Cyberspace" and write a report on their agenda and accomplishments to date.
Students will use the search function on the site to locate the document. It is a 76-page document which will provide material for student responses.
9. Enter www.alltrustnetworks.com and other vendors of biometrics. Find the devices they make that can be used to control access into information systems. Prepare a list of products and major capabilities of each.
When students use the link, they can select "merchants," which will take them to a menu that allows them to select Biopay technology.
10. Access the Computer Ethics Institute's Web site at www.cpsr.org/issues/ethics/cei. The site offers the Ten Commandments of Computer Ethics. Study these 10 and decide if any should be added.
Students should provide thoughtful answers to the above.
11. Software piracy is a global problem. Access the following Web sites: http://www.bsa.org and http://www.microsoft.com/piracy/. What can organizations do to mitigate this problem? Are some organizations dealing with the problem better than others?
Students should enter a search argument of "software piracy" after entering the bsa.org site and access any number of links on the topic to complete their assignment. The Microsoft site offers a variety of links to explore options available to organizations.
12. Access www.eightmaps.com. Is the use of data on this Web site illegal? Unethical? Support your answer.
Displaying the personal address of individuals when that information is not publicly available elsewhere is an issue. Donations for political causes need to be posted so that the general public is aware of who is behind what initiative.
TEAM ASSIGNMENTS
1. Access www.ftc.gov/sentinel to learn more about how law enforcement agencies around the world work together to fight consumer fraud. Each team should obtain current statistics on one of the top five consumer complaint categories and prepare a report. Are any categories growing faster than others? Are any categories more prevalent in certain parts of the world?

2. Read "In the Matter of BJ's Wholesale Club, Inc., Agreement containing Consent Order," FTC File No. 042 3160, June 16, 2005 at www.ftc.gov/opa/2005/06/bjswholesale.htm. Describe the security breach at BJ's Wholesale Club. What was the reason for this agreement? Identify some of the causes of the security breach and how BJ's can better defend itself against hackers and legal liability.
3. Read the article "The Security Tools You Need" at http://www.pcworld.com/downloads/collection/collid,1525/files.html. Each team should download a product and discuss its pros and cons for the class. Be sure to take a look at all the comments posted about this article.

Closing Case
Information Security at the International Fund for Animal Welfare
The Business Problem
The IFAW has three characteristics that impact the organization's information security. First, as an extremely dispersed organization, the IFAW must deal with information security on a large, international scale. Second, the IFAW's mobile users carry laptops that must be protected for use outside the IFAW's network, yet remain safe enough to return to the network without causing damage when the user returns from trips out in the field. Third, the IFAW is a controversial force in conservation and therefore finds itself targeted by individuals, organizations, and even governments who object to the organization's activities.
The IT Solution
The IFAW has deployed various security software to limit its threats and protect its information assets: (1) anti-malware software, (2) IDS, (3) network access control software, and (4) software preventing suspect programs from executing. If a program is not whitelisted, it will not run until someone in the IFAW's IT department allows it to run.
The Result
The IFAW needed to control what got access into its network as well as detect and deactivate any malicious programs that may have been brought back by its travelling employees. Its security incidents dropped by some 75 percent. In addition, the whitelisting system enabled the IFAW to improve its software licensing compliance, because the organization now knew exactly what software was running on its computers.
Questions:
1. Does the whitelisting process place more of a burden on the IT group at IFAW? Why or why not? Support your answer.
More burden is not necessarily placed. It is important for IT to have control over what is installed and executed on employee computers. Since the computers are often taken off the IFAW network and placed into other networks, the potential for various programs and content to get installed is a big threat. Hence, this program is just helping the IT department manage its resources.
2. Analyze the risk involved in the IFAW allowing users from its partner
organizations to access the IFAW network.
Opening their network to the outside to any user from its partners can lead to major
problems. Intrusions are more likely and can cause disruptions to network service.
