Question

Securing Information Systems

Chapter eight in the Laudon text is filled with many examples of how computer systems are vulnerable due to failure, destruction, errors, and abuse. The never-ending onslaught of security breaches continues to escalate despite the lessons learned. It is evident that maintaining good information systems security is a full-time endeavor.

By doing a search of the Internet or by other research methods, find an example of an organization that faced an information systems security issue or crisis.

Ponder these questions:

1) How did the organization identify that there was a security problem?

2) What, if any, security infrastructure and policies were in place when the problem occurred?

3) What initial actions were taken to deal with the situation?

4) From a management perspective, what, if any, new organizational policies and procedures did they institute?

5) Were any new security tools and technologies eventually implemented to further safeguard their systems?

6) What was the business impact? How did they recover? Were there any legal ramifications, loss of customers, or damage of reputation?

7) Generally speaking, how can a business determine the value of investing in security and control?

Solutions

Expert Solution

Ans 1)
Uber data breach
The company learned in late 2016 that two hackers were able to get the names, email addresses, and mobile phone numbers of 57 million users of the Uber app. They also got the driver license numbers of 600,000 Uber drivers. No other data, such as credit card or Social Security numbers, was stolen. The hackers were able to access Uber's GitHub account, where they found username and password credentials to Uber's AWS account. Those credentials should never have been on GitHub.

Ans 2)
If Uber had taught its developers not to hard-code credentials, or had used code scanning to identify such mistakes during the development process, the keys to the AWS account never would have been stored on GitHub. The breach could also have been avoided by using simple multi-factor authentication for those accounts.

Ans 3)
Uber covered up the breach: two senior Uber executives, since fired, paid the two hackers $100,000 through its bug bounty program to destroy the data they had obtained, without notifying customers or regulators.

Ans 4)
Uber said it had fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, over their role in the handling of the incident. Sullivan, formerly the top security official at Facebook and a federal prosecutor, served as both security chief and deputy general counsel for Uber.

Ans 5)
Uber was investigated by multiple state attorneys general. Eventually, Uber settled the case through an agreement that included all 50 states and the District of Columbia, requiring Uber to adopt model data breach notification and data security practices and a corporate integrity program for employees to report unethical behavior, and to hire an independent third party to assess its data security practices. It also required Uber to pay a record penalty of $148 million.
The settlement required Uber to:
-Maintain and store GPS-based location information in a password-protected environment, and encrypt the information when in transit;
-Limit access to geo-location information to designated employees with a legitimate business purpose, and enforce this limitation through technical access controls and a formal authorization and approval process;
-Conduct annual employee training to inform employees who are responsible for handling private information about Uber's data security practices;
-Maintain a separate section in its consumer-facing privacy policy describing its policies regarding location information collected from riders;
-Adopt leading data security protection practices to protect its riders' personal information; designate one or more employees to coordinate and supervise its privacy and security program; and conduct regular assessments of the effectiveness of Uber's internal controls and procedures related to the securing of private information and geo-location information, and implement updates to such controls based on those assessments;
-Adopt multi-factor authentication that would be required before any employee could access especially sensitive rider personal information, as well as other leading data security practices.

Ans 6)
The data breach has become the icing on a cake of bad publicity for Uber, as stories of Uber’s workplace environment and its treatment of employees preceded the breach. Then, the breach itself was compounded by a significant delay in announcing and an attempt to cover up the breach.

This case highlights the many types of costs resulting from a data breach. Beyond the initial clean-up cost, there are longer-term costs like:

-Impact to brand value and reputation
-Impact to customer trust and satisfaction
-Loss of customers; a Gemalto study of over 10,000 people worldwide, Data Breaches and Customer Loyalty, found that if a company suffered a data breach, 70% of consumers would stop doing business with it.
-Regulatory decisions that impact the ability to do business, such as Uber's ability to do business in the UK.

Ans 7)
The question of measuring the value of security in an organisation has not been fully answered since the creation of the information security discipline. And this fact is, in my opinion, one of the reasons security teams find it difficult to convince the business to invest in security, except perhaps immediately after an incident.

The management of any organisation is typically good at managing based on the information (metrics, KPIs, scorecards, traffic lights and others) available to them. However, the information needs to be at an appropriate level. Consider a CEO. Is s/he really interested in the number of vulnerabilities in all IT systems? Or would s/he be more interested in knowing how much exposure (in monetary terms) these vulnerabilities present?

There should be three types of security risk metrics in an organisation (top to bottom): a) monetary-based risk exposure for the organisation, b) a policy compliance scorecard, and c) detailed technology and procedural metrics. This system needs to be connected from top down and bottom up, as outputs from the bottom feed into the upper-level metrics.
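The answer above names code scanning for hard-coded credentials as the control that would have kept the AWS keys out of GitHub. The following is an added example, not part of the original answer and not anything Uber or its GitHub/AWS tooling ran: a minimal pre-commit secret scanner in Python. It knows three credential shapes (the AWS access key ID format, a heuristic for a 40-character secret assigned to a "secret ... key" name, and PEM private-key headers), uses a Shannon entropy floor to ignore obvious placeholders, redacts what it reports, and exits non-zero so a git hook can refuse the commit. The sample settings file is constructed for the example; its two AWS values are the placeholder keys AWS prints in its own documentation, not live credentials. The rule names, the entropy threshold and the `secret-scan:allow` marker are this example's own choices.

```python
"""Minimal pre-commit secret scanner (added example; not from the original page)."""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Rules. The AWS access key ID form (AKIA/ASIA + 16 upper-case alphanumerics)
# follows AWS's documented format. The secret-key rule is a heuristic: a
# 40-character base64-style token assigned on the same line as a name
# containing "secret ... key". The private-key rule matches PEM headers.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)secret[_-]?(?:access[_-]?)?key\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
    ),
}

# Placeholders such as "xxxx..." or "0000..." have near-zero entropy; real
# 40-character secrets drawn from a 64-symbol alphabet score well above 4 bits/char.
ENTROPY_MIN_BITS = 3.0

# A line carrying this marker is deliberately exempted (e.g. a documented example).
ALLOW_MARKER = "secret-scan:allow"


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str  # redacted; the scanner must not re-leak what it finds


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(token: str) -> str:
    """Keep only a short prefix plus the length, enough to locate the hit."""
    return token[:4] + "..." + f"({len(token)} chars)"


def scan_text(text: str, path: str = "<text>") -> list[Finding]:
    """Return every credential-like token found in text, one Finding per hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                token = m.group(1) if m.groups() else m.group(0)
                if kind == "aws_secret_access_key" and shannon_entropy(token) < ENTROPY_MIN_BITS:
                    continue  # looks like a placeholder, not a key
                excerpt = token if kind == "private_key_block" else redact(token)
                findings.append(Finding(path, line_no, kind, excerpt))
    return findings


def scan_paths(paths) -> list[Finding]:
    """Scan regular files (recursing into directories); undecodable bytes are replaced."""
    findings = []
    for root in map(Path, paths):
        files = [root] if root.is_file() else (p for p in root.rglob("*") if p.is_file())
        for f in files:
            findings.extend(scan_text(f.read_text(errors="replace"), str(f)))
    return findings


# Constructed sample settings file; the two AWS values are the placeholder
# keys AWS uses in its own documentation, not live credentials.
SAMPLE_CONFIG = """\
# settings.py (constructed sample)
DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
PLACEHOLDER_SECRET_KEY = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
DEPLOY_KEY = '-----BEGIN RSA PRIVATE KEY-----'
DB_URL = os.environ["DATABASE_URL"]
"""


def main(argv: list[str]) -> int:
    """Pre-commit entry point: exit 1 (block the commit) when anything is found."""
    findings = scan_paths(argv) if argv else scan_text(SAMPLE_CONFIG, "settings.py")
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.excerpt}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments it scans the embedded sample and reports lines 3, 4 and 6 while skipping the all-x placeholder on line 5; as a hook, call it from `.git/hooks/pre-commit` on the staged files (`git diff --cached --name-only`) so a non-zero exit blocks the commit. Two caveats a practitioner would add: pattern scanning only catches formats it has rules for, and a key that has already reached a commit lives on in git history, so any hit should be treated as leaked and the key rotated, not merely deleted from the working tree.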
