Fred Chin, CEO of Sequential Label and Supply, leaned back in his leather chair and propped his feet up on the long mahogany table in the conference room where the SLS Board of Directors had just adjourned their quarterly meeting.
“What do you think about our computer security problem?” he asked Gladys Williams, the company’s chief information officer, or CIO. He was referring to last month’s outbreak of a malicious worm on the company’s computer network.
Gladys replied, “I think we have a real problem, and we need to put together a real solution, not just a quick patch like the last time.” Eighteen months ago, the network had been infected by an employee’s personal USB drive. To prevent this from happening again, all users in the company were banned from using USB drives.
Fred wasn’t convinced. “Can’t we just add another thousand dollars to the next training budget?”
Gladys shook her head. “You’ve known for some time now that this business runs on technology. That’s why you hired me as CIO. I have some experience at other firms and I’ve been researching information security, and my staff and I have some ideas to discuss with you. I’ve asked Charlie Moody to come in today to talk about it. He’s waiting to speak with us.”
When Charlie joined the meeting Fred said, “Hello, Charlie. As you know, the Board of Directors met today. They received a report on the expenses and lost production from the worm outbreak last month, and they directed us to improve the security of our technology. Gladys says you can help me understand what we need to do about it.”
“To start with,” Charlie said, “instead of setting up a computer security solution, we need to develop an information security program. We need a thorough review of our policies and practices, and we need to establish an ongoing risk management program. There are some other things that are part of the process as well, but these would be a good start.”
“Sounds expensive,” said Fred.
Charlie looked at Gladys, then answered, “Well, there will be some extra expenses for specific controls and software tools, and we may have to slow down our product development projects a bit, but the program will be more of a change in our attitude about security than a spending spree. I don’t have accurate estimates yet, but you can be sure we’ll put cost-benefit worksheets in front of you before we spend any money.”
Fred thought about this for a few seconds. “OK. What’s our next step?”
Gladys answered, “First, we need to initiate a project plan to develop our new information security program. We’ll use our usual systems development and project management approach. There are a few differences, but we can easily adapt our current models. We’ll need to appoint or hire a person to be responsible for information security.”
“Information security? What about computer security?” asked Fred.
Charlie responded, “Information security includes computer security, plus all the other things we use to do business: procedures, data, networks, our staff, and computers.”
“I see,” Fred said. “Bring me the draft project plan and budget in two weeks. The audit committee of the board meets in four weeks, and we’ll need to report our progress.”
Soon after the board of directors meeting, Charlie was promoted to Chief Information Security Officer, a new position that reports to the CIO, Gladys Williams, and that was created to provide leadership for SLS’s efforts to improve its security profile.
Questions:
1. How do Fred, Gladys, and Charlie perceive the scope and scale of the new information security effort?
2. How will Fred measure success when he evaluates Gladys’ performance for this project? How will he evaluate Charlie’s performance?
3. Which of the threats discussed in this chapter should receive Charlie’s attention early in his planning process?