Deck 10: Computer Crime and Information Technology Security

The chapter discussed eleven examples of risks and threats to information systems and seven enablers from the COBIT framework.Consider the items below, each of which pairs risk with an enabler; explain how the two are related.The first item is done as an example.
a.Fraud/Processes.Every organization should have a process in place for reporting suspected fraud.
b.Information theft/Information.
c.Malicious software/Services, infrastructure and applications.
d.Disclosure of confidential information/Culture, ethics and behavior.
e.Service interruptions and delays/Organizational structures.
f.Fraud/People, skills and competencies.

The chapter discussed the four elements of Carter's taxonomy of computer crime and eleven business risks/threats to information systems.Classify each item below using each of them.

In each statement that follows, circle the business risk or threat that most clearly applies based on the list provided in the text.
a.Disclosure of confidential information or intrusion: Employee data are made available on the Internet.
b.DOS attacks or extortion: Prevent computer systems from functioning in accordance with their intended purpose.
c.Error or web site defacement: Digital graffiti.
d.Fraud or error: Losses can vary widely depending on where the problem originated.
e.Information theft or information manipulation: An employee creates fake refunds to benefit a family member.
f.Intrusion or extortion: Main objective is to gain access to a network.
g.Intrusion or service interruption: Classified as accidental, willful neglect or malicious behavior.
h.Malicious software or information theft: Logic bombs, replicating worm, Trojan horse.
i.Service interruption or disclosure of confidential information: Can lead to missed deadlines for receivables or payables.
j.Web site defacement or extortion: Criminal contacts an organization after successfully stealing information.

For each IT control listed below, indicate the group which most clearly applies: (a) physical security control, (b) technical security control or (c) administrative security control.1.Audible alarm when a computer detects a virus-infected e-mail attachment
2.Conflict of interest policy
3.Different passwords for each ERP module
4.Filing cabinets requiring keys
5.Fire suppression systems
6.Keystroke monitoring software
7.Locking compartments in desks
8.Log-ins requiring fingerprint identification
9.Mandatory password rotation
10.Periodic internal audits

The COBIT framework comprises five principles and seven enablers.In your own words, explain the relationship between each principle and enabler paired below; the first one is done as an example.
a.Meeting stakeholder needs/People, skills and competencies.People inside and outside the organization are stakeholders.
b.Covering the enterprise end-to-end/Processes.
c.Applying a single integrated framework/Principles, policies and frameworks.
d.Enabling a holistic approach/Information.
e.Separating governance from management/Culture, ethics and behavior.
f.Meeting stakeholder needs/Processes.

List the elements of Carter's taxonomy of computer crime.

Which element of Carter's taxonomy of computer crime is associated with each item below?
a.Computer is not required for the crime but is related to the criminal act
b.Computer is used to commit the crime
c.Computer use may make a crime more difficult to trace
d.Growth of the Internet creates new ways of reaching victims
e.Objective is to impact the confidentiality, availability and/or integrity of data
f.Presence of computers has generated new versions of fairly traditional crimes
g.Targets the system or its data
h.Technological growth creates new crime targets
i.Use of the computer simplifies criminal actions
j.Uses the computer to further a criminal end

Fill in the blanks below according to the principles and enablers of the COBIT framework.
a.___, policies and frameworks.
b.Applying a ___.
c.Covering the enterprise ___.
d.Culture, ___ and behavior.
e.Enabling a ___ approach.
f.Meeting ___ needs.
g.Organizational ___.
h.People, ___ and ___.
i.Separating ___ from ___.
j.Services, infrastructure and ___.

Ethan is an information technology security consultant.He has been asked to speak to a local professional organization about ways to strengthen internal controls against computer crime, and wants to relate his comments to the COBIT framework.Prepare a short summary of the key points Ethan should make in his presentation; ensure that each one has a clear relationship to the COBIT framework.

Information technology controls can be classified as physical, technical or administrative.Consider each independent situation below; suggest one control from the indicated classification that would address (prevent/detect/correct) the risk.a) A bank's customer database is hacked.Administrative: _____________________________________________
b) A careless employee spills coffee on a network server.Physical: _____________________________________________
c) A corporation's sales data are manipulated by a member of the sales staff.Technical: _____________________________________________
d) A former employee introduces a logic bomb to a company's payroll system.Administrative: _____________________________________________
e) A political candidate's web site is defaced.Technical: _____________________________________________
f) A senior citizen sends money to a fake religious organization based on a fraudulent e-mail.Administrative: _____________________________________________
g) A waitress steals a customer's credit card number.Physical: _____________________________________________
h) An employee uses work time to shop online using the company's computer.Administrative: _____________________________________________
i) Corporate spies steal research and development information.Technical: _____________________________________________
j) Fake compromising photos of a corporate CEO are posted to a social networking site.Technical: _____________________________________________

The CoBIT framework can be used to strengthen internal controls against computer crime in various ways.Indicate whether each statement below is (a) always true, (b) sometimes true or (c) never true.1.As a form of internal control, each step of the systems development life cycle focuses on one of CoBIT's enablers.2.CoBIT can be used in conjunction with the COSO internal control framework to identify appropriate control activities.3.CoBIT's principles provide detailed standards for evaluating information inputs and outputs that can help strengthen internal control.4.As defined in CoBIT, organizational stakeholders include management and employees.5.The COSO enterprise risk management framework requires the use of CoBIT to identify risks.

A private university maintains sensitive information about its donors in both a paper file and an electronic database.Using the three-part control taxonomy discussed in the chapter, identify and describe two controls in each category that should be implemented to prevent/detect/correct the risk that such information might be compromised.