Ch 5 Homework
2. Using the data classification scheme in this chapter, identify and classify the information in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information would be confidential, sensitive but unclassified, or for public release?
Answer: Confidential: Client bank and credit card statements, tax information
Sensitive but unclassified: Client contact information (addresses, phone numbers, etc.)
Public: General company documents
4. How might XYZ Software Company arrive at the values in the table shown in Exercise 3? For each entry, describe the process of determining the cost per incident and frequency of occurrence.
Answer: XYZ probably employed an economic feasibility study or cost-benefit analysis to arrive at the values in the table.
For each entry in the table, the cost per incident and frequency of occurrence could have been reached through various methods, including benchmarking, best practices, and baselining. These techniques encompass internal investigation and asset valuation, along with information that has been gathered by other sources in the industry, such as frequency of virus, worm, or Trojan attacks. All of these methods can be combined to provide the information listed in the table.
As Charlie wrapped up the meeting, he ticked off a few key reminders for everyone involved in the asset identification project.
“Okay, everyone, before we finish, please remember that you should try to make your asset lists complete, but be sure to focus your attention on the more valuable assets first. Also, remember that we evaluate our assets based on business impact to profitability first, and then economic cost of replacement. Make sure you check with me about any questions that come up. We will schedule our next meeting in two weeks, so please have your draft inventories ready.”
Answer: Yes, Charlie can organize the work before the meeting because he identified the needs of the work and prepared a work plan for design and submitted it to each employee. He planned everything properly and assessed the needs of the group and identified key aspects of the work plan and how it affected each individual.
Answer: Yes, the company can get useful information from the team because the main purpose of the meeting is to deliver a work plan for securing assets.
Ethical Decision Making
Suppose Amy Windahl left the kickoff meeting with a list of over 200 assets that needed to be evaluated. When she looked at the amount of effort needed to finish assessing the asset values and their risk evaluations, she decided to “fudge” the numbers so that she could attend a concert and then spend the weekend with her friends. In the hour just before the meeting in which the data was due, she made up some values without much consideration beyond filling in the blanks. Is Amy’s approach to her assignment ethical?
Answer: No, Amy's approach to the assignment is not ethical. If she wants to leave for a concert or enjoy her weekend, then it is ethical to ask permission to postpone the submission. It is more likely that permission will be granted because it is just a kickoff meeting (not very urgent).
After the kickoff meeting, suppose Charlie had said, “Amy, the assets in your department are not that big of a deal for the company, but everyone on the team has to submit something. Just put anything on the forms so we can check you off the list, and then you will get the bonus being paid to all team members. You can buy me lunch for the favor.”
Is Amy now ethically justified in falsifying her data? Has Charlie acted ethically by establishing an expected payback for this arrangement?
Answer: No, she is not ethically justified in falsifying the data. Just because she was told to write something by her immediate superior (Charlie) does not mean she should do it, because she works for the organization, not for a single person. Even if she was told the assets are not important, it is her moral responsibility to perform the work as described in the meeting, or she may submit the work giving approximate values. No, Charlie did not act ethically. If the work given to Amy is not really important, then he should have mentioned it in the meeting, or he should never have encouraged her to submit the work (as falsified data is of no use). Moreover, Charlie expected a payback from Amy, which clearly shows that he skipped some rules of his work ethics and wanted a payback for this activity.