ais chapter 11 case 1-3
7/18/2019 AIS Chapter 11 Case 1-3
http://slidepdf.com/reader/full/ais-chapter-11-case-1-3 1/7
Chapter 11: Computer Crime, Fraud, Ethics and Privacy
Submitted by:
Group 4
Queennie CATALUÑA
Mhelizza CORPUS
Lhezel CUADRA
Mary Joy DE LEON
Erika DE TORRES
John Ray DEL MUNDO
Harold DELA FUENTE
Erly Mae DESCALZO
Angelo DULDULAO
Lady ESPIRITU
Jerome ESPINA
Case 1. Ashley Company (Diskless PC System and Security Threats)
To address the need for tighter data controls and lower support costs, the Ashley Company has adopted
a new diskless PC system. It is little more than a mutilated personal computer described as a “gutless
wonder.” The basic concept behind the diskless PC is simple: a LAN server-based file system of
high-powered diskless workstations is spread throughout a company and connected with a central repository or
mainframe. The network improves control by limiting user access to company data previously stored on
desktop hard disks. Since the user can destroy or delete only the information currently on the screen,
an organization's financial data are protected from user-instigated catastrophes. The diskless computer
also saves money in user support costs by distributing applications and upgrades automatically, and by
offering online help.
1. What threats in the information processing and storage system do diskless PCs minimize?
Diskless PCs minimize the threat of a virus entering the system from a floppy disk, the theft of company data or software by copying it onto a floppy disk, the installation and use of unauthorized software, and data being downloaded from the system, changed, and never re-entered into the centralized system because it is stored on the user's hard disk. In that case two versions of the data exist, and all other users who access the data from the main system use a different version than the one stored on the hard disk. There is also more security of data, as it is located at the server. Aside from this, computer viruses cannot attack diskless computers, as they do not have any hard disk. A virus cannot do any damage to diskless computers. Only a single server box needs to be protected against virus attack. Moreover, the server can optimize the usage of disk space through sharing by many diskless computer users. Fault tolerance of hard disk failure is possible by using RAID (redundant array of independent disks) on the main server. Furthermore, there is zero administration at the diskless client side. Diskless computers are absolutely maintenance free and trouble free. Likewise, a diskless PC eliminates the cost of CD-ROM, floppy, tape drive, modem, UPS battery, printer parallel ports, and serial ports. It also prevents pilferage of hardware components, as a diskless node has very little RAM and a low-cost CPU. The server has lots of memory and many powerful CPUs.
2. Do the security advantages of the new system outweigh potential limitations? Discuss.
• These security advantages have to be weighed against the risks of storing all information in one
location (If the mainframe or the network goes down, no one can use their computers since there
is no data to work with), and the lack of flexibility that arises from the inability to use the
microcomputer to enter data, store it locally, and process it. (In essence, it takes away some of
the advantages of end-user computing.)
• There is no way to know whether the security advantages outweigh the disadvantages,
inasmuch as it will depend on the company and the specific circumstances.
Case 2. Mark Goodwin Resort (Valuable-Information Computer Offense)
The Mark Goodwin Resort is an elegant summer resort located in a remote mountain setting. Guests
visiting the resort can fish, hike, go horseback riding, swim in one of three hotel pools, or simply sit in one
of the many lounge chairs located around the property and enjoy the spectacular scenery. There are also
three dining rooms, card rooms, nightly movies, and live weekend entertainment.
The resort uses a computerized system to make room reservations and bill customers. Following
standard policy for the industry, the resort also offers authorized travel agents a 10 percent commission
on room bookings. Each week, the resort prints an exception report of bookings made by unrecognized
travel agents. However, the managers usually pay the commission anyway, partly because they don't
want to anger the travel agencies and partly because the computer file that maintains the list of
authorized agents is not kept up to date.
Although management has not discovered it, several employees now exploit these facts to their own
advantage. As often as possible, they call the resort from outside phones, pose as travel agents, book
rooms for friends and relatives, and collect the commissions. The incentive is obvious: rooms costing as
little as $100 per day result in payments of $10 per day to the “travel agencies” that book them. The
scam has been going on for years, and several guests now book their rooms exclusively through these
employees, finding these people particularly courteous and helpful.
1. Would you say this is a “computer crime”? Why or why not?
Computer crime is defined as offences that are committed against individuals or groups of
individuals with a criminal motive to intentionally harm the reputation of the victim or cause
physical or mental harm to the victim directly or indirectly, using modern telecommunication
networks such as the Internet. For us, the case indeed involves computer crime because the
employees commit the manipulation of a computer or computer data, by whatever method, to
dishonestly obtain money, property, or some other advantage of value, or cause a loss. Several
employees now exploit these facts to their own advantage. As often as possible, they call the
resort from outside phones, pose as travel agents, book rooms for friends and relatives, and
collect the commissions. Ergo, the employees gain an illegal financial advantage and cause
measurable loss to the company.
2. What controls would you recommend that would enable the resort's managers to thwart such
offenses?
To prevent the crime, computer security should begin with top management and security
policies. This would help employees with (a) compliance with security procedures, (b) sensitivity to
potential problems, and (c) awareness of why computer abuse is important. First, for compliance with
security procedures, the managers should justify the correctness and accuracy of their exception
report so that it detects bookings made by unrecognized travel agents. Also, they must
update the computer file that maintains the list of authorized agents. Likewise, sensitivity to
potential problems and awareness of why computer abuse is important can be
addressed through employee education. The resort managers should also inform employees of the
significance of computer crime and abuse, the amount it costs, and the work disruption it creates,
to help employees understand why computer offenses are a serious matter. Also, management
should allow employees to report any suspicious activity anonymously. This
would help to detect fraud and embezzlement.
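One way to turn the weekly exception report into a preventive control, as an added example that is not part of the original case answers: commissions for agents missing from the authorized file are held for review instead of paid, and a stale agent file is itself reported. The record layout, the 30-day freshness limit and all sample data are assumptions constructed for illustration.

```python
from datetime import date

COMMISSION_RATE = 0.10   # 10 percent commission stated in the case
MAX_FILE_AGE_DAYS = 30   # assumed freshness limit for the authorized-agent file

# Constructed sample data (not from the case)
AUTHORIZED_AGENTS = {"TA-1001": "Summit Travel", "TA-1002": "Lakeview Tours"}
AGENT_FILE_UPDATED = date(2019, 3, 1)
BOOKINGS = [
    {"id": "B1", "agent_id": "TA-1001", "nights": 3, "rate": 100.0, "caller": "555-0101"},
    {"id": "B2", "agent_id": "TA-9999", "nights": 2, "rate": 100.0, "caller": "555-0199"},
    {"id": "B3", "agent_id": "TA-9999", "nights": 5, "rate": 100.0, "caller": "555-0199"},
    {"id": "B4", "agent_id": "TA-1002", "nights": 1, "rate": 250.0, "caller": "555-0102"},
]

def settle_commissions(bookings, authorized, file_updated, today):
    """Pay recognized agents; hold every other commission for management review."""
    result = {"paid": {}, "held": {}, "warnings": []}
    age = (today - file_updated).days
    if age > MAX_FILE_AGE_DAYS:
        result["warnings"].append(
            f"authorized-agent file is {age} days old; update it before settlement")
    for b in bookings:
        commission = round(b["nights"] * b["rate"] * COMMISSION_RATE, 2)
        bucket = "paid" if b["agent_id"] in authorized else "held"
        # Group by agency so every payment traces back to one agent record
        entry = result[bucket].setdefault(
            b["agent_id"], {"total": 0.0, "bookings": [], "callers": set()})
        entry["total"] = round(entry["total"] + commission, 2)
        entry["bookings"].append(b["id"])
        entry["callers"].add(b["caller"])
    return result

if __name__ == "__main__":
    report = settle_commissions(BOOKINGS, AUTHORIZED_AGENTS,
                                AGENT_FILE_UPDATED, date(2019, 7, 18))
    for warning in report["warnings"]:
        print("WARNING:", warning)
    for bucket in ("paid", "held"):
        for agent, entry in sorted(report[bucket].items()):
            print(bucket.upper(), agent, entry["total"],
                  entry["bookings"], sorted(entry["callers"]))
```

Held entries keep the booking ids and caller numbers together per agency, which is the tracing that question 3 on accountability asks about.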
3. How does the matter of “accountability” (tracing transactions to specific agencies) affect the
problem?
Ethical executives acknowledge and accept personal accountability for the ethical quality of their
decisions and omissions to themselves, their colleagues, their companies, and their communities.
For this reason, accountability is one of the major factors that cause the problem: allowing
exceptions to the rule (e.g., paying commissions to unrecognized agents) weakens the checks and
balances of the company. Accountability is a critical factor in the level of trust and
confidence in transactions and reports. Mismanagement, waste, and lack of transparency in
operations can affect the business.
Case 3. The Department of Taxation (Data Confidentiality)
The Department of Taxation of one state is developing a new computer system for processing state
income tax returns of individuals and corporations. The new system features direct data input and inquiry
capabilities. Identification of taxpayers is provided by using the Social Security numbers of individuals
and federal identification numbers for corporations. The new system should be fully implemented in time
for the next tax season. The new system will serve three primary purposes:
• Data will be input into the system directly from tax returns through CRT terminals located at the
central headquarters of the Department of Taxation.
• The returns will be processed using the main computer facilities at central headquarters. The
processing includes (1) verifying mathematical accuracy; (2) auditing the reasonableness of
deductions, tax due, and so forth, through the use of edit routines; these routines also include a
comparison of the current year's data with prior years' data; (3) identifying returns that should be
considered for audit by revenue agents of the department; and (4) issuing refund checks to
taxpayers.
• Inquiry service will be provided to taxpayers on request through the assistance of Tax
Department personnel at five regional offices. A total of 50 CRT terminals will be placed at the
regional offices.
A taxpayer will be able to determine the status of his or her return or to get information from the last three
years' returns by calling or visiting one of the department's regional offices. The state commissioner of
taxation is concerned about data security during input and processing over and above protection against
natural hazards such as fires or floods. This includes protection against the loss or damage of data
during data. In addition, the tax commissioner and the state attorney general have discussed the general
problem of data confidentiality that may arise from the nature and operation of the new system. Both
individuals want to have all potential problems identified before the system is fully developed and
implemented so that the proper controls can be incorporated into the new system.
1. Describe the potential confidentiality problems that could arise in each of the following three
areas of processing and recommend the corrective action(s) to solve the problems: (a) data input,
(b) processing returns, (c) data inquiry.
a. Confidentiality problems which could arise in the processing of input data, and recommended
corrective actions, are as follows:
Problem: Unauthorized user of terminal.
Controls:
• Limit physical access to terminal room used for data input and/or require data input personnel to wear color-coded badges for identification.
• Use different passwords for each operator and change them frequently.

Problem: On-line modification of program by operator to bypass controls.
Controls:
• Prohibit program modification from input or inquiry terminals.
• Secure the documentation that indicates how to perform operations other than input of tax returns.

Problem: Use of equipment for unauthorized processing or searching through files.
Controls:
• User and terminal passwords that limit access to only that part of the system needed for input of current tax data.
• Secure the documentation that indicates how to perform operations other than input of tax returns.
b. Confidentiality problems which could arise in the processing of returns, and recommended
corrective actions, are as follows:
Problem: Operator intervention to input data or to gain output from files.
Controls:
• Limit operator access to only that part of the documentation needed for equipment operation.
• Prohibit operators from writing programs and designing the system.
• Daily review of console log messages and/or run times.

Problem: There might be attempts to screen individual returns on the basis of surname, sex, race, etc., rather than tax liability.
Controls:
• Institute programming controls such that there is a definite sequence to creating or maintaining programs. This sequence should contain reviews at general levels and complete trial runs.
c. Confidentiality problems which could arise in the inquiry of data, and recommended
corrective actions, are as follows:
Problem: Unauthorized user with a valid taxpayer ID using the system.
Controls:
• Use a sign-in/sign-out register for persons using the system.
• Require users to show some form of identification.
• Use a programmed sequence of questions which only valid users are likely to be able to answer.
• Prohibit phone responses.

Problem: Taxpayer or regional state employee use of equipment for unauthorized processing or searching through files.
Controls:
• User and terminal passwords to limit terminals to output of tax information.
• Secure the documentation that indicates how to perform other than taxpayer inquiries.
• Have the terminals lock out for repeated errors or attempts to break security.
• Have a code system that logs each entry and data inquiry by user.
• Daily activity reporting to supervisors and/or auditors showing terminal numbers, user numbers, type of processing, name of files accessed, and unacceptable requests.
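The lockout, entry-logging and daily activity report controls listed for data inquiry, sketched as an added example that is not part of the original case answers. The log record layout, the action names, the three-failure lockout threshold and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 3                                   # assumed: consecutive failures before lockout
ALLOWED_ACTIONS = {"STATUS_INQUIRY", "RETURN_INQUIRY"}  # assumed names; inquiry terminals are output-only

# Constructed sample log: (time, terminal, user, action, file, identification_ok)
EVENTS = [
    ("09:01", "T07", "U112", "STATUS_INQUIRY", "returns_2018", True),
    ("09:05", "T07", "U112", "RETURN_INQUIRY", "returns_2017", True),
    ("09:12", "T19", "U204", "STATUS_INQUIRY", "returns_2018", False),
    ("09:12", "T19", "U204", "STATUS_INQUIRY", "returns_2018", False),
    ("09:13", "T19", "U204", "STATUS_INQUIRY", "returns_2018", False),
    ("09:14", "T19", "U204", "STATUS_INQUIRY", "returns_2018", True),
    ("10:30", "T07", "U112", "DATA_ENTRY", "returns_2018", True),
    ("11:02", "T23", "U330", "STATUS_INQUIRY", "returns_2018", False),
    ("11:03", "T23", "U330", "STATUS_INQUIRY", "returns_2018", True),
]

def daily_activity_report(events):
    """Return (activity per (terminal, user), set of locked-out terminals)."""
    failures = defaultdict(int)
    locked = set()
    report = defaultdict(lambda: {"processing": {}, "files": set(), "unacceptable": []})
    for time, terminal, user, action, file, ident_ok in events:
        row = report[(terminal, user)]
        if terminal in locked:
            # A locked terminal stays refused until a supervisor resets it
            row["unacceptable"].append((time, "terminal locked out"))
        elif not ident_ok:
            failures[terminal] += 1
            row["unacceptable"].append((time, "failed identification"))
            if failures[terminal] >= LOCKOUT_THRESHOLD:
                locked.add(terminal)
        elif action not in ALLOWED_ACTIONS:
            failures[terminal] = 0
            row["unacceptable"].append((time, action + " not permitted from inquiry terminal"))
        else:
            failures[terminal] = 0
            row["processing"][action] = row["processing"].get(action, 0) + 1
            row["files"].add(file)
    return dict(report), locked

if __name__ == "__main__":
    report, locked = daily_activity_report(EVENTS)
    for (terminal, user), row in sorted(report.items()):
        print(terminal, user, row["processing"], sorted(row["files"]), row["unacceptable"])
    print("locked terminals:", sorted(locked))
```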
2. The State Tax Commission wants to incorporate controls to provide data security against the
loss, damage, or improper input or use of data during data input and processing. Identify the
potential problem (outside of natural hazards such as fire or floods) for which the Department of
Taxation should develop controls, and recommend possible control procedures for each problem
identified.
Potential problems and possible controls to provide data security against loss, damage, and
improper input or use of data are as follows:
Problem: Loss of tax return data before any file updates.
Controls:
• Keep copies of tax returns in a safe location and (temporarily) organized in a fashion for reprocessing if necessary.
• Maintain a transaction log on magnetic tape for possible recall.

Problem: Improper input or use of data during processing.
Controls:
• Verify data entry or enter twice by different operators.
• Prohibit data entry through inquiry terminals.
• Process routine items at specified times thus preventing unauthorized runs of vital information.

Problem: Incomplete processing of tax returns.
Controls:
• Computer prompting of terminal operators for appropriate input.
• Balancing of computer processing at each stage back to input and run control totals.

Problem: Fraudulent program modifications entered from input or inquiry terminals.
Controls:
• Prohibit programming from input or inquiry terminals; log all such attempts on console log for immediate supervisory action.
• Periodic checks of all packages so that any illegal modifications can be detected.