ais chapter 11 case 1-3

Chapter 11: Computer Crime, Fraud, Ethics and Privacy

Submitted by: Group 4

Queennie CATALUÑA, Mhelizza CORPUS, Lhezel CUADRA, Mary Joy DE LEON, Erika DE TORRES, John Ray DEL MUNDO, Harold DELA FUENTE, Erly Mae DESCALZO, Angelo DULDULAO, Lady ESPIRITU, Jerome ESPINA

Upload: harold-dela-fuente

Post on 02-Mar-2016


7/18/2019 AIS Chapter 11 Case 1-3

http://slidepdf.com/reader/full/ais-chapter-11-case-1-3 1/7

 


Case 1. Ashley Company (Diskless PC System and Security Threats)

To address the need for tighter data controls and lower support costs, the Ashley Company has adopted a new diskless PC system. It is little more than a mutilated personal computer described as a “gutless wonder.” The basic concept behind the diskless PC is simple: a LAN server-based file system of high-powered diskless workstations is spread throughout a company and connected with a central repository or mainframe. The network improves control by limiting user access to company data previously stored on desktop hard disks. Since the user can destroy or delete only the information currently on the screen, an organization's financial data are protected from user-instigated catastrophes. The diskless computer also saves money in user support costs by distributing applications and upgrades automatically, and by offering online help.

1. What threats in the information processing and storage system do diskless PCs minimize?

Diskless PCs minimize the threat of a virus entering the system from a floppy disk, the theft of company data or software by copying it onto a floppy disk, the installation and use of unauthorized software, and data being downloaded from the system, changed, and never re-entered into the centralized system because it is stored on the user's hard disk. In that last case two versions of the data exist, and all other users who access the data from the main system use a different version than the one stored on the hard disk. Data is also more secure because it is located at the server. Aside from this, computer viruses cannot attack diskless computers, as they do not have any hard disk, and so cannot do any damage to them. Only a single server box needs to be protected against virus attack. Moreover, the server can optimize the usage of disk space by sharing it among many diskless computer users. Fault tolerance against hard disk failure is possible by using RAID (redundant array of independent disks) on the main server. Furthermore, there is zero administration on the diskless client side: diskless computers are absolutely maintenance free and trouble free. Likewise, a diskless PC eliminates the cost of a CD-ROM, floppy, tape drive, modem, UPS battery, printer parallel ports, and serial ports. It also prevents pilferage of hardware components, as a diskless node has very little RAM and a low-cost CPU. The server has lots of memory and many powerful CPUs.

2. Do the security advantages of the new system outweigh potential limitations? Discuss.

• These security advantages have to be weighed against the risks of storing all information in one location (if the mainframe or the network goes down, no one can use their computers since there is no data to work with), and the lack of flexibility that arises from the inability to use the microcomputer to enter data, store it locally, and process it. (In essence, it takes away some of the advantages of end-user computing.)

• There is no way to know whether the security advantages outweigh the disadvantages, inasmuch as it will depend on the company and the specific circumstances.

Case 2. Mark Goodwin Resort (Valuable-Information Computer Offense)

The Mark Goodwin Resort is an elegant summer resort located in a remote mountain setting. Guests visiting the resort can fish, hike, go horseback riding, swim in one of three hotel pools, or simply sit in one of the many lounge chairs located around the property and enjoy the spectacular scenery. There are also three dining rooms, card rooms, nightly movies, and live weekend entertainment.


The resort uses a computerized system to make room reservations and bill customers. Following standard policy for the industry, the resort also offers authorized travel agents a 10 percent commission on room bookings. Each week, the resort prints an exception report of bookings made by unrecognized travel agents. However, the managers usually pay the commission anyway, partly because they don't want to anger the travel agencies and partly because the computer file that maintains the list of authorized agents is not kept up to date.

Although management has not discovered it, several employees now exploit these facts to their own advantage. As often as possible, they call the resort from outside phones, pose as travel agents, book rooms for friends and relatives, and collect the commissions. The incentive is obvious: rooms costing as little as $100 per day result in payments of $10 per day to the “travel agencies” that book them. The scam has been going on for years, and several guests now book their rooms exclusively through these employees, finding these people particularly courteous and helpful.

1. Would you say this is a “computer crime”? Why or why not?

Computer crime is defined as offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm to the victim directly or indirectly, using modern telecommunication networks such as the Internet. For us, the case indeed involves computer crime because the employees commit the manipulation of a computer or computer data, by whatever method, to dishonestly obtain money, property, or some other advantage of value, or cause a loss. Several employees now exploit these facts to their own advantage. As often as possible, they call the resort from outside phones, pose as travel agents, book rooms for friends and relatives, and collect the commissions. Ergo, the employees gain an illegal financial advantage and cause measurable loss to the company.

2. What controls would you recommend that would enable the resort's managers to thwart such offenses?

To prevent the crime, computer security should begin with top management and security policies. This would help with employee (a) compliance with security procedures, (b) sensitivity to potential problems, and (c) awareness of why computer abuse is important. First, for compliance with security procedures, the managers should justify the correctness and accuracy of their exception report to detect bookings made by unrecognized travel agents. Also, they must update the computer file that maintains the list of authorized agents. Likewise, sensitivity to potential problems and awareness of why computer abuse is important can be achieved through employee education. The resort manager should also inform employees of the significance of computer crime and abuse, the amount it costs, and the work disruption it creates, to help employees understand why computer offenses are a serious matter. Also, management should allow employees to report any suspicious activity anonymously. This would help to detect fraud and embezzlement.

3. How does the matter of “accountability” (tracing transactions to specific agencies) affect the problem?

Ethical executives acknowledge and accept personal accountability for the ethical quality of their decisions and omissions to themselves, their colleagues, their companies, and their communities.


For this reason, accountability is one of the major factors that cause the problem: allowing exceptions to the rule (e.g., paying commissions to unrecognized agents) weakens the company's checks and balances. Accountability is a critical factor in the level of trust and confidence in transactions and reports. Mismanagement, waste, and lack of transparency in operations can affect the business.

Case 3. The Department of Taxation (Data Confidentiality)

The Department of Taxation of one state is developing a new computer system for processing state income tax returns of individuals and corporations. The new system features direct data input and inquiry capabilities. Identification of taxpayers is provided by using the Social Security numbers of individuals and federal identification numbers for corporations. The new system should be fully implemented in time for the next tax season. The new system will serve three primary purposes:

• Data will be input into the system directly from tax returns through CRT terminals located at the central headquarters of the Department of Taxation.

• The returns will be processed using the main computer facilities at central headquarters. The processing includes (1) verifying mathematical accuracy; (2) auditing the reasonableness of deductions, tax due, and so forth, through the use of edit routines; these routines also include a comparison of the current year's data with prior years' data; (3) identifying returns that should be considered for audit by revenue agents of the department; and (4) issuing refund checks to taxpayers.

• Inquiry service will be provided to taxpayers on request through the assistance of Tax Department personnel at five regional offices. A total of 50 CRT terminals will be placed at the regional offices.

A taxpayer will be able to determine the status of his or her return or to get information from the last three years' returns by calling or visiting one of the department's regional offices. The state commissioner of taxation is concerned about data security during input and processing over and above protection against natural hazards such as fires or floods. This includes protection against the loss or damage of data during data. In addition, the tax commissioner and the state attorney general have discussed the general problem of data confidentiality that may arise from the nature and operation of the new system. Both individuals want to have all potential problems identified before the system is fully developed and implemented so that the proper controls can be incorporated into the new system.

1. Describe the potential confidentiality problems that could arise in each of the following three areas of processing and recommend the corrective action(s) to solve the problems: (a) data input, (b) processing returns, (c) data inquiry.

a. Confidentiality problems which could arise in the processing of input data, and recommended corrective actions, are as follows:


Problem: Unauthorized user of terminal.
Controls:
• Limit physical access to terminal room used for data input and/or require data input personnel to wear color-coded badges for identification.
• Use different passwords for each operator and change them frequently.

Problem: On-line modification of program by operator to by-pass controls.
Controls:
• Prohibit program modification from input or inquiry terminals.
• Secure the documentation that indicates how to perform operations other than input of tax returns.

Problem: Use of equipment for unauthorized processing or searching through files.
Controls:
• User and terminal passwords that limit access to only that part of the system needed for input of current tax data.
• Secure the documentation that indicates how to perform operations other than input of tax returns.

b. Confidentiality problems which could arise in the processing of returns, and recommended corrective actions, are as follows:

Problem: Operator intervention to input data or to gain output from files.
Controls:
• Limit operator access to only that part of the documentation needed for equipment operation.
• Prohibit operators from writing programs and designing the system.
• Daily review of console log messages and/or run times.

Problem: There might be attempts to screen individual returns on the basis of surname, sex, race, etc., rather than tax liability.
Controls:
• Institute programming controls such that there is a definite sequence to creating or maintaining programs. This sequence should contain reviews at general levels and complete trial runs.

c. Confidentiality problems which could arise in the inquiry of data, and recommended corrective actions, are as follows:

Problem: Unauthorized user with a valid taxpayer ID using the system.
Controls:
• Use a sign-in/sign-out register for persons using the system.
• Require users to show some form of identification.
• Use a programmed sequence of questions which only valid users are likely to be able to answer.
• Prohibit phone responses.

Problem: Taxpayer or regional state employee use of equipment for unauthorized processing or searching through files.
Controls:
• User and terminal passwords to limit terminals to output of tax information.
• Secure the documentation that indicates how to perform other than taxpayer inquiries.
• Have the terminals lock out for repeated errors or attempts to break security.
• Have a code system that logs each entry and data inquiry by user.
• Daily activity reporting to supervisors and/or auditors showing terminal numbers, user numbers, type of processing, name of files accessed, and unacceptable requests.
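The last three inquiry controls (terminal lockout, per-user logging, and the daily activity report) can be combined in one routine. The sketch below is an added example, not part of the group's submission; the log layout, the terminal and user numbers, and the three-failure lockout threshold are assumptions made for illustration.

```python
from collections import Counter, defaultdict

MAX_FAILED = 3                          # assumed lockout threshold (not from the page)
INQUIRY_ONLY = {"sign_in", "inquiry"}   # processing an inquiry terminal may perform

# Constructed sample log: (terminal no., user no., type of processing, file, outcome)
SAMPLE_LOG = [
    ("T07", "U114", "inquiry", "returns_2015", "ok"),
    ("T07", "U114", "inquiry", "returns_2014", "ok"),
    ("T12", "U230", "sign_in", "-", "bad_password"),
    ("T12", "U230", "sign_in", "-", "bad_password"),
    ("T12", "U230", "sign_in", "-", "bad_password"),
    ("T12", "U230", "inquiry", "returns_2015", "ok"),        # arrives after lockout
    ("T31", "U502", "data_entry", "returns_2015", "ok"),     # input from inquiry terminal
    ("T31", "U502", "program_change", "edit_routines", "ok"),
]


def daily_activity_report(log, max_failed=MAX_FAILED):
    """Replay one day's log; return (per-terminal report, set of locked terminals)."""
    failures, locked = Counter(), set()
    report = defaultdict(lambda: {"users": set(), "types": Counter(),
                                  "files": set(), "unacceptable": []})
    for terminal, user, kind, file_name, outcome in log:
        row = report[terminal]
        row["users"].add(user)
        row["types"][kind] += 1
        if terminal in locked:
            reason = "terminal locked"
        elif kind not in INQUIRY_ONLY:
            reason = "not permitted on inquiry terminal"
        elif outcome != "ok":
            reason = outcome
        else:
            if file_name != "-":
                row["files"].add(file_name)   # only successful inquiries touch a file
            continue
        row["unacceptable"].append((user, kind, reason))
        if reason != "terminal locked":
            failures[terminal] += 1
            if failures[terminal] >= max_failed:
                locked.add(terminal)          # lock out after repeated errors
    return dict(report), locked


if __name__ == "__main__":
    report, locked = daily_activity_report(SAMPLE_LOG)
    for terminal, row in sorted(report.items()):
        print(terminal, sorted(row["users"]), dict(row["types"]),
              sorted(row["files"]), row["unacceptable"])
    print("locked:", sorted(locked))
```

Requests that arrive on a locked terminal are still written to the report, so the supervisor sees what was attempted after the lockout as well as what triggered it.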


2. The State Tax Commission wants to incorporate controls to provide data security against the loss, damage, or improper input or use of data during data input and processing. Identify the potential problem (outside of natural hazards such as fire or floods) for which the Department of Taxation should develop controls, and recommend possible control procedures for each problem identified.

Potential problems and possible controls to provide data security against loss, damage, and improper input or use of data are as follows:

Problem: Loss of tax return data before any file updates.
Controls:
• Keep copies of tax returns in a safe location and (temporarily) organized in a fashion for reprocessing if necessary.
• Maintain a transaction log on magnetic tape for possible recall.

Problem: Improper input or use of data during processing.
Controls:
• Verify data entry or enter twice by different operators.
• Prohibit data entry through inquiry terminals.
• Process routine items at specified times thus preventing unauthorized runs of vital information.

Problem: Incomplete processing of tax returns.
Controls:
• Computer prompting of terminal operators for appropriate input.
• Balancing of computer processing at each stage back to input and run control totals.

Problem: Fraudulent program modifications entered from input or inquiry terminals.
Controls:
• Prohibit programming from input or inquiry terminals; log all such attempts on console log for immediate supervisory action.
• Periodic checks of all packages so that any illegal modifications can be detected.
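Balancing each processing stage back to input and run control totals, as recommended for incomplete processing, can be shown on a small batch. This is an added example, not part of the group's submission; the record layout, stage names, taxpayer IDs and amounts are constructed for illustration.

```python
from decimal import Decimal

# Constructed batch; the nine-digit IDs are made-up values, not real identifiers.
INPUT_BATCH = [
    {"taxpayer_id": "900000001", "tax_due": "1200.00"},
    {"taxpayer_id": "900000002", "tax_due": "310.50"},
    {"taxpayer_id": "900000003", "tax_due": "45.25"},
]


def control_totals(records):
    """Record count, amount total, and hash total (sum of IDs) for one batch."""
    return {
        "count": len(records),
        "tax_due": sum((Decimal(r["tax_due"]) for r in records), Decimal("0")),
        "id_hash": sum(int(r["taxpayer_id"]) for r in records),
    }


def balance_stages(input_batch, stages):
    """Balance every stage back to the input totals; return the out-of-balance items."""
    expected = control_totals(input_batch)
    breaks = []
    for stage_name, records in stages:
        actual = control_totals(records)
        for field in expected:
            if actual[field] != expected[field]:
                breaks.append((stage_name, field, expected[field], actual[field]))
    return breaks


def sample_stages():
    """Three constructed stage outputs: clean, one mis-keyed ID, one dropped return."""
    miskeyed = [dict(r) for r in INPUT_BATCH]
    miskeyed[1]["taxpayer_id"] = "900000020"      # transposed digits at re-entry
    return [
        ("math_check", list(INPUT_BATCH)),
        ("edit_routines", miskeyed),
        ("refund_run", INPUT_BATCH[:2]),           # processing stopped early
    ]


if __name__ == "__main__":
    for item in balance_stages(INPUT_BATCH, sample_stages()):
        print("OUT OF BALANCE:", item)
```

The mis-keyed ID leaves the record count and the amount total unchanged, so only the hash total exposes it; the dropped return breaks all three totals.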