Deck 11: Computer Crime and Information Technology Security

Fill in the blanks below with appropriate terminology from CoBIT.
A. ______ auditors exchange information with one another to maintain strong corporate and IT governance.
B. ______ is directly responsible for choosing a public accounting firm to do external audits.
C. _______ holds IT and information security management accountable for value delivery, an element of IT governance.
D. __________ should provide information about risk management, an element of IT governance, to the board of directors.
E. Information about internal control flows two ways between the audit committee and ______.
F. Internal auditors exchange various kinds of information with corporate employees in ______.
G. Stakeholders rely on _____ for assurance about various forms of control.
H. The board of directors provides information about _____ to shareholders and employees.
I. Through the ___, external auditors interact with the corporate board of directors.j. Ultimately, ____ hold the board of directors accountable with respect to corporate governance.
A. internal and externalb. the audit committeec. the board of directorsd. information technology and information security managemente. external auditorsf. information technology and information security managementg. external auditorsh. financial a

Based on the list provided in the text, indicate the type of computer criminal described in each of the following.
A. A young, inexperienced hacker who uses tools written by others for the purpose of attacking systems
b. Could seriously disrupt power grids, telecommunications and transportation
c. Hackers driven by financial gain
d. Recruit talented hackers to handle the technical aspects of crime
e. Someone who invades an information system for malicious purposes
f. Take advantage of networked systems by turning to computer intrusion techniques to gather the information they desire
g. The largest threat to a company's information systems

List the elements of Carter's taxonomy of computer crime.

The CoBIT framework can be used to strengthen internal controls against computer crime in various ways. Indicate whether each statement below is
(a) always true,
(b) sometimes true or
(c) never true.
a. As a form of internal control, each step of the systems development life cycle focuses on one of CoBIT's information criteria.
b. CoBIT can be used in conjunction with the COSO internal control framework to identify appropriate control activities.
c. CoBIT provides standards for evaluating information inputs and outputs that can help strengthen internal control.
d. The board of directors, as part of the CoBIT accountability framework, helps create a strong environment that values internal control and risk management.
e. The COSO enterprise risk management framework requires the use of CoBIT to identify risks.

Jack conducted an Internet search for examples of computer crime that resulted in the items listed below. Which type of computer criminal is described in each? Be as specific as possible in your responses.
A. Boris and Natasha coordinated ten people who sent out e-mails asking the recipients to purchase fake lottery tickets.
B. Gil, an IT consultant for DMM Corporation, stole personal information about corporate executives and sold it to tabloid newspapers.
C. Marie, the chief information officer of RBC Corporation, planted a logic bomb in case she ever lost her job.
D. Timothy shut down traffic lights on a major street in his city in an effort to cause serious traffic accidents.
E. Zachary used a computer program he found on the Internet to "kill" characters in an online game.

The chapter discussed the four elements of Carter's taxonomy of computer crime, eleven business risks / threats to information systems and seven common types of computer criminals. Classify each item below using each of them.

Information technology controls can be classified as physical, technical or administrative. Consider each independent situation below; suggest one control from the indicated classification that would address (prevent / detect / correct) the risk.a) A bank's customer database is hacked.Administrative: _____________________________________________
b) A careless employee spills coffee on a network server.Physical: _____________________________________________
c) A corporation's sales data are manipulated by a member of the sales staff. Technical: _____________________________________________
d) A former employee introduces a logic bomb to a company's payroll system.Administrative: _____________________________________________
e) A political candidate's web site is defaced.Technical: _____________________________________________
f) A senior citizen sends money to a fake religious organization based on a fraudulent e-mail.Administrative: _____________________________________________
g) A waitress steals a customer's credit card number.Physical: _____________________________________________
h) An employee uses work time to shop online using the company's computer. Administrative: _____________________________________________
i) Corporate spies steal research and development information. Technical: _____________________________________________
j) Fake compromising photos of a corporate CEO are posted to a social networking site. Technical: _____________________________________________
A. regular security auditsb. encase the server in a cabinetc. system access logd. policy to remove employees from the system when they leave the companye. password rotationf. security trainingg. customers pay at the registerh. appropriate use poli

The CoBIT framework identifies seven information criteria. In each example below, indicate one criterion that is met AND one that is not met in the space provided.

Which element of Carter's taxonomy of computer crime is associated with each item below?
A. Computer is not required for the crime but is related to the criminal act
b. Computer is used to commit the crime
c. Computer use may make a crime more difficult to trace
d. Growth of the Internet creates new ways of reaching victims
e. Objective is to impact the confidentiality, availability and / or integrity of data
f. Presence of computers has generated new versions of fairly traditional crimes
g. Targets the system or its data
h. Technological growth creates new crime targets
i. Use of the computer simplifies criminal actions
j. Uses the computer to further a criminal end

In each statement that follows, circle the business risk or threat that most clearly applies based on the list provided in the text.
A. Disclosure of confidential information or intrusion: Employee data are made available on the Internet.
B. DOS attacks or extortion: Prevent computer systems from functioning in accordance with their intended purpose.
C. Error or web site defacement: Digital graffiti
d. Fraud or error: Losses can vary widely depending on where the problem originated.
E. Information theft or information manipulation: An employee creates fake refunds to benefit a family member.
F. Intrusion or extortion: Main objective is to gain access to a network.
G. Intrusion or service interruption: Classified as accidental, willful neglect or malicious behavior.
H. Malicious software or information theft: Logic bombs, replicating worm, Trojan horse.
I. Service interruption or disclosure of confidential information: Can lead to missed deadlines for receivables or payables.j. Web site defacement or extortion: Criminal contacts an organization after successfully stealing information.

Ethan is an information technology security consultant. He has been asked to speak to a local professional organization about ways to strengthen internal controls against computer crime, and wants to relate his comments to the CoBIT framework. Prepare a short summary of the key points Ethan should make in his presentation; ensure that each one has a clear relationship to the CoBIT framework.

The chapter discussed seven types of computer criminals and eleven examples of risks and threats to information systems. Consider the items below, each of which pairs a type of computer criminal with a risk; provide a specific example based on both items.
A. Organized crime, extortion
b. Terrorist, service interruption / delay
c. Insider, error
d. Cyber-criminal, information theft

In your own words, explain the relationship between each of the following groups found in the CoBIT accountability framework:
A. Audit committee, external audit
b. Board of directors, IT and information security management
c. Employees, board of directors