UNIVERSITAS INDONESIA

CASE STUDY 5
INFORMATION SYSTEMS SECURITY: SHANGHAI WIRELESS CAFE

SISTEM INFORMASI DAN PENGENDALIAN INTERNAL

Chitarani Kartikadewi - 1406524682

Desi Susanti - 1406524695
Karina Ayu Ditriani - 1406524713

FAKULTAS EKONOMI
PROGRAM MAKSI-PPAK

OKTOBER 2014

CHAPTER I
INTRODUCTION

CHAPTER II
META-PERSPECTIVE OF MANAGING INFORMATION RESOURCES AND
SECURITY

The Information System Vulnerability

Information resources (physical resources, data, software, procedures, and other information
resources) are scattered throughout the firm. Information is transmitted to and from the firms
components. Therefore vulnerabilities exist at many points and at any time.

System Vulnerability
A universal vulnerability is a state in a computing system which either: allows an attacker to
execute commands as another user; allows an attacker to access data that is contrary to the access
restrictions for that data; allows an attacker to pose as another entity; or allows an attacker to
conduct a denial of service.
An exposure is a state in a computing system (or set of systems) which is not a universal
vulnerability, but either: allows an attacker to conduct information gathering activities; allows an
3

attacker to hide activities; includes a capability that behaves as expected, but can be easily
compromised; is a primary point of entry that an attacker may attempt to use to gain access to the
system or data; and is considered a problem according to some reasonable security policy.
The vulnerability of information systems is increasing as we move to a world of networked and
especially wireless computing. Theoretically, there are hundreds of points in a corporate
information system that can be subject to some threats. These threats can be classified as:
1. Unintentional
a. Human errors
b. Environmental hazards
c. Computer system failures
2. Intentional
a. Theft of data
b. Inappropriate use of data
c. Theft of mainframe computer time
d. Theft of equipment and/or programs
e. Deliberate manipulation in handling
f. Entering data
g. Processing data
h. Transferring data
i. Programming data
j. Labor strikes
k. Riots
l. Sabotage
4

m. Malicious damage to computer resources

n. Destruction from viruses and similar attacks
o. Miscellaneous computer abuses
p. Internet fraud.
q. Terrorists attack
Protecting Information Resources
Information security problems are increasing rapidly, causing damage to many organizations.
Protection is expensive and complex. Therefore, companies must not only use controls to prevent
and detect security problems, they must do so in an organized manner. An approach similar to
TQM (total quality management) would have the following characteristics:

Aligned. The program must be aligned with organizational goals.

Enterprisewide. Everyone in the organization must be included.

Continuous. The program must be operational all the time.

Proactive. Use innovative, preventive, and protective measures.

Validated. The program must be tested to ensure it works.

Formal. It must include authority, responsibility & accountability

The difficulties in protecting information resources are:

Hundreds of potential threats exist
Computing resources may be situated in many locations
Many individual control information assets
Computer networks can be outside the organization and difficult to protect

 Rapid technological changes make some controls obsolete as soon as they are installed
Many computer crimes are undetected for a long period of time, so it is difficult to learn
from experience
People tend to violate security procedures because the procedures are inconvenient
Many computer criminals who are caught go unpunished, so there is no deterrent effect
The amount of computer knowledge necessary to commit computer crimes is usually
minimal. As a matter of fact, one can learn hacking, for free, on the internet
The cost of preventing hazards can be very high. Therefore, most organizations simply
cannot afford to protect against all possible hazards
It is difficult to conduct a cost-benefit justification for controls before an attack occurs
since it is difficult to assess the value of a hypothetical attack
Defense Strategy (Protecting, Controls, and Information Security)
Knowing about potential threats to IS is necessary, but understanding ways to defend against
these threats is equally critical. Because of its importance to the entire enterprise, organizing an
appropriate defense system is one of the major activities of the CIO. It is accomplished by
inserting controls (defense mechanisms) and developing awareness. The major objectives of a
defense strategy are:
1. Prevention and deterrence.
2. Detection.
3. Limitation of damage.
4. Recovery.
5. Correction
6. Awareness and compliance
6

Any defense strategy involves the use of several controls. These controls are divided into two
categories general controls that protect the system regardless of the specific application and
application controls that safeguard specific applications. Over the Internet, messages are sent
from one computer to another. This makes the network difficult to protect, since there are many
points to tap into the network. The major objective of border security is access control. Then
authentication or proof of identity and finally authorization which determine the action or
activities a user is allowed to perform.
Business Continuity
An important element in any security system is the business continuity plan, also known as the
disaster recovery plan. Such a plan outlines the process by which businesses should recover from
a major disaster.

The purpose of a business continuity plan is to keep the business running after a disaster
occurs.

Recovery planning is part of asset protection.

Planning should focus on recovery from a total loss of all capabilities.

Proof of capability usually involves some kind of what-if analysis that shows that the
recovery plan is current.

All critical applications must be identified and their recovery procedures addressed.

The plan should be written so that it will be effective in case of disaster.

The plan should be kept in a safe place; copies should be given to all key managers; or it
should be available on the Intranet and the plan should be audited periodically.

Internal Control
Internal control is a process, affected by an entitys board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives
relating to operations, reporting, and compliance. Internal control helps entities achieve
important objectives and sustain and improve performance.
COSOs Internal ControlIntegrated Framework (Framework) enables organizations to
effectively and efficiently develop systems of internal control that adapt to changing business
7

and operating environments, mitigate risks to acceptable levels, and support sound decision
making and governance of the organization. Designing and implementing an effective system of
internal control can be challenging; operating that system effectively and efficiently every day
can be daunting. New and rapidly changing business models, greater use and dependence on
technology, increasing regulatory requirements and scrutiny, globalization, and other challenges
demand any system of internal control to be agile in adapting to changes in business, operating
and regulatory environments.
An effective system of internal control demands more than rigorous adherence to policies and
procedures: it requires the use of judgment. Management and boards of directors use judgment to
determine how much control is enough. Management and other personnel use judgment every
day to select, develop, and deploy controls across the entity. Management and internal auditors,
among other personnel, apply judgment as they monitor and assess the effectiveness of the
system of internal control.
Internal control is not a serial process but a dynamic and integrated process. The Framework
applies to all entities: large, mid-size, small, for-profit and not-for-profit, and government bodies.
However, each organization may choose to implement internal control differently. For instance, a
smaller entitys system of internal control may be less formal and less structured, yet still have
effective internal control.

CHAPTER III
PROBLEM CASE
Questions:
1. What particular exposures and vulnerabilities can you identify for information
technologies at The Wireless Caf? As the restaurants information systems become
automated, what are some intentional and unintentional threats the information is exposed
to?
2. Youd like to suggest that Jade and Jimmy institute a formal set of security controls
covering all of their computerized information. What physical and application controls
would be appropriate in a restaurant? Consider that the restaurant workers are in a
different setting than an office worker, they are quite mobile, and they often dont have
full computer access to information.
3. Restaurants are much more prone to physical disasters, such as kitchen fires, that typical
offices are. You want to recommend to Jimmy and Jade that they prepare a disaster
recovery plan for the cafs data and software assets. What steps will you take to help
them prepare a disaster recovery plan? Consider the web site, web-based applications, onsite applications, and all of the associated databases
Answer to Question 1
The Shanghai Wireless Caf serves as a restaurant as well as a hotspot for wireless users.
Information is transmitted to and from the firms components; therefore vulnerabilities exist at
many points and at any time. Exposures and vulnerabilities that Shanghai Wireless Caf can
encounter are:
1. There is an error in the companys website, if we choose the Employee Login screen in
the website, by default there is an employee ID and password which already been input
on the screen. Therefore anyone can enter the employee site without having the employee
ID and password.
2. Accidental errors in the storage and database system, such as software failures,
installation error, and error that caused by installation of unauthorized software.

3. Virus that can cause by free internet access from Local Area Network provided by the
Shanghai Wireless Caf.
4. Virus that can cause by inserting data storage device or other mobile disks and minimum
anti-virus software that installed in the system.
5. Unauthorized access to the Local Area Network as well as the main database in the
storage system can cause information leakage that can compromise the company.
6. Abuse of controls that can caused by minimum supervisor and low internal control of the
company, such as theft of confidential material, copying and transmitting important
information to the competitor, and duplication of confidential reports.
7. Minimum security mechanisms from the system program, such as bypassing security
mechanisms, disabling security mechanisms, and installing or initializing insecure
system.
8. Physical theft of the PC or other hardware caused by located in insecure environment
9. Natural disasters, such as earthquake, fire, or flood.
Theoretically, there are hundreds of points in a corporate information system that can be subject
to some threats. As the restaurants information systems become automated, here are the threats
that jeopardize the safety of the Information System in Shanghai Wireless Caf:
Intentional Threats
o Theft of data
o Inappropriate use of data
o Theft of equipment and/or programs
o Deliberate manipulation in handling the data (entering the data, processing the
data, transferring the data, and programming the data)
o Labor strikes
o Sabotage
o Malicious damage to computer resources
10

o Destruction from viruses and programming attacks

o Miscellaneous computer abuses
o Internet fraud
Unintentional Threats
o Human errors
o Environmental hazards
o Computer system failures
Answer to Question 2
Physical and application controls which would be appropriate in a restaurant are as follows:
1. Physical controls

Every computer must be stored in secure office room.

CCTV must be placed in front of the room, inside the room facing the PC, and
inside the room facing the front door.

The office room must be locked at all times using Smart Cards and Fingerprints,
and the Smart Cards are held by Person in Charge (PIC of every room). Though
the spare Smart Cards must be held by the securities.

Take in turns holding the Smart Cards for office room in order to minimize the
risk of burglary.

Having Chief Information Security Officer on Senior Level Management who is

responsible to secure companys relevant information. The Chief Information
Security is responsible holding the Master Smart Cards for all office room.

Holding annual meeting and training about System Protection Awareness for
senior supervisors and officers.

2. Application controls

11

The management must protect their companys website, especially for the
Employee Login Screen. Every person that enter the employees site must sign in
their own employee ID and password (not set by default).

Installing the latest anti-virus

Maintaining the application system regularly

Back up the data regularly

Having encrypted computers, which cannot share internal data to third parties

Installing firewall on the server to prevent data thief

Analyzing systems application log regularly

Creating Intrusion Detection System to alert if there is any suspicious activity

of companys Local Area Network

Answer to Question 3
Disaster recovery plan for the cafs data and software assets:
-

Having all risk insurance for the restaurant, including the office equipment

Back-up data regularly on different database which is connected online to the server that
placed on other location (ie: rented house)

Use cloud computing to eliminate the cost of losing the companys database (using multilevel authentication process and having the latest firewall)

12