PTD10 Flashcards
Melanie Hogsbath has started a successful pet lodging, grooming, care and entertainment, e.g., dog walking, business, Hogsbath’s PetPoria. Many of Melanie’s transactions are executed by credit card at her website. A customer of Melanie’s recently expressed concerns regarding entering credit card information into Melanie’s website. Melanie has called you to ask about the possibility of providing her with a more secure credit card processing system. More specifically, she has recently read an article about “encryption” and asks your opinion of its value to her business. Please write Ms. Hogsbath a memo that discusses encryption - what it is and how it may be useful to her business. Explain what system risks it may help her address. Briefly describe symmetric versus asymmetric encryption and the implications to Melanie for implementing either type of encryption for credit card information at her website.
Encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key (source: Wikipedia). Encryption technology uses a mathematical algorithm to translate cleartext (plaintext) - text that can be read and understood - into ciphertext (text which has been mathematically scrambled so that its meaning cannot be determined). A key is then required to translate the ciphertext back into plaintext.
An effective implementation of encryption can guard against risks to privacy, i.e., protection of data against unauthorized access, and authentication, i.e., user identification. Hence, well designed and implemented encryption would be useful in lessening the likelihood of the theft of credit card numbers and personal information from her website.
Symmetric encryption – also called Single-key encryption or private-key encryption uses a single algorithm to encrypt and decrypt the text. The sender uses the encryption algorithm to create the ciphertext and sends the encrypted text to the recipient; the sender must also let the recipient know which algorithm was used to encrypt the text; the recipient then uses the same algorithm (essentially running it in reverse) to decrypt the text.
Asymmetric encryption – also called public/private-key encryption and private-key encryption uses two paired encryption algorithms to encrypt and decrypt the text. If the public key is used to encrypt the text, the private key must be used to decrypt the text; conversely, if the private key is used to encrypt the text, the public key must be used to decrypt the text.
To acquire a public/private key pair, the user applies to a certificate authority (CA); the CA registers the public key on its server and sends the private key to the user; when someone wants to communicate securely with the user, they access the public key from the CA server, encrypt the message and send it to the user; the user then uses the private key to decrypt the message.
Although the ciphertext created with symmetric encryption can be very secure, the symmetric encryption methodology itself is inherently insecure because the sender must always find a way to let the recipient know which encryption algorithm to use.
Asymmetric encryption is more complicated, cumbersome, and secure. With asymmetric encryption the transmission is more secure because only the private key can decrypt the message and only the user has access to the private key. Hence, well designed asymmetric encryption offers a higher level of security but would also demand more effort from Hogsbath’s customers. In addition, as computing moves towards ubiquitous or mobile computing (e.g., m-commerce), asymmetric encryption can create compatibility problems since the certificate authority system may not yet be adapted to the latest technology platforms. Examples, as of this writing, of recently offered technologies - that may not support asymmetric encryption - are the Ipad and the iphone4.
To summarize, your online customers may desire the level and type of assurance that is provided by encryption. Specifically, encryption can be useful in reducing consumer concerns about credit card number and identity theft in online transactions. A number of alternatives exist for implementing encryption technology into online transactions. The best alternative for your business would need to be assessed based upon the level of encryption you desire and the corresponding costs associated with that level of encryption.
Sincerely,
Accountant
Willie Dixon, the President and CEO of “The Back Door Man” has a growing and successful business repairing and replacing screen doors, entry doors, and garage doors. His business includes about 1000 employees at a headquarters and 23 branch offices. The business does not have business continuity (BCPs) or disaster recovery plans (DRPs). President Dixon has requested that you draft a letter suggesting the motivation, and a process, for creating a BCP.
Type your communication in the response area below.
A business continuity plan (BCP) is critical to enabling your business to recover in the event of a natural or human-based disaster, or a disruption of services. Creating a BCP is one element of organizational risk management. Hence, developing a BCP should be part of a broader strategy and approach to addressing significant strategic and business threats and risks. The following six steps present one model of the process for developing a BCP.
Step one is to create a business continuity policy and program. Create a framework and structure for the BCP, based on an overall risk management strategy. Also identify the scope of the plan, its key roles, and assign individuals to roles.
The next step is to understand and evaluate organizational risks. Identify key organizational activities and processes to determine the activities, and their costs, that are needed to prevent their interruption, and, ensure their restoration in the event of interruption. Also, identify the maximum tolerable interruption periods by function and organizational activity.
Step three is to choose business continuity strategies. Define alternative methods to ensure sustainable delivery of products and services. Key decisions will likely include desired recovery times, distance to recovery facilities, required personnel, supporting technologies, and impact on stakeholders.
Step four is to develop and complete a BCP response by document and formalizing the BCP plan. Define protocols for defining and handling crisis incidents and create, assign roles to, and train the incidence response team(s).
Next, exercise, maintain and review the plan. Test the required technology and implement all proposed recovery processes. Update the plan as business processes and risks evolve.
Finally, embed the plan in the organization’s culture. Design and deliver education, training and awareness materials to enable effective responses to identified risks. Manage change processes to ensure that the BCP integrates into the organization’s culture.
Following these steps should enable the creation of a BCP that greatly reduces the threat of key organizational risks disrupting future business success.
Sincerely,
Accountant
The Cup-O-Cake Company manufactures cupcakes, wedding cakes, and other baked desserts which are delivered through grocery stores, caterers, and restaurants. Cupcake company has recently begun a complex IT project, built around an enterprise resource planning system, to replace accounting, customer relations management, supply chain management, and inventory control systems. Although the system is built around SAP, management decided to customize many of the SAP modules to ensure a better fit with existing organizational processes. Unfortunately, the implementation is not going well. Implemented modules, after initial testing, are evidencing difficulties, including transactions failing to execute, and data errors emerging in the enterprise-wide databases. Please write a memo to the head of the IT steering committee that considers the major roles of each of the following in resolving the above issues and problems: the IT steering committee, the lead systems analyst, applications programmers, and end-users. Also consider what processes, within the systems development lifecycle, may have led to such failures.
In relation to the issues that are emerging in the SAP implementation at Cup-O-Cake Company, we will first address the roles of the IT steering committee, the lead systems analyst, applications programmers, and end-users. We will discuss each role and its relation to the difficulties you are experiencing.
The IT steering committee bears primary responsibility for approving and prioritizing information technology projects. Their responsibility in relation to implementation failures would depend upon how their role was defined in relation to the project. Hence, it is not clear from the case what the role of the IT steering committee would be in resolving these issues.
The lead systems analyst is responsible for developing overall programming logic and functionality. Failures of the system may be an indicator of problems in this responsibility. Should be interviewed regarding why the implementation is not proceeding smoothly.
Given that considerable customization is occurring in the implementation, pinpointing the causes of these failures will be a critical diagnostic activity. Hence, interview applications programmers to help determine why these implementation failures are occurring, particularly in relation to customized programming.
Gathering additional information from end-users about when, why and how the system is failing to operate as promised will be an additional critical diagnostic activity. Hence, interviewing end users as to these issues should be informative in resolving them, by allowing for more precise diagnosis of the nature of the failures.
Failures at the implementation stage may be traced back to one of several possible failures earlier in the systems development process. We will look at the all stages for consideration.
Feasibility may have been mis-assessed in the planning and feasibility assessment stage. Hence, the system, as conceived and implemented, may be infeasible.
The assessment of system requirements may have been poorly executed, meaning that actual system requirements do not match those proposed in the system planning documents.
Failure at the design stage would lead to an improper specification of the technical system architecture or the definition of the interfaces between modules and subsystems. This could also explain the system failure.
Failure at the development stage could result in inadequate hardware and IT infrastructure for the system. This would mean that the hardware and other IT (for example network) resources may be inadequate to the demands of the system.
A failure at the testing stage may result from inadequate testing at normal operational loads, meaning that the system may work in a test environment but may fail in the more demanding, actual environment within which the system must work.
A failure at the implementation stage may result from inadequate training of users in the new system or in insufficient time to allow users to gain a complete working knowledge of the new system.
Please consider the above and let us know if you have further questions or would like to discuss further.
Sincerely,
Accountant
report a content error
