Words: 964
The nformation system shutdown was caused by extensive traffic entering IVK’s network of CRM servers from many locations”an organized attack designed to prevent IVK’s security systems from identifying the attempted intrusion into its corporate network. As a result of the attack, the CRM system will not reboot; customer records cannot be accessed; the CRM system is jammed. Immediately after the attack, top management asks if these symptoms mean that an actual intrusion into its customer database has occurred; has someone exploited a security hole in the CRM system?
Is the customer database corrupted? Have customer records been compromised? Comments made by various members of the management team included the following: “There’s danger in overreacting as well as underreacting. ” “John thinks iMs malicious. ” “The attack is under control and the CRM system is backed up. ” “Is there any way to tell if bad guys were involved? ‘ “It depends on how careful they were, if they were there at all. We’re checking on that. ” “No smoking gun yet. ” “If it’s bad guys, they re very, very good. “If it was intruders, they had been deep enough into IVK’s CRM production servers to rename database files, which meant they could have also stolen customer data or corrupted it subtly. Unfortunately, the company’s CRM database does retain Social Security numbers and other information useful to identity thieves. ” “l think we need to disclose publicly that something has happened; I think we’re legally obliged to do so, in fact. ” “Actually, it is if we suspect we have. ” “So you suspect we have been compromised, maybe I don’t. “Maybe its an inside job. ” “What you’re telling me is that we are not going to know whether this is a security event by tomorrow that we may never know, at least for a long time. ” Management must decide on a course of action, such as one of the following: Do nothing”assume that the past mischief (jamming the CRM system) was the worst that the bad guys had intended”if in fact there had been bad guys. Either there were no intruders or the intruders were merely tricksters who had no malicious intentions.
Shut down the company, except for operations that could run manually, as soon as possible and rebuild critical production systems from development files”the playing-it- safe option to get the CRM system up and running. But the company would be down long enough for the public to observe and the situation will have to be explained to the stakeholders. If the customer data had been stolen, this option would do nothing to negate that action. The company could lose big time in the marketplace. Build a mirror CRM system from backed up files, then shut down the original CRM system and have it repaired while running on the mirror system.
This would be costly and would take a couple of weeks, but would result in fixing any problems possibly left behind by the bad guys and the business will not have to be shut down; IVK will not have to explain to stakeholders why the business Was being shut down. A last issue Was that CIO Barton was in New York City waiting for a conference with Wall Street nalysts. He would be explaining the strategic vision of the company and assure them that their recent successes were an indication of growth and profitability over the next few years.
A successful meeting would assure increased capital investments for IVK and an increase in stock valuation for the corporation. Should Barton mention the possible intrusion? What would be the reaction of the analysts to this news? In order to protect stockholder investments in IVK, management made the following decisions in response to the crisis: Build a mirror CRM production system over the next two weeks so hat a rebuilding of the main CRM system could occur to plug security holes and assure that another DOS attack would not be successful. Keep secret from the public that this possible security breach occurred.
Make no mention of the occurrence in the analyst conference. “Hold our breath” and hope for the best”that customer data were not compromised. Analyze the case from an ethics perspective: a. Identify the ethical dilemma faced by the CIO in this situation using the three normative theories of business ethics. Identify all stakeholders involved. How will each stakeholder group be affected by the decision taken y the management? b. Apply Mason’s PAPA framework to this situation. c. If you were the CIO, what would you have done differently to protect all stakeholders?
Write a 2-3 page (single spaced, Times New Roman, 12-point font size) report answering each of the questions above. use APA format for references. Each reference should have a matching in-text citation and vice versa. Analyses which integrate the material from the text book, class discussions, and external reference sources will receive higher points than those which don’t. Today’s senior executives are confronted with situations with multiple ncertainties, requiring collaboration and judgment from experts who know more about many aspects of the situation.
Moreover there is also very less time for them to make important decisions. Quite often they have to act in real time. With modern IT few decisions can be made in secret. While the CEO is on the ultimate “hot seat,” the pressure to provide the analysis and judgment is over to the senior executive team members (in this case it is CIO). would suggest CIO to build a foundation of trust with a well-rounded management team making sure that strong management capabilities reside n the team, and that technical expertise is accessible to the team.