The ChoicePoint Attack – Case Study. Team F Susan Crowley Nafisah Hunter Beata Kolodziej Ingrid Macias Toni Steiner Maria Velasco.


1 The ChoicePoint Attack – Case Study

2 Team F Susan Crowley Nafisah Hunter Beata Kolodziej Ingrid Macias Toni Steiner Maria Velasco

3 Toni

4 ChoicePoint exposed itself to considerable expense, problems and possible loss of brand confidence. What are the ethical issues? What is ChoicePoint’s response? Did ChoicePoint choose wisely?

5 Full disclosure
- Legal
  - California Security Breach Notice Law
  - Security Freeze Law
  - www.annualcreditreport.com
  - www.consumersunion.org/campaigns/Breach_laws_May05.pdf
  - www.consumer.gov/idtheft.com
  - www.privacyrights.org

6 Consider the question from the viewpoint of
- Customers
  - The customers had a right to know that their information had been compromised.
  - It was the morally right thing for ChoicePoint to do.
- Law enforcement personnel
  - Law enforcement personnel needed to know so that they could conduct their own investigation and possibly catch the criminals.
- Investors
  - The price of their stock would decline when the news was disclosed, but in the long term it would help that ChoicePoint did not hide the facts.

7 Management
- Senior management must make prudent decisions in light of available information.
- They must consider the factors and take cost-effective action to reduce probable losses.
  - Every company must periodically evaluate its security program.

8 A corporation has obligations, not just to its stockholders, but also to all the other constituencies that affect or are affected by its behavior, that is, to all parties that have a stake in what a corporation does or doesn’t do.

9 Corporations have responsibilities beyond simply enhancing their profits because, as a matter of fact, they have such great social and economic power in our society. With that power must come social responsibility.

10 Beata

11 Given ChoicePoint’s experience, what is the likely action of similar companies whose records are compromised in this way?
- This crime is an example of a failure of authentication, not a network break-in; ChoicePoint's firewalls and other safeguards were not harmed.
- The likely action that similar companies should take to avoid such problems in the future could be issuing more authentication methods.
Given your answer, do you think federal regulations and additional laws are required?

12 For example:
- Include a username, a password, and some sample questions whose answers will be known only to a given individual.
- Also, evaluate the security program of the given company at a given time.
- Keep an eye on the activity of the accounts so every abnormality will be quickly spotted.

13 Given your answer, do you think federal regulations and additional laws are required?
- Given that there is an increasing level of identity theft in this country even though companies are trying to find security solutions for it, there is a definite need for tougher laws that will protect people when information about them is stolen, or when somebody is simply using that information without their consent.
- Regulations must be clear that identity theft is a serious crime, and that there is a punishment for those who commit it.

14 What other steps could be taken to ensure that data vendors notify people harmed by data theft?
- Security needs to be applied closely to the information it is protecting to be effective.
- Make the information less available for "third parties" google documents.
- Ensure that protection cannot be arbitrarily removed by end-users or system administrators.
- Control access and usage privileges.

15 Ingrid

16 Visit http://choicepoint.com. Summarize the products that ChoicePoint provides. What seems to be the central theme of this business?

17 Business and Non-Profit Solution LexisNexis® Risk Solutions delivers comprehensive credentialing, background screening, authentication, direct marketing and public records services to businesses and nonprofit organizations.

18 Government Solutions LexisNexis® Risk Solutions provides information, analysis and distribution solutions to advance the efforts of law enforcement, public safety, health care, child support enforcement, entitlement and other public agencies.

19 Central theme: LexisNexis Risk Solutions delivers actionable intelligence to help clients make critical business decisions with confidence and speed. Their solutions are designed to serve the multi-billion dollar risk information industry, which includes professionals and organizations in areas such as insurance, law enforcement...

20 Nafisah

21 Review the security policy material in this chapter and reflect on an appropriate program policy for ChoicePoint. Describe why ChoicePoint needs a security policy. Who and what should be governed by such a policy?

22 Consider not only employees, but also
- Data subjects
- Customers
- Data sources
- Partners

23 Why does ChoicePoint need a security policy? ChoicePoint needs one in order to meet its business mission, which is to provide risk-management and fraud-prevention data. ChoicePoint's most important asset is information. Data sources must feel confident that ChoicePoint can ensure the confidentiality, integrity and availability of this asset. Security should be integrated into ChoicePoint's business processes to protect information and assets that support its business.

24 Goal of Security Program To protect information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. Assets to be protected are computer facilities, programs, and sensitive data. This policy will ensure the enforcement of security programs and policies. The Office of the Chief Information Officer will be responsible for managing security programs and policies.

25 Who will be governed by the security policy?
- Employees
- Customers
- Data Sources (public & private)
- Partners (City of Denver's Vital Records Dept)
- Data Subjects (those on whom data is maintained)

26 Human Safeguards ChoicePoint Should Consider
- Customers would have to enter into contracts that set up security measures appropriate to the sensitivity of the data they are supplied.
- Customers would be subjected to screening / background checks for authenticity of their business.
- Customers receive security training.
- Provide accounts and passwords for customers (low security level and temporary access).

27 Susan

28 Suppose that ChoicePoint decides to establish a formal security policy on the issue of inappropriate release of personal data. Summarize the issues that ChoicePoint should address.

29

