Discussion 1Small Business RiskTanya's Toy Shop is a small business that makes and sells wooden toys in Detroit, Michigan. The business consists of a manufacturing plant in Dearborn, Michigan, where t

Discussion 1

Small Business Risk

Tanya's Toy Shop is a small business that makes and sells wooden toys in Detroit, Michigan. The business consists of a manufacturing plant in Dearborn, Michigan, where the toys are created, an assembly area at the back of the shop in Detroit where the toys are assembled, and a storefront area where the toys are sold. Tanya has struggled to keep her business running since the downturn in the economy devastated her home state. Tanya hires out-of-work GM workers to run the lathes and other equipment in the manufacturing plant and hires disabled workers to assemble the toys in the back of her shop. Tanya and her daughter run the storefront, which is open from 9AM to 3PM on Mondays, Wednesdays, and Fridays. They keep the key to the shop in a fake rock beside the door of the shop so the workers can let themselves in to work when they arrive ahead of either Tanya or her daughter.

The equipment that is installed at the Dearborn plant includes a CAD system that runs the lathes and an inventory and order management system that was created by a former employee, who was subsequently fired for stealing money from the cash registers in the shop. Tanya recently learned that he had been arrested and was to be tried on embezzlement charges relating to work he had done for another business following his firing from her business. She was surprised to find him waiting for her in the store one day recently but was happy when he told her that he felt badly and was there to apologize for his behavior and was looking for development work while he was out on bail. She took his contact information and told him she would let him know if she needed any support with the software he had developed.

Tanya, in her attempt to keep the business alive and to prevent job loss for her family of workers, has cut corners in all other areas of the business. She has eliminated the consultants who were helping support the IT infrastructure at the manufacturing plant. She runs the shop with a manual cash register and stores receipts in a canvas bag and has begun doing her own taxes because she can no longer afford the services of an accountant. She is so overwhelmed with her financial situation that she took out a second mortgage on her house and filed an extension on her taxes because she just cannot cope with trying to figure out why it seems as though business is better than what is showing up in her cash receipts.

Use the study materials and engage in any research needed to fill in knowledge gaps. Discuss the following:

· Where are the areas of vulnerability identified in this scenario?

· What is the total risk associated with the developer turned embezzler that Tanya may not have yet discovered?

· How would you approach determining exactly what the level of risk is and the potential damage that has been done by the former software developer?

Minimum 350 words

Discussion 2

Determining Jurisdiction

John Miller is the information security and privacy officer of a local county-owned teaching hospital. He is new to his position and began his work by evaluating the existing security and privacy controls that are in place in the institution. He is also new to information security, having only recently graduated with a BS in information security with professional experience as an active-directory administrator for two years. This work with active directory created his interest in pursuing a position in the field of security. Because he has most experience in the area of account management, user creation and management, groups, roles and group policy, these are the areas where he began his work. He found literally hundreds of idle accounts indicating that users are created but are not properly discontinued when medical students, nursing students, and other employees move on and no longer need access to the data collected and stored by the hospital. This discovery inspired him to begin digging into other aspects of the security controls, and he found evidence of malware on the servers that house the data collected and stored for use by the hospitals clinical systems. His next discovery was the most alarming. The objective of the malware that had deeply infested the hospital systems was to package and transmit all available data to a remote host located in North Korea. John is clearly in over his head at this point and needs to act quickly to resolve this situation and stop the flow of personally identifiable health information to an unauthorized third party.

Use the study materials and any additional research needed to fill in knowledge gaps. Then discuss the following:

• What primary laws, regulations, or statutes have been violated by this lack of attention to controls, leading to this serious breach of security?
• What channels of communication should John enlist to assist him in resolving this matter, and in what order should those communication sources be contacted?
• What tools and any supporting resources are available to John to determine the breadth of the breach and the mitigations available to secure those assets?

Minimum 350 words