Read the opening and closing cases very carefully and answer the case discussion and ethical decision-making questions. Make sure to answer the questions thoughtfully and completely in paragraph format and with proper English (grammar and punctuation matters). Do not write out the questions or put your answers in a bulleted format. A header for the Discussion Question section and one for the Ethical Decision Making section would be appropriate. Thoroughly explain your answers. For example, tell WHY the categories you picked best describe what is going on in the situation, don't just list categories.

Opening Scenario

JJ had become quite bored with the discussion that was taking place in the conference room and had let his mind wander as he stared out the window. Paul frowned at him while repeating the question JJ had not heard. "Which sensor placement strategy do you think will get us the best network performance? For the IDPSyou knowthe project we're working on in this meeting?" "Well," said JJ, "truth be told, I wonder if the network approach is the right way to go. I think we should move toward a host-based model and limit the network intrusion system to a few critical subnetworks." Paul thought about it for a second. "Good point," he said, then paused again before saying, "Funny, I thought you were daydreaming, but that's an interesting observation. I would like you to work up a new rough design based on a host-centric approach. We can review it tomorrow when we continue this meeting." "OK, Paul," said JJ. Later that day, JJ came into Paul's office. "I've got a couple of ideas that I'd like your opinion on." "Shoot," said Paul. "I just attended a presentation where a CIO discussed ways to cut information security spending," JJ said. "There were some, well, radical ideas that paid off for that company." "I'm all ears," Paul replied. The idea of going into this process with a cost-effective strategy had his undivided attention. "Well, this CIO indicated that the firm had invested quite a large amount of money in proprietary security technologieseverything from firewalls to scanners to intrusion detectors. They then discovered that the maintenance and upgrade packages were costing more than the initial equipment purchase had." "I know that feeling," said Paul. "Well, they discovered that there is a lot of open source software out there; you know, the Linux and UNIX stuff," JJ continued. "Uh, oh," Paul said, stopping JJ in his tracks. "I see a potential problem there. We don't have any UNIX or Linux people on staff." "That was the point," JJ said, leaning over and tapping Paul's desk for emphasis. "With the money that could be saved from ending the service contracts, they were able to hire three good systems people and still save about half of the $1 million budget." "And if I don't have a million-dollar budget?" "Then we just hire one or two people, or hire one, and send one of our current network admins off to training. At the top of the list is OSSEC for host-based IDPS, and Snort for network-based IDPS. I found several local places that offer open source software training for both right here in town." "I think you're on to something," Paul said, obviously intrigued by JJ's suggestion. "Tell you what, I want you to write a business case by reviewing the current expenditures, add the projected additions from the meeting earlier today, and then balance those against the cost of a plan for an open source approach, including a new hire and training for one to two of our staff. Be brutally honest; we don't want to chase vaporware on this one. We need solid, tested stuff and the skills to support it." "Can do, Paul." JJ grinned. He liked it when Paul got behind his ideas. "And have it to me by the end of business tomorrow," Paul added. The grin disappeared from JJ's face.

Closing Scenario

"Good work, JJ!" Amanda Wilson, HAL's CIO, was pleased. And when Amanda was pleased, everybody was pleased. Only a few days after seeing JJ's preliminary findings, Paul took JJ to present again to Amanda at her request. "So, we can save almost $150,000 using these open source packages?" she asked. "Yes, ma'am," JJ replied. "I wouldn't recommend using all of them at once, but I think we could implement the top two or three within six months, once we get a new hire and a couple of our staff trained up." "And you have a personal interest in being involved in the Snort transition and in getting the corresponding training?" Amanda asked, looking at JJ across the conference table. She smiled at Paul. JJ suppressed a groan. "Uh, I would be happy to help out wherever needed," he managed to reply. "Just kidding!" Amanda laughed. "Paul said that UNIX gave you headaches. I thought I'd test the theory." "Thanks, Paul," JJ said, visibly relieved. "So, how soon can you and Paul start the job hunt for the new person?" Amanda asked. Paul spoke up. "I have drafted a job description for your review," he said. "Then it goes to Personnel. We could start interviewing by the end of next week." "Great," she said. "Get us a good one. He or she has a lot of work to do. If we're going to use Snort for the NIDPS, we still need to determine if we are going to stick with our HIDPS or look at alternatives," Amanda added. "We'll get on that right away," Paul said. As the meeting came to a close, Paul stood up and looked over at JJ to congratulate him. When he saw the look in JJ's eyes, though, he looked for a back door to the conference room.

Discussion Questions

What is one reason to avoid using open source software? If open source software is free to use without licensing costs, what other factors should be considered when evaluating the total cost of operating such software? What technologies could JJ recommend to Paul? Where could JJ go for more information on open source software? Training?

Ethical Decision Making

Suppose JJ had a close personal friend who was a very experienced IDPS specialist, with broad and deep experience with a specific IDPS software vendor. JJ thought she would be an excellent candidate for the new position. JJ told her about the opportunity, but she was not quite as enthused about applying for it as JJ had hoped. You see, there was a referral bonus, and JJ would get a tidy sum of cash if she were hired based on his recommendation. JJ told her that she needed to get on board and that he would split the referral bonus with her. Do you think that is an ethical way to encourage the candidate to apply?