Discuss the Security Program for FoodLand.
In this report, the security aspects of FoodLand Supermarkets, a retail store in South Australia, are evaluated and highlighted. FoodLand has been witnessing strong growth during the past decades, and there is a need to establish strong security measures to protect its systems and data from threats. The growth of the internet and related technologies has enabled the company to expand its operations onto the world-wide-web. At the same time, threats and attacks on transactions and systems are on the rise, and FoodLand faces the threat of cyber security attacks on its operations. In order to establish a strong security mechanism for the company, the existing security scenario in FoodLand is first examined.
FoodLand Supermarkets perform business transactions through their website. Recent security incidents and breaches on the internet show there has been an increase in cyber crime (Roberts, et al. 2012), particularly targeting e-commerce sites, where hackers target financial accounts and customer data along with personal details like credit card numbers, passwords, and bank details. The company has a good reputation and respects the privacy of the customers using its website, but it is concerned that in a data breach its customers' personally identifiable information could be compromised and misused by hackers (Weber, 2010). In addition, the company shares its customer data with vendors and other partners who offer extended offers, coupons, and promotions for FoodLand’s customers. This is a further threat because the company does not have control over its customer data once shared. The website offers authentication by username and password, and after verification the customer can make an online purchase transaction.
Many consumers in Australia prefer to make online purchases on a daily basis for their convenience and ease of use (McHenry, 2013). At the same time, online fraud is also on the rise. There are numerous cases showing that hackers steal important credit card information while a user is making an online transaction, and hackers find it easier when consumers make use of open wireless networks for transacting (Hu et al. 2011).
The following security challenges are faced by the retailer in their services.
The objectives of the report are as follows:
Having understood the threats faced by FoodLand, the report provides details on the security program required by the company. The report also explores the need for a security structure in the organization and identifies training needs on security (Puhakainen and Siponen, 2010). The use of ISO standards in the implementation of a security plan is explored for its suitability to FoodLand. Security certifications may help in implementing good security practices and procedures and thereby improve its security posture, so the need for security certification as an option is examined. Lastly, the report provides a risk assessment that identifies key threats for FoodLand and the type of controls required to mitigate those risks to a minimum level.
As mentioned earlier, customers make use of unsecured wireless networks to make online transactions. In addition, the number of customers using the online services is increasing. It is important to understand that unsecured wireless networks pose serious threats to data while it is being transmitted (Cavallari et al. 2014). Because of unsecured networks, many top threats and vulnerabilities exist that make retailers like FoodLands Supermarket an easy target for attackers and hackers (Romanosky et al. 2011). Therefore, it is crucial for FoodLands to safeguard customer details and data and to protect against these security threats.
The large proliferation of Internet of Things (IoT) devices used in retail business processes (Haller and Magerkurth, 2011) adds to the existing threat landscape. Retailers make use of IoT devices to manage inventory, perform mobile transactions, measure the temperature of certain food stuffs, monitor store temperature, and so on. IoT devices are connected to the main IT network infrastructure and transmit data constantly over the network. These devices are easily vulnerable to attacks, and particularly when IoT devices participate in wireless networks, their level of vulnerability increases. This is one important challenge for which the company has to put adequate security measures in place.
In addition to the wireless networks and the use of IoT devices, the company is vulnerable to credit-card payment fraud, which is another major problem worldwide (Dal Pozzolo et al. 2014). Credit card theft is quite common when the card is not protected by a chip and PIN (Personal Identification Number) (Asani, 2014). The security issues arising out of credit card fraud have resulted in deterioration of brands and customer trust (Rao et al. 2014). FoodLands is aware of these concerns in its PoS systems and online portal. A data security breach is another significant threat, where attackers steal customer data and misuse it for their own gains. Customer data is normally most exposed at POS systems at the time of purchasing products or while making an online payment (Murdoch and Anderson, 2010). This is another important aspect of security in FoodLands.
Security vulnerabilities and attacks can have a huge negative impact on business operations, reputation and profits. A review of overall security indicated that the business could be impacted by loss of value for shareholders, reduced profits, a decline in trust with customers, and deterioration of brand and reputation. This can further result in a significant reduction in online transactions, thus reducing profits for the company. In addition to these effects, hackers make use of the holiday season to exploit the maximum number of vulnerabilities in retailer systems (Bruner, 2014).
Therefore, data security involves not only overcoming technical flaws in systems but also many other aspects, such as customer service, awareness of security issues, user training and protection of individual rights. Comprehensive security measures required for FoodLands will include,
The overall security program (Norman, 2016) will consist of the following
The overall security program will take into consideration the above aspects; user training on security is also required so that users are aware of the security implementation.
Security implementations may require following new procedures like authentication or validation. A successful security project implementation will assimilate the proposed changes into the organization. When new technologies and policies are implemented in FoodLands, there is a need for employee training and education. Training is mostly done after the new security policies and procedures are already implemented and in place. It is also highly important to note that untrained users can work around and bypass controls, and this can create additional vulnerabilities in the system (Whitman and Mattord, 2012). FoodLands must plan for training within three weeks before the new policies and security systems are implemented and online. In addition to training, the security project must ensure that compliance documents are made available to all employees for them to read, understand and agree to the new policies.
Training plans will also ensure that users follow certain procedures while using IT systems and are aware of the importance of information in the company. The following points can be fulfilled through training,
Training is an inherent part of ensuring a culture of security (Tsohou et al, 2010) in the company.
FoodLands can consider best practices and global standards in implementing its systems security and ensuring data protection. The International Standards Organization (ISO) provides requirements for products and services to meet world markets in a transparent manner. The ISO security framework also offers assessment mechanisms to verify whether an organization's security measures comply with the standard. ISO/IEC 27001:2013 is a set of requirements for implementing, maintaining and improving information security management within the context of any type of organization (ISO, 2013). This standard provides a method to evaluate security risks which can be customized for FoodLands. The requirements in ISO 27001:2013 are generic, and they are advantageous for information systems security by
These three advantages are highly required for FoodLands, because when it operates its business on the world-wide-web catering to online users, its systems and applications must function consistently and efficiently while users access them from a variety of devices. In addition, FoodLands will also comply with global standards in information security, which can benefit the organization in the long run, for example when planning to move to a cloud service.
By implementing the standards in ISO 27001:2013, the company will be able to enhance its security standards through the standard's information security concepts, interlinks, and categories (BERR, 2008). This standard is a framework that will serve two purposes for FoodLands, which include
The ISO standards provide a framework for FoodLands to organize effective security management procedures and implement practices in accordance with security standardization activities.
In order to enhance its security systems for data protection, FoodLands can also consider hiring security personnel with specialized certifications (Merkow and Breithaupt, 2014). There is a variety of information security certifications available from international bodies, compiled below:
Certified Information Systems Security Professional (CISSP), which is recognized globally and is a standard for IT security professionals.
Certified Information Systems Auditor (CISA) is suitable for staff interested in auditing, monitoring and controlling an organization’s business IT and access to it.
Certified Information Security Manager (CISM) is focused on designing, managing and evaluating information security in organizations.
Certified Ethical Hacker (CEH) is for individuals interested in network security specifically, from a vendor-neutral perspective. This certification program provides knowledge for security officers, auditors, administrators and any expert specializing in the integrity of network infrastructure.
In addition to the above certifications, there are many more accreditation programs provided by vendors such as CISCO, CompTIA, and so on.
In the case of FoodLands, the security program is to design, manage, monitor and evaluate information security for the company to protect its data from attacks. Hence the security certification recommended for the CSO of FoodLands is either CISM or CISSP.
The risk assessment activity for FoodLands follows a development lifecycle. A risk management framework is used to continually evaluate risk management by following these steps:
The risk management framework considered for FoodLands is shown in figure 1.
Figure 1: Security risk management framework (Whitman and Mattord, 2012)
Risk assessment is an ongoing activity and highly crucial for business operations. It is important to note that implementing security policies and procedures also requires the responsible individuals in FoodLands to hold suitable certification.
Conclusion
In this report, the risk assessment and an overall risk management plan for FoodLands are provided for its information security system. Due to the expansion of its operations to cater to online customers, the company allows online transactions for its customers. Since customers on the internet can make use of any type of device (computers, tablets, smartphones) to access the system and perform online transactions, it has become highly crucial to protect the information stored in the company’s system from attacks on the internet. It is highly important for FoodLands to protect its online customer data. It is also seen, while analyzing the existing IS scenario in the company, that the existing systems are not well protected and vulnerabilities can be found in those areas.
The report provides the overall security program by evaluating possible risks due to open wireless networks and credit card theft. These issues are commonly found on the internet, in addition to other types of attacks. The company has decided to implement robust security policies and procedures; however, there is a need for a security certification program to be completed by its existing IT staff to gain expertise. The available security certification programs are highlighted and an appropriate certification is recommended in the context of FoodLands. The ISO risk management processes for information security are considered for the chosen company because they provide flexible risk management processes which can be tailored and can incorporate existing security practices already in place. The report also provides a risk management framework which can be implemented for FoodLands.
References
Asani, E.O., 2014. A Review Of Trends Of Authentication Mechanisms For Access Control. Computing, Information Systems, Development Informatics & Allied Research Journal, 5(2).
BERR. 2008. Information Security Breaches Survey. Technical Report, PricewaterhouseCoopers, in association with Symantec, HP and The Security Company.
Bruner, C.M. 2014. Authorized Investigation: A Temperate Alternative to Cyber Insecurity. Seattle UL Rev., 38, p.1463.
Cavallari, R., Martelli, F., Rosini, R., Buratti, C. and Verdone, R. 2014. A survey on wireless body area networks: technologies and design challenges. IEEE Communications Surveys & Tutorials, 16(3), pp.1635-1657.
Dal Pozzolo, A., Caelen, O., Le Borgne, Y.A., Waterschoot, S. and Bontempi, G. 2014. Learned lessons in credit card fraud detection from a practitioner perspective. Expert systems with applications, 41(10), pp.4915-4928.
Haller, S. and Magerkurth, C. 2011. The real-time enterprise: Iot-enabled business processes. In IETF IAB Workshop on Interconnecting Smart Objects with the Internet.
Hu, N., Liu, L. and Sambamurthy, V. 2011. Fraud detection in online consumer reviews. Decision Support Systems, 50(3), pp.614-626.
ISO. 2013. ISO/IEC 27001:2013. Information technology — Security techniques — Information security management systems — Requirements. [ONLINE] Available at: https://www.iso.org/iso/catalogue_detail?csnumber=54534. [Last Accessed 17-Sep-2016].
McHenry, MP. 2013. ‘Technical and governance considerations for advanced metering infrastructure/smart meters: Technology, security, uncertainty, costs, benefits, and risks’, Energy Policy, vol. 59, pp.834-842.
Merkow, M.S. and Breithaupt, J., 2014. Information security: Principles and practices. Pearson Education.
Murdoch, S.J. and Anderson, R. 2010. Verified by visa and mastercard secure-code: or, how not to design authentication. In International Conference on Financial Cryptography and Data Security (pp. 336-342). Springer Berlin Heidelberg.
Norman, T.L. 2016. Risk Analysis and Security Countermeasures Selection. 2nd ed. London: CRC Press. Taylor & Francis Group.
Puhakainen, P. and Siponen, M. 2010. Improving employees’ compliance through information systems security training: an action research study. Mis Quarterly, pp.757-778.
Rao, D.N., GopiKrishna, T. and Subramanyam, M. 2014. Electronic commerce environment: (Economic Drivers and Security Issues). Compusoft, 3(2), p.572.
Roberts, L.D., Indermaur, D., and Spiranovic, C. 2012. Fear of Cyber-Identity Theft and Related Fraudulent Activity. Psychiatry, Psychology and Law, Copyright Taylor & Francis, (Available at: https://www.tandfonline.com/10.1080/13218719.2012.672275).
Romanosky, S., Telang, R. and Acquisti, A., 2011. Do data breach disclosure laws reduce identity theft?. Journal of Policy Analysis and Management, 30(2), pp.256-286.
Tsohou, A., Kokolakis, S., Lambrinoudakis, C. and Gritzalis, S. 2010. A security standards’ framework to facilitate best practices’ awareness and conformity. Information Management & Computer Security, 18(5), pp.350-362.
Weber, R.H. 2010. Internet of Things – New security and privacy challenges. Computer Law & Security Review, 26(1), pp.23-30.
Whitman, M.E. and Mattord, H.J. 2012. Principles of Information Security. 4th ed. Boston: Course Technology, Cengage Learning.