Security Program for FoodLand
In this report, the security posture of FoodLand Supermarkets, a retail store in South Australia, is evaluated and its weaknesses are highlighted. FoodLand has seen strong growth over the past decades, and it needs strong security measures to protect its systems and data from threats. The growth of the internet and related technologies has allowed the company to expand its operations onto the world-wide-web. At the same time, threats and attacks on transactions and systems are on the rise, and FoodLand faces the threat of cyber attacks on its operations. To establish a strong security mechanism for the company, the existing security scenario at FoodLand is examined first.
FoodLand Supermarkets performs business transactions through its website. Recent security incidents and breaches on the internet show an increase in cyber crime (Roberts et al. 2012), particularly targeting e-commerce sites, where hackers go after financial accounts and customer data such as credit card numbers, passwords, and bank details. The company has a good reputation and respects the privacy of customers using the website, but it is concerned that a data breach could expose its customers' personally identifiable information to misuse by hackers (Weber, 2010). In addition, the company shares customer data with vendors and other partners who provide extended offers, coupons, and promotions to FoodLand's customers. This is a further threat, because the company does not control its customer data once it is shared. However, the website authenticates customers by username and password, and after verification the customer can make an online purchase transaction.
Many consumers in Australia prefer to make online purchases daily for convenience and ease of use (McHenry, 2013). At the same time, online fraud is also on the rise. Numerous cases show hackers stealing credit card information while a user is making an online transaction, and this is easier for them when consumers transact over open wireless networks (Hu et al. 2011).
Security Challenges faced by FoodLand Supermarket
The retailer faces the following security challenges in delivering its services.
- Threats and attacks from the internet against its online customers
- Hackers stealing personal consumer information (bank details, credit card numbers, passwords, etc.) for misuse and personal gain
- Possible security breaches of its point-of-sale (PoS) systems, databases, transaction systems and accounting systems
- Misuse of consumer information shared with vendors, trading partners and other external parties, because the company does not control it once shared
- The types of attack the company anticipates include phishing, denial of service (DoS), unauthorized access, malicious activity, security breaches and card payment fraud
- These attacks and threats have wide negative implications for the business. They exploit vulnerabilities in the existing IT systems and infrastructure, which must be addressed to secure and protect information
Objectives of the report
The objectives of the report are as follows:
- Explore methods to improve information security at FoodLands
- Provide an analysis of the overall security program at FoodLands
- Explore the option of implementing ISO security standards and developing good security practices
- Assess risks to determine the type of controls needed to minimize the impact of attacks
Having set out the threats faced by FoodLand, the report details the security program the company requires. It also examines the need for a security structure in the organization and identifies security training needs (Puhakainen and Siponen, 2010). The suitability of ISO standards for implementing a security plan at FoodLand is explored. Security certifications, which can support the implementation of good security practices and procedures and so improve the company's security posture, are examined as an option. Lastly, the report provides a risk assessment that identifies the key threats to FoodLand and the type of controls required to reduce those risks to a minimum level.
Security Assessments and Discussions
As mentioned earlier, customers use unsecured wireless networks to make online transactions, and the number of customers using the online services is increasing. Unsecured wireless networks pose serious threats to data while it is being transmitted (Cavallari et al. 2014). Such networks expose many of the top threats and vulnerabilities that make retailers like FoodLands Supermarket an easy target for attackers (Romanosky et al. 2011). It is therefore crucial for FoodLands to safeguard customer details and data and to protect against these threats.
The proliferation of Internet of Things (IoT) devices in retail business processes (Haller and Magerkurth, 2011) adds to the existing threat landscape. Retailers use IoT devices to manage inventory, perform mobile transactions, measure the temperature of certain foodstuffs, monitor store temperature, and so on. These devices are connected to the main IT network infrastructure and transmit data on the network constantly. They are vulnerable to attack, and their exposure increases further when they participate in wireless networks. This is one important challenge for which the company has to put adequate security measures in place.
In addition to wireless networks and IoT devices, the company is exposed to credit card payment fraud, another major problem worldwide (Dal Pozzolo et al. 2014). Credit card theft is common when the card is not protected by both a chip and a PIN (Personal Identification Number) (Asani, 2014). The security issues arising from credit card fraud have damaged brands and customer trust (Rao et al. 2014). FoodLands is aware of these concerns in its PoS systems and online portal. Data breaches are another significant threat, where attackers steal customer data and misuse it for their own gain. Customer data is most exposed at POS systems at the time of purchase or while making an online payment (Murdoch and Anderson, 2010). This is another important aspect of security at FoodLands.
Security vulnerabilities and attacks can have a huge negative impact on business operations, reputation and profits. A review of overall security indicated that the business could be impacted by loss of shareholder value, reduced profits, declining customer trust, and deterioration of brand and reputation. This can further result in a significant reduction in online transactions, reducing profits for the company. In addition, hackers use the holiday season to exploit the maximum number of vulnerabilities in retailer systems (Bruner, 2014).
Securing data therefore involves not only overcoming technical flaws in systems but also customer service, awareness of security issues, user training and protection of individual rights. The comprehensive security measures required for FoodLands will include:
- Multi-layer access controls
- Deterrence against threats (firewalls and hardware and software security systems can be considered for implementation)
- Detection (the company can use intrusion prevention systems (IPS) or intrusion detection systems (IDS) to identify malicious activity in its systems)
- Assessment, involving a thorough analysis of the threat landscape and its implications for the company's systems
- Response measures, involving data encryption on wireless networks, encryption for databases, and encrypted storage of important data in the company
The overall security program (Norman, 2016) will consist of the following:
- Security policies and procedures
- Defining access levels for all staff, customers, partners and vendors
- Access controls, so that each user can access only the data appropriate for his or her role and level
- User authorization, with two-way authentication available for online transactions
- Perimeter security measures for the network to prevent penetration attacks
- A security awareness program
- Training on security
- Special countermeasures to overcome unique vulnerabilities
The overall security program will take the above aspects into account; user training on security is also required so that users are aware of the security implementation.
Professional plan of training requirements
Security implementations may require users to follow new procedures such as authentication or validation. A successful security project implementation assimilates the proposed changes into the organization. When new technologies and policies are implemented at FoodLands, employees need training and education. Training is usually done after the new security policies and procedures are implemented and in place. It is also important to note that untrained users can work around and bypass controls, creating additional vulnerabilities in the system (Whitman and Mattord, 2012). FoodLands must plan for training within the three weeks before the new policies and security systems are implemented and go online. In addition to training, the security project must make compliance documents available to all employees for them to read, understand and agree to the new policies.
Training plans will also ensure that users follow defined procedures while using IT systems and are aware of the value of information in the company. Training can fulfil the following points:
- Users are made aware of the selected controls and their effectiveness
- Through training, management can more easily implement procedures for promptly identifying security violations and responding to security events
- Training will help organize information security and incident management. In an organization where security is supported, a chief security officer (CSO) is the main focal point for communication and coordination of all security matters, for supervision and management of countermeasures and their implementation, and for security planning and awareness programs.
- Users and staff understand their accountability in using the system.
Training is an inherent part of ensuring a culture of security (Tsohou et al. 2010) in the company.
ISO security standards
FoodLands can consider best practices and global standards in implementing systems security and ensuring data protection. The International Organization for Standardization (ISO) provides requirements for products and services to meet world markets in a transparent manner. The ISO security framework also offers assessment mechanisms to verify whether security measures meet the standards. ISO/IEC 27001:2013 is a set of requirements for implementing, maintaining and improving information security management in any type of organization (ISO, 2013). This standard provides a method to evaluate security risks that can be customized for FoodLands. The requirements in ISO 27001:2013 are generic, and they benefit information systems security by:
- Standardizing terminology through consensus
- Providing a uniform understanding of, and agreement on, functional and non-functional requirements in the design of information systems so that they are compatible across diverse environments
- Strengthening interoperability
These three advantages are highly relevant for FoodLands: because it operates its business on the world-wide-web for online users, its systems and applications must function consistently and efficiently when users access them from a variety of devices. In addition, FoodLands will comply with global information security standards, which can benefit the organization in the long run, for instance when planning to move to a cloud service.
By implementing the standards in ISO 27001:2013, the company will be able to enhance its security through the standard's information security concepts, interlinks and categories (BERR, 2010). This standard is a framework that will serve two purposes for FoodLands:
- Linking existing security practices in a coherent and systematic manner
- Providing guidelines to the CSO for making effective security management decisions. The guidelines are based mainly on the code of practice for security management (ISO/IEC 27002:2005) and the specification of requirements (ISO/IEC 27001:2005) standards
The ISO standards provide a framework for FoodLands to organize effective security management procedures and implement practices in accordance with security standardization activities.
Information Security Certifications
To enhance its security systems for data protection, FoodLands can also consider hiring security personnel with specialized certifications (Merkow and Breithaupt, 2014). A variety of information security certifications from international bodies are compiled below:
- Certified Information Systems Security Professional (CISSP), which is recognized globally and is a standard for IT security professionals.
- Certified Information Systems Auditor (CISA), suitable for staff interested in auditing, monitoring and controlling access to an organization's business IT.
- Certified Information Security Manager (CISM), focused on designing, managing and evaluating information security in organizations.
- Certified Ethical Hacker (CEH), for individuals interested in network security from a vendor-neutral perspective. This certification provides knowledge for security officers, auditors, administrators and any expert specializing in the integrity of network infrastructure.
In addition to the above certifications, many more accreditation programs are provided by vendors such as Cisco, CompTIA, and so on.
In the case of FoodLands, the security program is to design, manage, monitor and evaluate information security for the company to protect its data from attacks. Hence the certification recommended for the CSO of FoodLands is either CISM or CISSP.
Risk Assessment
The risk assessment activity for FoodLands follows a development lifecycle. A risk management framework is used to continually evaluate risk by following these steps:
- Perform an impact analysis and categorize the information stored, processed and transmitted by the system
- Based on the organizational assessment, select an initial set of security controls according to the risk assessment and local conditions
- Implement the security controls and demonstrate how they are used within FoodLands
- Review the security controls using evaluation methods to determine whether they are established correctly and meet the security needs
- Authorize the information system only for registered users, with access controls based on their engagement with FoodLands
- Monitor the security controls and update security procedures as an ongoing activity
The risk management framework considered for FoodLands is shown in figure 1.
Figure 1: Security risk management framework (Whitman and Mattord, 2012)
Risk assessment is an ongoing activity that is crucial for business operations. It is important to note that implementing security policies and procedures requires certification for the responsible individual at FoodLands.
Conclusion
This report has provided a risk assessment and an overall risk management plan for FoodLands' information security system. Having expanded its operations to cater to online customers, the company allows online transactions for its customers. Since customers on the internet can use any type of device (computers, tablets, smartphones) to access the system and perform transactions, it has become crucial to protect the information stored in the company's systems from attacks from the internet. It is highly important for FoodLands to protect its online customer data. The analysis of the existing IS scenario in the company also showed that the existing systems are not well protected and that vulnerabilities can be found in those areas.
The report sets out the overall security program by evaluating the risks arising from open wireless networks and credit card theft, which are common on the internet alongside other types of attack. The company has decided to implement robust security policies and procedures; however, its existing IT staff need to complete a security certification program to gain expertise. The available security certification programs are highlighted and an appropriate certification is recommended in the context of FoodLands. ISO risk management processes for information security are considered for the company because they provide flexible risk management processes that can be tailored and can incorporate the existing security practices in place. The report also provides a risk management framework that can be implemented for FoodLands.
References
Asani, E.O. 2014. A Review of Trends of Authentication Mechanisms for Access Control. Computing, Information Systems, Development Informatics & Allied Research Journal, 5(2).
BERR. 2008. Information Security Breaches Survey. Technical Report. PricewaterhouseCoopers, in association with Symantec, HP and The Security Company.
Bruner, C.M. 2014. Authorized Investigation: A Temperate Alternative to Cyber Insecurity. Seattle University Law Review, 38, p.1463.
Cavallari, R., Martelli, F., Rosini, R., Buratti, C. and Verdone, R. 2014. A survey on wireless body area networks: technologies and design challenges. IEEE Communications Surveys & Tutorials, 16(3), pp.1635-1657.
Dal Pozzolo, A., Caelen, O., Le Borgne, Y.A., Waterschoot, S. and Bontempi, G. 2014. Learned lessons in credit card fraud detection from a practitioner perspective. Expert Systems with Applications, 41(10), pp.4915-4928.
Haller, S. and Magerkurth, C. 2011. The real-time enterprise: IoT-enabled business processes. In IETF IAB Workshop on Interconnecting Smart Objects with the Internet.
Hu, N., Liu, L. and Sambamurthy, V. 2011. Fraud detection in online consumer reviews. Decision Support Systems, 50(3), pp.614-626.
ISO. 2013. ISO/IEC 27001:2013. Information technology -- Security techniques -- Information security management systems -- Requirements. [Online] Available at: https://www.iso.org/iso/catalogue_detail?csnumber=54534 [Last accessed 17 September 2016].
McHenry, M.P. 2013. Technical and governance considerations for advanced metering infrastructure/smart meters: Technology, security, uncertainty, costs, benefits, and risks. Energy Policy, 59, pp.834-842.
Merkow, M.S. and Breithaupt, J. 2014. Information Security: Principles and Practices. Pearson Education.
Murdoch, S.J. and Anderson, R. 2010. Verified by Visa and MasterCard SecureCode: or, how not to design authentication. In International Conference on Financial Cryptography and Data Security (pp. 336-342). Springer Berlin Heidelberg.
Norman, T.L. 2016. Risk Analysis and Security Countermeasure Selection. 2nd ed. London: CRC Press, Taylor & Francis Group.
Puhakainen, P. and Siponen, M. 2010. Improving employees' compliance through information systems security training: an action research study. MIS Quarterly, pp.757-778.
Rao, D.N., GopiKrishna, T. and Subramanyam, M. 2014. Electronic commerce environment: Economic drivers and security issues. Compusoft, 3(2), p.572.
Roberts, L.D., Indermaur, D. and Spiranovic, C. 2012. Fear of Cyber-Identity Theft and Related Fraudulent Activity. Psychiatry, Psychology and Law, Taylor & Francis. Available at: https://www.tandfonline.com/10.1080/13218719.2012.672275
Romanosky, S., Telang, R. and Acquisti, A. 2011. Do data breach disclosure laws reduce identity theft? Journal of Policy Analysis and Management, 30(2), pp.256-286.
Tsohou, A., Kokolakis, S., Lambrinoudakis, C. and Gritzalis, S. 2010. A security standards' framework to facilitate best practices' awareness and conformity. Information Management & Computer Security, 18(5), pp.350-362.
Weber, R.H. 2010. Internet of Things: New security and privacy challenges. Computer Law & Security Review, 26(1), pp.23-30.
Whitman, M.E. and Mattord, H.J. 2012. Principles of Information Security. 4th ed. Boston: Course Technology, Cengage Learning.