Properly securing an information system means protecting its files and other confidential information from misuse. The current pace of technological change requires security measures that evolve with it. As the members of Team “A” set out to address this need, it was necessary to discuss the requirements. The foundation of any concrete security plan is detailed knowledge of all current systems, the tools needed to meet security needs, and employee training. The implementation of these requirements will be outlined in a final Security Presentation.

Kudler Fine Foods is an upscale specialty food store with three locations in the San Diego area. Kudler has a new initiative it would like to pursue: a customer rewards program that will track its loyal customers' buying behavior. Customers who participate in this program will collect loyalty points that they can redeem for high-end merchandise, specialty food, or airline upgrades.
“The customer purchase behavior patterns will help Kudler refine its processes and offerings to best satisfy their valued customers” (University of Phoenix, 2013, Sales and Marketing Overview, Virtual Organization Portal – Kudler Fine Foods). This IT security report will cover the top IT security threats, security considerations, security policies, and awareness training. The report will help the design team protect the new system from the threats identified during its design phase. At the end of this report, provisions are suggested that will help Kudler Fine Foods' internal staff validate security measures once the new program is up and running, so they can keep the system safe from hackers, attacks, or unauthorized personnel.

Identifying Top Threats & Summary
There are many security threats that can affect Kudler Fine Foods. Throughout the week, the team members worked to determine all possible threats to the Kudler Fine Foods Customer Rewards Program. The two most significant threats that need attention are “Data Loss” and “Identity Theft”. Protecting customers' personal information must be the first priority. To help reduce these risks and threats, it is important to use authentication so that access is granted only to those who need it. This will in turn reduce network traffic, making data transfers smoother and increasing productivity. All antivirus software, firewalls, and patches will also have to be updated regularly to keep security threats to a minimum. It is also crucial to make sure that all data is backed up at least daily so that it can be retrieved for any future use. This team will use the information gathered this week as the foundation of our security plan. The table below identifies threats and the vulnerabilities that each threat will exploit.

Kudler Fine Foods IT Top Security Threats
Area of System: Threat / Vulnerability

Individual terminals can be compromised, and credit card data stolen.

Customer Information: Denial of Service (DoS). Illegal access to the system. Loss or change of information if illegal access occurs.

Data backup: The system can fail, and data will be lost if the proper backup procedures are not carried out.

Network traffic: Unauthorized use can overload the network, causing a slowdown in performance, production, and a loss of profits. Employees visiting harmful sites and downloading damaging apps.
Security Considerations

System Development

The chart below shows the system development process phases that were identified. The process starts with planning, followed by analysis, design, testing, and implementation, and ends with how the system will be maintained and kept secure. Security considerations will be analyzed in every stage of the system development process. Not every risk can be planned for. The risks that can be identified will have policies and procedures in place so that a fix can be implemented immediately. With little to no downtime, threats and disasters have a small impact on the business.

System Development Phase: Planning
Risks: It is not known whether there are bugs in the system or whether the system is secure.
Mitigation of Risks: Decisions about security. Preliminary risk assessment. Develop basic security needs. Create an outline that will identify the response to and control of a threat.

System Development Phase: Analysis
Risks: Vulnerabilities that affect confidentiality, integrity, and availability.
Mitigation of Risks: Review legal and security requirements and regulations. Determine the effect a disaster will have on the accessibility of information, and the time it will take to have the system functioning properly.

System Development Phase: Design
Risks: Unauthorized access and use. Bugs that were missed.
Mitigation of Risks: Security plan and program security controls are designed and tested. Evaluation plan for security controls. Encryption for data and authentication for each employee at the proper security level.

System Development Phase: Testing
Risks: Multiple viruses and computer exploits left unchecked due to incompatible security enhancements.
Mitigation of Risks: Preliminary testing and implementation of security measures on isolated machines. Compatibility and stress testing against known hardware infections.

System Development Phase: Implementation
Risks: Malware and spyware because firewalls and security programs are not updated.
Mitigation of Risks: Security controls are designed, developed, implemented, and tested properly to the fullest extent. Evaluation plan is written. Check for any safety or security issues.

System Development Phase: Maintenance
Risks: Enhancements, modifications, hardware and software added or replaced. User requirements.
Mitigation of Risks: Ensure all enhancements, modifications, hardware, and software are safe and secure. Replaced hardware or software should be destroyed completely by the security team. Downtime has to be scheduled very carefully during off hours. Monitor continuously for any user changes.
If the system is ever removed from service due to power outages, internet outages, or other disaster scenarios, all users will be moved to a manual mode. If there is no backup system, data security will be compromised. Data integrity may also be affected because the information will be inaccessible. To overcome this, all users will be trained on both the main and backup systems. Users will also be instructed on manual procedures and policies. A backup system in place will enable multiple points of data restoration (cloud, network storage, and remote). These security measures will enforce the protection of data.

Security Policy and Training
It will be necessary to establish several security policies for the creation of Kudler Fine Foods' Customer Rewards program. The program's completion will increase sales and customer service exponentially. For this system to remain secure, an authentication and accessibility policy is developed. Users will only be granted access if a form of pre-authorization exists. It is important to determine who has the ability to access the information. Information is important for any company, and consequently authentication and access to that information must be limited. A security policy is required to ensure that the buyer's program maintains the shopper's information. This is made possible through the Enterprise Information Security Policy (EISP). The EISP is a plan that is accountable for a range of areas of data security and safety. This will include all maintenance plans, procedures, and responsibilities for the users. The plan may help with legal issues that may arise from unforeseen situations. The EISP documents will include the following factors:

Review of Awareness on Protection
Duties Shared by Users
Duties Specific to Each Role

Security Policy Elements
Kudler Fine Foods is required to protect its customer and organizational information. To do this, a security policy will be created by senior management and reviewed by the legal department. An awareness training session will be held for all employees to go over this policy. A strong security policy will ensure this information is kept safe. The following elements will be included in the security policy:

Classification of Information
Internet Usage Policy
E-Mail Usage Policy
Need to Know & Least Privilege
Username & Password
Disposal & Destruction of Information
The following audit provisions will help Kudler Fine Foods' internal staff validate security measures to keep the new customer rewards program safe from hackers, attacks, and unauthorized personnel. There are ten practices for the internal staff to start with. According to Gluscevic (2003), “These ten practices include different kinds of information security, such as policy, process, people, and technology, all of which are necessary for deployment of a successful security process” (Introduction). Adopting these practices will give Kudler Fine Foods, and any other organization, a secure way to manage its security risk. The ten practices are:

General Management – Security managers create the security policies and processes. Their job is to make sure the policies and procedures are followed on a daily basis. They will also create the audit processes.
Policy – Written rules to educate employees on how they need to conduct business every day while keeping the information safe.
Risk Management – Conduct risk evaluations that will identify threats, vulnerabilities, and risks.
Security Architecture & Design – Know the assets that need to be secured.
User Issues – Accountability, integrity, and training.
System & Network Management – Access controls, software integrity, backups, and data encryption. Do regular virus checks and updates.
Authentication & Authorization – Provide network access to all users based on the level of access they are approved for. Restrict users from levels for which they do not have approved access.
Monitor – Use system monitoring tools to audit, inspect, and respond to questionable activity, and to report on the events and conditions of the system.
Physical Security – This practice is usually forgotten, but it is necessary to help control who has access. Use physical controls, for example badges, swipe cards, keys, and a sign-off feature after a period of inactivity on a laptop or computer.
Disaster Recovery – This is in case your data is lost or damaged. Hopefully it will not be, if the practices above are followed, but just in case, create a disaster recovery plan and test it to make sure it works before you need it.

Using these practices will help keep Kudler Fine Foods' new system safe from threats, attacks, and unauthorized users gaining access to information they do not have authority to see.

Conclusion
In conclusion, Kudler Fine Foods is having a customer rewards program system created. This team was given the assignment to create an IT security report in which we identified the top IT security threats, security considerations, security policies, and security awareness training. The design team will use this report to build in security features from the beginning, so they do not have to backtrack and add these features after the design phase. It is crucial that Kudler gives its employees security awareness training. This training will help employees detect possible intrusions and understand how valuable the information and its integrity are to their employer. If everyone follows the security policies and procedures, this system will be free of hackers, attacks, and unauthorized personnel.
References

Conklin, W. A., White, G., Williams, D., Davis, R., & Cothern, C. (2011). CompTIA Security+ (3rd ed.). Retrieved from the University of Phoenix eBook.
Gartenberg, M. (2005, January 13). How to develop an enterprise security policy. Retrieved from http://www.computerworld.com/article/2569303/security0/how-to-develop-an-enterprise-security-policy.html
Gluscevic, M. (2003). Implementing Basic Security Measures. Retrieved from
University of Phoenix. (2013). Virtual Organization Portal – Kudler Fine Foods. Retrieved from University of Phoenix, CMGT400 website.
Whitman, M., & Mattord, H. (2004). Information Security Policy. In Management of information security (4th ed., p. 154). Boston, Mass.: Thomson Course