INFORMATION SECURITY REQUIREMENTS

ITNET306A Assignment Scenario  – Semester 1 2012

Floriarty Australia Pty Ltd. is an online business which allows customers to order flowers online for delivery by florists around the country. The company processes credit card orders, storing these details for future purchases in a back-end database in its data centre.

Floriarty is a small family-run business with little IT expertise. Management was alarmed by news reports of a competitor which suffered a compromise of customer credit card information, after reading the following article:

http://www.abc.net.au/news/2007-09-15/hackers-steal-credit-card-details-from-roses-only/670366

(NB: This is a historical document and is not reflective of the current security or reputation of the organisation mentioned; it should be noted that any organisation can be the target of such an attack.)

Floriarty have commissioned you to produce a report on what their requirements are to protect their business from such an event, and to give high-level recommendations on how they can meet these requirements.

A good start in identifying these requirements is the Payment Card Industry Data Security Standard (PCI-DSS). This is an industry-wide standard which dictates the security controls required to ensure that an organisation can store and process credit card information securely on behalf of the major card brands (Visa, MasterCard, etc.).

PCI-DSS requirements are broken into six Control Objectives:

  1. Build and Maintain a Secure Network
  2. Protect Card-holder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

This project is broken into three components:

1 – Literature Review (1500 words)

Being compliant with security standards such as PCI-DSS does not necessarily equate to being secure from a security compromise. Discuss.

Guidelines: There are many different security standards in the industry; however, PCI-DSS is one of the most prevalent. Discuss the strengths and weaknesses associated with compliance with security standards in general (500 words) and then outline the contentious areas which have generated debate about some of the PCI-DSS requirements (1000 words). Offer your own opinion on these issues, but be sure to support it with relevant references and (where possible and relevant) real-world experience.

2 – Requirements gathering (250 words max.) NB: Each student will only need to focus on addressing TWO out of the six PCI-DSS Control Objectives. (See Table 1 on the following page)

You have been given very little information about your customer (Floriarty) thus far. Compile a list of no more than 12 questions to send to management to get an understanding of their business and network architecture. The responses to these questions will be the only information available to you in formulating your final report, which will outline your recommendations to the business to help it become PCI-DSS compliant for the TWO Control Objectives you have been assigned. Assume the customer knows little about IT and write the questions accordingly. If you ask technical questions, you may well get non-technical (or even wrong) answers, just as in the real world.

3 – PCI-DSS Recommendations Report (PowerPoint Presentation)

Provide a 10 minute PowerPoint presentation to the business outlining your findings and recommendations. This should be broken up into the following components:

–        Introduction

–        Summary of PCI-DSS and what it means to the business

–        Scope, Assumptions and Constraints

–        Requirements Identified

–        Recommended Controls

–        Conclusion

Note that your recommendations will be high-level and do not require you to specify technology vendors, device configuration or cost, but keep in mind that this is a small business with a limited budget. Where you have not received adequate information from the client, you will need to make reasonable assumptions. Keep these assumptions realistic and support them with sound reasoning. During the presentation, the client (examiner) will be asking questions.

Further guidance will be provided to assist in understanding expectations around this content.

TABLE 1: Assigned Control Objectives:

Control Objective                                Assigned to
Build and Maintain a Secure Network              Mathew
Protect Card-holder Data                         Mathew
Maintain a Vulnerability Management Program      Rabi
Implement Strong Access Control Measures         Vin
Regularly Monitor and Test Networks              Rabi
Maintain an Information Security Policy          Vin

The PCI-DSS documentation is the logical starting point for your project and can be found here:

https://www.pcisecuritystandards.org/security_standards/index.php

SOLUTION

1.    Literature Review

Being compliant with security standards such as PCI-DSS does not necessarily equate to being secure from a security compromise. Discuss.

The valuable data assets of an organisation can be protected by complying with information security standards. There is no magic formula that guarantees 100% security; however, there is a vital need for standards or benchmarks which help ensure that an adequate level of security is achieved, that the organisation's resources are used efficiently and that best practices for information security are followed (AN OVERVIEW OF INFORMATION SECURITY STANDARDS, 2008).

Strengths associated with Security Standard Compliance

In the modern age, information security is a paramount issue which every organisation needs to address. Given the rate at which technology is growing, it has become imperative that all organisations, big or small, protect their data assets; doing so maintains the confidence of the customers, clients and partners with whom they work. An organisation that is properly aligned with the ISO/IEC standards gains the following benefits (The ISO/IEC 27000 Family of Information Security Standards, 2003):

  • Securing its own critical tangible and intangible assets (Humphries, 2006).
  • Improving and ensuring the confidence of its customers.
  • Evolving its information security along with technological advancements.
  • Managing the various levels of risk to the organisation.
  • Avoiding loss of brand image, potential fines and loss of earnings.
  • Assuring customer confidence by demonstrating that its systems and procedures are properly aligned for sharing or exchanging information while transacting business online and providing a range of services.
  • Gaining business benefits, since it can demonstrate to business partners and other parties that it meets its contractual obligations (Humphries, 2006).

Weaknesses Associated with Security Standards Compliance

Compliance with a security standard does not remove the underlying risks. A compliant organisation that is nonetheless breached still faces the following losses:

  • Loss of confidentiality: unauthorised users such as hackers gain access to sensitive corporate data as well as network resources or systems.
  • Loss of integrity: the sensitive corporate data accessed might be tampered with, and data in transmission might be corrupted.
  • Loss of availability: complete inability to access the corporate system or network when needed, so that customers do not receive the required services; unauthorised users may also consume the bandwidth.
  • Clients bear direct losses when their data is compromised.
  • The company has to pay regulatory fines.
  • Direct fraud, inability to operate and data loss cause financial losses.
  • Negative media coverage damages the company's brand image.
  • Competitive advantage is lost through a bad image in the market and loss of customer trust. When a client needs immediate service and the system is down, that client is lost to a competitor immediately, causing further financial loss, lost customers and lost competitive advantage.
  • Loss of client and investor confidence.
  • Inability to provide services to customers directly causes loss of revenue to the company (WIRELESS SECURITY – INFORMATION FOR CIOS, n.d.).

Contentious Areas related to PCI-DSS Requirements

The Payment Card Industry Data Security Standard (PCI-DSS) is a worldwide information security standard created by the Payment Card Industry Security Standards Council (PCI SSC). It was created to help all organisations that process card payments prevent card fraud by strengthening the controls around sensitive card data and preventing that data from being compromised (mjschereck, 2009).

PCI Controversies and Exposures

The news of the breach at Hannaford Bros. Co., in which 4.2 million credit and debit card numbers were stolen by an intruder over a span of roughly three months, was a big concern. The data was taken while in transit across the company's network rather than from a database at rest, making it one of the first widely reported large-scale thefts of this kind. The more alarming part is that Hannaford Bros. Co. was certified compliant with the Payment Card Industry Data Security Standard (PCI-DSS), which had been established by the major credit card companies such as MasterCard Inc. and Visa Inc. to guarantee the privacy and security of customer information stored by merchants (Tucci, n.d.).

"PCI compliance is not enough," according to Steve Rowen, PCI expert and partner at Retail Systems Research LLC (RSR), a Miami-based research firm which specialises in the business challenges and technology of the retail industry.

Brian Kilcourse, the managing partner of RSR and co-author with Rowen of a book on data security, said that PCI focuses only on credit card payment data, yet retailers also collect other data which is just as dangerous if exposed. A good proportion of breaches involve Social Security numbers, and PCI says nothing about the Social Security numbers being collected by the retail industry (Kilcourse and Rowen, 2008). He also noted in the article that treating PCI-DSS as a "checkbox project is not enough".

According to Kilcourse, security is a fluid process which needs practical and proactive measures in order to decrease the risks associated with retaining customer data and capturing sensitive data (PCI DSS Compliance Overview and Best Practices: E-Guide, n.d.). Retailers who want to handle customer data security from a positive and practical standpoint should therefore integrate payment-specific security measures into their wider business strategies and initiatives. A common mistake retailers make while becoming PCI-DSS compliant is simply mapping their applications to the mandate.

The aspect of PCI-DSS compliance most often cited by retailers as difficult is monitoring network access: numerous points of data transmission exist within the network, and the retailers cannot monitor all of them.

Rowen therefore argues that retailers should encrypt cardholder data in every form it takes, in transit as well as at rest (PCI DSS Compliance Overview and Best Practices: E-Guide, n.d.). It is good to become PCI compliant, but at the same time the organisation must make sure that its own best practices are in place and that its processes are well tested (Tucci, 2008).

PCI Compliance Challenges Faced

The proliferating number of data security standards is a concern for the industry, since overlapping compliance requirements can become confusing to implement or may even conflict with each other. Even so, according to a Cisco report, 43% of respondents said that compliance with other security standards and regulations had enhanced their ability to become PCI-DSS compliant.

However, one big issue they had to face in becoming PCI compliant was educating employees on the proper handling of cardholder data. Another problem identified with PCI-DSS is that antiquated systems have to be upgraded to bring them up to the compliance level. Along with this, the company's business practices also have to change in order to comply with the PCI requirements ("Organizations See PCI as a Benefit, Not a Burden", Cisco white paper, 2011).

Human behaviour in relation to card data is a much bigger challenge for companies than the technical security issues or choosing the right security technology. Companies should therefore have PCI compliance training, supporting policy and awareness programmes which tell employees what to expect from the mandatory training and how it will be enforced. At the same time, organisations should put in place the right mechanisms for monitoring and measuring the effectiveness of that training.

According to the Cisco survey, the most problematic of the 12 PCI-DSS requirements to achieve compliance with is tracking and monitoring all access to cardholder data and network resources ("Organizations See PCI as a Benefit, Not a Burden", Cisco white paper, 2011).

Some IT security professionals believe that PCI-DSS does little more than set a minimum baseline for data security, as the following statement shows (mjschereck, 2009):

"The fact is that you can be PCI-compliant and still be insecure. Look at online application vulnerabilities. They are arguably the fastest growing area of security, and for good reason: exposures in customer-facing applications pose a real danger of security breach." – Greg Reber (mjschereck, 2009).

Other IT security professionals believe that PCI-DSS is a step forward in getting organisations to pay much more attention to security, even though a bare-minimum standard cannot completely eliminate security problems. Companies that were PCI compliant have nonetheless registered security breaches: in 2008 one of the largest payment providers, Heartland Payment Systems, suffered a data security breach estimated at more than one million card numbers (mjschereck, 2009).

2. Requirements Gathering

Two PCI-DSS Control Objectives:

2.1 Build and Maintain a Secure Network

  1. Does your network have a firewall installed, and are you aware of how it is configured?
  2. Do you consider your current systems safe and secure with regard to the data held within the organisation?
  3. Can staff access any information they want from other systems on the network?
  4. Is access to critical data open to all employees in the organisation, or is it restricted to some of them?
  5. Can anyone on the Floriarty staff access data relating to credit or debit card payments?
  6. Are employees and management satisfied with the current level of network security?

2.2 Protect Card-Holder Data

1. Is cardholder data stored anywhere on the Floriarty network, in any form?

2. Does Floriarty keep printouts from Personal Identification Number (PIN) entry device (PED) terminals?

3. Does Floriarty store or keep any card payment data on unprotected endpoint devices such as laptops, smartphones or PCs?

4. Does Floriarty allow anyone unauthorised to access the stored cardholder data?

5. Are policies on password protection and access control in place in the company?
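Question 1 above is the one a consultant cannot take the client's word for: management who "know little about IT" will often answer "no" while an order export, a log file or a support mailbox holds full card numbers. The usual check is a discovery scan over the files the client hands over. The following is an added example (not part of the original assignment or solution) of such a scan: it finds 13 to 19 digit runs, validates them with the Luhn mod-10 checksum that every card brand's PAN satisfies, and reports each hit masked to the first six and last four digits, which is the most that PCI-DSS permits to be displayed. The CSV export and the card numbers in it are constructed test data, not real customer records.

```python
"""Discovery scan for stored primary account numbers (PANs).

Added example for the requirements-gathering step: answers "is cardholder
data stored anywhere, in any form?" by scanning text exports for candidate
PANs, validating them with the Luhn checksum and reporting them masked
(first six / last four digits). Sample input below is constructed.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run (so a 20-digit ID does not match).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to its first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return one record per Luhn-valid candidate: line number, masked PAN, length.

    The full PAN is deliberately never returned; the scan report itself must
    not become another store of cardholder data.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                hits.append({"line": lineno,
                             "masked": mask_pan(digits),
                             "length": len(digits)})
    return hits


# Constructed order export; the card numbers are published brand test
# numbers, and row 10004 is a digit run that fails the Luhn check.
SAMPLE_EXPORT = """\
order_id,customer,card,note
10001,A. Smith,4111 1111 1111 1111,stored for repeat orders
10002,B. Jones,5555-5555-5555-4444,
10003,C. Wu,378282246310005,amex
10004,D. Lee,1234567890123456,not a valid card number
10005,E. Ng,phone +61 2 9876 5432,no card stored
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_EXPORT):
        print(f"line {hit['line']}: {hit['masked']} ({hit['length']} digits)")
```

A scan like this is only a first pass: it will not find PANs stored encrypted or encoded, and it says nothing about CVV2 or magnetic-stripe data, which PCI-DSS forbids storing at all. Every hit still needs to be traced back to the business process that wrote it, which is what the remaining questions in this section are for.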

3. PCI-DSS Recommendations Report

A 10 minute PowerPoint presentation with the following components is attached along with this document:

Introduction

Summary of PCI-DSS and what it means to the business

Scope, Assumptions and Constraints

Requirements Identified

Recommended Controls

Conclusion

Bibliography

AN OVERVIEW OF INFORMATION SECURITY STANDARDS (2008), The Government of the Hong Kong Special Administrative Region.

Humphries, T. (2006) State-of-the-art information security management systems with ISO/IEC 27001:2005, January-February, [Online], Available: http://www.iso.org/iso/info_security.pdf [29 May 2012].

Kilcourse, B. and Rowen, S. (2008) Customer Data Security, PCI and Beyond.

mjschereck (2009) Middleware Audits And Remediation For PCI Compliance, Evans Resources Group.

"Organizations See PCI as a Benefit, Not a Burden", Cisco white paper (2011), [Online], Available: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps6538/ps6540/white_paper_c11-642025.pdf [30 May 2012].

PCI DSS Compliance Overview and Best Practices: E-Guide (n.d.), [Online], Available: www.searchcio.com [30 May 2012].

The ISO/IEC 27000 Family of Information Security Standards (2003), [Online], Available: http://www.itgovernance.co.uk/iso27000-family.aspx [29 May 2012].

Tucci, L. (2008) PCI standard still packs little punch, [Online], Available: www.searchCIO.com [30 May 2012].

Tucci, L. (n.d.) PCI compliance a good start, but not enough, [Online], Available: http://www.maxxuminc.com/pdf/E-guide_PCI-DSS_9-29-08.pdf [30 May 2012].

WIRELESS SECURITY – INFORMATION FOR CIOS (n.d.), [Online], Available: http://www.tisn.gov.au/Documents/Wireless+-+CIO+-+15+oct+2008.pdf [29 May 2012].
