Information Security Strategy of IT Department at Eazee Shopping - Case Study Example


Abstract

This paper will first throw light on the threats to information systems in cyberspace. The researcher will then demonstrate the organisational policies of Eazee Shopping, followed by the physical and system security initiatives that should be taken by the top management of Eazee Shopping. The researcher will then discuss the compliance of information systems and security initiatives with the ISO 27001 Standard, after which a conclusion will be presented to summarise the key findings and scope of security strategies.

Introduction

Eazee Shopping, established in 2004, is a famous supermarket chain operating in the United Kingdom. The company works under the supervision and guidance of Mr. Sundeep Singh, who is the CEO and controls the entire strategic planning, corporate policy formulation and implementation, and business control process. The supermarket chain aims to simplify its selling process by offering all products through an online information management system. The company recorded revenues of nearly 20 million in 2006 and aimed to triple its existing revenues by introducing a new automated order tracking and sales system. This would enable the company to enlarge its existing target market as well as increase its revenue streams. The supermarket could also improve its value creation and the value proposition offered to potential customers in the market. Eazee Shopping is also interested in using decision and executive support systems because they could provide pertinent information to top and middle level managers. As a result, the introduction of the above mentioned systems would reduce workload, facilitate business decision-making and problem-solving, and enhance productivity, effectiveness and overall organisational performance.
It is worthwhile to mention that information is considered an extremely valuable business asset across Eazee Shopping, and it is usually created from sales and financial data. The managers obtain information in the form of statistics regarding the most sold products, the most demanded products in different packages, changes and fluctuations in prices, profitability etc. This information is used not only to analyse the growth rate of Eazee Shopping but also to determine the effectiveness of the currently implemented product development, market development and diversification strategies and business policies. Also, the market research and sales information identify any underlying problems in advance, thereby enabling strategic planners to take corrective measures. In simple words, information plays a critical role in Eazee Shopping’s business decision-making, and any threat to information security should be considered a direct threat to the smooth functioning, business growth and sustainable development of the supermarket business. As far as the Eazee Shopping information security strategy is concerned, the supermarket chain is required to train its IT workers so that they become physically and mentally prepared to use the new operational, executive and decision support systems. Then, the company needs to employ different strategies, such as continuous system monitoring, a performance appraisal framework for systems’ assessment / evaluation and an Acceptable Use Policy (AUP), to ensure physical system and network security. The above mentioned policies will be discussed in detail in a separate chapter.
For instance, Eazee Shopping should maximise internal systems’ security by using stronger Oracle Applications, by informing organisational members in advance about certain programming flaws and defects, by building security profiles and storing them in Authorisation Management Systems, and by using organisation-wide and division-wide system security approaches. The above mentioned plans will also be discussed in detail in a separate chapter to give readers an insight into the implementation of various system security plans by Eazee Shopping.

Threat Analysis

As far as the perceived threats to the Eazee Shopping supermarket chain are concerned, it should be pointed out that the UK based chain has been shifting towards an online business model because of the growth in internet users and potential online buyers. Debit, credit, visa and e-cards are normally used by consumers to shop online, which is nowadays viewed as relatively convenient, reliable and hassle-free. In addition, online shopping saves time and reduces transportation / travelling expenses. It is worthwhile to mention that consumers will provide their private business account information, credit card numbers and contact details, which will be stored in the management information system (MIS) of the Eazee Shopping supermarket chain. Nevertheless, these information systems have proven vulnerable to security threats due to cyber attacks from hackers and subsequent system breakdowns, failures and data losses. It should be recalled that various multinational organisations and governments have already come under attack launched by hackers in the form of gruesome system viruses / malware and automatic data-detection software (cookies). Viruses are rogue programmes that attach to other programmes in the information system for execution.
Another possible threat is commonly known in computing as worms, which are independent programmes that copy themselves from one computer to another over a network without the permission of the end-users. Nonetheless, strong viruses disrupt the system functioning of Eazee Shopping and result in data losses. Also, intruders or hackers may transfer useful data / information (such as customer profiles, sales data, profitability rates, and inventory at hand and in stores etc.) from the operational system to their PCs so that they could harm Eazee Shopping and cause financial losses. It should be pinpointed that hackers usually launch denial-of-service attacks on the systems through fake communication requests, which result in system crashes, disruptions and blatant slowdowns. In most cases, the system observes a slowdown followed by a temporary breakdown, which results in data losses. The IT professionals of Eazee Shopping are then required to restore and recover the data, while the managers and organisational members, especially sales department workers, suffer because of the problems faced in carrying out business operations in an efficient and effective manner. However, the most crucial element involved is the misuse of private consumer and business related information of Eazee Shopping by hackers / cyber terrorists. The supermarket chain promises confidentiality and protection of the private information of its clients. Failure of Eazee Shopping to protect valuable customer and business related information will lead to a reduction in consumer satisfaction, loyalty and trust. Also, the top management perceives a threat that hackers could surreptitiously sell Eazee Shopping’s confidential or private business information to competitors, thereby making competitors aware in advance of the supermarket’s corporate strategies and business policies.
In addition to the aforementioned, there are internal security threats such as software failures and breakdowns, information leakage and misuse by employees etc. Hence, Eazee Shopping has to pay special attention to installing security programmes to thwart access by unauthorised persons to confidential business information. The intense competition in domestic UK markets has also forced the supermarket chain to hire part-time or contract (temporary) workers; therefore, it has become difficult to ensure strict checks and balances on every single employee. The top management perceives that information leakage could take place with the help of highly dissatisfied employees of Eazee Shopping.

Organisational Policies

As far as the organisational policies are concerned, it should be pointed out that Eazee Shopping has established an IT department comprising software specialists, hardware maintenance personnel, data centre operators, information security officers etc. The company has formulated a new organisational policy to introduce operational, managerial and executive support systems so that it could shift from manual processes to a relatively automated organisation. The supermarket chain requires these systems to facilitate its inventory management, order tracking, order processing and sales forecasting procedures. Eazee Shopping values its customers and promises to protect their private information at any cost. Hence, the company managers pay special attention to safeguarding account information (provided by customers).

Physical Security Plan

The first step will be the training of employees of the IT department at Eazee Shopping. The IT personnel have to be trained in information creation, storage, use, dissemination and security tools so that they could manage the entire information system (inputting and outputting tasks, maintenance, restoration etc.) and assist employees of other organisational departments.
For instance, a chief security officer will be chosen and assigned the responsibility of monitoring every IS worker so that the probability of information leakage and of access by any unauthorised person could be minimised. In addition, all organisational computer systems (used at different supermarkets, city and head offices) will be continuously monitored. This enables Eazee Shopping to check what information is stored (obtained from external and internal sources) on organisational PCs, and to understand and analyse whether the stored information could threaten system security or not. In addition, a performance appraisal framework will be developed and implemented to analyse and measure the functioning and performance of the new information systems. Also, the framework will help identify any underlying weaknesses in information security tools and their viability. In addition, Eazee Shopping could employ an Acceptable Use Policy (AUP), which would define the acceptable uses of organisational information, computing equipment (such as PCs, laptops, wireless devices, telephones, intranet and extranet) and technological resources. This policy would clarify Eazee Shopping’s privacy rules and regulations, user responsibility, acceptable / unacceptable actions and consequences for noncompliance.

System Security Plan

To ensure system security, the supermarket will develop its information system by using Oracle Applications, which are considered relatively better due to a stronger programming base. In addition, the information security tools, applications and controls have to be evaluated and assessed on a regular basis in order to judge their effectiveness and performance against external cyber crime threats. Another strategy to be used for system security is to inform workers about technical defects and programming flaws, which are normally determined during the implementation stage.
These technical system problems will be communicated to the system developers and rectified to avoid any system failure, breakdown and data losses. It should be noted that intruders and hackers first identify any coding or programming errors in the information system, after which they launch attacks because of a weak defence against viruses, malicious software, spyware, worms and Trojan horses. In order to protect the organisational information, Eazee Shopping could develop security profiles that would then be stored in Authorisation Management Systems. This policy would enable the supermarket chain to define what information each user is permitted to access. For example, a sales employee at the Birmingham supermarket owned by Eazee Shopping is restricted from accessing the sales information of any other division because of the security profile tool. Eazee Shopping could implement another initiative known as the ‘organisation-wide system security approach’, under which workers will be trained to identify the possibility of cyber attacks in advance. This would enable the company to save precious time and organisational resources used for the investigation of security issues / problems / incidents. The monitoring of all information systems and technology resources would not only save costs but also reduce the productivity losses that occur due to system failures, crashes and breakdowns. Similarly, the managers could also adopt another strategy known as the ‘division-wide system security approach’, under which the IT specialists will be trained to identify the probability of complex cyber attacks on systems and sub-systems employed at Eazee Shopping supermarkets in various cities. The specialists will then communicate this information to other divisional employees to make them aware of perceived security threats and of the adoption of precautionary measures during data transfer and dissemination.
This would enable the IT department to analyse which division is more vulnerable to cyber attacks launched by hackers to steal valuable business information.

Compliance with ISO 27001 Standards

It is worthwhile to mention that ISO 27001 is an expansion of “British Standard BS 7799, Part 2”, which aims to maximise information system security through the use of a stronger risk management model. The previous version was “revised and updated” (Humphreys, 2006) to ensure information safety, security and protection from cyber terrorists (hackers, intruders etc.) that either hack information systems or instil viruses for criminal purposes. The new ISO 27001 Standard also focuses on principles that would lead to the development of information systems in a better manner, followed by improvement in management and maintenance. Also, the standard complies with OECD (Organization for Economic Cooperation and Development) principles that consider information the most valuable asset in today’s external business environment, and therefore place heavy emphasis on information system security (27001-Online Article, n.d.). It should also be noted that ISO 27001 is a part of ISO 9001:2000 and ISO 14001:2004. Business enterprises have produced this new standard because of the rising menace of cyber attacks, cyber crimes and cyber warfare. The strategic planners and top executives of various business firms have taken into account the perceived cyber threats, after which they developed “information security management system (ISMS) and this ISO - 27001 Standard” that could facilitate the information and system security of any firm from any business sector (Humphreys, 2006). In addition, ISO 27001 has been developed on the PDCA model. In the first stage, ‘P’ stands for Plan, during which Eazee Shopping, with the help of IT specialists and system developers, has to design the ISMS in its operational, decision and executive support systems.
In the second stage, ‘D’ stands for Do, during which Eazee Shopping has to install the ISMS and train its workers so that they could maintain the supermarkets’ technological resources and secure information and networks. In the third stage, ‘C’ stands for Check, during which Eazee Shopping will have to ensure checks and balances through the monitoring and performance appraisal framework for better security and smooth functioning of the ISMS. In the last stage, ‘A’ stands for Act, during which the IT department of Eazee Shopping has to enhance and upgrade the tools, programmes, features and modules of the ISMS so that the security system best suits the information security needs and requirements of the supermarket chain (Humphreys, 2006).

Conclusion

References

Rees, Jackie, Subhajyoti Bandyopadhyay and Eugene H. Spafford (2002) “PFIRES: A Policy Framework for Information Security” Center for Education and Research in Information Assurance and Security [Online] Available at http://www.enhyper.com/content/pfires.pdf

Anderson, Ross (2001) “Why Information Security is Hard - An Economic Perspective” University of Cambridge Computer Laboratory

Siponen, Mikko (2000) “A conceptual foundation for organizational information security awareness” Information Management & Computer Security 8/1, pp. 31–41 [Online] Available at http://oasis.oulu.fi/publications/imcs080100-ms.pdf

Dhillon, Gurpreet & Gholamreza Torkzadeh (2006) “Value-focused assessment of information system security in organizations” Info Systems 16, pp. 293–314 [Online] Available at http://iris.nyit.edu/~kkhoo/Spring2008/Topics/Topic10/ValueFocusedAssmntInfoSecOrg2006.pdf

Gordon, Lawrence and Martin Loeb (2003) “Information Security Expenditures and Real Options: A Wait and See Approach” Computer Security Journal, Volume 14 [Online] Available at http://www.cpppe.umd.edu/Bookstore/Documents/ISExpenditures_11.2.03.pdf

Anderson, Ross and Tyler Moore (2007) “Information Security Economics – and Beyond” Computer Laboratory, University of Cambridge

27001-Online Article (n.d.) “Welcome to ISO 27001 Online - Dedicated to the ISO 27001 Security Management Standard” [Online] Available at http://www.27001-online.com/

Humphreys, Ted (2006) “State-of-the-art information security management systems with ISO/IEC 27001:2005” ISO Management Systems [Online] Available at http://www.iso.org/iso/iso_catalogue/management_standards/specific_applications/specific-applications_it-security.htm