An Information Security Risk in Topshop Company - Example

IS Audit Students Name: Institutional Affiliation: Department Course: Date Link http://www.chapelhigh.org.uk/internet_assets/documents/business_studies/Year%2010%20Company%20Report%20Topshop.pdf Executive summary An information security risk assessment is a continuing process characterized by discovering, correcting and preventing security problems. The threat assessment is an essential part of a risk management practice designed to provide suitable levels of security for information systems. An information security risk assessment is a component of sound protection practices and is needed by the Commonwealth Enterprise Information Security Policy[Dav113]. The risk assessments and interrelated documentation are also an important part of compliance with Health Insurance Portability Accountability Act security standards. A Risk assessment will assist each agency decide the tolerable level of risk and the consequential security requirements for every system. The agency then plan execute and examine a set of security measures to address the level of known risk. The summary report summaries the significant security susceptibilities that pertain the credit card information theft which is an information security risk associated with Top shop retail[Gil11]. The vulnerabilities and threats indicated in this report that is related to the subsequent main areas: i. Probable theft of information through manipulation of card evaluation at the sales point usually to the Point of Sales. ii. Feasible breaches inside the Top shop retail business’s network iii. Probable information theft from the company servers and networks. iv. Every department as drawn indicates audit goals and objectives to be encountered in order to make sure Top Shop Company’s are in the full conformity with the set regulations and principles. All parties anticipate strict acquiescence during the audit practice where substantial enquiries will be responded in an honest way with providing any supportive documents for the right objectives and goals will be obtainable once requested. Recommendations have been offered with anticipated acquiescence from Top Shop retail to make sure the security of its present systems and information, along with data that’s relates to its clients. Case study Top shop retail is considered a Britain multinational fashion retailer of clothing, shoes, make-ups and accessories. The Top Shop has around 500 stores globally in which around 300 shops are located in the UK plus online operations in a number of its market. The Top Shop started as a brand extension of the department of stores which initially sold fashion by young British designers. The Top Shop expanded rapidly because it changed its name to Top Shop which resulted in increased sales and making high profits[Vac12]. To helped preserve and managed its varied range of customers and chains. Top shop used various Security Information System to help with the job. The employed information systems embrace: Top shop embraced widespread of the network throughout the offices, where all the computers were linked to one central point. One manager is installed at the server office to monitor all the linked systems in it. Top shop being a largest shop that sells highly rated clothes embraced this kind of security method where the general screen being installed in an open place allowing real-time monitoring of stocks from different locations. Point of sale system that allows over the counter transaction and monitoring various types of goods where top shop employed three types of security systems; Managers from different vicinity had point of sales installed on their computers to help them manage existing stock values, pricing, and locations Check out point to handle the transactions, monitor the flow of stocks and how they are being sold or refunded. Managers have other staffs installed at the door to counter check the actual sales with the receipt produced by the system. This helps to reduce the occurrence of unrecorded transactions that lead to loss of products[Whi11]. This audit report mainly focuses on top shop instant checkout point of sale which is a credit card based system. Top shop has several points of sale terminals that are linked to one central server operated by a senior manager in the organization. The server serves like a temporally hoard where data are referred from the card evaluator, decrypted and instantly matched with the Top Shop records before it is re- encrypted and forwarded through a secured internet connection to the appropriate financial point. Each system installed on a particular system as a card reader handles the following primary functions. i. The system can read the details on the credit card ii. The system can validate credit card details iii. The system is able to collect credit card details iv. The system is able to receive transaction details. The system is able to print transaction details such as list of items purchased, information such as time and date the purchases took place. Risks. Risks being the major threat for top shop retail shop that is much known for being vulnerable to major threats in its day to day operations[Vac12]. Weak risks areas include; i. Risks of device tampering that may take place at the point of manufacturing, where the implication causes exceptional loss of clients’ important data information that impact several businesses that count on the producer for the components. The affected business together with the manufacturer will lose its reputation due to the loss. ii. Device tampering at the business storage that could make a company lose its reputation from the loss of several customers’ information and exposes flaws in the company practices that are deemed helpful. iii. A Point of sale manipulation with the company systems, Point of Sale tampering would cause loss of customer’s information, exposes the customers to significant risks and eventually loss of business reputation. iv. A Broken network that causes loss of customer information from the system that would cause loss of reputation and eventually loss of its customers[Mon111]. v. Compromised errors that may cause a big loss of customer information exposes risks in the company network system leading to loss of company good reputation. vi. Open servers that may cause loss of customer’s information, loss of the Top shop most sensitive information and also leads to loss of company reputation. Audit plan An audit plan is the specific guidelines to be followed when conducting an audit that helps the auditor to obtain appropriate evidence that are sufficient for the circumstances. Audit Area Objectives Gadget card readers i. Make sure all component functionality is tested once they are received. ii. Make sure all elements are acquiescent with appropriate standards & practices iii. Make sure testing area has proper protection and anti-virus scanners Device manipulation prevention i. To make sure proper staff division of work are imposed ii. Ensure appropriate safety actions are used such as limited personnel entrance iii. To make sure all storing locations are enough for great risk things iv. To scrutinize how expedient is mounted at point of sale Top shop Company network i. To verify passwords used is functioning and effective. ii. Make sure traffic flow check is in practice to observe for suspicious information iii. Make sure appropriate security protocols and practices in place like: Antivirus and staff access restrictions iv. Verify how external drives such as flash disks are used well and if procedures are in accordance to avert viruses from spreading Top shop retail servers i. To make sure passwords used is effective and working ii. Make sure appropriate security procedures and practices in place like: Antivirus and staff entrance restrictions iii. Verify how external drives such as flash disks are scanned and whether procedures are used well to avert viruses from spreading iv. To make sure proper staff division of duties are enforced v. To make sure proper server segregation is enforced. Audit Plan Framework The International Accounting Auditing has taken steps to develop a framework for Audit Quality that articulates on the inputs and outputs factors that contributes to audit quality at the engagement. Linux audit framework because it helps make the system more secure by providing a means to analyze what is happening on the system in great details as well as help in executing the new Information Technology controller systems[Whi11]. Linux audit framework is capable to offer the following structures making it best appropriate for this examination: i. Capability to give the requested department with audits views. ii. Outlines objectives and goals they can support with company goals. iii. Gratify statutory necessities Interview Inquiries & Documents Audit goals and objective Asked Question and some Evidence found Make sure all components functionalities are verified once received Stages used to check functionality Demonstrate testing Make sure all components are amenable with significant standards & practices i. Reveal how the department is amenable with procedures and standards. ii. Ask for conformity reports iii. Steps followed to ensure units are in conformity. Trying area has right protection like scanners and anti-virus i. Display reports that regards protection that is used in trying area alongside with their structures ii. Display the protection that is in place iii. Reveal if the protection purposes as planned Appropriate staff division of responsibilities are imposed i. Provide list of staff and their access places ii. Ask staffs arbitrarily to their entrance places iii. Get list of those allowed to access to high risk areas. Suitable safety actions are imposed such restricted personnel entrance i. Ensure safety measures are mounted ii. Exhibit such safety are in place as planned iii. Present credentials on mounted security devices iv. Offer offices layout of the place gadgets are positioned Storing place is sufficient for high risk products i. Inspect the type of security measures in place ii. Request for plan of storage chamber iii. Staff access logs to room Inspect how device is installed at point of sale i. Inspect how device is installed at the point of sale ii. Requests for records on who has access to device iii. Security measures in place to prevent manipulation Authenticate password used is valid and functioning properly i. Question the practices that are in place to make sure keys are effective, distinctive and much secure ii. Review who has contact to the key and the duties they have iii. Record reports on earlier keys Traffic inspection in use to lookout for suspect information i. Approaches in place to identify suspicious information and how they are controlled ii. Traffic observing reports iii. Demo and try of how suspicious information is dealt with Check how peripheral media like flash disks are treated and if procedures are in place to avert viruses from spreading i. Procedures in place to handle external media ii. Demonstration & test of how it’s handled iii. What steps are taken if virus is detected Appropriate server division is obligatory i. Check server positions ii. Inquire on what happens concerning various situations to determine if only one or several systems are affected iii. look of server logs Recommendations Device manipulation All components established ought to be appropriately tested to make sure no manipulation has happened that they are normally functioning[Mon111]. Any divisions established to have substandard alterations or have viruses would be plainly found and it can stop theft of customer information thus making it easier to look back to where such issues may have come from. Storage Storage capacity used to stockpile the point of sale gadget should be substantially protected to prevent unauthorized contact with some staff or even outsiders[Whi13]. These facilities should have cameras to watch the situation connected with an alarm and constrained staff access that uses passwords to log in thus making it very easy to find who has been in the store point should any problem happen. Ready device As the appliance has been fixed up, the place must be precisely crisscross to ensure that no susceptible parts are contemporary. Example, the exposure of certain portions could mean either a staff or client inconspicuously mismanage the gadget. Moreover, the zone should continue under supervision to for recording apprehensive doings. Manipulated Network Appropriate safety actions would make sure no suspected staff entrance to transpire on the network[Zhu11]. The accomplishment of a security would significantly limit entrance to only authorized personnel while antiviruses’ applications detect extortions inside to avert possible data outflow. Manipulated password A manipulated password would despicable that any protected information if removed from a server would be effortlessly decoded and accessible. To alleviate this threat, use of a resilient key is vital. Open servers Server rooms; It’s important that they continue being well sheltered because they contain company vital statistics that is much sensitive[Gil11]. Precise measures that are able to scan for viruses and firewalls would eliminate a lot of risks; contrariwise server separation would make sure that all apparatuses are unconnectedly kept. Bibliography Dav113: , (Davis, 2011), Gil11: , (Gillies, 2011), Vac12: , (Vacca, 2012), Whi11: , (Whitman, 2011), Mon111: , (Montesino, 2011), Whi13: , (Whitman, 2013), Zhu11: , (Zhu, 2011), Read More