Home Depot Information System Audit Plan - Example


Extract of sample "Home Depot Information System Audit Plan"

THE HOME DEPOT RETAIL INFORMATION SYSTEM AUDIT REPORT

Table of Contents

  • Executive summary
  • Case Background: Home Depot
  • Home Depot IS Risk
  • Home Depot Information System Audit Plan
  • Audit Plan Framework
  • Interview Questions & Documents on Home Depot
  • Recommendation
  • Reference

Executive summary

The security vulnerabilities of the company's information system should be monitored constantly in order to avoid theft of customer credit data and so enhance customer trust and loyalty. This report therefore addresses significant vulnerabilities in the current Home Depot information system and outlines procedures and precautions to avoid hacking of customer credit cards. The audit concentrates on three areas: possible theft of data through tampering with card readers in point-of-sale systems, breach or theft of data from the company server, and breach of the company network.

The report is prepared in accordance with the control objectives for information and related technology framework, that is, the COSO framework. To ensure that Home Depot complies with the set standards, each possible vulnerability has goals to be met, which are checked through interviews, a perusal of documentation and system checks. Full cooperation is required during the process so that the report is sufficient to address all the issues affecting the information system of the business.

The recommendations form the last part of this report and outline the strategies that need to be put in place to ensure that Home Depot's information system data is safe from hackers. The recommendations are ordered according to the level of urgency and the personnel required to implement them.

Case Background: Home Depot

Home Depot is a large American-based retail company with chains in several countries. The company was incorporated in 1978 in Georgia.
The company deals in construction merchandise and home appliances such as lawn mowers. It mainly sells online and delivers goods to customers, complemented by stores where customers can physically visit and inspect goods before making a purchase. Home Depot maintains an information system that helps it run all its processes smoothly and is interlinked through an intranet and the internet.

The information system comprises the following. First, the networks of all the stores are linked to a central server, which is connected to each store over a secure Virtual Private Network (VPN) in order to monitor stock, back up data and grant privileges to the store servers [9]. The information system also includes point-of-sale systems, which are used to enter transactions and to monitor goods sold and stock bought. In addition, they serve as an inventory control tool by checking availability, stock level warnings and discount ranges.

Home Depot maintains two types of point-of-sale system. The first is checkout-based and ensures that stock in and stock out are monitored, whether through sales or inter-store transfers; it is used mainly by tellers in the stores [5]. The second is the manager-based point-of-sale system, which is used to control stock prices, stock quantity and location, and inter-store transfer authorization.

The most important and critical part of the information system is the checkout-based point-of-sale card system, since it operates a large number of point-of-sale terminals linked to a central server in each country of operation. The system decrypts information from the customer's card and compares the transaction value with the customer's card balance before authorizing dispatch and printing a receipt for the goods purchased [1]. The information is then relayed to the card service provider so that the necessary deposit can be made to the company's account.
The system has the following privileges: read credit card information, validate credit card information, collect credit card information, receive transaction information and print transaction information, which comprises customer details, items purchased, amount, transaction ID, date and time. The audit report therefore concentrates on the checkout-based point-of-sale information system. It has a high chance of security vulnerability because of its extensive use of customer credit card information across the company server and the links to financial institutions.

Home Depot IS Risk

Home Depot has a large and complex information system with many interlinked servers, so it can easily be exploited by hackers to obtain confidential data [9]. Exposure of sensitive data can shift customer preference to competitors, which will decrease the company's profitability. It is therefore important to carry out a risk audit of the information system in order to understand the extent of the vulnerability and develop precautions against it. The table below lists each risk with its probability, level and implication.

| Risk | Probability | Level | Implication |
|---|---|---|---|
| Privilege to encryption key by third party | 0.2 | Low | It can cause more loss of confidential information, and thus loss of cash and information to a third party. The loss will result in loss of company reputation [7] and attract legal suits against the company. The effect will reach multiple stores since they are interlinked, and can cause business failure due to online fraud. |
| Intrusion to company network | 0.4 | Moderate | It can cause loss of confidential information, and thus loss of cash and information to a third party. The loss will result in loss of company reputation [7] and attract legal suits against the company. The effect will reach multiple stores because the intruder will gain administrator privileges and can authorize cash transfers to his or her own account, crippling the company financially. |
| Exposed servers | 0.6 | High | It can cause loss of confidential information, and thus loss of cash and information to a third party, leading to loss of reputation [7]. The effect will reach multiple stores, customers and the credit card provider. |
| Device tampering at manufacturer's premises | 0.1 | Low | A defective device can lead to loss of confidential information to a third party, which might result in loss of customer and company cash. It can cause loss of important information to a competitor of the company. The overall loss falls on the reputation of Home Depot and the manufacturer [7], which results in loss of key customers. |
| Device tampering in transit | 0.12 | Low | It will result in loss of confidential information, and thus loss of customers due to fear. Home Depot will also lose its reputation [7]. |
| Device tampering at business stores | 0.4 | Moderate | It can cause loss of confidential information, and thus loss of cash and information to a third party. The loss will result in loss of company reputation [7] and attract legal suits against the company. |
| Device tampering while in use at store | 0.5 | Moderate | It can cause loss of confidential information, cash and company reputation [7], and additional cost of legal suits. |

Home Depot Information System Audit Plan

The audit areas and the objectives to be achieved in the information system are given below.

The audit of card readers has the following objectives:

  • Ensure that the devices function properly in all aspects.
  • Ensure that the devices have sufficient and up-to-date protection, e.g. firewalls [4].
  • Ensure that the devices meet the required quality and standards set by COSO.

The audit of the storage conditions of card readers has the following objectives:

  • Proper security measures are in place, such as alarms, biometric doors, CCTV cameras and restricted personnel access.
  • There is a clear division of labour within the organization to enhance accountability [3].
  • The checkout system is properly installed.
  • Privileges are restricted on online sites which steal cookies [8].

The audit of the company server and networks, mostly concerned with unexpected traffic, has the following objectives:

  • Proper server separation is done to avoid bugs.
  • Proper division of duties is done to enhance accountability.
  • Ensure that no server is allowed to extract data apart from the central server.
  • Ensure that enough measures are in place when extracting data using external storage devices such as flash drives.
  • Ensure that there are enough skilled personnel to monitor the system regularly and repair it when a server fails.
  • Verify that the encryption key is valid.
  • Check traffic in order to detect whether hackers have access to the system.
  • Carry out a data overflow test in order to check whether the system can withstand a large data inflow.
  • Proper security protocols and practices are in place, for example restricted access for employees, active firewalls and updated antivirus.

Audit Plan Framework

The audit is carried out in accordance with the COSO framework since it is mainly concerned with the information system. The framework is usually used in the development and implementation of new IT infrastructure in any company. The objectives achieved using the COSO framework include the ability to provide an opinion to the client, definition of objectives and their alignment with company goals, assurance on the audit, and fulfilment of regulatory requirements. Given the nature of the audit of the Home Depot information system, the COSO framework will be sufficient to support recommendations since it requires an audit of the information system.

Interview Questions & Documents on Home Depot

| Question asked and evidence gathered | Objective |
|---|---|
| Provide a list of employees and their level of access. List of employees with access to the central server. Random questions to employees on certain information system scenarios. | To ensure proper segregation of duties and sufficiency of employees' skills and knowledge of the information system. |
| Is there a security system in place, for example alarms and CCTV? Ask for documentation of the security system in place. Run a test of the security system. | To minimize device tampering at the store. |
| Provide compliance reports. Demonstrate whether the information system in place meets the standards and procedures set by regulations. What steps are taken to ensure the information system complies with regulators' specifications? | To ensure that the system has the necessary infrastructure to reduce instances of hacking or system failure. |
| What is the procedure for testing the functionality of the information system? Ask for the test report of each server and card reader. | To ensure the information system is working as intended, to avoid errors and exposure of data to third parties. |
| What procedures are in place when handling external media? Demonstration of how it is handled. What steps are taken when malware is detected? | To ensure that confidential data is not extracted and that no third-party program is installed on the central server, which might increase vulnerability. |

Recommendation

After analyzing the Home Depot information system, the following recommendations were made to reduce, detect and eliminate the risks that might affect the company negatively.

First, on the company network, it is recommended that proper security procedures be implemented to ensure that no third party gets access to the system. The firewalls should be updated and active to ensure that cookies from vulnerable sites are blocked. The anti-malware software should come from a reputable developer in order to ensure that no third-party software is installed in the system. Traffic on the company network should be monitored regularly in order to trace any third-party intrusion and so reduce unauthorized access. For example, the application used by Sally Salon to check on traffic assisted a lot in reducing the company's loss of data. If the encryption key is compromised to a third party or to unauthorized staff, the company should change the key immediately.
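The traffic check that the audit plan and the network recommendation call for (only the central server may extract data, and unexpected traffic should be traced) can be run over flow records; the following is an added example, not part of the original report. The address ranges, host roles, record format and byte threshold are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Assumed network layout, constructed for this example (not Home Depot's).
ROLES = {
    "pos": ipaddress.ip_network("10.20.1.0/24"),     # checkout POS terminals
    "store": ipaddress.ip_network("10.20.0.0/28"),   # store servers
    "central": ipaddress.ip_network("10.0.0.0/28"),  # central server
}

# Allowed (source role, destination role) paths; anything else is a finding.
ALLOWED = {("pos", "store"), ("store", "pos"),
           ("store", "central"), ("central", "store")}

BULK_BYTES = 50_000_000  # assumed per-flow size that counts as bulk extraction

# Constructed flow records: timestamp, source, destination, port, bytes.
SAMPLE_FLOWS = """\
2015-04-20T09:00:01,10.20.1.15,10.20.0.2,8443,5120
2015-04-20T09:00:05,10.20.0.2,10.0.0.5,443,2100000000
2015-04-20T09:02:10,10.20.1.15,203.0.113.50,443,48000
2015-04-20T09:03:44,10.20.1.22,10.0.0.5,1433,900
2015-04-20T09:05:00,10.20.1.22,10.20.0.2,445,80000000
2015-04-20T09:06:12,10.20.0.3,198.51.100.7,21,120000000
2015-04-20T09:07:00,10.20.1.15,not-an-ip,443,100
"""


def role_of(addr):
    """Map an address to its assumed role, or 'external' if it has none."""
    for role, net in ROLES.items():
        if addr in net:
            return role
    return "external"


def audit_flows(text):
    """Return findings as (line_no, src, dst, [reasons]) tuples."""
    findings = []
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        try:
            _ts, src, dst, _port, size = row
            src_role = role_of(ipaddress.ip_address(src))
            dst_role = role_of(ipaddress.ip_address(dst))
            size = int(size)
        except ValueError:  # malformed record: report it rather than skip it
            findings.append((line_no, None, None, ["unparseable record"]))
            continue
        reasons = []
        if (src_role, dst_role) not in ALLOWED:
            reasons.append(f"disallowed path {src_role}->{dst_role}")
        # Only the central server may pull large volumes of data.
        if size >= BULK_BYTES and "central" not in (src_role, dst_role):
            reasons.append("bulk transfer not involving central server")
        if reasons:
            findings.append((line_no, src, dst, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

The large store-to-central backup on the second record passes, while a POS terminal reaching an external address or the central server directly, and any bulk transfer that bypasses the central server, are reported for review.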
Secondly, the recommendations on device tampering include testing the functionality of card reader devices at the manufacturer's stores and making sure devices are transported using trusted channels so that no one can tamper with the product. The location used to store point-of-sale devices should be highly guarded, for example with biometric doors, alarms, CCTV cameras and security personnel [8]. Access should be restricted to particular people in order to ensure that no malicious person gains access to the devices. The company is then also able to know who tampered with a device, and evidence can be retrieved from the footage taken by CCTV. The devices in use at the stores should be inspected regularly to ensure that they are functioning properly. Each device should be positioned so that a malicious person cannot monitor the processing of a credit card. The premises should be covered by CCTV cameras in order to record any activity in the surroundings.

Lastly, the report provides a recommendation on exposed servers: the company needs to update its firewalls and review server activities in order to detect any deviation from the standard. The company should ensure that store servers are given limited privileges while the central server controls and backs up all data from other computers [9].

Reference

1. BSI Group America Inc. (2014). Home Depot Security Breach. [online] bsigroup.com. Available at: http://www.bsigroup.com/LocalFiles/en-US/Case-Studies/bsi-lessons-learned-home-depot.pdf [Accessed 20 Apr. 2015].
2. Consultants, J. (2014). Home Depot Sees Huge Data Breach. [online] JonKeith Communications Consultants, Inc. Available at: http://www.jonkeith.net/2014/10/04/home-depot-sees-huge-data-breach/ [Accessed 20 Apr. 2015].
3. Elgin, B., Riley, M. and Lawrence, D. (2014). Home Depot Hacked After Months of Security Warnings. [online] Businessweek.com. Available at: http://www.bloomberg.com/bw/articles/2014-09-18/home-depot-hacked-wide-open [Accessed 20 Apr. 2015].
4. Home Depot (2014). Statement 1. [online] Corporate.homedepot.com. Available at: https://corporate.homedepot.com/mediacenter/pages/statement1.aspx [Accessed 20 Apr. 2015].
5. Krebs, J. (2014). Home Depot breach — Krebs on Security. [online] Krebsonsecurity.com. Available at: http://krebsonsecurity.com/tag/home-depot-breach/ [Accessed 20 Apr. 2015].
6. Netwrix (2014). Three Steps The Home Depot Could Have Taken to Prevent Data Breach Devastation. [online] Netwrix.com. Available at: http://www.netwrix.com/three_steps_to_prevent_The_Home_Depot_breach.html [Accessed 20 Apr. 2015].
7. Notte, J. (2015). How Do Home Depot and Target Save Their Reputations After Data Breach?. [online] TheStreet. Available at: http://www.thestreet.com/story/12890092/1/how-do-home-depot-and-target-save-their-reputations-after-data-breach.html [Accessed 20 Apr. 2015].
8. Ragan, S. (2015). What you need to know about the Home Depot data breach. [online] CSO Online. Available at: http://www.csoonline.com/article/2604320/data-protection/what-you-need-to-know-about-the-home-depot-data-breach.html [Accessed 20 Apr. 2015].
9. Rosenblum, P. (2014). Home Depot Data Breach: Banks' Response Is Critical To Consumer Reaction. [online] Forbes. Available at: http://www.forbes.com/sites/paularosenblum/2014/09/19/home-depot-data-breach-banks-response-is-critical-to-consumer-reaction/ [Accessed 20 Apr. 2015].