Kudler Fine Foods IT Security Report and Presentation Security Considerations
CMGT/400
According to Whitman and Mattord (2010), the ISO 27000 series is one of the most widely referenced security models. Referencing ISO/IEC 27002 (17799:2005), the major process steps include: risk assessment and treatment; security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development, and maintenance; information security incident management; business continuity management; and compliance.
| ... | ... commitment and sets out the organizational approach to managing information security. | ... | ... | ... determine the severity of ... the security. |
| Review of Information Security Policy | Whether the Information Security Policy is reviewed at planned intervals, or if significant changes occur, to ensure its continuing suitability, adequacy and effectiveness. | The security policy should be reviewed as business practices, hardware, software, and the way in which information is shared ... | Without the review of security policies they will most likely become outdated and lose usefulness. | Each policy should be reviewed periodically to ensure its effectiveness. Each policy owner will be responsible for the review. |
| ... | Whether the ... | | | |
Team B has been commissioned to examine the Kudler Fine Foods (KFF) frequent shopper Customer Loyalty Program that is currently in development. The team has also been asked to direct the system development team to ensure the system is established securely, so that it properly protects company data and customer information throughout all stages of the system development process. In week 2, the team will examine the Customer Loyalty Program for vulnerabilities in different areas of the system. The study will define the possible threats
1. The scope of the RFP states that the State wants a review of its entire system security.
During SDLC phase one, the initiation phase, “the need for a system is expressed and the purpose of the system is documented” (NIST, 2008). Some of the expected outcomes from this phase would be a project plan and schedule, system performance specifications outlining the operational requirements, system design documents, and a document that defines roles and responsibilities. The corresponding RMF step, security categorization, establishes the foundation for security standardization among information systems and provides a vital step towards integrating security into the information system (NIST, 2008). During this step, the type(s) of information processed by the information system are identified and the information system is categorized to determine the level of protection requirements to put in place. Some of the expected outputs of this step include a security project plan and schedule, a documented system boundary, the system categorization, and the security roles and responsibilities. These two process steps are very similar, except that the focus of RMF is on information security related functions. In some cases, SDLC produces the expected outputs that RMF requires, and the security professionals only require a copy of the documentation for their records. For example, the system design document often depicts the system boundary. The reason this step is so critical is that it
The security controls for the information system should be documented in the security plan. The security controls implementation must align with the corporate objectives and information security architecture. The security architecture provides a resource to allocate security controls. The selected security controls for the IS must be defined and
“The Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347)” ("FIPS PUB 199," 2004). In this paper, FIPS PUB 199 has been chosen as the security standard used by the State of Maryland Department of Information Technology. This standard establishes standards for categorizing information and information systems. ISO/IEC 27001, which the State of Maryland does not use, is discussed as a contrasting standard.
Management defines information security policies to describe how the organization wants to protect its information assets. After policies are outlined, standards are defined to set the mandatory rules that will be used to implement the policies. Some policies can have multiple guidelines, which are recommendations as to how the policies can be implemented. Finally, information security management, administrators, and engineers create procedures from the standards and guidelines that follow the policies.
12. Why is a methodology important in the implementation of information security? How does a methodology improve the process?
Good information security governance translates into a set of policies, processes, and responsibilities associated with the structures and people in the organization. It makes it possible to clearly establish the decision-making process and the guidelines for the management and use of IT, all in a way that is aligned with the organization's vision, mission and strategic goals. It also ensures the alignment of IT plans with business plans, and that the anticipated benefits are actually being generated. It allows the organization to recognize all risks (and opportunities) for the business and to decide on the appropriate plans to mitigate, accept or avoid them. Fundamental to this process is performance measurement: monitoring strategy implementation, the use of resources and the delivery of services.
To guide and assist organizations with implementing the security program that is appropriate for their needs, certain industry-accepted standards have been designed and made available to the market. NIST is popular predominantly in the USA – a recent survey found that 82 percent of 150 IT and security professionals in the federal government said their agencies are either fully or partially implementing the
In today’s complex IT systems, because of the wide abundance of threats and deliberate attempts to attack networks and IT assets, it is crucial to have a streamlined process that incorporates security as an integral part of the development process, as opposed to adding security measures after the development cycle has finished. The System Development Lifecycle (SDLC) is a conceptual method created for the design and step-by-step implementation of a general information system in business organizations using six different phases. The Security System Development Lifecycle (SecSDLC) uses the same six phases to implement the security project, except that its intent and scope are specific to the particular threats identified and designing
To fully understand the importance of the ISO 27001 model, we first need to understand what an ISO 27001 model actually is; this will now be discussed. ISO 27001 is a specific set of standards used to ensure information is kept secure within an organisation. The standards are used to help an organisation manage the security of their assets, for example
In this section, include open or closed IT audit findings, risk-derived findings, and internal assessments current at the time of approval of the security plan.
ISO/IEC 27001 is the most popular standard in the ISO/IEC 27000 series. As per its credentials, ISO 27001 is meant to offer a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS. ISO 27001 is technology-neutral and uses a risk-based approach (Disterer, 2013; ISO, 2014). Its specifications describe a six-part process of planning:
The newest standards are ISO 26000, which standardizes social responsibility, and ISO/IEC 27001, which specifies a management system for standardizing information security (ISO, n.d.). The most well-known and best-selling standard of the ISO governing body is ISO 9000, which was developed in 1987 (ISO, n.d.). ISO 9000 covers quality management standards. Quality management includes standards that help the organization identify processes that can be developed and employ constant performance improvement. ISO 9000 has been utilized by many national and international companies to constantly improve performance and processes, but it is usually applied by manufacturing companies.