6.10 Project Part Two
School: Indiana Wesleyan University, Marion. Course: 320 (Information Systems). Date: Dec 6, 2023. Uploaded by abjzumur.
Up-North Fishing Outfitters (UNFO) is a brick-and-mortar retailer of fishing equipment, apparel, watercraft, safety gear, and other products. As UNFO is moving to an e-commerce model, it will be exposed to new risks in web application vulnerabilities and the legal requirement of Payment Card Industry Data Security Standard (PCI DSS) compliance.
Written from the perspective of an Information Security Analyst, this report provides a detailed overview of how the organization can move through the compliance process and the consequences of noncompliance. It also highlights the common weaknesses and attacks associated with e-commerce and social networking applications, the motivations for potential attacks, and how these risks can be mitigated.
The report also explains the importance of configuration management and testing in ensuring the security of the e-commerce website. Configuration management helps track and manage changes to the website and its components, ensuring that any vulnerabilities or bugs are identified and resolved quickly. Testing, in turn, is essential to ensure the website functions correctly and is secure.
In conclusion, PCI DSS compliance, configuration management, and testing are crucial for transforming UNFO into an e-commerce environment. The senior management should use this report to determine the budget allocation and resources for the compliance process, for implementing the change and configuration management process, and for the test plan. This will help the organization not only to meet its compliance requirements but also to improve its overall security posture.
Task 1: As Up-North Fishing Outfitters (UNFO) transforms into an e-commerce model, it will be exposed to new risks in the form of web application vulnerabilities. “These vulnerabilities can be exploited by attackers with various motivations, such as stealing sensitive information, disrupting business operations, or gaining unauthorized access to systems” (Charig, 2023). Identifying these weaknesses and causes early in the development process is crucial to mitigate the risks and protect the organization from potential business impacts.
“Common weaknesses and attacks associated with e-commerce and social networking applications include SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and insecure session management. Attackers can exploit these vulnerabilities to steal sensitive information, disrupt business operations, or gain unauthorized access to systems” (Essays, 2023).
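The four weakness classes named in the quotation above are easiest to recognise in code. The following is an added example, not part of the report or its sources: for each class it places the vulnerable pattern beside the hardened form UNFO's developers would be expected to use. It uses only the Python standard library; the customer table, account values and request inputs are constructed for the demonstration.

```python
"""Added example: vulnerable vs. hardened forms of SQL injection, XSS, CSRF and
insecure session handling.  All data below is constructed for the demo."""
import html
import hmac
import secrets
import sqlite3


def make_db():
    """In-memory table standing in for the e-commerce customer store (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "ann@example.com", "4242"), (2, "bob@example.com", "1111")])
    conn.commit()
    return conn


# 1. SQL injection: query built by string concatenation vs. parameterised query.
def lookup_vulnerable(conn, email):
    # User input becomes part of the SQL text and can change the query's logic.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    # The driver binds the value as data; it can never alter the query structure.
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# 2. Cross-site scripting: untrusted text reflected into HTML unescaped vs. escaped.
def greeting_vulnerable(name):
    return "<p>Welcome back, " + name + "</p>"


def greeting_hardened(name):
    # html.escape converts <, >, &, and quotes to entities, so the browser
    # renders the value as text rather than interpreting it as markup.
    return "<p>Welcome back, " + html.escape(name, quote=True) + "</p>"


# 3. Cross-site request forgery: a state-changing request (e.g. checkout) must
#    carry a per-session secret that a third-party page cannot read.
def issue_csrf_token(session):
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def checkout_is_allowed(session, submitted_token):
    expected = session.get("csrf_token")
    if not expected or submitted_token is None:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, submitted_token)


# 4. Insecure session management: guessable id and missing cookie attributes
#    vs. a random id with Secure, HttpOnly and SameSite set.
def session_cookie_vulnerable(user_id):
    return f"session={user_id}"  # predictable, sent over plain HTTP, script-readable


def session_cookie_hardened():
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    return f"session={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


def has_secure_flags(cookie_header):
    """True when the Set-Cookie value carries Secure, HttpOnly and a SameSite setting."""
    attrs = {a.strip().lower() for a in cookie_header.split(";")[1:]}
    return {"secure", "httponly"} <= attrs and any(a.startswith("samesite=") for a in attrs)


if __name__ == "__main__":
    db = make_db()
    print("hardened lookup:", lookup_hardened(db, "ann@example.com"))
    print("escaped greeting:", greeting_hardened("<b>Ann</b>"))
    print("hardened cookie ok:", has_secure_flags(session_cookie_hardened()))
```

The same pattern applies to the static and dynamic analysis mentioned later in the report: each hardened function above is what a source-code scanner would expect to find, and each vulnerable one is the finding it would raise.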
The motivations for potential attacks can include financial gain, political or ideological motives, or personal grudges. Identifying these motivations early in the development process is crucial to understand the potential risks better and take appropriate measures to mitigate them.
System administrators, developers, security engineers, and quality assurance analysts are crucial in identifying and mitigating web application vulnerabilities. The system administrator is responsible for maintaining the security of the organization's systems, while the developer is responsible for creating secure code. The security engineer is responsible for identifying potential vulnerabilities and implementing security controls, and the quality assurance analyst is responsible for testing the application's security.
The business impacts of a successful exploit on a web application's weakness can include financial losses, damage to the organization's reputation, and loss of customer trust. It is essential to take appropriate measures to prevent these impacts by implementing security controls and introducing security into the Software Development Life Cycle (SDLC).
To create a secure coding policy and guidelines, resources such as OWASP (Open Web Application Security Project) can be used. The SDLC process should include security considerations at every stage, from requirements gathering to deployment. This can consist of threat modeling, code reviews, and penetration testing.
Revisions to the control process can include implementing security controls such as encryption and authentication and regularly reviewing and updating the organization's security policies. Software developers can use static and dynamic analysis techniques to scan their source code for vulnerabilities.
In conclusion, as UNFO transforms into an e-commerce model, it will be exposed to new risks in web application vulnerabilities. Identifying these weaknesses and motivations early in the development process is crucial to mitigate the risks and protect the organization from potential business impacts. The senior management team should use this report as guidance for determining a budget allocation for hiring new IT professionals who will implement the e-business model, design the web applications using the SDLC, and make the process secure, thus significantly reducing the risk of having exploitable web applications.
Task 2:
As Up-North Fishing Outfitters (UNFO) transforms into an e-commerce model, it must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of security standards designed to protect cardholder data and reduce the risk of credit card fraud.
Becoming PCI DSS compliant involves several steps, including self-assessment, external assessment, and ongoing compliance monitoring. The organization must complete a self-assessment questionnaire (SAQ) to assess its compliance with the standard. It may also need to undergo an external assessment by a Qualified Security Assessor (QSA).
“The organization must implement several security controls, including firewalls, intrusion detection and prevention systems, and encryption, to move through the compliance process. The organization must also establish and maintain a comprehensive security policy and conduct regular security audits and penetration testing” (WPTechie, 2023).
The consequences of non-compliance with PCI DSS can include fines, legal penalties, and damage to the organization's reputation. Therefore, the organization must take the necessary steps to comply with the standard as soon as possible.
To support the compliance process, it is also essential to have a structured change and configuration management process to track and manage changes to the e-commerce web application and a test plan to ensure that the application is functioning correctly and securely. This can include using version control systems, change management software, and testing tools. This will not only help the organization to meet its compliance requirements but also improve the overall security posture of the organization.
In conclusion, PCI DSS compliance is a critical aspect of operating an e-commerce business, and UNFO needs to ensure that it takes the necessary steps to become compliant as soon as possible. A structured change and configuration management process and a test plan are also crucial for ensuring the e-commerce web application is secure and functioning correctly. The senior management should use this report to determine the budget allocation and resources for the compliance process and to implement the change and configuration management process and test plan.
As Up-North Fishing Outfitters (UNFO) transforms into an e-commerce model, it must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of security standards designed to protect cardholder data and reduce the risk of credit card fraud. In this report, we will discuss how the principles and requirements of PCI DSS can be implemented on UNFO's website to ensure compliance and protect customers' personal and sensitive information.
Introduction:
Up-North Fishing Outfitters (UNFO) is a brick-and-mortar retailer of fishing equipment, apparel, watercraft, safety gear, and other products. As UNFO is moving to an e-commerce model, it will be exposed to new risks in the form of web application vulnerabilities. The legal department has advised the senior management that the organization must become PCI DSS compliant before using online applications that accept credit cards and customer personal information. The administration isn't familiar with PCI DSS compliance; therefore, management asked you to prepare a report explaining PCI DSS compliance, how the organization can move through the compliance process, and the consequences of noncompliance.
PCI DSS Principles and Requirements:
Build and Maintain a Secure Network: To ensure the network's security, firewalls, and intrusion detection and prevention systems must be implemented. This will protect the network from unauthorized access and malicious attacks.
Do not use Vendor Supplied Defaults: It is essential to change the default settings for all system components and ensure that all passwords are changed to strong, unique passwords.
Protect Stored Card Data: Sensitive cardholder data must be encrypted and stored securely protected by firewalls and intrusion detection and prevention systems.
Encrypt Transmission of Cardholder Data: All cardholder data must be transmitted over a secure network using encryption protocols such as SSL or TLS.
Use Antivirus Programs: Antivirus software must be installed and configured to protect all systems from malware and other malicious software.
Develop and Maintain Secure Systems and Applications: The organization must develop and maintain secure systems and applications protected from vulnerabilities and attacks.
Restrict Access to Cardholder Data: Access to cardholder data must be restricted to only those who need it to perform their job duties.
Assign a Unique ID to each Person with Computer Access: Each person with computer access must be assigned a unique ID that is used to track and monitor their access.
Restrict Physical Access to the Cardholder Data Environment: Physical access to the cardholder data environment must be restricted to authorized individuals only.
Track and Monitor All Access: All access to the cardholder data environment must be tracked and monitored to ensure that unauthorized access is detected and prevented.
Regularly Test Security Systems and Processes: Security systems and processes must be regularly tested to ensure that they function correctly and that vulnerabilities are identified and addressed.
Maintain Information Security Policy for Employees and Contractors: The organization must establish and maintain an information security policy that applies to all employees and contractors.
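Three of the requirements above (restrict access to those who need it, one unique ID per person, and track and monitor all access) can be checked together by reviewing the access log. The following is an added example, not part of the report: a small audit-log review that parses constructed log lines and flags need-to-know violations, generic shared accounts, and repeated denied attempts. The log format, account names, the role allowlist and the denial threshold are all assumptions made for the demonstration, not values from any real product or from UNFO.

```python
"""Added example: audit-log review for need-to-know access, unique IDs and
access monitoring.  Log format, roles and thresholds are constructed assumptions."""
import re
from collections import Counter

# Assumed audit line layout, e.g.
#   2023-12-06T10:01:05Z user=jsmith role=billing action=read resource=cardholder/1001 result=ok
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)

# Roles permitted to touch cardholder data (need-to-know); assumed for the demo.
ALLOWED_ROLES = {"billing", "fraud_review"}
# Shared or generic accounts that defeat the one-ID-per-person requirement.
GENERIC_ACCOUNTS = {"admin", "root", "shared", "guest"}
# Number of denied attempts by one user that should be escalated (assumed).
FAILED_THRESHOLD = 3


def parse_line(line):
    """Return the event fields as a dict, or None if the line is not in the audit format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review_access_log(lines):
    """Scan audit lines; return (line_no, finding_kind, detail) tuples in log order."""
    findings = []
    denials = Counter()
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev is None:
            # A gap in the trail is itself a finding: every access must be recorded.
            findings.append((n, "unparseable", "line does not match the audit format"))
            continue
        if not ev["resource"].startswith("cardholder/"):
            continue  # only cardholder-data access is in scope here
        if ev["user"] in GENERIC_ACCOUNTS:
            findings.append((n, "generic_account",
                             f"{ev['user']} is not a unique per-person ID"))
        if ev["role"] not in ALLOWED_ROLES:
            findings.append((n, "need_to_know",
                             f"role {ev['role']} accessed {ev['resource']}"))
        if ev["result"] == "denied":
            denials[ev["user"]] += 1
            if denials[ev["user"]] == FAILED_THRESHOLD:
                findings.append((n, "repeated_denials",
                                 f"{ev['user']} denied {FAILED_THRESHOLD} times"))
    return findings


def summarize(findings):
    """Count findings by kind, for a quick view of where the controls are weak."""
    return Counter(kind for _, kind, _ in findings)


# Constructed sample log: one clean read, a shared account, an out-of-role read,
# an in-scope-irrelevant catalog read, three denials for one user, one bad line.
SAMPLE_LOG = [
    "2023-12-06T10:01:05Z user=jsmith role=billing action=read resource=cardholder/1001 result=ok",
    "2023-12-06T10:02:11Z user=admin role=billing action=read resource=cardholder/1002 result=ok",
    "2023-12-06T10:03:40Z user=mlee role=marketing action=read resource=cardholder/1003 result=ok",
    "2023-12-06T10:04:02Z user=mlee role=marketing action=read resource=catalog/778 result=ok",
    "2023-12-06T10:05:10Z user=tnguyen role=billing action=read resource=cardholder/1004 result=denied",
    "2023-12-06T10:05:14Z user=tnguyen role=billing action=read resource=cardholder/1004 result=denied",
    "2023-12-06T10:05:19Z user=tnguyen role=billing action=read resource=cardholder/1004 result=denied",
    "this line was corrupted during log shipping",
]

if __name__ == "__main__":
    for line_no, kind, detail in review_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind}: {detail}")
    print(summarize(review_access_log(SAMPLE_LOG)))
```

In practice the role allowlist would come from the access-control policy the report calls for, and the review would run on a schedule so that the "regularly test" and "track and monitor" requirements are met by the same evidence.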
By implementing these principles and requirements, UNFO can ensure that its e-commerce website is PCI DSS compliant and that customers' personal and sensitive information is protected. The organization can also improve its overall security posture and ensure that it is protected from vulnerabilities and attacks.
In addition to the above, configuration management and testing play a crucial role in ensuring the security of the e-commerce website. Configuration management helps track and manage changes to the website and its components, ensuring that any vulnerabilities or bugs are identified and resolved quickly. Keeping track of all changes made to the website helps to maintain consistency and accuracy in the website and also helps to identify and resolve issues quickly.
Testing, in turn, is essential to ensure the website functions correctly and is secure. This includes functional testing, security testing, and penetration testing. It helps to identify and resolve any vulnerabilities or bugs before the website goes live and to identify any potential security risks. It also helps ensure the website is user-friendly and easy to navigate.
In conclusion, PCI DSS compliance, configuration management, and testing are crucial for transforming UNFO into an e-commerce environment. By following the principles and requirements of PCI DSS, UNFO can ensure that its e-commerce website is compliant and that customers' personal and sensitive information is protected. Configuration management and testing help maintain the website's security and ensure it functions correctly. The senior management should use this report to determine the budget allocation and resources for the compliance process, for implementing the change and configuration management process, and for the test plan.
References
Charig, N. (2023, October 25). The smart grid – what it is, and why we need it. Power & Beyond. https://www.power-and-beyond.com/the-smart-grid-what-it-is-and-why-we-need-it-a-390575215d5f5a136fc35a372cba7b26/
Essays, W. (2023, February 2). Multimedia Messaging Service - essay bishops. Essay Bishops. https://essaybishops.com/multimedia-messaging-service/
WPTechie. (2023, February 4). Matt Mullenweg and Mike Little. WPTechie. https://www.wp-techie.com/matt-mullenweg-and-mike-little/