Kudler Fine Foods IT Security Report
Kudler Fine Foods is an upscale specialty food store with the very best domestic and imported fare at every location.
In keeping with their motto, “Shopping the World for The Finest Food”, Kudler Fine Foods shops the world in order to provides the very best Baked and pastry products, fresh meat and seafood, fresh produce, cheese and specialty dairy products, wines, and condiments and packaged foods. Kudler Fine Foods brings those food items back to their loyal customers in the San Diego metropolitan are. Kudler Fine Foods has stores in Del Mar, La Jolla, and Encinitas. Their mission is to offer their customers a delightful and pleasing shopping experience by employing experienced, helpful, and knowledgably staff, coupled with their selection of fine foods.
Background

Customer rewards programs and the like have become commonplace in many small and large retail market places. Kudler Fine Foods understands the benefits these programs offer. Customer rewards programs are electronic records management (ERM) systems that collect and store customer sales transaction information in databases from which reports can be queried. Kudler Fine Foods plans to develop the RMS, but needs help from Learning Team “A” to manage security concerns during the system development life cycle (SDLC) in order to safeguard data stored as customer information within the newly implemented system as prescribed by the Federal Trade Commission (FTC). The FTC is charged with protecting the privacy of U.S. consumers.
According to Federal Trade Commission (2007), the fourth widely accepted principle is that data be accurate and secure. To assure data integrity, collectors must take reasonable steps, such as using only reputable sources of data and cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to anonymous form. Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data. Managerial measures include internal organizational measures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes. Technical security measures to prevent unauthorized access include encryption in the transmission and storage of data; limits on access through use of passwords; and the storage of data on secure servers or computers that are inaccessible by modem (Fair Information Practice Principles, para. 4).
Privacy Complaint Mitigation

When the FTC receives notice of a violation of privacy, it tries to negotiate a settlement that both parties can live with, but when no settlement is reached, the FTC issues a complaint using the phrase “would be in the best interest of the public”. If the complaint fails to yield favorable results, the FTC issues a temporary restraining order, followed immediately by a cease and desist order. Failing to respond appropriately to the order will result in a civil penalty imposed of up to $11,000, for each separate violation of the final "cease and desist" order ("Epic.org", n.d.).

Potential Threats

Threats to ERM systems can range from malicious physical threats on end user interface hardware to “Act of God” damages suffered from fire, flood, earthquake, and lightning and Cyber threats ranging from destruction of systems or information due to unwanted sabotage or vandalism from hackers to software attacks from viruses, worms, macros, and denial of service.
“While this term originally referred to a clever or expert programmer, [hacker] is now more commonly used to refer to someone who can gain unauthorized access to other computers” ("Hacker," 2013). Malicious attacks are carried out by all types of people, ranging from teens hacking for purposes of entertainment to competitors trying to gain some sort of strategic ground in the marketplace, but regardless how entertaining or serious the hacker may be, the outcomes can be the same—a disruption in customer service. Table 1 identifies these malicious threads and other potential threats facing Kudler’s new customer rewards program.
Area of System Threat Potential Vulnerability
D:H Technical hardware failures or errors Equipment failure
D:H:Pe:Pr:S Missing, inadequate, or incomplete Loss of access to information systems due to disk drive failure without proper backup and recovery plan organizational policy or planning in place
D:H:S:Pe Sabotage or vandalism Destruction of systems or information
D:S Memory Safety Violation Buffer overflows
D:S Technical software failures or errors Bugs, code problems, unknown loopholes
H Forces of nature Fire, flood, earthquake, lightning
H:Pe:Pr:S Human error or failure Accidents, employee mistakes
H:Pr:S Technological obsolescence Antiquated or outdated technologies
H:Pr:S Missing, inadequate, or incomplete controls Network compromised because no firewall security controls
H:S: User interface failures Data integrity loss
H:S:Pe Deviations in quality of service ISP, power, or WAN service issues from service providers
Pe:Pr: Information extortion Blackmail, information disclosure
Pe:Pr:S Theft Illegal confiscation of equipment or information
Pe:Pr:S Software attacks Worms, Trojan horse, virus, denial of service
Pe:Pr:S Espionage or trespass Unauthorized access and/or data collection
Pe:Pr:S Compromises to intellectual property Piracy, copyright infringement
S Input validation errors Format string attacks, SQL injection, Cross-site scripting (web application)
Legend: D=Data, H=Hardware, Pe=People, Pr=Procedure, S=Software
Table 1 - Table identifying the top threats to the new customer rewards program at Kudler Fine Foods
Areas of the System
In Table 1, areas of the system at risk of being potentially vulnerable include the five areas of a system which are as follows:
• Data – This category refers to factual inputs used by programs in the production useful information.
• Hardware – This category includes the computers, peripherals, servers, I/O devices, storage and communication devices.
• People – This category refers to users of the information system. Though this category is often over-looked, people are most influential element in the information system’s success or failure.
• Procedure – This category refers to policies and rules governing processes pertaining to information systems.
• Software – This category refers to computer programs that control functions within systems for the production useful information from data. Support manuals are also included in this category.
Most Critical Threats to Kudler From the list of threats (Table 2), Learning Team “A” ranked the threats based on what we felt to be the most critical. From the list, we categorized each risk into three distinct security classifications:
• High (H): Possibility of causing extremely serious personal or organizational injury, including any of the following: o Financial harm – extreme loss of capital/assets, imposition of extreme penalties/sanctions o Operational harm – severe loss of operation control, breach of contract/regulatory standard, prolonged loss of public trust o Personal harm – loss of life, limb, or extreme danger to public safety
• Medium (M): Possibility of causing serious personal or organizational injury, including any of the following: o Financial harm – significant loss of capital/assets, imposition of significant penalties/sanctions o Operational harm – significant impact on ability to serve, significant damage to partnerships, and reputation, significant impact from lowered employee moral o Personal harm – serious personal hardship
• Low (L): Possibility of causing limited or no injury to individuals or organization, including any of the following: o Financial harm – Some degree of financial loss o Operational harm – Some degree of inability to serve, limited impact from lowered employee moral o Personal harm – Some degree of embarrassment
Severity Threat
H Espionage or trespass
H Software attacks
H Theft
H Forces of nature
H Missing, inadequate, or incomplete controls
H Sabotage or vandalism
M Missing, inadequate, or incomplete
M Compromises to intellectual property
M Information extortion
M Human error or failure
L Technical software failures or errors
L Technical hardware failures or errors
L User interface failures
L Deviations in quality of service
L Input validation errors
L Memory Safety Violation
L Technological obsolescence
Table 2 - List of Threats facing Kudler
Classified by level of serenity.
References
Epic.org. (n.d.). Retrieved from http://epic.org//privacy/internet/ftc/Authority.html
Federal Trade Commission. (2007). Retrieved from http://www.ftc.gov/reports/privacy3/fairinfo.shtm
Hacker. (2013). In Techterms.com. Retrieved from http://www.techterms.com/definition/hacker