Compliance Law and Regulations Related to IT Any establishment that sells food and alcohol requires strict compliance with several federal, state, and local laws; however, this section relates to Information Technology (IT) specific compliance and regulations. Because Beachside Bytes Bar and Grill will be accessing and storing sensitive information from customers and employees, guidelines, laws, and policies have been established to insure the privacy of such information is secure. Only those authorized to view, change, or remove such data must be fully authenticated through proper procedures. In addition, established protocols and encryption methods must be use to access database information via the Internet. This section of the report will address these and other challenges related to IT privacy and security. PCI DSS (Payment Card Industry Data Security Standard) is an information security standard that was created from a joint effort of major credit card companies in 2004. Its purpose is to create controls that would reduce credit card fraud. This standard is built around 6 principles and 12 requirements. It is assumed that Beachside Bytes intends to credit cards as a form of payment and must therefore comply with the following principles set forth. The first principle, "Build and Maintain a Secure Network", is enforced through 2 requirements: (1) Install and maintain a firewall, and (2) do not use defaults (IE. passwords). Firewalls create a single point of defense between two networks. Since the Internet is web of networks, it is important that firewalls are installed in every Beachside Bytes local area network location. Since the company has 3 major locations in Miami, San Diego, and Honolulu, a minimum of 1 firewall at each location is required. If a website is maintained, 2 firewalls and a DMZ (demilitarized zone) or perimeter network could be used for added security. Firewalls should be industry hardware standard manufactured by a reputable company such as Cisco. A software firewall is not considered as reliable as a hardware firewall. Any agent of the company requesting to connect to a database outside the local network will also require a firewall, but may be of SOHO (Small Office Home Office) caliper. Firewalls should following lifecycle steps: (1) Determine what traffic should be allowed, (2) Create a firewall policy, (3) purchase firewall hardware, (4) install firewall, (5) configure firewall, (6) test firewall, (7) implement firewall, and (8) maintain and update firewall configuration and polices. Continuing with the secure network principle, is the requirement that default usernames and passwords are not used. Authentication is the root of a secure network, and must be taken seriously through written policy and server group polices. Passwords recommendations include passwords to be at least 8 characters long, using upper and lower case, at least 1 number and 1 special character. Username may be assigned through the administrator. When accessing the network from outside the LAN, a 2-step authentication may be used where physical access to a cell phone text message can be trusted. Since usernames and passwords must be memorized, a 3rd party password management solution such as LastPass may be entertained. The second principle of PCI DSS is to protect cardholder data that requires (1) protection of stored data, and (2) encrypted transmissions. As customers use credit cards and driver licenses throughout the bars, sensitive information is transferred, processed, and stored on a local network database. There are many POS (Point of Sale) programs that may be used but must be validated to insure cardholder data is secure. If the data is inside an Oracle database, for example, care must be taken so that only those authorized and trained can view, alter, or remove such data. Such database programming tools that can bypass regular POS system functions like PL/SQL could be shut down completely, unless a database administer (or appointee) discovers a need. Although much information can be stored from one individual, it may not be necessary to keep the information for extended periods, and may be purged if the data is no longer of use or value. Although storage is cheap, the consequences of a hacker accessing the storage may be quite expensive. Protection of cardholder data also requires the use of VPN (Virtual Private Network) when accessing data outside the local network. The use of a VPN extends the local network (a private network) across the Internet (public networks) to a distant destination (usually the an employee's SOHO). Proper installation and security policies must be observed while creating the VPN(s). Encryptions require RSA (public key encryption method) with 2048 bits or an asymmetric system where 2 keys are used (public and private). In any case, all encryptions methods must be tested and validated before being used. The third principle, "Requiring a Vulnerability Management System", requires (1) the proper use of antivirus software, and (2) the development and maintenance of secure systems. There are 2 flavors of antivirus software, business and private. Both provide the same function of preventing, detecting and removing malicious activities on a computer or network. The antivirus requirements should include real-time protection, rootkit detection, and the ability identify malware, and may be used in conjunction with spyware software. All computers and even some devices (tablets and smartphones) would require antivirus software installed if accessing the network. A Vulnerability Management System also requires planning, developing, implementing, testing, and maintaining IT security procedures. Such plans can come from 3rd party organizations like ITIL (Information Technology Infrastructure Library) whose intention is to align IT services with the needs of the business. This document may support such an effort, as it may be part of this "Risk Management Plan". The fourth principle, "Strong Access Control Measures", requires (1) restrict access to data and (2) the requirement of unique logins for each user. Through the use of group policies in server software, the division (and hence security) of different departments or functions may be utilized to segregate data based on users' network privileges. Moreover, LAN switches may be used to create VLANs (Virtual Local Area Networks) to logically separate departments or functions. The IT administrator (or designee) would also provide unique usernames for each employee. A written policy or SOP (Standard Operating Procedure) that is understood by each employee regarding the use of usernames and passwords must be enforced. All employees must be trained and sign a document indicating they understand and follow such procedures. For customers, an "Accept" button on the website establishing limiting legal liability to the company before accessing the network. Customers may access their own profile and data via PIN (Private Identification Number) or through a "Secret Question/Answer" process. The fifth principle, "Regularly Monitor and Test Networks", requires (1) tracking and monitoring software and (2) to regularly test security. The ability to know who and when data has been added, modified or removed is essential to troubleshooting malicious activities. General and detail reporting may be used to motivate management to fund IT resources adequately. Testing of the network may come from 3rd party entities that certify network security. Whether done in-house or outsourced, the company (and hence senior management) is ultimately responsible for the network's vulnerability. The final principle, "Maintain an Information Security Policy", requires a security policy detailing the above mentioned and updates as technology progress and new challenges are met. To insure this framework is properly installed, the Security Standards Council has several PCI DSS programs available to assist and train. A mandatory yearly audit of the system will evaluate PCI DSS compliance.

References