Organizational Information Security Next Generation
Running head: EXPLORATION OF A PROPOSED COLLABORATIVE
Exploration of a Proposed Collaborative Cyber Security Policy Featuring Darden Restaurants
and Ziosk Technologies
Gregory Totty – ISM 529 – Emerging Cyber Security Technology, Threats, and Defense
Colorado State University – Global Campus
Dr. Murthy Rallapalli – January 28, 2016
A recent increase in both the size and complexity of cyber-criminal activity mandates that businesses operating in the global enterprise system now prioritize information security as a primary business function. The landmark security breach involving Target, which compromised millions of customers' private information (Tucker, 2014), set the tone for organizations now facing the very real threat of cyber-attack. This event illustrates the level of resources an organization needs to mitigate the damage created by these new, sophisticated cyber-attacks. A nightmare scenario for any organization, these cyber-attacks are often conducted by organized gangs from all corners of the globe. The technology that allows for virtually limitless data transfer and storage in the world economy also unleashes new threats of a type and magnitude that previous generations of executives never encountered.
The possibility of such massive security breaches prompted the President of the United States to issue Executive Order 13636, authorizing the creation of a new, flexible framework for the cyber security of critical infrastructure (Obama, 2013). The framework derives much of its structure from previous governmental department analysis (Snow, 2011). The escalation of recent cyber-attacks prioritized the framework's implementation. Officially named the NIST Cyber Security Framework for Critical Infrastructure, it is a set of guidelines that are not only designed for national security but are also applicable to structuring information cyber security policies in today's modern organizations. The following research proposal attempts to outline a cyber security policy derived from the NIST framework, in the creation of a collaborative cyber security policy for the world's largest restaurant corporation, Darden Restaurants, in conjunction with a third-party vendor company, Ziosk Technology. Research has indicated that organizations should look to combine resources with trusted vendors in the creation of a cooperative cyber security policy (Gamer, 2015). The proposed collaborative policy would utilize the guidelines suggested by Executive Order 13636. Darden and Ziosk are both regarded as organizations compliant with industry standards for securing private information. The concept of industry cooperative cyber security policies suggests a proactive approach to cyber security, a concept needed to successfully manage these modern threats.
The purpose of the following research is to explore a forward-thinking concept from the next generation of cyber security. Evidence from Gamer (2015) and others in the media suggests that the future of organizational cyber security involves many different forms of cooperative effort between businesses. Collaboration between businesses for symbiotic benefit has become more common as the global enterprise system advances in data and communications technology. The fundamental goal of this exploration is the creation of a secure climate for Darden Restaurants' POS transactions by using the new NIST cyber security framework core and profile tools in conjunction with the tablet system provided by Ziosk Technology. The cyber security framework provided by NIST allows for strategic projections of a security policy that evolves with technology. The Ziosk tablets not only provide a wealth of information for management through analytics, but have also been virtually infallible since their inception (McCeney, 2015). The analysis of Darden Restaurants' cyber security policy reflects the need for a more flexible, robust policy that can be incorporated into the business design (Monaco, 2011). The suggested collaboration hopes to generate further interest in the subject, ultimately adding to industrial knowledge of cooperative cyber security between organizations.
Darden Restaurants and Ziosk Technology
Darden Restaurants' vision statement commits the organization "to be a company that positively affects meaningfully more guests, employees, communities and business partners – a company that matters even more than we do today". The mission statement focuses on customer service by promising "to nourish and delight everyone we serve" (Darden, 2016). According to PR Newswire (2015), Darden Restaurants' total sales rose 3.2% to 1.61 billion dollars in the last quarter of 2015. The world-wide restaurant chain features such well-known brands as Longhorn Steaks, The Olive Garden, Capital Grille, and Four Seasons, just to name a few. Darden's corporate operations are based in Orlando, Florida, and include over 1500 total restaurants and 170,000 employees. Like many other customer service businesses, the point of sale function is a key business element for the organization. Leading the industry in many ways, Darden has emphasized POS functionality for many years, culminating in the recent addition of new table-top tablets, a new technology developed by Ziosk Technology. The impact of this technology on Darden and the industry has been dramatic. According to Ahmed (2016), the tablets also generate a wealth of new data analytics that managers utilize to reduce costs and improve service. The analytics produced from the tablets indicate that the tablets contribute to a higher quality guest experience emphasized through better overall service. Guests have more control over the pace of dining by using Ziosk's pay-at-the-table POS function. The point-to-point encryption feature of the tablet is also the focal point for the protection of the customer's private information (Bodhani, 2013). The combination of Darden Restaurants' enormous customer database with primary POS functions conducted through the use of Ziosk tablets creates a new generation of transaction processing that needs a flexible framework through which the growth of this collaboration can be realized.
NIST Cyber Security Framework
According to Riehle (2015), most restaurants view cyber security as nothing but a cost of doing business. However, as Allen (2015) reports, the business climate is changing everywhere. The global enterprise system of today must recognize information security as a primary function of the business. The National Institute of Standards and Technology's (NIST) Cyber Security Framework for Critical Infrastructure has received its share of criticism from Lewis (2014) and others for being too broad in scope for most organizations. However, Chang-Gu (2015) demonstrates how portions of it can be utilized by any organization. The framework is divided into three parts: the framework core, the implementation tiers, and the framework profile. Each part is a different tool used for a different purpose. The research presented in this exploration focuses on a framework core analysis (Figure 1) of the current-state cyber security policy at Darden Restaurants compared with the proposed collaborative policy in its initial state. Finally, a roadmap created from assessments using the framework profile (Figure 2) will project where the organization desires the policy to be at a point in time in the future. The structure evolves to align the collaborative policy with other primary business functions, such as operations or finance. This type of organizational commitment is necessary due to the technologically enhanced business climate. The global enterprise system of the twenty-first century opens the door to cyber-attacks on an epic scale.
Darden Restaurant’s Cyber Security Landscape
A full assessment of Darden Restaurants' cyber security needs is archived by the United States Securities and Exchange Commission (SEC, 2012). The Form 10-K filing reveals the company's dependency on technology and susceptibility to cyber-attacks. This attitude is consistent with previous statements from Patti Reilly White, former CIO and Senior VP (New, 2009). The former CIO of Darden Restaurants continually urged the organizational leadership to align the cyber security policy with primary business functions. Her emphasis focused on the necessity of organizational commitment through a forward-thinking vision realized through:
A next generation point of sale system
Forecasting systems
Mapping systems to accurately measure guests' wait time
Information Technology performance measurement tools
The introduction of the Ziosk tablet will upgrade all of these technologies, along with the establishment of a state-of-the-art POS system complete with a host of analytical data collected by the tablets. The vulnerability suggested by the SEC report indicates a need for a security policy upgrade – one that matches the needs of the organization, before such an event occurs.
Darden Restaurants is fortunate among the restaurant industry; others are not as lucky. According to London (2014), P.F. Chang's China Bistro, a restaurant chain featuring Chinese cuisine, experienced a security breach involving 33 restaurants. The breach compromised customers' credit card information, for which the company offered identity theft insurance and compensation. The mitigation strategies needed to compensate the victims are costly and ineffective as a preventative strategy. The only data security breach that has ever been attributed to Darden Restaurants occurred in 2009 and cost the company a $9 appetizer voucher per customer whose information was compromised (Sinha, 2016). This fact alone tends to diminish the role of cyber security in the business. However, by adopting the flexible guidelines of the NIST cyber security framework, Darden can realize the functionality needed in the event of a data breach. The adoption of the NIST framework correlates precisely with the addition of the Ziosk tablets, effectively creating a state-of-the-art information security policy for the hospitality industry. The goal of achieving a policy that aligns with primary business functions cannot be realized at Darden Restaurants in the current-state analysis.
Cyber Security Policy – Darden Restaurants Current State
Using the NIST framework core (Figure 1), the current cyber security policy would feature the five broad functions:
Identify
Protect
Detect
Respond
Recover
The framework utilizes these five actions in the assessment of the current cyber security climate of Darden Restaurants, as well as providing a starting point for the proposed collaboration. The NIST framework profile addresses these same action steps to create a flexible collaborative policy that will evolve with varying business environments. The proposed collaboration with Ziosk is also analyzed using the NIST framework core. It improves on the existing cyber security policy, which is reactive and only partially addresses these steps:
Identify - what assets are at risk?
Cyber security policy begins with an extensive process in which potential issues are revealed. This step attempts to identify what assets are of particular concern, including an assessment of possible risks to information systems, culminating in a developed strategy for risk management. The business environment and climate are also factors that contribute to the initial risk identification model (Hayden, 2014). Once risks are identified, methods to mitigate them are developed. Darden Restaurants assigns no emphasis to this function, and any action steps are entirely reactive to the situation.
Protect - take the steps to stop a cyber-attack before it starts
This protection phase includes technical applications such as data encryption, control of information system access, training, and implementation of security technology. Ferguson (2013) emphasizes this phase as a continually evolving instrument reflective of the current business environment. The aspects of protection vary from organization to organization, but in the hospitality industry a particular emphasis is generally placed on data privacy. Currently, POS transactions at Darden Restaurants are encrypted, but not with any two-phase authentication methods. This vulnerability is mentioned in the SEC Form 10-K filing.
Detect – routinely monitor systems for unusual activity
Ferguson (2013) recommends an open testing procedure for the identification of risks, but also warns that these tests might be fraught with their own dangers. The continual monitoring of the security systems is a necessary action for the identification of new threats and for learning defenses against known threats. Information systems currently at Darden include Oracle's Business Suites, which Carr (2014) and Maurice (2015) note have numerous vulnerabilities.
Respond - plan for the worst possible scenario
Once an attack or breach has been detected, a series of measures should be enacted that will counteract the incident. In the case of Darden Restaurants, the business continuity strategy is currently incomplete and reactive. Recent security breaches involving the hospitality industry have been complex in nature, with a focus on network compromise via distributed denial of service. In the 10-K filing (SEC, 2012), Darden Restaurants hints at the organization's dependency on existing information systems and their susceptibility to this form of cyber-attack.
Recover – getting back to normal after the breach
Recovery strategies develop primarily through experience over time (Riehle, 2015). This phase also contains plans for the rebuilding of brand and reputation, often the company's most valuable asset. Through continual testing and system monitoring, a core recovery strategy should be developed that encompasses all facets of the operation. This is a most necessary element of the twenty-first century global enterprise system (Chang-Gu, 2014). Darden Restaurants does have a reactive plan designated for crisis management.
Proposal for the Darden / Ziosk Collaborative Cyber Security Policy
Utilizing the framework core for structure and as an aid for assessing the current cyber security landscape, the Darden Restaurants cyber security policy can be viewed as a static, traditional policy revealing the current methods that are characteristic of a conglomerate organization in the hospitality industry today. The current landscape promotes more of a partial policy, rather than the cooperative lifecycle approach generated through partnerships (Gamer, 2015). This cooperative strategy is reflected in the framework profile, an instrument used in the creation of a cyber security roadmap, enabling alignment with core business functions. If an assessment of the cyber security policy were made utilizing the tiers assigned by NIST, the current state of cyber security at Darden Restaurants would be placed in tier one or two in most areas. Upgrading Oracle Business Suites and fully implementing the Sun Solaris platform bring the information systems to a level where, with the addition of the Ziosk tablet's point-to-point encryption for data privacy at the projected level of 80% of total credit transactions at Olive Garden restaurants, the cyber security environment evolves into a life cycle. A relevant series of questions can be developed that address specific elements of each of the five functions described in the NIST framework core. This assessment establishes the current state of cyber security. Using the framework profile, a roadmap is created that can predict the cyber security landscape for the future. The final product reveals a new approach to cyber security policy, much like the ideas previously described by former CIO White (Sinha, 2016).
Identify – Take a full inventory of what assets are at risk:
What systems or hardware—like point-of-sale terminals—connect to your network?
What type of information do they collect and what software do they run?
Oracle Business Suites and Sun Platform; Ziosk tablets for POS.
How vulnerable is the website or mobile ordering site?
Standard Oracle version
Is a firewall in place to secure the network?
Yes, Network Perimeter for all sensitive areas
Do employees have access to the network? To data storage, or other sensitive areas?
No – only authorized individuals
What third parties have access and who is responsible?
The CIO and appointed individuals. Only Ziosk will have full access.
The collaboration of Darden Restaurants and Ziosk Technology helps to define specific goals.
Protect – Enact security measures that minimize risk to assets
Do you limit access to information systems and assets?
Yes. Only authorized personnel have knowledge – not shared
Do you have adequate cyber security training in place?
Some now; setting goals to improve on a timetable
Are systems, platforms and software updated regularly?
Yes, where applicable
Is the most sensitive data well protected?
Yes, by the Ziosk point-to-point encryption
Some of the questions have conditional answers, but the addition of the Ziosk tablet's encryption system brings the protection phase up to a tier 3.
Detect – Monitoring and reporting
What systems are in place that monitor unusual activity?
Reactive systems only.
Like most of the hospitality industry, Darden Restaurants fails to meet the baseline in this area. According to Lang (2010), hospitality industry workers tend to be very good at sharing knowledge with each other; therefore the answer would be found in existing industry methods.
Respond – Planning for the worst
What data was compromised?
The answer should not be "what" but "how quickly can you find out?"
How was the breach created and by whom?
This would be part of a forensic identification; no such capability is in place
Can the breach be controlled and terminated?
This would depend on how quickly it was identified and the speed with which the business contingency plan could be implemented
What are the legal implications?
Once again, this will depend upon the situation
By aligning cyber security with other important business functions, the response phase collects industry information on similar incidents, including successful response strategies.
Recovery – Building back the brand and reputation
Has the business met all of the legal requirements of the breach?
Using other crisis situations as examples, yes
Are you prepared for slowed business? Have you cut expenses?
Again, yes – slowed business is part of the market and economy
Are you prepared to terminate those responsible? Have you sought help from a PR firm to help rebuild brand and reputation?
Yes, and no.
Have you done all things possible – from hiring a chief of security all the way to changing all passwords?
Will have by this phase, but not as of yet
With very little experience in data breaches, Darden would do well to initiate a talent search for experienced personnel in this area. The assessment reveals a current security core that, before the policy implementation, could be measured as the baseline. The policy has evolved to be a part of the roadmap created by implementation of the framework profile displayed:
Cyber security Landscape – Darden Restaurants – Using NIST Framework (diagram)
The NIST framework profile serves as the assessment tool for currently assessing the organizational cyber security landscape, for predictive assessment of an evolving policy in collaboration with Ziosk, and for forecasting the cyber security landscape for the future of Darden Restaurants. Stages shown in the diagram: Current Cyber Security; Collaboration with Ziosk; Adaptive Evolving Policy.
NIST Framework for Cyber Security
Still in its infancy, the NIST framework for cyber security demonstrates a wide variety of uses, as observed from the model featured in this exploration. Since the hospitality industry is one of the most targeted industries for cyber-attacks, the framework demonstrates its flexibility through an ability to adapt and conform to the differences observed across various industries. The utility displayed in the application of the framework, as described by Chang-Gu (2015), is a feature that would enhance any organization's security policy. Ferguson (2013) remarks that only time will tell about the framework's usefulness to industry; this exploration verifies its utility two years after its design. Lewis (2013) predicted that the framework would be too broad to be useful in business; however, Riehle (2014) suggests that the functions themselves are specific enough for a small business to adopt. However it is depicted, the NIST framework for cyber security can be a very useful tool both in assessing the current organizational cyber security landscape and as a roadmap tool for predicting and forecasting an organizational cyber security policy goal.
Conclusion
The NIST framework for cyber security aids in the construction of the collaborative cyber security policy of Darden Restaurants with Ziosk Technology. Point of sale transactions are a very attractive target for cyber criminals (Whittaker, 2014). Access to these systems by cyber criminals causes great damage to organizations, not only financially but also to brand and reputation, compromising individuals' sensitive data (Bodhani, 2013). Darden Restaurants has completed its installation of the Ziosk tablets at all 800 of its Olive Garden locations with little opposition (Jorge, 2015), forming a partnership with many positive attributes for both organizations. The collaborative cyber security policy created from the use of the point-to-point encryption featured in the Ziosk tablets produces a state-of-the-art information security feature in data privacy (Gamer, 2015), destined to become a landmark achievement in cyber security defense strategy.
References
Ahmed, S. (2016). IT Innovators: Ziosk Serves Restaurants' Growing Appetite for Data. Data Center Talk. Retrieved from: https://www.datacentertalk.com/2016/01/it-innovators-ziosk-serves-restaurants-growing-appetite-for-data/
Allen, C. (2015). An Ever-More-Complicated Risk Landscape Vexes Corporate Directors. NACD. Retrieved from: https://www.nacdonline.org/AboutUs/NACDInTheNews.cfm?ItemNumber=1298
Bodhani, A. (2013). Point-of-sale cyber security: hacking the check-out. Engineering and Technology Magazine. Retrieved from: http://eandt.theiet.org/magazine/2013/03/turn-on-log-in-checkout.cfm
Carr, D. (2014). Darden Uses Analytics to Understand Restaurant Customers. Information Week. Retrieved from: http://www.informationweek.com/strategic-cio/executive-insights-and-innovation/darden-uses-analytics-to-understand-restaurant-customers/d/d-id/1141551?page_number=2
Chang-Gu, A. (2015). NIST Cybersecurity Framework vs. NIST Special Publication 800-53. Praetorian. Retrieved from: https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53
Darden. (2016). Company website. Retrieved from: https://www.darden.com/our-company/faqs#darden-mission
Darden Restaurants. (2011). Code of Business Conduct and Ethics. Retrieved from: https://s2.q4cdn.com/922937207/files/doc_downloads/governance/Code-of-Business-Conduct.pdf
Ferguson, G. (2013). NIST Cybersecurity Framework: Don't Underestimate It. Information Week. Retrieved from: http://www.informationweek.com/government/cybersecurity/nist-cybersecurity-framework-dont-underestimate-it/d/d-id/1112978
Gamer, N. (2015). Cyber Security: The Cooperation Game. Trend Micro. Retrieved from: https://blog.trendmicro.com/cyber-security-the-cooperation-game/
Hayden, E. (2014). NIST cybersecurity framework analysis: Putting it to good use. Tech Target. Retrieved from: http://searchsecurity.techtarget.com/tip/NIST-cybersecurity-framework-analysis-Putting-it-to-good-use
Jorge, K. (2015). Ziosk Completes Installation of Tabletop Tablets at Olive Garden Restaurants Nationwide. Restaurant News.com. Retrieved from: http://www.restaurantnews.com/ziosk-completes-installation-of-tabletop-tablets-at-olive-garden-restaurants-nationwide/
Lang, S. (2010). Hospitality experts ponder profit and sustainability. The Cornell Chronicle. Retrieved from: http://news.cornell.edu/stories/2010/12/hospitality-pros-ponder-profits-and-sustainability
Lewis, J. (2014). NIST Cybersecurity Framework. CSIS – Center for Strategic and International Studies. Retrieved from: http://csis.org/publication/nist-cybersecurity-framework
London, D. (2014). P.F. Chang's: 33 restaurants affected in data breach. USA Today. Retrieved from: http://www.usatoday.com/story/money/business/2014/08/04/pfchang-credit-debit-card-data-breach/13567795/
Maurice, E. (2015). January 2015 Critical Patch Update Released. The Oracle Software Security Assurance Blog. Retrieved from: https://blogs.oracle.com/security/entry/january_2015_critical_patch_upda
McCeney, M. (2015). Ziosk(R) Strengthens Restaurant Security Through Industry-First Secure Payment and Mobile Wallet Solutions. Yahoo Finance. Retrieved from: http://finance.yahoo.com/news/ziosk-r-strengthens-restaurant-security- -
Monaco, H. (2011). Cooking Good Security. Info Security Watch. Retrieved from: http://www.securityinfowatch.com/article/10536751/cooking-good-security
New, J. (2009). CIO Profiles: Patti Reilly White, Senior VP and CIO of Darden Restaurants. Information Week. Retrieved from: http://www.informationweek.com/it-leadership/cio-profiles-patti-reilly-white-senior-vp-and-cio-of-darden-restaurants/d/d-id/1085291
Obama, B. (2013). Executive Order -- Improving Critical Infrastructure Cybersecurity. Retrieved from: https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
PR Newswire. (2015). Darden Restaurants Financial Statement 2015. SyS Con Media. Retrieved from: http://news.sys-con.com/node/3605446
Riehle, H. (2015). Get answers on cybersecurity—for free. National Restaurant Association. Retrieved from: http://www.restaurant.org/News-Research/News/Get-answers-on-cybersecurity%E2%80%94for-free?feed=NationalRestaurantAssociationNews
SEC. (2012). Form 10-K. Darden Restaurants. Retrieved from: http://www.sec.gov/Archives/edgar/data/940944/000094094412000031/dri-201210xk.htm#s80BBA54262E1182D103D03A83696B5A0
Sinha, S. (2016). Proposed settlement in Olive Garden FACTA lawsuit. Inadequate Security. Retrieved from: http://www.databreaches.net/proposed-settlement-in-olive-garden-facta-lawsuit/
Snow, G. (2011). Statement before the House Financial Services Committee, Subcommittee on Financial Institutions and Consumer Credit. Federal Bureau of Investigation. Retrieved from: https://www.fbi.gov/news/testimony/cyber-security-threats-to-the-financial-sector
Tucker, E. (2014). Target breach renews calls for national notification standard for victims of data theft. PBS News Hour. Retrieved from: http://www.pbs.org/newshour/rundown/target-breach-renews-calls-national-notificationstandard-victims-data-theft
Whittaker, W. (2014). Point of Sale (POS) Systems and Security. SANS Institute. Retrieved from: https://www.sans.org/reading-room/whitepapers/bestprac/point-sale-pos-systems-security-35357
Figure 1 - NIST Framework for Cyber Security - Core
Chang-Gu, A. (2015). Chart. Retrieved from: https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53
Figure 2 - NIST - Framework for Cyber Security - Profile
Chang-Gu, A. (2015). Chart. Retrieved from: https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53