Running head: EXPLORATION OF A PROPOSED COLLABORATIVE 1
Exploration of a Proposed Collaborative Cyber Security Policy Featuring Darden Restaurants
and Ziosk Technologies
Gregory Totty – ISM 529 – Emerging Cyber Security Technology, Threats, and Defense
Colorado State University – Global Campus
Dr. Murthy Rallapalli – January 28, 2016
A recent increase in both the size and complexity of cyber-criminal activity mandates that
businesses operating in the global enterprise system now prioritize information security as a
primary business function. The landmark security breach involving Target that compromised
millions of customers’ private information (Tucker, 2014) set the tone for organizations now
facing this very real threat of cyber-attack. This event illustrates the level of resources an
organization needs to mitigate the damage created by these new, sophisticated cyber-attacks.
Certainly a nightmare scenario for any organization, these cyber-attacks are often
conducted by organized gangs from all corners of the globe. The technology that allows for
virtually limitless data transfer and storage in the world economy also unleashes these new
threats of a type and magnitude previous generations of executives never encountered.
The possibility of such massive security breaches prompted the President of the United
States to issue Executive Order 13636, authorizing the creation of a new flexible framework for
the cyber security of critical infrastructure (Obama, 2013). The framework derives much of its
structure from previous governmental department analysis (Snow, 2011). Escalation of recent
cyber-attacks prioritized the framework’s implementation. Officially named the NIST Cyber
Security Framework for Critical Infrastructure, it is a set of guidelines that are not only designed
for national security but also applicable for structuring information cyber security policies in
today’s modern organizations. The following research proposal attempts to outline a cyber
security policy derived from the NIST framework, in the creation of a collaborative cyber
security policy for the world’s largest restaurant corporation, Darden Restaurants, in conjunction
with a third-party vendor company, Ziosk Technology. Research has indicated that organizations
should look to combine resources with trusted vendors in the creation of a cooperative cyber
security policy (Gamer, 2015). The proposed collaborative policy would utilize the guidelines
suggested by Executive Order 13636. Darden and Ziosk are both regarded as organizations
compliant with industry standards for securing private information. The concept of industry
cooperative cyber security policies suggests a proactive approach to cyber security, a concept
needed to successfully manage these modern threats.
The purpose of the following research is to explore a forward-thinking
concept from the next generation of cyber security. Evidence from Gamer (2015) and others in
the media suggests the future of organizational cyber security involves many different forms of
cooperative efforts between businesses. Collaboration between businesses for a symbiotic benefit
has become more common as the global enterprise system advances in data and communications
technology. The fundamental goal of this exploration is the creation of a secure climate for
Darden Restaurants’ POS transactions by using the new NIST cyber security framework core and
profile tools in conjunction with the tablet system provided by Ziosk Technology. The cyber
security framework provided by the NIST allows for strategic projections of a security policy
that evolves with technology. The Ziosk tablets not only provide a wealth of information for
management through analytics, but have also been virtually infallible since their inception
(McCeney, 2015). The analysis of Darden Restaurants’ cyber security policy reflects the need for a
more flexible, robust policy that can be incorporated into the business design (Monaco, 2011). The
suggested collaboration hopes to generate further interest in the subject, ultimately adding
industrial knowledge of cooperative cyber security between organizations.
Darden Restaurants and Ziosk Technology
Darden Restaurants’ vision statement commits the organization “to be a company that
positively affects meaningfully more guests, employees, communities and business partners – a
company that matters even more than we do today”. The mission statement focuses on customer
service by promising “to nourish and delight everyone we serve” (Darden, 2016). According to
PR Newswire (2015), Darden Restaurants’ total sales rose 3.2% to 1.61 billion dollars in the last
quarter of 2015. The worldwide restaurant chain features such well-known brands as Longhorn
Steaks, The Olive Garden, Capital Grille, Four Seasons, just to name a few. Darden’s corporate
operations are based in Orlando, Florida, and include over 1500 total restaurants and 170,000
employees. Like many other customer service businesses, the point of sale function is a key
business element for the organization. Leading the industry in many ways, Darden has
emphasized POS functionality for many years, culminating with the recent addition of new
tabletop tablets, a new technology developed by Ziosk Technology. The impact of this technology on
Darden and the industry has been dramatic. According to Ahmed (2016), the tablets also
generate a wealth of new data analytics that managers utilize to reduce costs and improve
service. The analytics produced from the tablets indicate the tablets contribute to a higher-quality
guest experience emphasized through better overall service. The guests have more control over
the pace of dining by using Ziosk’s pay-at-the-table POS function. The point-to-point encryption
feature of the tablet is also the focal point for the protection of the customer’s private information
(Bodhani, 2013). The combination of Darden Restaurants’ enormous customer database with
primary POS functions conducted through the use of Ziosk tablets creates a
new generation of transaction processing that needs a flexible framework through which the
growth of this collaboration can be realized.
NIST Cyber Security Framework
According to Riehle (2015), most restaurants view cyber security as nothing but a cost of
doing business. However, as Allen (2015) reports, the business climate is changing everywhere.
The global enterprise system of today must recognize information security as a primary function
of the business. The National Institute of Standards and Technology (NIST) Cyber Security
Framework for Critical Infrastructure has received its share of criticism from Lewis (2014) and
others for being too broad in scope for most organizations. However, Chang-Gu (2015)
demonstrates how portions of it can be utilized by any organization. The framework is divided
into three parts: the framework core, the implementation tiers, and the framework profile. Each
part is a different tool used for a different purpose. The research presented in this exploration
will focus on the framework core analysis of the current state cyber security policy at
Darden Restaurants, compared with the proposed collaborative policy in its initial state
(Figure 1). Finally, a roadmap created from assessments using the framework profile (Figure 2) will
project where the organization desires the policy to be at a point of time in the future. The
structure evolves to align the collaborative policy with other primary business functions, such as
operations or finance. This type of organizational commitment is necessary due to the
technologically enhanced business climate. The global enterprise system of the twenty-first century
opens the door for cyber-attacks on an epic scale.
Darden Restaurant’s Cyber Security Landscape
A full assessment of Darden Restaurants’ cyber security needs is archived by the United
States Securities and Exchange Commission (SEC, 2012). The Form 10-K filing reveals the
company’s dependency on technology and susceptibility to cyber-attacks. This attitude is
consistent with previous statements from Patti Reilly White, former CIO and Senior VP (New,
2009). The former CIO of Darden Restaurants continually urged the organizational leadership to
align the cyber security policy with primary business functions. Her emphasis focused on the
necessity of organizational commitment through a forward-thinking vision realized through:
• A next generation point of sale system
• Forecasting systems
• Mapping systems to accurately measure guests’ wait time
• Information Technology performance measurement tools
The introduction of the Ziosk tablet will upgrade all of these technologies, along with the
establishment of a state-of-the-art POS system complete with a host of analytical data collected
by the tablets. Darden’s vulnerability suggested by the SEC report indicates a need for a
security policy upgrade – one that matches the needs of the organization, before such an event
occurs.
Darden Restaurants is fortunate among the restaurant industry; others are not as lucky.
According to London (2014), P.F. Chang’s China Bistro, a restaurant chain featuring Chinese
cuisine, experienced a security breach involving 33 restaurants. The breach compromised
customers’ credit card information, in response to which the company offered identity theft
insurance and compensation. The mitigation strategies needed to compensate the victims are costly
and ineffective as a preventative strategy. The only data security breach that has ever been
attributed to Darden Restaurants occurred in 2009 and cost the company a $9 appetizer voucher per
customer whose information was compromised (Sinha, 2016). This fact alone tends to diminish
the role of cyber security in the business. However, by adopting the flexible guidelines of the
NIST cyber security framework, Darden can realize the functionality needed in the event of a
data breach. The adoption of the NIST framework correlates precisely with the addition of the
Ziosk tablets, effectively creating a state-of-the-art information security policy for the hospitality
industry. The goal of achieving a policy that aligns with primary business functions cannot be
realized at Darden Restaurants in the current state analysis.
Cyber Security Policy – Darden Restaurants Current State
Using the NIST framework core (Figure 1), the current cyber security policy would
feature the five broad functions:
• Identify
• Protect
• Detect
• Respond
• Recover
The framework utilizes these five actions in the assessment of the current cyber security
climate of Darden Restaurants as well as providing a starting point for the proposed
collaboration. The NIST framework profile will address these same action steps to create a
flexible collaborative policy that will evolve with the varying business environments. The
proposed collaboration with Ziosk is also analyzed by the NIST framework core. It improves on
the existing cyber security policy, which is reactive and only partially addresses these steps:
Identify – what assets are at risk?
Cyber security policy begins with an extensive process in which potential issues are
revealed. This step attempts to identify what assets are of particular concern, including an
assessment of possible risks to information systems, culminating with a developed strategy for
risk management. The business environment and climate are also factors that contribute to the
initial risk identification model (Hayden, 2014). Once risks are identified, methods to mitigate
them are developed. Darden Restaurants assigns no emphasis to this function and any action steps
are entirely reactive to the situation.
Protect – take the steps to stop a cyber-attack before it starts
This protection phase includes technical applications such as data encryption, control of
information system access, training, and implementation of security technology. Ferguson (2013)
emphasizes this phase as a continually evolving instrument reflective of the current business
environment. The aspects of protection vary from organization to organization, but in the
hospitality industry, a particular emphasis is generally placed on data privacy. Currently, POS
transactions at Darden Restaurants are encrypted, but not with any two-phase authentication
methods. This vulnerability is mentioned in the SEC Form 10-K filing.
Detect – routinely monitor systems for unusual activity
Ferguson (2013) recommends an open testing procedure for identification of risks, but
also warns that these tests might be fraught with their own dangers. The continual monitoring of
the security systems is a necessary action for the identification of new threats and for learning
defenses against known threats. Information systems currently at Darden include Oracle’s Business
Suites, noted by Carr (2014) and Maurice (2015) to have numerous vulnerabilities.
Response – plan for the worst possible scenario
Once an attack or breach has been detected, a series of implementations should be enacted
that will counteract the incident. In the case of Darden Restaurants, the business continuity
strategy currently is incomplete and reactive. Recent security breaches involving the hospitality
industry have been complex in nature with focus on network compromise via distributed denial
of service. In the 10-K filing (SEC, 2012), Darden Restaurants hints at the organization’s
dependency on existing information systems and their susceptibility to this form of cyber-attack.
Recover – getting back to normal after the breach
Recovery strategies develop primarily through experience over time (Riehle, 2015). This
phase also contains plans for the rebuilding of brand and reputation, often the company’s most
valuable asset. Through continual testing and system monitoring, a recovery core strategy should
be developed that encompasses all facets of the operation. This is a most necessary element of
the twenty-first century global enterprise system (Chang-Gu, 2014). Darden Restaurants does
have a reactive plan designated for crisis management.
Proposal for the Darden / Ziosk Collaborative Cyber Security Policy
Utilizing the framework core for structure and as an aid for assessing the current cyber
security landscape, the Darden Restaurants cyber security policy can be viewed as a static,
traditional policy revealing the current methods that are characteristic of a conglomerate
organization in the hospitality industry today. The current landscape promotes more of a partial
policy, rather than the cooperative lifecycle approach generated through partnerships (Gamer,
2015). This cooperative strategy is reflected in the framework profile, an instrument used in
the creation of a cyber security roadmap, enabling an alignment with business core functions. If an
assessment of the cyber security policy were made utilizing the tiers assigned by the NIST, the
current state of cyber security at Darden Restaurants would be placed in tier one or two in most
areas. Upgrading Oracle Business Suites and fully implementing the Sun Solaris platform
bring the information systems to the level where, with the addition of the point-to-point
encryption data privacy of the Ziosk tablet at the projected level of 80% of total credit
transactions at the Olive Garden restaurants, the cyber security environment evolves into a life
cycle. A relevant series of questions can be developed that address specific elements of each of
the five functions described in the NIST framework core. This assessment creates the current state
of cyber security. Using the framework profile, a roadmap is created that can predict the cyber
security landscape for the future. The final product reveals a new approach to cyber security
policy, much like the ideas previously described by former CIO White (Sinha, 2016).
Identify – Take a full inventory of what assets are at risk:
• What systems or hardware—like point-of-sale terminals—connect to your network?
What type of information do they collect and what software do they run?
➢ Oracle Business Suites and Sun Platform; Ziosk tablets for POS.
• How vulnerable is the website or mobile ordering site?
➢ Standard Oracle version
• Is a firewall in place to secure the network?
➢ Yes, Network Perimeter for all sensitive areas
• Do employees have access to the network? To data storage, or other sensitive areas?
➢ No – only authorized individuals
• What third parties have access and who is responsible?
➢ The CIO and appointed individuals. Only Ziosk will have full access.
The collaboration of Darden Restaurants and Ziosk Technology helps to define specific goals.
Protect – Enact security measures that minimize risk to assets
• Do you have limited access to information systems and assets?
➢ Yes. Only authorized personnel have knowledge – not shared
• Do you have adequate cyber security training in place?
➢ Some now, setting goals to improve on timetable
• Are systems, platforms and software updated regularly?
➢ Yes, where applicable
• Is the most sensitive data well protected?
➢ Yes, by the Ziosk point-to-point encryption
Some of the questions have conditional answers, but the addition of the Ziosk tablet’s encryption
system brings the protection phase up to tier 3.
Detect – Monitoring and reporting
• What systems are in place that monitor unusual activity?
➢ Reactive systems only.
Like most of the hospitality industry, Darden Restaurants fails to meet the baseline in this area.
According to Lang (2010), hospitality industry workers tend to be very good at sharing
knowledge with each other; therefore, the answer would be found from existing industry methods.
Respond – Planning for the worst
• What data was compromised?
➢ The answer should not be what but “how quickly can you find out.”
• How was the breach created and by whom?
➢ This would be part of forensic identification; no feature in place
• Can the breach be controlled and terminated?
➢ This would depend on how quickly it was identified and the speed with which the business
contingency plan could be implemented
• What are the legal implications?
➢ Once again, this will depend upon the situation
By aligning cyber security with other important business functions, the response phase collects
industry information on similar incidents including successful response strategies.
Recovery – Building back the brand and reputation
• Has the business met all of the legal requirements of the breach?
➢ Using examples from other crisis situations, yes
• Are you prepared for slowed business? Have you cut expenses?
➢ Again, yes – recessed business is part of the market and economy
• Are you prepared to terminate those responsible? Have you sought help from a PR
firm to help build brand and reputation?
➢ Yes, and no.
• Have you done all things possible – from hiring a chief of security all the way to
changing all passwords?
➢ Will have by this phase but not as of yet
With very little experience in data breaches, Darden would do well to initiate a talent search for
experienced personnel in this area. The assessment reveals a current security core that before the
policy implementation could be measured as the baseline. The policy has evolved to be a part of
the roadmap created by implementation of the framework profile displayed:
Cyber security Landscape – Darden Restaurants – Using NIST Framework
The NIST framework profile serves as the assessment tool for:
• Currently assessing the organizational cyber security landscape
• Predictive assessment of an evolving policy in collaboration with Ziosk
• Forecasts the cyber security landscape for the future of Darden Restaurants
[Diagram labels: Current Cyber Security; Collaboration with Ziosk; Adaptive Evolving Policy]
NIST Framework for Cyber Security
Still in its infancy, the NIST framework for cyber security demonstrates a wide variety of
uses observed from the model featured in this exploration. Since the hospitality industry is one of
the most targeted industries for cyber-attacks, the framework demonstrates its flexibility with an
ability to adapt and conform with the differences observed from various industries. The utility
displayed in the application of the framework as described by Chang-Gu (2015) is a feature that
would enhance any organization’s security policy. Ferguson (2013) remarks that only time will
tell about the framework’s usefulness to industry; this exploration verifies the utility two years
after its design. Lewis (2013) predicted that the framework would be too broad to be useful in
business; however, Riehle (2014) suggests that the functions themselves are specific enough for
a small business to adopt. However it is depicted, the NIST framework for cyber security can be
a very useful tool both in assessing the current organizational cyber security landscape and as
a roadmap tool for predicting and forecasting an organizational cyber security policy goal.
Conclusion
The NIST framework for cyber security aids in the construction of the collaborative cyber
security policy of Darden Restaurants with Ziosk Technology. Point of sale transactions are a
very attractive target for cyber criminals (Whittaker, 2014). The ability of cyber criminals to
access these systems causes great damage to organizations, not only financially, but also to the
brand and reputation, compromising individuals’ sensitive data (Bodhani, 2013). Darden
Restaurants has completed its installation of the Ziosk tablets at all 800 of its Olive Garden
locations with little opposition (Jorge, 2015), forming a partnership with many positive attributes
for both organizations. The collaborative cyber security policy created from the use of the
point-to-point encryption featured in the Ziosk tablets produces a state-of-the-art information
security feature in data privacy (Gamer, 2015) destined to become a landmark achievement in cyber
security defense strategy.
References
Ahmed, S. (2016). IT Innovators: Ziosk Serves Restaurants’ Growing Appetite for Data. Data
Center Talk. Retrieved from:
https://www.datacentertalk.com/2016/01/it-innovators-ziosk-serves-restaurants-growing-appetite-for-data/
Allen, C. (2015). An Ever-More-Complicated Risk Landscape Vexes Corporate Directors.
NACD. Retrieved from:
https://www.nacdonline.org/AboutUs/NACDInTheNews.cfm?ItemNumber=1298
Bodhani, A. (2013). Point-of-sale cyber security: hacking the check-out. Engineering and
Technology Magazine. Retrieved from:
http://eandt.theiet.org/magazine/2013/03/turn-on-log-in-checkout.cfm
Carr, D. (2014). Darden Uses Analytics to Understand Restaurant Customers. Information Week.
Retrieved from:
http://www.informationweek.com/strategic-cio/executive-insights-and-innovation/darden-uses-analytics-to-understand-restaurant-customers/d/d-id/1141551?page_number=2
Chang-Gu, A. (2015). NIST Cybersecurity Framework vs. NIST Special Publication 800-53.
Praetorian. Retrieved from:
https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53
Darden. (2016). Company website. Retrieved from:
https://www.darden.com/our-company/faqs#darden-mission
Darden Restaurants. (2011). Code of Business Conduct and Ethics. Retrieved from:
https://s2.q4cdn.com/922937207/files/doc_downloads/governance/Code-of-Business-Conduct.pdf
Ferguson, G. (2013). NIST Cybersecurity Framework: Don’t Underestimate It. Information
Week. Retrieved from:
http://www.informationweek.com/government/cybersecurity/nist-cybersecurity-framework-dont-underestimate-it/d/d-id/1112978
Gamer, N. (2015). Cyber Security: The Cooperation Game. Trend Micro. Retrieved from:
https://blog.trendmicro.com/cyber-security-the-cooperation-game/
Hayden, E. (2014). NIST cybersecurity framework analysis: Putting it to good use. Tech Target.
Retrieved from:
http://searchsecurity.techtarget.com/tip/NIST-cybersecurity-framework-analysis-Putting-it-to-good-use
Jorge, K. (2015). Ziosk Completes Installation of Tabletop Tablets at Olive Garden Restaurants
Nationwide. Restaurant News.com. Retrieved from:
http://www.restaurantnews.com/ziosk-completes-installation-of-tabletop-tablets-at-olive-garden-restaurants-nationwide/
Lang, S. (2010). Hospitality experts ponder profit and sustainability. The Cornell Chronicle.
Retrieved from:
http://news.cornell.edu/stories/2010/12/hospitality-pros-ponder-profits-and-sustainability
Lewis, J. (2014). NIST Cybersecurity Framework. CSIS – Center for Strategic and International
Studies. Retrieved from: http://csis.org/publication/nist-cybersecurity-framework
London, D. (2014). P.F. Chang's: 33 restaurants affected in data breach. USA Today. Retrieved
from:
http://www.usatoday.com/story/money/business/2014/08/04/pfchang-credit-debit-card-data-breach/13567795/
Maurice, E. (2015). January 2015 Critical Patch Update Released. The Oracle Software Security
Assurance Blog. Retrieved from:
https://blogs.oracle.com/security/entry/january_2015_critical_patch_upda
McCeney, M. (2015). Ziosk(R) Strengthens Restaurant Security Through Industry-First Secure
Payment and Mobile Wallet Solutions. Yahoo Finance. Retrieved from:
http://finance.yahoo.com/news/ziosk-r-strengthens-restaurant-security- -
Monaco, H. (2011). Cooking Good Security. Info Security Watch. Retrieved from:
http://www.securityinfowatch.com/article/10536751/cooking-good-security
New, J. (2009). CIO Profiles: Patti Reilly White, Senior VP and CIO of Darden Restaurants.
Information Week. Retrieved from:
http://www.informationweek.com/it-leadership/cio-profiles-patti-reilly-white-senior-vp-and-cio-of-darden-restaurants/d/d-id/1085291
Obama, B. (2013). Executive Order -- Improving Critical Infrastructure Cybersecurity. Retrieved
from:
https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
PR Newswire. (2015). Darden Restaurants Financial Statement 2015. SyS Con Media. Retrieved
from: http://news.sys-con.com/node/3605446
Riehle, H. (2015). Get answers on cybersecurity—for free. National Restaurant Association.
Retrieved from:
http://www.restaurant.org/News-Research/News/Get-answers-on-cybersecurity%E2%80%94for-free?feed=NationalRestaurantAssociationNews
SEC. (2012). Form 10-k. Darden Restaurants. Retrieved from:
http://www.sec.gov/Archives/edgar/data/940944/000094094412000031/dri-201210xk.htm#s80BBA54262E1182D103D03A83696B5A0
Sinha, S. (2016). Proposed settlement in Olive Garden FACTA lawsuit. Inadequate Security.
Retrieved from:
http://www.databreaches.net/proposed-settlement-in-olive-garden-facta-lawsuit/
Snow, G. (2011). Statement before the House Financial Services Committee, Subcommittee on
Financial Institutions and Consumer Credit. Federal Bureau of Investigation. Retrieved
from: https://www.fbi.gov/news/testimony/cyber-security-threats-to-the-financial-sector
Tucker, E. (2014). Target breach renews calls for national notification standard for victims of
data theft. PBS News Hour. Retrieved from:
http://www.pbs.org/newshour/rundown/target-breach-renews-calls-national-notificationstandard-victims-data-theft
Whittaker, W. (2014). Point of Sale (POS) Systems and Security. SANS Institute. Retrieved from:
https://www.sans.org/reading-room/whitepapers/bestprac/point-sale-pos-systems-security-35357
Figure 1 - NIST Framework for Cyber Security - Core
Chang-Gu, A. (2015). Chart. Retrieved from:
https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53
Figure 2 - NIST - Framework for Cyber Security - Profile
Chang-Gu, A. (2015). Chart. Retrieved from:
https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53

jeanettehully
 

Similar a Organizatonal Information Security Next Generation (20)

Running head INFORMATION SECURITY1INFORMATION SECURITY6.docx
Running head INFORMATION SECURITY1INFORMATION SECURITY6.docxRunning head INFORMATION SECURITY1INFORMATION SECURITY6.docx
Running head INFORMATION SECURITY1INFORMATION SECURITY6.docx
 
Cybersecurity Improvement eBook
Cybersecurity Improvement eBookCybersecurity Improvement eBook
Cybersecurity Improvement eBook
 
Indusrty Strategy For Action
Indusrty Strategy For ActionIndusrty Strategy For Action
Indusrty Strategy For Action
 
White Paper Servicios Frost & Sullivan English
White Paper Servicios Frost & Sullivan EnglishWhite Paper Servicios Frost & Sullivan English
White Paper Servicios Frost & Sullivan English
 
Safeguarding the Enterprise
Safeguarding the EnterpriseSafeguarding the Enterprise
Safeguarding the Enterprise
 
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJNIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
 
IDC Rethinking the datacenter
IDC Rethinking the datacenterIDC Rethinking the datacenter
IDC Rethinking the datacenter
 
Data foundation for analytics excellence
Data foundation for analytics excellenceData foundation for analytics excellence
Data foundation for analytics excellence
 
DATA MINING WITH CLUSTERING ON BIG DATA FOR SHOPPING MALL’S DATASET
DATA MINING WITH CLUSTERING ON BIG DATA FOR SHOPPING MALL’S DATASETDATA MINING WITH CLUSTERING ON BIG DATA FOR SHOPPING MALL’S DATASET
DATA MINING WITH CLUSTERING ON BIG DATA FOR SHOPPING MALL’S DATASET
 
Nuestar "Big Data Cloud" Major Data Center Technology nuestarmobilemarketing...
Nuestar "Big Data Cloud" Major Data Center Technology  nuestarmobilemarketing...Nuestar "Big Data Cloud" Major Data Center Technology  nuestarmobilemarketing...
Nuestar "Big Data Cloud" Major Data Center Technology nuestarmobilemarketing...
 
CS309A Final Paper_KM_DD
CS309A Final Paper_KM_DDCS309A Final Paper_KM_DD
CS309A Final Paper_KM_DD
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessments
 
7 Steps to Better Cybersecurity Hygiene
7 Steps to Better Cybersecurity Hygiene  7 Steps to Better Cybersecurity Hygiene
7 Steps to Better Cybersecurity Hygiene
 
Riding the Seven Waves of Change That Will Power, or Crush, Your Digital Busi...
Riding the Seven Waves of Change That Will Power, or Crush, Your Digital Busi...Riding the Seven Waves of Change That Will Power, or Crush, Your Digital Busi...
Riding the Seven Waves of Change That Will Power, or Crush, Your Digital Busi...
 
Degitization of Business
Degitization of Business Degitization of Business
Degitization of Business
 
Cii-PwC Cloud Summit Report 2016
Cii-PwC Cloud Summit Report 2016Cii-PwC Cloud Summit Report 2016
Cii-PwC Cloud Summit Report 2016
 
Running head PROJECT PLAN INCEPTION1PROJECT PLAN INCEPTION .docx
Running head PROJECT PLAN INCEPTION1PROJECT PLAN INCEPTION .docxRunning head PROJECT PLAN INCEPTION1PROJECT PLAN INCEPTION .docx
Running head PROJECT PLAN INCEPTION1PROJECT PLAN INCEPTION .docx
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber security
 
CSC Conversations
CSC ConversationsCSC Conversations
CSC Conversations
 
assignmenttutorhelp.com
assignmenttutorhelp.comassignmenttutorhelp.com
assignmenttutorhelp.com
 

Organizatonal Information Security Next Generation

  • 1. Running head: EXPLORATION OF A PROPOSED COLLABORATIVE 1
Exploration of a Proposed Collaborative Cyber Security Policy Featuring Darden Restaurants and Ziosk Technologies
Gregory Totty – ISM 529 – Emerging Cyber Security Technology, Threats, and Defense
Colorado State University – Global Campus
Dr. Murthy Rallapalli – January 28, 2016
  • 2. Exploration of a Proposed Collaborative Cyber Security Policy Featuring Darden Restaurants and Ziosk Technologies

A recent increase in both the size and complexity of cyber-criminal activity mandates that businesses operating in the global enterprise system now prioritize information security as a primary business function. The landmark security breach involving Target, which compromised millions of customers’ private information (Tucker, 2014), set the tone for organizations now facing this very real threat of cyber-attack. This event illustrates the level of resources an organization needs to mitigate the damage created by these new, sophisticated cyber-attacks. Certainly a nightmare scenario for any organization, these cyber-attacks are often conducted by organized gangs from all corners of the globe. The technology that allows for virtually limitless data transfer and storage in the world economy also unleashes these new threats of a type and magnitude previous generations of executives never encountered.

The possibility of such massive security breaches prompted the President of the United States to issue Executive Order 13636, authorizing the creation of a new flexible framework for the cyber security of critical infrastructure (Obama, 2013). The framework derives much of its structure from previous governmental department analysis (Snow, 2011). The escalation of recent cyber-attacks prioritized the framework’s implementation. Officially named the NIST Cyber Security Framework for Critical Infrastructure, it is a set of guidelines that are not only designed for national security, but also applicable for structuring information cyber security policies in today’s modern organizations.
The following research proposal attempts to outline a cyber security policy derived from the NIST framework, creating a collaborative cyber security policy for the world’s largest restaurant corporation, Darden Restaurants, in conjunction with a third-party vendor company, Ziosk Technology. Research has indicated that organizations
  • 3. should look to combine resources with trusted vendors in the creation of a cooperative cyber security policy (Gamer, 2015). The proposed collaborative policy would utilize the guidelines suggested by Executive Order 13636. Darden and Ziosk are both regarded as organizations compliant with industry standards for securing private information. The concept of industry cooperative cyber security policies suggests a proactive approach to cyber security, a concept needed to successfully manage these modern threats.

The purpose of the following research is to explore a forward-thinking concept from the next generation of cyber security. Evidence from Gamer (2015) and others in the media suggests that the future of organizational cyber security involves many different forms of cooperative efforts between businesses. Collaboration between businesses for a symbiotic benefit has become more common as the global enterprise system advances in data and communications technology. The fundamental goal of this exploration is to suggest the creation of a secure climate for Darden Restaurants’ POS transactions by using the new NIST cyber security framework core and profile tools in conjunction with the tablet system provided by Ziosk Technology. The cyber security framework provided by the NIST allows for strategic projections of a security policy that evolves with technology. The Ziosk tablets not only provide a wealth of information for management through analytics, but have been virtually infallible since their inception (McCeney, 2015). The analysis of Darden Restaurants’ cyber security policy reflects the need for a more flexible, robust policy that can be incorporated into the business design (Monaco, 2011). The suggested collaboration hopes to generate further interest in the subject, ultimately adding industrial knowledge of cooperative cyber security between organizations.
  • 4. Darden Restaurants and Ziosk Technology

Darden Restaurants’ vision statement commits the organization “to be a company that positively affects meaningfully more guests, employees, communities and business partners – a company that matters even more than we do today”. The mission statement focuses on customer service by promising “to nourish and delight everyone we serve” (Darden, 2016). According to PR Newswire (2015), Darden Restaurants’ total sales rose 3.2% to 1.61 billion dollars in the last quarter of 2015. The world-wide restaurant chain features such well-known brands as Longhorn Steaks, The Olive Garden, Capital Grille, and Four Seasons, just to name a few. Darden’s corporate operations are based in Orlando, Florida and include over 1500 total restaurants and 170,000 employees. Like many other customer service businesses, the point of sale function is a key business element for the organization.

Leading the industry in many ways, Darden has emphasized POS functionality for many years, culminating with the recent addition of new table top tablets, a new technology developed by Ziosk Technology. The impact of this technology on Darden and the industry has been dramatic. According to Ahmed (2016), the tablets also generate a wealth of new data analytics that managers utilize to reduce costs and improve service. The analytics produced from the tablets indicate that the tablets contribute to a higher quality guest experience emphasized through better overall service. The guests have more control over the pace of dining by using Ziosk’s pay-at-the-table POS function. The point to point encryption feature of the tablet is also the focal point for the protection of the customer’s private information (Bodhani, 2013).
The combination of Darden Restaurants’ enormous customer database with primary POS functions conducted through the use of Ziosk tablets creates a new generation of transaction processing that needs a flexible framework through which the growth of this collaboration can be realized.
  • 5. NIST Cyber Security Framework

According to Riehle (2015), most restaurants view cyber security as nothing but a cost of doing business. However, as Allen (2015) reports, the business climate is changing everywhere. The global enterprise system of today must recognize information security as a primary function of the business. The National Institute of Standards and Technology (NIST) Cyber Security Framework for Critical Infrastructure has received its share of criticism from Lewis (2014) and others for being too broad in scope for most organizations. However, Chang-Gu (2015) demonstrates how portions of it can be utilized by any organization. The framework is divided into three parts: the framework core, the implementation tiers, and the framework profile. Each part is a different tool used for a different purpose.

The research presented in this exploration will focus on the framework core analysis of the current state cyber security policy at Darden Restaurants, compared with the proposed collaborative policy in its initial state (Figure 1). Finally, a roadmap created from assessments using the framework profile (Figure 2) will project where the organization desires the policy to be at a point of time in the future. The structure evolves to align the collaborative policy with other primary business functions, such as operations or finance. This type of organizational commitment is necessary, due to the technologically enhanced business climate. The global enterprise system of the twenty-first century opens the door for cyber-attacks on an epic scale.

Darden Restaurants’ Cyber Security Landscape

A full assessment of Darden Restaurants’ cyber security needs is archived by the United States Securities and Exchange Commission (SEC, 2012). The document filing 10-k reveals the company’s dependency on technology and susceptibility to cyber-attacks.
This attitude is consistent with previous statements from Patti Reilly White, former CIO and Senior VP (New,
  • 6. 2009). The former CIO of Darden Restaurants continually urged the organizational leadership to align the cyber security policy with primary business functions. Her emphasis focused on the necessity of organizational commitment through a forward-thinking vision realized through:
- A next generation point of sale system
- Forecasting systems
- Mapping systems to accurately measure guests’ wait time
- Information Technology performance measurement tools

The introduction of the Ziosk tablet will upgrade all of these technologies, along with the establishment of a state-of-the-art POS system complete with a host of analytical data collected by the tablets. Darden’s vulnerability suggested from the SEC report indicates a need for a security policy upgrade, one that matches the needs of the organization, before such an event occurs.

Darden Restaurants is fortunate among the restaurant industry; others are not as lucky. According to London (2014), P.F. Chang’s China Bistro, a restaurant chain featuring Chinese cuisine, experienced a security breach involving 33 restaurants. The breach compromised customers’ credit card information, for which the company offered identity theft insurance and compensation. The mitigation strategies needed to compensate the victims are costly and ineffective as a preventative strategy. The only data security breach that has ever been attributed to Darden Restaurants occurred in 2009 and cost the company a $9 appetizer voucher per customer whose information was compromised (Sinha, 2016). This fact alone tends to diminish the role of cyber security in the business. However, by adopting the flexible guidelines of the NIST cyber security framework, Darden can realize the functionality needed in the event of a data breach. The adoption of the NIST framework correlates precisely with the addition of the
  • 7. Ziosk tablets, effectively creating a state-of-the-art information security policy for the hospitality industry. The goal of achieving a policy that aligns with primary business functions cannot be realized at Darden Restaurants in the current state analysis.

Cyber Security Policy – Darden Restaurants Current State

Using the NIST framework core (Figure 1), the current cyber security policy would feature the five broad functions:
- Identify
- Protect
- Detect
- Respond
- Recover

The framework utilizes these five actions in the assessment of the current cyber security climate of Darden Restaurants as well as providing a starting point for the proposed collaboration. The NIST framework profile will address these same action steps to create a flexible collaborative policy that will evolve with the varying business environments. The proposed collaboration with Ziosk is also analyzed by the NIST framework core. It improves on the existing cyber security policy, which is reactive and only partially addresses these steps:

Identify - what assets are at risk?

Cyber security policy begins with an extensive process in which potential issues are revealed. This step attempts to identify what assets are of particular concern, including an assessment of possible risks to information systems, culminating with a developed strategy for risk management. The business environment and climate are also factors that contribute to the
  • 8. initial risk identification model (Hayden, 2014). Once identified, methods to mitigate the risk are developed. Darden Restaurants assigns no emphasis to this function and any action steps are entirely reactive to the situation.

Protect - take the steps to stop a cyber-attack before it starts

This protection phase includes technical applications such as data encryption, control of information system access, training, and implementation of security technology. Ferguson (2013) emphasizes this phase as a continually evolving instrument reflective of the current business environment. The aspects of protection vary by organization, but in the hospitality industry, a particular emphasis is generally placed on data privacy. Currently, POS transactions at Darden Restaurants are encrypted, but not with any two-phase authentication methods. This vulnerability is mentioned in the SEC filing document 10-k.

Detect – routinely monitor systems for unusual activity

Ferguson (2013) recommends an open testing procedure for identification of risks, but also warns that these tests might be fraught with their own dangers. The continual monitoring of the security systems is a necessary action for the identification of new threats and to learn defenses against known threats. Information systems currently at Darden include Oracle’s Business Suites, noted by Carr (2014) and Maurice (2015) to have numerous vulnerabilities.

Response - plan for the worst possible scenario

Once an attack or breach has been detected, a series of implementations should be enacted that will counteract the incident. In the case of Darden Restaurants, the business continuity strategy currently is incomplete and reactive. Recent security breaches involving the hospitality industry have been complex in nature, with a focus on network compromise via distributed denial
  • 9. of service. In the 10-k filing (SEC, 2012), Darden Restaurants hints at the organization’s dependency on existing information systems and their susceptibility to this form of cyber-attack.

Recover – getting back to normal after the breach

Recovery strategies develop primarily through experience over time (Riehle, 2015). This phase also contains plans for the rebuilding of brand and reputation, often the company’s most valuable asset. Through continual testing and system monitoring, a recovery core strategy should be developed that encompasses all facets of the operation. This is a most necessary element of the twenty-first century global enterprise system (Chang-Gu, 2014). Darden Restaurants does have a reactive plan designated for crisis management.

Proposal for the Darden / Ziosk Collaborative Cyber Security Policy

Utilizing the framework core for structure and as an aid for assessing the current cyber security landscape, the Darden Restaurants cyber security policy can be viewed as a static, traditional policy revealing the current methods that are characteristic of a conglomerate organization in the hospitality industry today. The current landscape promotes more of a partial policy, rather than the cooperative lifecycle approach generated through partnerships (Gamer, 2015). This cooperative strategy is reflected in the framework profile, an instrument used in the creation of a cyber security roadmap, enabling an alignment with business core functions. If an assessment of the cyber security policy were made utilizing the tiers assigned by the NIST, the current state of cyber security at Darden Restaurants would be placed in tier one or two in most areas.
Upgrading Oracle Business Suites and fully implementing the Sun Solaris platform bring the information systems to a level where, with the addition of the Ziosk tablet’s point to point encryption for data privacy at the projected level of 80% of total credit transactions at the Olive Garden restaurants, the cyber security environment evolves into a life cycle. A relevant series of
  • 10. questions can be developed that address specific elements of each of the five functions described in the NIST framework core. This assessment establishes the current state of cyber security. Using the framework profile, a roadmap is created that can predict the cyber security landscape for the future. The final product reveals a new approach to cyber security policy, much like the ideas previously described by former CIO White (Sinha, 2016).

Identify – Take a full inventory of what assets are at risk:
- What systems or hardware, like point-of-sale terminals, connect to your network? What type of information do they collect and what software do they run?
  - Oracle Business Suites and Sun Platform; Ziosk tablets for POS.
- How vulnerable is the website or mobile ordering site?
  - Standard Oracle version
- Is a firewall in place to secure the network?
  - Yes, Network Perimeter for all sensitive areas
- Do employees have access to the network? To data storage, or other sensitive areas?
  - No – only authorized individuals
- What third parties have access and who is responsible?
  - The CIO and appointed individuals. Only Ziosk will have full access.

The collaboration of Darden Restaurants and Ziosk Technology helps to define specific goals.

Protect – Enact security measures that minimize risk to assets
- Do you have limited access to information systems and assets?
  - Yes. Only authorized personnel have knowledge – not shared
- Do you have adequate cyber security training in place?
  - Some now, setting goals to improve on timetable
  • 11.
- Are systems, platforms and software updated regularly?
  - Yes, where applicable
- Is the most sensitive data well protected?
  - Yes, by the Ziosk point to point encryption

Some of the questions have conditional answers, but the addition of the Ziosk tablet’s encryption system brings the protection phase up to a tier 3.

Detect – Monitoring and reporting
- What systems are in place that monitor unusual activity?
  - Reactive systems only.

Like most of the hospitality industry, Darden Restaurants fails to meet the baseline in this area. According to Lang (2010), hospitality industry workers tend to be very good at sharing knowledge with each other; therefore the answer would be found from existing industry methods.

Respond – Planning for the worst
- What data was compromised?
  - The answer should not be what but “how quickly can you find out.”
- How was the breach created and by whom?
  - This would be part of forensic identification; no such feature is in place
- Can the breach be controlled and terminated?
  - This would depend on how quickly it was identified and the speed with which the business contingency plan could be implemented
- What are the legal implications?
  - Once again, this will depend upon the situation
  • 12. By aligning cyber security with other important business functions, the response phase collects industry information on similar incidents, including successful response strategies.

Recovery – Building back the brand and reputation
- Has the business met all of the legal requirements of the breach?
  - Using examples from other crisis situations, yes
- Are you prepared for slowed business? Have you cut expenses?
  - Again, yes – recessed business is part of the market and economy
- Are you prepared to terminate those responsible? Have you sought help from a PR firm to help build brand and reputation?
  - Yes, and no.
- Have you done all things possible, from hiring a chief of security all the way to changing all passwords?
  - Will have by this phase but not as of yet

With very little experience in data breaches, Darden would do well to initiate a talent search for experienced personnel in this area. The assessment reveals a current security core that, before the policy implementation, could be measured as the baseline. The policy has evolved to be a part of the roadmap created by implementation of the framework profile displayed:

Cyber security Landscape – Darden Restaurants – Using NIST Framework

[Figure labels: Current Cyber Security; Collaboration with Ziosk; Adaptive Evolving Policy]

The NIST framework profile serves as the assessment tool for:
- Currently assessing the organizational cyber security landscape
  • 13.
- Predictive assessment of an evolving policy in collaboration with Ziosk
- Forecasting the cyber security landscape for the future of Darden Restaurants

NIST Framework for Cyber Security

Still in its infancy, the NIST framework for cyber security demonstrates a wide variety of uses observed from the model featured in this exploration. Since the hospitality industry is one of the most targeted industries for cyber-attacks, the framework demonstrates its flexibility with an ability to adapt and conform with the differences observed from various industries. The utility displayed in the application of the framework, as described by Chang-Gu (2015), is a feature that would enhance any organization’s security policy. Ferguson (2013) remarks that only time will tell about the framework’s usefulness to industry; this exploration verifies the utility two years after its design. Lewis (2013) predicted that the framework would be too broad to be useful in business; however, Riehle (2014) suggests that the functions themselves are specific enough for a small business to adopt. However it is depicted, the NIST framework for cyber security can be a very useful tool both for assessing the current organizational cyber security landscape and as a roadmap tool for predicting and forecasting an organizational cyber security policy goal.

Conclusion

The NIST framework for cyber security aids in the construction of the collaborative cyber security policy of Darden Restaurants with Ziosk Technology. Point of sale transactions are a very attractive target for cyber criminals (Whittaker, 2014). The ability of cyber criminals to access these systems causes great damage to organizations, not only financially, but also to the brand and reputation, compromising individuals’ sensitive data (Bodhani, 2013).
Darden Restaurants has completed its installation of the Ziosk tablets at all 800 of its Olive Garden locations with little opposition (Jorge, 2015), forming a partnership with many positive attributes
  • 14. for both organizations. The collaborative cyber security policy created from the use of the point to point encryption featured in the Ziosk tablets produces a state-of-the-art information security feature in data privacy (Gamer, 2015), destined to become a landmark achievement in cyber security defense strategy.
  • 15. References

Ahmed, S. (2016). IT Innovators: Ziosk Serves Restaurants’ Growing Appetite for Data. Data Center Talk. Retrieved from: https://www.datacentertalk.com/2016/01/it-innovators-ziosk-serves-restaurants-growing-appetite-for-data/

Allen, C. (2015). An Ever-More-Complicated Risk Landscape Vexes Corporate Directors. NACD. Retrieved from: https://www.nacdonline.org/AboutUs/NACDInTheNews.cfm?ItemNumber=1298

Bodhani, A. (2013). Point-of-sale cyber security: hacking the check-out. Engineering and Technology Magazine. Retrieved from: http://eandt.theiet.org/magazine/2013/03/turn-on-log-in-checkout.cfm

Carr, D. (2014). Darden Uses Analytics to Understand Restaurant Customers. Information Week. Retrieved from: http://www.informationweek.com/strategic-cio/executive-insights-and-innovation/darden-uses-analytics-to-understand-restaurant-customers/d/d-id/1141551?page_number=2

Chang-Gu, A. (2015). NIST Cybersecurity Framework vs. NIST Special Publication 800-53. Praetorian. Retrieved from: https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53

Darden. (2016). Company website. Retrieved from: https://www.darden.com/our-company/faqs#darden-mission

Darden Restaurants. (2011). Code of Business Conduct and Ethics. Retrieved from: https://s2.q4cdn.com/922937207/files/doc_downloads/governance/Code-of-Business-Conduct.pdf
  • 16.
Ferguson, G. (2013). NIST Cybersecurity Framework: Don’t Underestimate It. Information Week. Retrieved from: http://www.informationweek.com/government/cybersecurity/nist-cybersecurity-framework-dont-underestimate-it/d/d-id/1112978

Gamer, N. (2015). Cyber Security: The Cooperation Game. Trend Micro. Retrieved from: https://blog.trendmicro.com/cyber-security-the-cooperation-game/

Hayden, E. (2014). NIST cybersecurity framework analysis: Putting it to good use. Tech Target. Retrieved from: http://searchsecurity.techtarget.com/tip/NIST-cybersecurity-framework-analysis-Putting-it-to-good-use

Jorge, K. (2015). Ziosk Completes Installation of Tabletop Tablets at Olive Garden Restaurants Nationwide. Restaurant News.com. Retrieved from: http://www.restaurantnews.com/ziosk-completes-installation-of-tabletop-tablets-at-olive-garden-restaurants-nationwide/

Lang, S. (2010). Hospitality experts ponder profit and sustainability. The Cornell Chronicle. Retrieved from: http://news.cornell.edu/stories/2010/12/hospitality-pros-ponder-profits-and-sustainability

Lewis, J. (2014). NIST Cybersecurity Framework. CSIS – Center for Strategic and International Studies. Retrieved from: http://csis.org/publication/nist-cybersecurity-framework

London, D. (2014). P.F. Chang's: 33 restaurants affected in data breach. USA Today. Retrieved from: http://www.usatoday.com/story/money/business/2014/08/04/pfchang-credit-debit-card-data-breach/13567795/

Maurice, E. (2015). January 2015 Critical Patch Update Released. The Oracle Software Security Assurance Blog. Retrieved from: https://blogs.oracle.com/security/entry/january_2015_critical_patch_upda
  • 17.
McCeney, M. (2015). Ziosk(R) Strengthens Restaurant Security Through Industry-First Secure Payment and Mobile Wallet Solutions. Yahoo Finance. Retrieved from: http://finance.yahoo.com/news/ziosk-r-strengthens-restaurant-security- -

Monaco, H. (2011). Cooking Good Security. Info Security Watch. Retrieved from: http://www.securityinfowatch.com/article/10536751/cooking-good-security

New, J. (2009). CIO Profiles: Patti Reilly White, Senior VP and CIO of Darden Restaurants. Information Week. Retrieved from: http://www.informationweek.com/it-leadership/cio-profiles-patti-reilly-white-senior-vp-and-cio-of-darden-restaurants/d/d-id/1085291

Obama, B. (2013). Executive Order -- Improving Critical Infrastructure Cybersecurity. Retrieved from: https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

P R Newswire. (2015). Darden Restaurants Financial Statement 2015. SyS Con Media. Retrieved from: http://news.sys-con.com/node/3605446

Riehle, H. (2015). Get answers on cybersecurity—for free. National Restaurant Association. Retrieved from: http://www.restaurant.org/News-Research/News/Get-answers-on-cybersecurity%E2%80%94for-free?feed=NationalRestaurantAssociationNews

SEC. (2012). Form 10-k. Darden Restaurants. Retrieved from: http://www.sec.gov/Archives/edgar/data/940944/000094094412000031/dri-201210xk.htm#s80BBA54262E1182D103D03A83696B5A0

Sinha, S. (2016). Proposed settlement in Olive Garden FACTA lawsuit. Inadequate Security. Retrieved from: http://www.databreaches.net/proposed-settlement-in-olive-garden-facta-lawsuit/
  • 18.
Snow, G. (2011). Statement before the House Financial Services Committee, Subcommittee on Financial Institutions and Consumer Credit. Federal Bureau of Investigation. Retrieved from: https://www.fbi.gov/news/testimony/cyber-security-threats-to-the-financial-sector

Tucker, E. (2014). Target breach renews calls for national notification standard for victims of data theft. PBS News Hour. Retrieved from: http://www.pbs.org/newshour/rundown/target-breach-renews-calls-national-notificationstandard-victims-data-theft

Whittaker, W. (2014). Point of Sale (POS) Systems and Security. SANS Institute. Retrieved from: https://www.sans.org/reading-room/whitepapers/bestprac/point-sale-pos-systems-security-35357
  • 19. Figure 1 - NIST Framework for Cyber Security - Core. Chang-Gu, A. (2015). Chart. Retrieved from: https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53
  • 20. Figure 2 - NIST - Framework for Cyber Security - Profile. Chang-Gu, A. (2015). Chart. Retrieved from: https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53