Question
Assignment Content
Your company, Phoenix Security Services, is a managed security services contractor that consults with U.S. businesses that require assistance in complying with the Sarbanes-Oxley Act (SOX). Your company has a proven track record in providing information program security management, information security governance programs, risk management programs, and regulatory and compliance recommendations. Phoenix Security Services' newest client, a national grocery company called SureMarket, must report to the Securities and Exchange Commission (SEC) with proof of its compliance with the Sarbanes-Oxley Act of 2002 (SOX).
You are appointed to lead the security team assigned to the SureMarket account. You must conduct a SOX assessment of compliance on SureMarket using the NIST Risk Management Framework (RMF) as described in NIST Special Publication 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST SP 800-37) as follows:
Step 1: Categorize Information Systems
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls
Review the Grading Rubric at the right.
Review the SureMarket IT Systems Profile to become familiar with the SureMarket business and IT systems relevant to a Sarbanes-Oxley Act (SOX) audit.
Your first task is to complete Step 1 of the NIST RMF process by documenting the information needed for your presentation to the SureMarket leadership in Part B of the Week 4 assignment.
To prepare your documentation, create a 3- to 5-page Microsoft Word document with the following sections of lists and tables:
IT Systems Descriptions (List): Describes the following SureMarket primary IT systems subject to a SOX assessment:
Point of Sale (POS) Check System
Self-checkout POS
Cash Management (CashMan) System
Accounting & Finance Management System (AFMS)
Audit Trail Management System (ATMS)
Data Mapped to IT Systems (Table): Maps the security requirements outlined in this week's reading, Minimum Security Requirements for Federal Information and Information Systems (FIPS 200), to these SureMarket IT systems:
Point of Sale (POS) Check System
Self-checkout POS
Cash Management (CashMan) System
Accounting & Finance Management System (AFMS)
Audit Trail Management System (ATMS)
Protection of Data (List): Describes the data stored, processed, and exchanged which must be adequately protected to meet SOX regulatory requirements
Categorization of Data (Table): Categorizes the data for each IT system as high, medium, or low sensitivity mapped to confidentiality, integrity, and availability
Categorization of IT Systems (Table): Categorizes each IT system based on the data elements a particular IT system processes, stores, and exchanges
Top 5 Prioritized Security Family Areas Applicable to Each SureMarket IT System for SOX Assessment (Table): Illustrates, in a table, the security control families correlated with specific SOX IT system validation requirements (Note: The Access Control (AC) family should be in the top 5 prioritized list based on information security fundamentals.)
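The Categorization of Data and Categorization of IT Systems tables follow the FIPS 199 high-water-mark rule that NIST RMF Step 1 relies on: for each security objective (confidentiality, integrity, availability) a system takes the highest impact level of any data element it stores, processes, or exchanges, and the system's overall category is the highest of the three objectives. FIPS 199 names the middle level "moderate" (the assignment's "medium"). The following is an added illustration of that rule, not part of the assignment and not SureMarket's actual data inventory; the data elements, their impact levels, and the system-to-data mapping are constructed assumptions for the walkthrough.

```python
# Added example (not part of the assignment): FIPS 199 high-water-mark
# categorization as used in NIST RMF Step 1.  The data elements, impact
# levels and system-to-data mapping below are constructed assumptions
# for illustration, not SureMarket's real inventory.

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}

# Constructed sample: data element -> (confidentiality, integrity, availability)
DATA_IMPACT = {
    "cardholder_payment_data": ("high", "high", "moderate"),
    "sales_transaction_records": ("moderate", "high", "moderate"),
    "general_ledger_entries": ("moderate", "high", "moderate"),
    "audit_trail_entries": ("moderate", "high", "low"),
    "shelf_price_data": ("low", "moderate", "low"),
}

# Constructed sample: data elements each system stores, processes or exchanges
SYSTEM_DATA = {
    "POS Checkout": ["cardholder_payment_data", "sales_transaction_records"],
    "Self-Checkout POS": ["cardholder_payment_data", "sales_transaction_records"],
    "CashMan": ["cardholder_payment_data", "sales_transaction_records"],
    "AFMS": ["general_ledger_entries", "sales_transaction_records"],
    "ATMS": ["audit_trail_entries"],
    "Shelf Tags/Signs": ["shelf_price_data"],
}

OBJECTIVES = ("confidentiality", "integrity", "availability")


def high_water_mark(levels):
    """Highest impact level among an iterable of level names."""
    return NAMES[max(LEVELS[level] for level in levels)]


def categorize_system(data_elements, impacts=DATA_IMPACT):
    """Return ({objective: level}, overall_level) for one system.

    Each objective takes the high-water mark across the system's data
    elements; the overall category is the high-water mark across the
    three objectives (FIPS 199 Section 3).
    """
    if not data_elements:
        raise ValueError("a system must be mapped to at least one data element")
    per_objective = {}
    for idx, objective in enumerate(OBJECTIVES):
        per_objective[objective] = high_water_mark(impacts[d][idx] for d in data_elements)
    overall = high_water_mark(per_objective.values())
    return per_objective, overall


def categorize_all(system_data=SYSTEM_DATA, impacts=DATA_IMPACT):
    """Categorize every system in the mapping; this is the table the
    assignment asks for, computed rather than filled in by hand."""
    return {name: categorize_system(elems, impacts) for name, elems in system_data.items()}


if __name__ == "__main__":
    for name, (cia, overall) in categorize_all().items():
        print(f"{name:18s} C={cia['confidentiality']:8s} "
              f"I={cia['integrity']:8s} A={cia['availability']:8s} -> {overall}")
```

The same function categorizes any system once its data elements are listed, which is the point of building the Data Mapped to IT Systems table first: the system category falls out of the data categorization rather than being assigned separately.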
Note: You will use this week's assignment to help you complete your Week 2 assignment.
Submit your assignment.
Overview
SureMarket is a major publicly owned grocery retailer with stores in 35 states. Retail sales last year were $25 billion. SureMarket employs over 125,000 people.
Vision and Mission
SureMarket's Vision: Be the customer's number one choice for grocery shopping.
SureMarket's Mission:
Focus on customer value
Execute efficient operations
Commit to the highest standards of stewardship to stockholders and stakeholders
SureMarket IT Systems
SureMarket has the following IT systems to support operations and management of the company. Past risk assessments identified vulnerabilities for some IT systems; risk assessments were not completed for others. Information from the assessments is as follows:
Customer Transaction Systems
Point of Sale (POS) Checkout System: The system records sales and financial information, including detailed customer and product-related data.
  - Risk assessment needed to ensure proper protection of POS systems and payment information.
Self-Checkout POS System: The self-service POS stations provide customers with a ring-up and pay convenience capability.
  - Risk assessment needed to ensure proper protection of POS systems and payment information.
Cash Management (CashMan) System: This system controls the cash handling processes from the POS to the back office, and then to the bank.
  - A previous risk assessment discovered a vulnerability with the CashMan System. Vulnerability: This system does not encrypt transactions between the back office and the bank, so financial and credit card data are unprotected in transit.
Accounting and Financial Reporting Systems
Accounting and Financial Management System (AFMS): This system tracks and monitors revenue and expenditures and produces accounting and balance sheet data in accordance with SOX. This is a SOX reportable system in accordance with Section 302.
  - A previous risk assessment discovered a vulnerability in ensuring proper access to the AFMS.
Audit Trail Management System (ATMS): This system records any change to records and keeps an audit trail. Entries are time-stamped with information including the operator name and the reason for the record change. This is a SOX reportable system.
  - A previous risk assessment discovered a vulnerability with the ATMS. Vulnerability: This system does not enforce role-based access to prevent unauthorized modification. It does not prevent users from directly updating the database, and a generic login account is used to access the database, so individual changes cannot be attributed to a named operator.
Human Resources, Payroll, Compensation, and Employee Scheduling Systems
Labor Scheduling: This system creates work schedules for employees and departments.
Time & Attendance: This system plans, monitors, and reports employees' work hours.
Supply Chain Management
Direct Store Delivery (DSD): The DSD System receives products distributed directly from manufacturers or suppliers.
Order Entry/Inventory Management: This system supports inventory replenishment.
Store Operations
Item Price Verification System: This system uses wireless handheld devices connected to POS to audit prices on the shelf.
Shelf Space Management System: This system manages the amount of shelf space allocated for each product.
Data Loss Prevention System: This system provides an auditing tool to identify irregular and fraudulent activities by analyzing data to reduce lost profits. This is a SOX reportable system.
Electronic Shelf Labels (ESL): Shelf tags are linked to a backroom computer and POS that automatically display price changes.
Shelf Tags/Signs Software: This application prints in-store tags and signs.
Strategic Planning and Training
Learning Management System (LMS): This computer-based training course software delivers local or online content for new and existing employees.
Forecasting Systems: This system projects expected sales of products for given time periods.
Sarbanes-Oxley Act of 2002 (SOX) Assessments
SureMarket contracted with Phoenix Security Services to conduct an audit to ensure compliance with SOX. Phoenix Security Services was hired to assist SureMarket with SOX compliance by providing information program security management, information security governance programs, risk management programs, and regulatory and compliance recommendations.
Risk Management Framework for IT System Validation
SureMarket and Phoenix Security Services have agreed to use the NIST Risk Management Framework (RMF). The ISO/IEC 27000 series risk management framework was considered, but it would require a significant cost to implement, while the NIST RMF publications are freely available to the public.
High-Level Minimum-Security Requirements
Although not an all-inclusive list, the following major security-related areas will be included.
Auditing: Software and systems will be audited to ensure compliance with key requirements of SOX. First, system documentation will be audited against the intended use of the system. Second, the IT systems will be audited using the intended-use specification to identify any issues. In accordance with SOX, significant issues must be corrected and retested before the system can be certified and validated as ready for intended use.
Access Control: The systems will provide adequate security to prevent unauthorized modification by enforcing role-based access, so that users cannot update the database directly and every change passes through the application's authorization checks. Software will apply an electronic signature to every transaction entered into the system.
Lifecycle Methodology and Management: The lifecycle methodology and management requirement ensures that the software vendor who develops the software and the IT organization that implements it follow a clearly defined and documented software-lifecycle methodology. Management of the lifecycle methodology is intended to ensure quality and reduce software defects that could result in non-compliance. The components of the lifecycle include:
Systems Requirements: Clearly defined
System Design Specifications: Clearly documented, with design reviews
Test Plans and Test Procedures: Developed early in the lifecycle; tests based on requirements
Coding Standards: Well-documented standards; frequent code reviews
Facility Security: This requirement calls for vendor facilities, as well as SureMarket's own facilities, to be audited to ensure adequate security controls are implemented to prevent unauthorized access to software, computer rooms, and backup media storage rooms.
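The ATMS finding in the IT Systems Profile (no role-based access, users updating the database directly, a shared generic login) is the failure mode the Access Control requirement above targets. The following added example, which is neither SureMarket's nor Phoenix Security Services' code, sketches the shape of a compliant change path: every update goes through an authorization check keyed on a named operator's role, and each audit-trail entry records who changed what, when and why, and carries an electronic signature so that a later direct edit of the audit table is detectable. The role model, record types, signing key, and the use of HMAC-SHA256 as the signature mechanism are assumptions for the walkthrough; the requirement itself does not specify a signing scheme.

```python
# Added example (not SureMarket's or Phoenix Security Services' code):
# a minimal record-change service illustrating the Access Control
# requirement.  Changes are mediated by a role check instead of direct
# database updates, every change is attributed to a named operator (no
# generic account), and each audit-trail entry carries an electronic
# signature.  HMAC-SHA256 is a constructed stand-in for whatever signing
# mechanism a real deployment chooses; the role model is also constructed.
import hashlib
import hmac
import json

# Constructed role model: which roles may change which record types.
ROLE_PERMISSIONS = {
    "gl_accountant": {"general_ledger"},
    "ar_clerk": {"accounts_receivable"},
    "auditor": set(),  # read-only: may verify the trail, never modify records
}


class Unauthorized(Exception):
    pass


class RecordStore:
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self.records = {}      # (record_type, record_id) -> current value
        self.audit_trail = []  # append-only list of signed entries

    def _sign(self, entry: dict) -> str:
        # Canonical JSON so verification signs exactly the same bytes.
        payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def change_record(self, operator, role, record_type, record_id,
                      new_value, reason, timestamp):
        """Apply a change only if the operator's role permits it, and write
        a signed audit entry capturing operator, old/new value, time, reason."""
        if record_type not in ROLE_PERMISSIONS.get(role, set()):
            raise Unauthorized(f"{operator} ({role}) may not modify {record_type}")
        if not reason.strip():
            raise ValueError("a reason for the change is required")
        key = (record_type, record_id)
        entry = {
            "timestamp": timestamp,
            "operator": operator,
            "role": role,
            "record_type": record_type,
            "record_id": record_id,
            "old_value": self.records.get(key),
            "new_value": new_value,
            "reason": reason,
        }
        entry["signature"] = self._sign(entry)  # signature covers all other fields
        self.records[key] = new_value
        self.audit_trail.append(entry)
        return entry

    def verify_audit_trail(self):
        """Return indices of entries whose signature no longer matches their
        content; an empty list means the trail is intact."""
        bad = []
        for i, entry in enumerate(self.audit_trail):
            unsigned = {k: v for k, v in entry.items() if k != "signature"}
            if not hmac.compare_digest(self._sign(unsigned), entry["signature"]):
                bad.append(i)
        return bad


def demo():
    """Constructed walkthrough: one permitted change, one denied change,
    then a direct edit of the audit table that the signature check catches."""
    store = RecordStore(signing_key=b"constructed-demo-key-not-for-production")
    store.change_record("j.doe", "gl_accountant", "general_ledger", "4010",
                        new_value=125000.00, reason="correct Q3 revenue posting",
                        timestamp="2024-01-15T09:30:00Z")
    denied = False
    try:
        store.change_record("a.smith", "auditor", "general_ledger", "4010",
                            new_value=0.0, reason="n/a",
                            timestamp="2024-01-15T09:31:00Z")
    except Unauthorized:
        denied = True
    intact_before = store.verify_audit_trail() == []
    store.audit_trail[0]["new_value"] = 999.0  # simulate bypassing the application
    tampered = store.verify_audit_trail()
    return denied, intact_before, tampered
```

Two caveats a practitioner would raise against this sketch: an HMAC proves integrity only to holders of the key, so the key must be held by the audit service and not by the database accounts operators can reach, and a per-operator asymmetric signature would be needed if the goal is non-repudiation of who entered the transaction. The record of old and new values, operator, timestamp and reason matches what the ATMS is described as storing; the signature is what turns that record into evidence that survives a direct database edit.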