With the unlimited opportunities to conduct business through the media of information technologies, come the possible way to undermine the system of secure data exchange and processing. Information systems infrastructure used by Vology, Inc., as a “Hybrid Super Value Added Reseller” of information systems networking equipment, covers various stages and aspects of business operating. This paper is to assess the vulnerabilities of different areas of the information technologies services security and assurance, to provide possible methods of testing and defining the flaws in the existing infrastructure, and to identify what areas of the informational security and assurance of Vology, Inc. are to be improved.
Primary features of the informational security infrastructure at Vology, Inc.
To assess the informational infrastructure of the Vology, Inc. it needs to be divided into smaller functional element, such as customer-related services operation and e-commerce, software, and systems dealing with verification processes, systems, and software used by the IT department, and systems handling payrolls, taxes, operations of human resources department and capital management. Since all these systems are equipped with different software and have a different infrastructure, they are to be tested separately.
However, the vulnerability assessment’s aim is not only to define the flaws in the systems but also to evaluate which of them are more likely to be a crucial issue in the case of emergency or the improvement of which of them will result in the maximum benefits of the system of information system as a whole.
The system of e-commerce and customer-related network services at Vology is based on the optimized search engine functioning, improved user interaction and lead generation (Agrawal & Gill, 2013). This most likely implies the use of the Broadleaf E-Commerce Suite, a platform that includes the catalog for customers, the ability to generate targeted advertisement and provide maximum interaction with the customer from the start of the product searching process to the checking out the order.
The Broadleaf is based on the two-level order-taking system of workflows and activities, equipped with the database configuration of the Hypersonic (HSQL) database (Agrawal & Gill, 2013). In other words, different levels of the configuration relate to different customer activities, when the workflows respond to order processing, including pricing items and checking out, the activities are responsible for browsing and reviewing the items.
The back-end system addresses the financial operations of the company, including payrolls, taxation payments, verifications of customers’ payments and integrating with both the accounting system and the system of e-commerce. The back-end system also provides the platform for the inventory management that can be accessed by both the customers checking on their order processing and staff who can manage the inventory by using the application.
Factors to evaluate integrated information security
Given the fact that many of the customer-related services are integrated with company’s home-based back-end system that at the same time manages accounting and financial operations, including quarterly and annual reporting, it is important to make sure that the efficiency and performance of it will be satisfactory in cases of high flow of the customers. To test it the assessment team is to create conditions of such a situation artificially, for example, by testing penetration (Fischer-Hübner, 2001).
The “Red Team” attack scenario in such a situation is not quite suitable since, in case of “failing” the test, the system will create the difficulties for actual customers using the site at the moment of testing (Scarfone, Souppaya, Cody & Orebaugh, 2008). In such a way, the optimal solution is to conduct the testing in the form of rehearsal with the cooperation of the information technologies department of the Vology, Inc. Thus, the testing penetration will define the vulnerabilities of the integrated back-end infrastructure security and assurance system, without creating obstacles for customer users monitoring the processing of their order.
Another area that needs to assessment is the security of the customers’ personal information provided for the transactions. Presumably, its safety relies upon the integrated system. However, the vulnerability of the PCI information depends on whether the firm chooses to store it, which, on the one hand, convenient for the regular customers, but, on the other hand, demands additional security measures. The possible method of the assessment is creating a testing customer account with the following testing penetration of the “White-Hat Hacker”.
As the result of these operational evaluations, by using the rehearsal of the situation and testing penetration, we define the possible vulnerabilities of the interconnected system of order processing, inventory management, and accounting that rely on the same platform, without any discomfort for the customers using the services of the website.
Motivation and means for information security improvement
According to Werlinger, Hawkey, and Beznosov (2009), “the culture of the organization and decentralization of IT security trigger security issues that make security management more difficult” (p. 4). Thus, the significant issue is to maintain the integrated platform for the different branches and services of the company that each is provided with its own software and infrastructure. It is especially important to preserve all the security methods and guidelines in the context of expanding and developing user interface and functionality of the customer-related services provided by the company website.
Conclusion
The areas that store customer information, including PCI and personal data, require further investigation and audit because those types of data in terms of the vulnerability is the most targeted. Meanwhile, the number of services providing customer-interaction is constantly growing that implies the necessity for additional security and assurance measures in this sphere.
References
Agrawal, M., & Gill, G. (2013). Mobile Application Development Strategy at Vology. Journal of Informational Technology Education, 2(13), 1-20. Web.
Fischer-Hübner, S. (2001). IT-security and privacy. New York, NY: Springer. Web.
Scarfone, K., Souppaya, M., Cody, A., & Orebaugh, A. (2008). Technical Guide to Information Security Testing and Assessment. Washington, DC: US Department of Commerce. Web.
Werlinger, R., Hawkey, K., & Beznosov, K. (2009). An integrated view of human, organizational, and technological challenges of IT security management. Information Management & Computer Security, 17(1), 4-19. Web.