
Cases 1. Fairplay Turns to a Managed Security Service Provider


Question

Fairplay Finer Foods is an independent grocery retailer that operates in the greater Chicago area. From its beginning, Fairplay's mission has been to provide quality foods at an affordable price along with exceptional customer service. Starting with a single store in 1975, Fairplay has since grown to seven locations. The opening of each new store led to increased sales and attracted new customers; however, expansion also raised new information system needs as well as information security risks. Due to its size, it was not practical for Fairplay to create and run its own information technology organization, so it contracted with KCS Computer Technology, Inc., to provide these services along with the necessary computer hardware and systems. One of KCS's key accomplishments for Fairplay was to implement and manage a corporate network that the grocery chain uses to run applications and communicate across all of its stores.

Another important area of focus for KCS involved helping Fairplay manage issues related to the Payment Card Industry Data Security Standard (PCI DSS). Retailers accepting credit cards and other forms of electronic payment are required to comply with the PCI DSS. The PCI DSS standard ensures that businesses follow best practices for protecting their customers' payment card information. The necessity to comply with the PCI DSS standard along with concern over potential network security issues led Fairplay and KCS to seek out a managed security service provider (MSSP).

After a thorough investigation, Fairplay and KCS selected ControlScan, an MSSP headquartered in Atlanta. This choice was based on ControlScan's simple pricing model, stable of certified security experts, advanced technology, and solid reputation. As part of its contract with

Explanation / Answer

1. Network and security is a separate domain even within the engineering industry and encompasses a major area of interest and study. As a result, even software companies often outsource their security needs to other companies. This is done because most organizations across the globe do not have core competency in the security domain. We can consider this analogous to security personnel for a home or office. While we can obviously hire employees to do that, it is often best left to professionals to provide security services. Especially considering that an organization such as Fairplay is a comparatively small organization and its core competency lies in the retail business, the advantages that an MSSP like ControlScan brings are:

One of the potential drawbacks of outsourcing security projects to an MSSP is that organizations place enormous trust in them. There are certain drawbacks that one needs to be aware of before placing too much trust. One of the major drawbacks is the increased risk and the dependency that is created. Consider the case of Fairplay and ControlScan. If the security of ControlScan gets compromised, all of their clients' data is also compromised. Also, by outsourcing the security operation to another organization, Fairplay is effectively sharing its customer data and other sensitive information with ControlScan. Measures need to be taken in order to make sure that MSSPs do not misuse that information.

2. PCI DSS is a compliance standard. It provides the minimum level of security required for secure transactions and protection of customer data. However, simply complying with the PCI DSS standard does not mean that the system is secure. In addition to implementation of the PCI DSS system, I would also schedule periodic audits from another third party. Audits by organizations that provide a QSA (qualified security assessor) or ISA (Internet security assessor) can be conducted to make sure that our systems meet the requirements of the business.

3. Some of the key changes that have been implemented in PCI DSS 3.0 from PCI DSS 2.0 are the following:

The future of PCI standards is in flux as the industry is experiencing various shifts in the way businesses operate. There is considerable movement when it comes to the sharing of data and transactions. Companies are increasingly adapting to the cloud, and there is a requirement and suggestion to implement changes to security standards that can provide a guideline for this offline/online convergence.