MIS Cyber Security Audit
pannyjr23
MIS680Assignment2.pdf
MIS 680 Cyber Security Audit
Assignment 2
Student Name: __________________________________
1
Purpose
This project provides an opportunity for you to apply principles related to auditing to
ensure information systems are in compliance with pertinent laws and regulations, as
well as industry requirements.
Learning Objectives and Outcomes
You will be able to:
• Explain the purpose of PCI DSS
• Analyze business factors that influence PCI DSS compliance
• Describe potential consequences of failing to demonstrate PCI DSS
compliance
• Apply standards and frameworks to the development of information security
internal control systems
• Analyze the use of information security controls within IT infrastructure
domains.
Required Source Information and Tools
The following tools and resources that will be needed to complete this project:
§ Course textbook
§ Materials posted on Canvas
§ Access to the Internet to perform research for the project
§ PCI Security Standards Council: https://www.pcisecuritystandards.org
§ Important PCI Compliance Information for Merchants:
http://www.pciassessment.org/pci-dss-framework/merchants
§ Other source of information as you deem needed.
Deliverable Outcomes
As discussed in this course, IT Audit is an important process for all organizations.
This is particularly true in information systems, which provides critical support for
organizational missions. The heart of IT audit is a formal IT Audit management plan.
The project activities described in this document allow you to fulfill the role of an
MIS 680 Cyber Security Audit
Assignment 2
Student Name: __________________________________
2
employee participating in the PCI DSS IT Audit management process in a specific
business situation.
Submission Requirements
All project submissions should follow STU’s standards and course syllabus format:
Scenario - PCI DSS Compliance Requirements
Scenario S&H Aquariums is a new online retailer that is about to begin selling
aquariums and other items for aquarium hobbyists. In recent months, many companies
have been featured in the news because of information security breaches that have
exposed customers’ credit card data. S&H Aquariums’ management team is worried
about the negative impact a potential breach could have on the company’s reputation
and business standing.
S&H Aquariums has hired you, an information systems security expert, to ensure that
the company is prepared to accept credit card payments for purchases made through
the company’s Web site. To kick off the planning phase, the board of directors would
like you to write a report explaining what the company will need to do to minimize
risks to sensitive data and comply with applicable laws and regulations, as well as
industry standards. In preparation, you sit down with the company’s president and
discuss the following details:
• Per the company’s strategic plan, the company expects to have between
20,000 and 1,000,000 credit card transactions during the first year of
operations. However, the board would like to know what differences to
anticipate as the volume of credit card transactions grows in the coming years.
• The company will initially accept payments made with MasterCard and Visa
only, but it may decide to accept other credit cards in the future.
MIS 680 Cyber Security Audit
Assignment 2
Student Name: __________________________________
3
• The board of directors is discussing the possibility of opening a bricks-and-
mortar store in the future, and the board would like to consider any
compliance-related issues prior to making that decision.
• The board consists of professionals from a variety of fields. It is unlikely that
any of the board members are familiar with complex information security
concepts or with PCI DSS, the set of requirements that prescribes operational
and technical controls to protect cardholder data.
Tasks
• Review the information related to PCI DSS compliance provided in the course
textbook and in the Internet resources listed for this project. Consider how this
information relates to the description of S&H Aquariums provided in the
scenario above.
• Write a report for S&H Aquariums’ board of directors. Include the following:
o Introduction
o PCI DSS Overview
• Include a discussion of the six principles, twelve primary requirements, and
the sub requirements of PCI DSS.
o Rationale
Explain why the company needs to address the PCI DSS requirements and describe
potential consequences if the company is not able to demonstrate compliance.
o Immediate Considerations for PCI DSS Compliance
Analyze factors (including those introduced in the scenario above) that will influence
S&H Aquariums’ immediate plans for PCI DSS compliance. Discuss payment brands
MIS 680 Cyber Security Audit
Assignment 2
Student Name: __________________________________
4
(credit card companies), transaction volumes, merchant levels (i.e., 1 through 4), and
types of reporting required in relation to S&H Aquariums’ business projections.
o Future Considerations for PCI DSS Compliance:
• Analyze contingencies that may influence PCI DSS compliance in the future.
Address potential questions from the board, including but not limited to:
• What would be expected of the company if credit card volume increases past
1,000,000 transactions in future years?
• What should S&H Aquariums do to demonstrate PCI DSS compliance if it
begins to accept American Express or Discover?
• How would opening a bricks-and-mortar store affect the company’s
responsibilities for PCI DSS compliance?
o Conclusion
• Describe the main key findings and key takeaways.
Submission Requirements: · Format: Microsoft Word · Font: Times new Roman 12-point, double-spaced · References: Citation Style must follow APA style guide · Length: 4 pages
