
Walmart IT Security Policy

Student Name:

Institutional Affiliation:

Course Name:

Course Number:

Course Instructor:

Submission Date:

Security needs and objectives of Walmart

Walmart is an online store where customers can purchase goods and have them delivered to their homes. Due to the nature of the business, consumer privacy is a major concern, and the company has outlined various privacy policies such as supplier, visitor, and applicant privacy policies. Information collected by this company includes personally identifiable information such as email addresses, telephone numbers, age, date of birth, gender, nationality, purchase history, and location information (Walmart, 2021). Walmart collects such personal information to fulfill its legal obligations, conduct business research, help in the prevention of fraud, and monitor customer transactions. Additionally, collected personal information is shared with third parties such as shipping vendors, refund vendors, payment card processors, and advertising companies (Walmart, 2021). The company might also share personal data with the successor business in the event of a merger or acquisition. Legal requirements that the company deems fit may lead to disclosures of personal data to security agencies. These legal requirements entail addressing financial fraud, breach of an agreement, and crimes on the company's property.

Walmart Security policy and objectives

Walmart's security policy objective is geared toward protecting personal data obtained from customers, suppliers, and cloud storage providers. To secure data at rest, Walmart employs a variety of security techniques, such as technical safeguards, administrative measures, and physical measures. The main objective of the security policy in this company is to protect the integrity and confidentiality of customers' personal information (Walmart, 2021). Walmart's security policy outlines the responsibilities of employees as they handle customer data to perform their tasks. For instance, the policy states that employees who disclose personal data to adversaries are held criminally liable and might face stiff disciplinary action, including termination of their employment contracts. In circumstances where the chief information security officer (CISO) believes an employee has failed to comply with any of the privacy or security policies, legal action may be instituted against that worker. New employees are required to read and understand the company's security policy before they sign the document.

Physical protection of IT resources in the company is a top priority. Protection of information resources is vital against natural disasters, burglary, theft, terrorist activities, and vandalism. Physical security ensures that the company's hardware, network, software, and personnel are safe from actions that might lead to loss of data or cause a security breach. In implementing physical security, the company has employed access control technologies to limit access to and exposure of information resources and to ensure only authorized personnel are allowed to access certain assets. Walmart's physical stores are fitted with surveillance systems such as CCTV cameras, in addition to security guards who monitor people's movement on the company premises (Manteigueiro, 2020). Any criminal behavior captured by surveillance systems is quickly acted upon to prevent a security breach.

The company has disaster recovery plans, which are crucial during cyber-attacks. The security response plan details how the security team can identify, respond to, and contain a threat. Employees are the first line of defense, especially for an e-commerce company like Walmart, and therefore they are expected to be "cyber aware" at all times. Towards this end, employees in the company are routinely trained on cyber security preventive measures. The company's password policy outlines the characteristics of a strong password that employees and customers are expected to abide by. Employees are not allowed to share passwords with colleagues, and privilege restrictions are implemented for every user account so that users can perform only their own tasks (Manteigueiro, 2020). Moreover, the password policy defines a strong password as one that is eight characters long and contains at least one uppercase letter, one lowercase letter, one number, and one special character. All Walmart account users are expected to change their passwords every three months. It is the responsibility of the security officers managing IT infrastructure in the company to ensure that user names and passwords supplied by customers and employees are encrypted to prevent a security breach.
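The password rules described above (eight characters with an uppercase letter, a lowercase letter, a number and a special character, rotated every three months) can be enforced mechanically at password-change time and at login time. The following is an added illustration, not code from the paper or from Walmart; it reads "eight characters long" as a minimum length and "every three months" as 90 days, both of which are assumptions, and the account records it checks are constructed sample data.

```python
import string
from datetime import date, timedelta
from typing import Dict, List

# Policy parameters as described in the paper's account of the password policy.
MIN_LENGTH = 8        # "eight characters long", interpreted here as a minimum (assumption)
MAX_AGE_DAYS = 90     # "every three months", taken as 90 days (assumption)
SPECIAL_CHARS = set(string.punctuation)


def check_password_complexity(password: str) -> List[str]:
    """Return the names of the policy rules the candidate password fails.

    An empty list means the password satisfies every complexity rule.
    This check belongs at password-set/change time, before the credential
    is ever stored, so the plaintext never needs to be retained for auditing.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("special")
    return failures


def password_expired(last_changed_iso: str, today_iso: str,
                     max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the rotation interval.

    Dates are ISO-8601 strings (YYYY-MM-DD) so the check can be driven from
    a directory export or a log line without extra parsing code.
    """
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=max_age_days)


def login_decision(record: Dict[str, str], today_iso: str) -> str:
    """Decide what happens at login for an account record.

    Only the last-change date is needed here; the stored secret itself is
    never inspected, which is the point of doing complexity checks up front.
    Returns "ok" or "must_change".
    """
    if password_expired(record["last_changed"], today_iso):
        return "must_change"
    return "ok"


# Constructed sample data (not real accounts): one compliant, one stale.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "last_changed": "2021-07-01"},
    {"user": "bob", "last_changed": "2021-03-15"},
]


def audit_logins(accounts: List[Dict[str, str]], today_iso: str) -> Dict[str, str]:
    """Map each user name to its login decision on the given day."""
    return {a["user"]: login_decision(a, today_iso) for a in accounts}


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3"):
        print(candidate, "->", check_password_complexity(candidate) or "compliant")
    print(audit_logins(SAMPLE_ACCOUNTS, "2021-09-28"))
```

`check_password_complexity` returns the list of failed rules rather than a bare boolean so that the user-facing error message can say exactly which rule was missed, which reduces repeated failed attempts.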

Comparing security policies and business needs

Comparing the business needs of Walmart with its security policies, it is evident that they conflict. Data protection and information security are not guaranteed, especially when personally identifiable information is shared with third parties. Vulnerabilities can be exploited by adversaries because of weaknesses in the security policies. For instance, Trojan horse viruses can be injected into Walmart's e-commerce site to mine customers' personal data without their knowledge (Cram, 2017). Attackers are known to bypass the authentication and authorization measures used in online shopping stores such as Walmart. Stolen personal data can then be used by cybercriminals to commit identity theft.

Aspects of security policy inclusions/ omissions

Walmart's security policy strongly emphasizes the need for strong passwords. This aspect helps to minimize brute force and DDoS attacks, which are common against e-commerce sites. Additionally, the security policy elaborates on the need for a disaster response plan in case of a cyber-attack. The response plan ensures the availability of the e-commerce site during downtime caused by malicious attacks, which can otherwise plunge the business into uncertainty (Chun, 2019). However, the security policy does not address how insider threats can be mitigated. Malicious employees can introduce viruses or other malicious programs to disrupt business operations. Additionally, the security policy does not address how firmware for hardware devices should be updated to fix vulnerabilities that might exist. Software updates and the installation of security patches are also omitted from the security policy.

Recommendations

A risk assessment should be conducted to evaluate potential security risks such as ransomware, phishing, zero-day exploits, social engineering, and SQL injection (Chun, 2019). Intrusion detection systems should be deployed on the company's computer systems to help identify threats. Lastly, a data governance framework should be adopted to ensure effective use of information in the organization.

References

Walmart (2021, July 1). Privacy & Security. https://corporate.walmart.com/privacy-security/walmart-privacy-policy

Chun, S.-H. (2019). E-commerce liability and security breaches in mobile payment for e-business sustainability. Sustainability, 11(3), 715.

Cram, W. A., Proudfoot, J. G., & D'Arcy, J. (2017). Organizational information security policies: A review and research framework. European Journal of Information Systems, 26(6), 605-641.

Manteigueiro, J., Crocker, P., & Barrico, C. (2020, July). Identity Management and Access Control for the GNSS Community within a European Research Infrastructure. In 2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC) (pp. 1616-1621). IEEE.