
SECURITY AND RISK MANAGEMENT
ASSET SECURITY
SECURITY ARCHITECTURE AND ENGINEERING
COMMUNICATION AND NETWORK SECURITY
IDENTITY AND ACCESS MANAGEMENT (IAM)
SECURITY ASSESSMENT AND TESTING
SECURITY OPERATIONS
SOFTWARE DEVELOPMENT SECURITY
BUSINESS CONTINUITY PLAN (BCP)
DISASTER RECOVERY PLAN (DRP)
INFORMATION SECURITY AUDITING

A CASE STUDY ON SECURITY MANAGEMENT: SKY BLUE INC. EXPERIENCE

I. Introduction

Sky Blue Inc. is one of the Philippines' top pharmaceutical retailers, with over 500
branches in strategic locations all over the country, giving customers easy access to
quality health and beauty products. Committed to offering the best health and beauty shopping
experience with its unique touch of passionate care, Sky Blue Inc. continues to expand its
services beyond conventional limits: it serves customers in the comfort of their own homes
through Sky Blue Express Delivery, and fulfils health and beauty needs across the country
through the nationwide delivery of the Sky Blue Pharmacy Online Store.

The daily routine of the person in charge begins with cleaning before the store opens.
Records are checked every day, and a monthly inventory identifies the products that need to be
restocked. The person in charge also ensures that products are delivered to customers. The
current routine of Sky Blue Inc. is shown below.

This study proposes an IT infrastructure for efficient scheduling and attendance handling:
an Attendance System (AS) and a Scheduling System (SS) to support the scheduling process, the
attendance process, and effective day-to-day work.

Most other companies already use attendance and scheduling systems; the first thing to
consider is finding the plan that fits the business. Since many methods already exist, the
attendance system will track employee hours: it records when each employee started work and
when they left. In addition, it lets you monitor late arrivals, working hours, early
departures, time taken on breaks, and absenteeism.

Customer Intelligence is a type of Customer Relationship Management (CRM) that
focuses on collecting customer information to gain insight into behavior. Companies may use
Customer Intelligence methods to collect and analyze data to uncover customers' preferences,
motivations, patterns, and wants, and then build their strategy on that information to provide
a better customer experience.

Furthermore, a customer intelligence offering provides companies with strategic customer
analytics, customer intelligence, and customer experience management solutions. It helps
companies obtain a single view of their customers, gain insight into customer characteristics
and behavior, and run relationship-building programs that effectively reach their customer
base.

II. Security requirements

Customer Intelligence has never been more important to decision-making than in an era
where customers know exactly what they want. Customer intelligence is about listening to each
customer, embracing their requirements, and using that data to respond to them in a timely
fashion, for example by analyzing customer data in the context of millions of unique customer
journeys using customer journey analytics. Customers are the company's lifeblood. Without their
approval, the business cannot grow, which is why customer service is so important. Thanks to the
internet and social media, people are more vocal than ever about their experiences with
businesses, whether good or bad.

For the Attendance System, maintaining attendance matters both to the employee and to their
standing with the employer. Being on time improves work credibility and history, while being
consistently absent or tardy may affect the current job and any future job opportunities.

System Functionality

- Tracks when employees start and stop work.
- Monitors employees' working hours and late arrivals.
- Makes attendance easier to check.
- Helps the company monitor its employees.
- Builds the habit of being punctual.

System Architecture

III. Security framework

The key standards to rely on in this area are ISO/IEC 27001:2013, NIST SP 800-30, and
BS 7799-3:2017. However, despite significant achievements, there is currently no single,
system-level view that covers every aspect of the problem, the nature and features of the
research tools, and their place in the multifactor risk analysis of a distributed system,
taking into account the whole set of interrelated, mutually influencing processes involved. The
uneven depth to which individual aspects of this problem have been elaborated has created the
need for effective models and methods for reconciling and analytically processing heterogeneous
data, so that the current state of information security of a distributed system can be
analyzed rapidly.

IV. Risk management


Information security risk assessment is an extremely important part of a company's data
protection strategy. It is carried out to support decision-making and an immediate response to
identified threats (risk response). Information security risk analysis determines the
necessary and sufficient set of information security tools and regulatory and organizational
mechanisms for reducing information security risks, and so supports building the most
effective information security management system architecture for a given organization.
The study of risk factors in a distributed environment deserves special attention.

According to ISACA's annual State of Enterprise Risk Management 2020 survey, the biggest
challenges in corporate risk are factors related to the emergence of new threats, changes and
advances in technology, and weak human resources, that is, a lack of the necessary skills and
experience among specialists and existing cybersecurity teams (Figure 1).

On the other hand, according to the same study, the control most frequently used to
prevent or mitigate potential security concerns is raising awareness and conducting
cybersecurity training among staff (Figure 2).

V. Security measures

As shown in Fig. 1, the point of departure of the information security risk management
process is the establishment of the context concerning the organization, which expresses its
objectives and strategy. A risk assessment is then performed to classify the risks in order of
priority.

The information security risk management process is iterative by nature, and two decision
points support this. The first concerns the result of the risk assessment. If it is not
satisfactory, that is, if the assessment does not provide enough information to determine
correctly the actions needed to bring the risks back to an acceptable level, the process loops
back to context establishment. Otherwise, the process continues to the risk treatment stage.
The second decision point follows risk treatment: if the results of the treatment are not
satisfactory, the process resumes either from context establishment or from risk treatment.
The ISO 27005 standard does not indicate which of the two is the starting point for
resumption. To remove this vagueness and represent the choice explicitly, we introduce a third
decision point: if the level of residual risk is still high, the process repeats from context
establishment; otherwise it repeats from risk treatment.

Once treatment has improved the level of residual risk, risk acceptance takes place. The
standard requires continuous monitoring and review of the risks throughout the risk management
process. Note that the activity diagram of the risk management process has no final state,
reflecting the notion of continuity over time that characterizes ISO 27005 relative to other
existing methods. Throughout the process, the results should be communicated to management and
to all users; to model this, we integrate communication as the last action in each of the five
activity diagrams for the activities of the overall risk management process.

According to ISO 27005, a general rule is that if a lack of information security can
result in significant adverse consequences for an organization, its business processes or its
assets, then a second, more detailed iteration of the risk assessment is needed to identify
potential risks. In other words, the decision at this point depends on the nature of the risk.
If it is a major risk, that is, an event of high severity but very low probability of
occurrence, it is worth iterating the risk assessment. If the risk is minor, characterized by
very high likelihood and low impact, the decision is to continue to risk treatment. The
formulation of the criteria is therefore a key element: it must make the distinction between
major and minor risks possible. If the objectives of an asset are extremely important to the
conduct of the organization, or if the asset presents a high risk, a second iteration of the
risk assessment should be made on that specific information asset; if the assessed risks are
minor, moving on to risk treatment is recommended. Since the classification of risks in order
of priority makes it easy to draw the threshold between major and minor risks, and since major
risks generally have an extremely low frequency while minor risks most often have a higher
probability of occurrence, we choose to begin this distinction with the major risks.

VI. Development

1) Risk identification: It is advisable first to identify the assets, all of which have some
value for the organization. According to Annex B of the ISO 27005 standard, there are two
types of assets: primary assets, which are the information and the business processes, and
supporting assets, which are physical assets such as staff, equipment, sites, etc. Even
though the ISO 27005 standard does not require it, it is better at this stage to establish a
scale for asset valuation; for example, one can consider the replaceability of the asset,
the skills necessary for its use, its purchase cost, its maintenance cost, etc.

Once the list of assets is ready, the threats must be identified: everything that has the
potential to damage the assets. Note that threat identification is carried out only on
supporting assets, and that every asset can be exposed to several threats. Next, the existing
controls must be identified to avoid redundancy. From what precedes, the identification of
vulnerabilities (the weaknesses of the assets) becomes feasible, as does the formulation of
incident scenarios; an incident scenario is the description of a threat exploiting a
vulnerability or a set of vulnerabilities in an information security incident [10]. For every
incident scenario we then determine the consequences that losses of confidentiality, integrity
and availability can have on the assets.

Clearly, direct passage to risk acceptance is determined by the degree of acceptability of
the residual risks. The manager therefore has to estimate the level of residual risk in order
to compare it with the acceptance criteria, which are based on the context and objectives of
the organization. If the value of the residual risk exceeds the acceptance threshold, the
manager faces an awkward choice between a new iteration of the risk assessment, probably with
a revised context, and the implementation of additional security measures. During the first
iterations, the best solution is to lower the previously established risk acceptance
threshold. In the case where the residual risk still does not fulfil the acceptance

VII. Conclusion

Sky Blue Inc. needs a system that will improve the efficiency of its business process.
It is therefore necessary to propose an IT infrastructure to achieve operational excellence,
resulting in significant profits for the store and supporting the growth of the business.

- The study shows that the business needs to improve its attendance handling by acquiring
  information systems and IT infrastructure. The researchers strongly recommend Attendance
  and Scheduling Systems to achieve operational excellence; we recommend them in our proposal
  to increase efficiency and improve the existing business.
- The recommended system aids in the management of attendance and schedules. The designed
  methodology will help improve the management of attendance and scheduling in the current
  business.
- Sky Blue Inc. should engage external consultants to modernize its environment and perform
  basic diagnostics of its technical controls.

References
