Question:
SnowBe Online is a lifestyle brand for those who love the beach and snow. The owners started the company with a laid-back culture. Their customers instantly connected with their brand taking them to $100 million in sales in three years. After being so successful, the management team decided to take the company public.
Technical Information:
The majority of their sales are processed online through their website, which is housed on the AWS platform.
All credit cards are accepted and stored on the company's website.
All customer information and purchase history are stored on the website indefinitely.
They have multiple storefronts in the U.S. and Europe, which accept checks, cash, or credit cards. The credit card transactions are processed using bank-provided credit card terminals in each store.
There are twenty desktops and thirty laptops in the main office in Los Angeles.
The desktops are used to run the business and customer support.
The thirty laptops are used for sales (retail and wholesale). The laptops use a VPN to log into the office to access company applications.
There are six servers (on-premise and on AWS) for access management, storage, customer relations management, order management, accounting, and vendor applications.
As a result of SnowBe's laid-back culture, they neglected to implement technical controls and processes. They recently hired a technical consultant to assist with getting their neglected system and processes under control. The consultant started with implementing controls using the NIST 800-53 framework.
Additional Information added in Week 2:
Despite SnowBe's laid-back culture, the technical consultant was impressed to find a well-run company with no reported technical issues or breaches, although there had been a few attempts that did not cause any harm or trigger alerts that worried anyone. The technical consultant analyzed the company's risk using the NIST Risk Management Framework. Here are some initial steps he suggested:
- The need to update the firmware of all network devices.
- The need to apply the latest patches to all PCs and Windows servers so they are on the latest Windows version.
- The need to update their Anti-Virus and backup software.
- The need to implement more processes into the access management system since most employees had access to almost all data on each server.
- The need to lock the servers in a secured area of the office.
- The need to update the company's WordPress shopping cart.
Answer the following questions using the NIST Privacy Framework Core document. You will find all the documentation in the Resources section below.
NIST Privacy Framework Tool for Risk Management:
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pdf
NIST Privacy Framework CORE:
https://www.nist.gov/system/files/documents/2021/05/05/NIST-Privacy-Framework-V1.0-Core-PDF.pdf
1. Using the Function column in the NIST Privacy Framework CORE document (Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P), describe how each function can add value and benefits to your company's specific situation.
2. Using the Category column in the document, select one category for each function that offers the most benefit to your company. You should have a total of five of the most beneficial categories listed for your company. Describe how each of the selected categories can add value to your company's privacy.
3. Using the Subcategory column in the document, select one subcategory for each category you selected in item 2 above that offers the most benefit to your company. You should have a total of five of the most beneficial subcategories listed for your company. Describe how each of the selected subcategories can add value to your company's privacy.
4. For each of the items you selected in item 3 above, describe a security control (policy, procedure, hardware, or software) that could be used to help with your company's privacy.
5. Using the Subcategory column in the document, select four other subcategories that offer the most benefit to your company. Describe how each of these additional subcategories can add value to your company's privacy.
6. Using the Category column in the document, select one category for each function that offers the least benefit to your company. You should have a total of five of the least beneficial categories listed for your company. Describe why each of the selected categories adds the least amount of value to your company's privacy.
7. Using the Subcategory column in the document, select one subcategory for each category you selected in item 2 above that offers the least benefit to your company. You should have a total of five of the least beneficial subcategories listed for your company. Describe why each of the selected subcategories adds the least amount of value to your company's privacy.