McNick's fast food is a multinational organization that sells burgers and fries in nearly every country in the world. The corporation consists of a corporate headquarters in Denver, Colorado, and a massive food processing plant located in Laredo, Texas. Its products are shipped to thousands of locations around the world. McNick's was one of the first fast food vendors to implement RFID tracking of inventory using pallet level RFID tags to keep track of movement of products throughout their systems. Pallet tags are scanned using a set of readers built into the delivery dock entry as product is delivered and loaded for shipping. Delivery vehicles scan the RFID information as the last piece of tracking information at the individual stores. McNick's evaluated the ability to encrypt the information being transmitted between the tag, the reader, and the backend database and have opted to pass due to the cost per tag of adding this functionality.
McNick's has an extremely complex network, including the RFID tracking databases and software, thousands of electronic purchase of service (PoS) terminals at its stores, sophisticated Peoplesoft systems that track and integrate all of the information being collected and stored on their network from inventory to payroll and HR, and hundreds of business-unit-related software that has been custom built throughout the years. McNick's marketing staff have moved into social media with an aggressive Facebook and Twitter campaign that includes integration of these social media with the corporate Web site. All IT support is centralized at the Denver headquarters and the CIO has issued contracts to local IT shops to facilitate troubleshooting of technical problems in the remote locations. The store managers are responsible for selecting the local support. Each location has a small Windows server with their own domain that has a trust relationship with the top of the domain tree that allows the stores to remain functional in the event of an Internet outage. Some of the locations in underdeveloped countries function using a satellite connection; the managers at each shop have been given a protocol for uploading any data they have collected locally during an outage. Nearly all of these servers are located in the business office of the store.
McNick's has a large access control team. The workflow includes creation of role profiles within the Peoplesoft system where new hires throughout their entire system are entered. This information is then passed to the access control team to create new accounts. The account is created based on existing roles within the active directory system and the password is set to a standard password used for all new accounts. The complexity of managing accounts across the world has prevented access control team recommendations that complexity be enabled in the password structure. Currently the only password configuration rules are that the password must be at least six characters and be recycled every 180 days. The account ID and password information is then distributed to the manager making the request via e-mail. Recently, one of the access control staff had a slow day and was perusing the accounts. He discovered that fully 20 percent of the accounts created were apparently never used. Another noted that her cousin in the UK had left his job at McNick's several years ago, yet the account was still active in the AD system: apparently IT had never been asked to close the account, and perhaps any account.
Use the study materials and engage in any research needed to fill in knowledge gaps. Write a 2-3 page paper that covers the following:
What are the initial steps you would take when planning an enterprise-level risk assessment of technology tools and procedures?
Where are potential areas of vulnerability in the scenario as described?
What potential mitigations can you recommend that would reduce the risk of the vulnerabilities identified, including strategies to offset or monitor risk that cannot be fully mitigated?