
CIS8018 Assignment 1: Cybersecurity at Woolworths

By

Student Name
Abstract

Writing a research paper on cyber-security as part of the course curriculum helps to build research skills and knowledge of cybersecurity trends and issues. Because Woolworths' retail food business operates in e-commerce, its data is exposed to security and privacy risks, and removing weaknesses on both the internal and external sides of the business is difficult. This report sets out what an information security program for Woolworths requires by analysing its current programs, the laws and ethics it follows to meet regulatory compliance, its strategic planning and governance activities, and the policy it should develop to improve security. The findings will help Woolworths take further action to strengthen its security posture.
Table of Contents

Abstract

1. Introduction

2. Analyzing the Security Posture of Woolworths Australia

2.1 Managing Information Security at Woolworths

2.2 Laws and Ethics to Meet Regulatory Compliance

2.3 Strategic Planning and Governance to Information Security

2.4 Developing Information Security Policy

3. Discussion and Conclusion

References

Appendix
1. Introduction

Woolworths is regarded as the top retailer and e-commerce company in Australia and sells a wide variety of products and services; it is described as the country's most valuable brand. Its supermarket range covers fruit and vegetables, bakery items, drinks, frozen goods, pet care, baby care, household, health and beauty, and seafood and meat. Woolworths runs the largest supermarket chain in Australia, with 995 stores, and relies on 115,000 employees in distribution centres, stores and support offices to add value for customers [ CITATION Woo20 \l 1033 ]. It gives customers many ways to shop from home, delivering fresh meat, vegetables and food, and serves millions of customers regularly with trusted and recognisable brands through its website, which more than 2.1 million customers visit to buy products online. Woolworths works closely with Australian farmers and growers to make the best and highest-quality products available to customers.

Research problem: Because Woolworths operates in an e-commerce environment, it faces cyber-security risks and must manage them to protect customer data as well as business data. Cyber-security is essential to operating successfully in a competitive market, and protecting customers' data helps prevent them from falling victim to online shopping scams [ CITATION Moh13 \l 1033 ]. To remain a legitimate and trusted business, Woolworths needs to assess its current security posture and address the vulnerabilities and weaknesses present in its networks and communication assets; that assessment drives the protective measures that keep customers' financial data and personal information from unauthorised access.


This report studies the cyber-security practices of Woolworths Australia as an e-commerce business, covering four areas: managing information security at Woolworths, the laws and ethics followed to meet regulatory compliance, strategic planning and governance to improve information security, and the development of an information security policy.

2. Analyzing the Security Posture of Woolworths Australia

2.1 Managing Information Security at Woolworths

As Woolworths is a popular e-commerce platform in Australia, https://www.woolworths.com.au/ needs security settings and protocols that protect transactions made over the internet when customers buy food products and services, and that protect the customer databases holding confidential and sensitive data. The security programs undertaken by Woolworths need to reflect the roles defined for implementing them, and an effective security program is required for any e-commerce organisation to meet its security requirements. Effective security standards are essential for Woolworths to initiate, execute and manage the programs that strengthen its security posture [ CITATION Woo194 \l 1033 ]. To analyse that posture, this report uses the CNSS security model, which examines the confidentiality, integrity and availability of information while it is stored, processed and transmitted, and then looks at the strategies followed for network security, physical security, cyber-security, communication security and operations security.

The CIA triad as applied at Woolworths is described below.


Confidentiality: Access to information is granted only to people who are authenticated and authorised to see it. The controls used are encryption of data at rest and in transit, authentication by username and password, and a second authentication factor in the form of one-time passwords sent to the customer's registered email address or mobile phone. The one-time password verifies identity; authorisation is the separate decision about what the verified user is allowed to do.

Integrity: Financial and business data is protected from destruction, damage, corruption and disruption while it is stored, processed or transmitted. Input validation and error checking are used to preserve data integrity [ CITATION Suh16 \l 1033 ], and employees are granted only the access their roles and responsibilities require, which limits who can alter the data.

Availability: Information and systems must be accessible to authorised users, in the correct format, whenever they are needed; for Woolworths this means the website, ordering and account systems stay reachable and registered users can always retrieve their own data, such as past purchase history. Separately, customer email addresses, contact details and purchase history may be used only for the purposes customers agreed to, such as promotions and communicating new offers, discounts and rewards on specific product categories; that is a purpose-limitation commitment under privacy and confidentiality rather than an availability control.
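The controls named in the three principles above (a tamper-evident check on stored records, password plus one-time-password authentication, and role-based authorisation that grants only what a role needs) can be shown in working code. The following Python block is an added illustration written for this page; it is not Woolworths code, and the record fields, role names and permission strings are hypothetical. It uses only the Python standard library (hmac, hashlib, secrets), so it runs offline on a constructed sample record.

```python
"""Worked example of confidentiality, integrity and availability controls.

Added illustration for this page, not Woolworths code. Record fields, role
names and permission strings are hypothetical; keys are generated per run.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# In production these come from a key management service, never from source.
INTEGRITY_KEY = secrets.token_bytes(32)
PBKDF2_ROUNDS = 200_000
OTP_LIFETIME_SECONDS = 300


# --- Integrity: tamper-evident tag over a stored record --------------------
def tag_record(record: Dict[str, object], key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the record.

    Canonical encoding (sorted keys, no whitespace) means the same data always
    yields the same tag, regardless of how the dict was built.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_record(record: Dict[str, object], tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record is exactly what was tagged; constant-time compare."""
    return hmac.compare_digest(tag_record(record, key), tag)


# --- Confidentiality: authentication with password + one-time password ----
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; store (salt, digest), never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def issue_otp(now: Optional[float] = None) -> Tuple[str, float]:
    """Six-digit code from a CSPRNG plus its expiry time (sent out of band)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    return code, now + OTP_LIFETIME_SECONDS


def check_otp(supplied: str, issued: str, expires_at: float, now: Optional[float] = None) -> bool:
    """Accept only an unexpired code; compare in constant time."""
    now = time.time() if now is None else now
    if now > expires_at:
        return False
    return hmac.compare_digest(supplied.encode(), issued.encode())


# --- Authorisation: least privilege by role (hypothetical matrix) ---------
PERMISSIONS: Dict[str, Set[str]] = {
    "customer": {"order:create", "order:read_own"},
    "store_staff": {"order:read", "inventory:update"},
    "finance": {"payment:read"},
}


def authorize(role: str, action: str) -> bool:
    """Deny by default: an unknown role or an unlisted action is refused."""
    return action in PERMISSIONS.get(role, set())


if __name__ == "__main__":
    # Constructed sample record; not real customer data.
    record = {"customer_id": 1001, "email": "customer@example.com", "loyalty_points": 250}
    tag = tag_record(record)
    tampered = dict(record, loyalty_points=250_000)
    print("stored record verifies:", verify_record(record, tag))
    print("tampered record verifies:", verify_record(tampered, tag))

    salt, digest = hash_password("correct horse battery staple")
    code, expires_at = issue_otp(now=0.0)
    print("login ok:", check_password("correct horse battery staple", salt, digest)
          and check_otp(code, code, expires_at, now=60.0))
    print("expired otp ok:", check_otp(code, code, expires_at, now=600.0))
    print("customer may read payments:", authorize("customer", "payment:read"))
```

The integrity tag catches a silent change to a stored field (the inflated loyalty balance in the sample) that ordinary validation would accept as well-formed; the one-time password is rejected once its lifetime has passed; and the permission matrix refuses anything not explicitly granted to a role, which is what a least-privilege policy looks like when written down.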

Privacy: Woolworths maintains a privacy policy for managing the information it collects from customers and users, and follows good information-management practice in several respects: it states the kinds of personal information collected, how that information is gathered and held, why it is collected, used, held and disclosed, how customers can complain about privacy issues, what rights users have to access their data, and how data is shared overseas [ CITATION Woo201 \l 1033 ].

Five types of security need to be implemented at Woolworths to provide dependable protection for its information assets.


Network security: The protocols used to improve network security include TLS (the successor of SSL, which is now deprecated and should no longer be enabled), virtual private networks and IPsec. They protect email, remote communication and managed network connections, reducing the chance of interception and controlling the flow of data through the network.

Physical security: Physical security is given importance at Woolworths to protect employees and the computers and network components they use every day. Measures at stores and distribution centres include alarm systems, CCTV and panic buttons, protecting both people and information technology assets.

Cyber-security: Woolworths protects its operations and systems through several strategies: training employees on the key principles of security, protecting customer information and orders by establishing secure (encrypted) connections, filtering traffic with firewalls, and protecting networks and computers from viruses by installing antivirus and anti-malware software.

Communication security: Communication with customers relies mainly on the website and on email promoting new offers on products and services. Email is protected by adopting encryption standards, and internal communication on the intranet is protected by firewalls.

Operations security: Operational security governs how information about customers and partners is collected and shared in buying and selling, and follows best practice on when personal information may be disclosed. When collecting payment, a secure process protects credit and debit card details.


2.2 Laws and Ethics to Meet Regulatory Compliance

Ethics followed by Woolworths to meet regulatory compliance: Woolworths has developed a set of ethical practices so that it conducts business ethically and avoids cyber-security problems. Its e-commerce platform requires ethical conduct in selling products through the website, in using social media to connect with customers, and in using their personal data (name, email address, contact details, profiles, bank information and purchasing history) to promote products and services. The ethical practices of Woolworths are:

• The e-commerce website gathers information such as address, age, telephone number and gender to understand customers' buying preferences.

• Information is gathered only from people who chose to register with the company and wanted to join its customer loyalty programs or clubs.

• Woolworths applies strict terms to the third parties whose services it uses to store and process data, aimed at eliminating the risk of unauthorised access to business and customer information, and it applies best practice to prevent alteration, misuse and loss of data.

• The ethics followed by Woolworths fall into three categories: trust, loyalty, and security and privacy [ CITATION Gaj14 \l 1033 ].

• These ethics help build positive relationships with customers, reduce the complexity of making transactions, and reduce the opportunity to deceive consumers.

• The principles of informed consent, honest marketing material, user authentication, data integrity, data availability and data confidentiality help to avoid privacy and security issues in the online business environment.

• Customer loyalty is significant in e-commerce. Personal information collected while customers purchase products and services on the website is linked to loyalty programs to enable rewards and redemptions.

Laws followed by Woolworths to meet regulatory compliance: Woolworths has to comply with laws of four kinds, statutory law, constitutional law, common law and regulatory law, to conduct e-commerce operations in a competitive environment.

• The Privacy Act 1988 (Cth) is the main law Woolworths follows to protect customer information, business data and trade secrets; under its Australian Privacy Principles, Woolworths must not disclose personal information about business partners or individual customers without their consent. The Electronic Communications Privacy Act 1986, which regulates the interception of oral and electronic communications, and the Privacy Act 1974 are often cited alongside it, but both are United States federal statutes and do not apply directly to an Australian retailer; the Australian obligations come from the Privacy Act 1988 and its Australian Privacy Principles.

• PCI DSS is followed to protect the sensitive financial data of the debit and credit cards that customers use for online payment. PCI DSS is an industry standard enforced through the card schemes and acquiring banks rather than a statute, but its requirements are binding in practice for any merchant that handles card data. To align with it, Woolworths has implemented encryption, anti-virus and anti-malware controls [ CITATION Mem18 \l 1033 ].

• Copyright and intellectual property rights cover the e-commerce website, trade secrets and business ideas, giving Woolworths legal recourse against those who steal or copy them through high-tech crime and damage the reputation of the business.

• The Health Insurance Portability and Accountability Act (HIPAA) is also cited as protecting the private health information of customers who purchase insurance and food products [ CITATION Pet162 \l 1033 ]. HIPAA, however, is a United States statute that does not apply to Woolworths; in Australia, health information is "sensitive information" under the Privacy Act 1988 and attracts stricter collection and use rules under that Act.

• Unauthorised access to networks and computer systems by criminals must be prevented. The act named for this, the National Information Infrastructure Protection Act, is a 1996 amendment to the United States Computer Fraud and Abuse Act; in Australia, unauthorised access to, modification of or impairment of data are offences under Part 10.7 of the Criminal Code Act 1995 (Cth). On the e-commerce site itself, the practical control is access control: unregistered users are not permitted to place orders for products and services.

• Woolworths applies privacy and anti-spam laws to its business processes and to the collection and use of customers' personal information, and has had to change processes, systems and practices to comply with the Spam Act 2003 (Cth) [ CITATION Cam20 \l 1033 ]. Marketing communications are sent in accordance with the Spam Act, and an unsubscribe option is provided for customers who do not want to receive marketing emails about products and services.

2.3 Strategic Planning and Governance to Information Security

Woolworths gives importance to strategic planning and governance so that its security initiatives and programs deliver value.

Strategic planning to improve information security: Strategic planning is a key part of security enhancement at Woolworths. Information security strategic planning is aligned with the mission, vision and values of the business (see the Appendix); it is done at the top level and implemented at the middle and lower levels. The process at Woolworths is as follows [ CITATION Man132 \l 1033 ]:

• InfoSec planning is created at the top level by the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) as part of the IT strategy. Their main role is to protect information assets and achieve the security planning objectives. Plans are made for each level of security, including system-level, network-level and transaction-level security, with a horizon of five years or more.

• At the second level, strategic plans are converted into tactical plans implemented by cyber-security officers, system managers, network managers and security managers. Short-term tactical planning covers securing operating systems and networks, information assurance, implementing access and system controls, and protecting telecommunications [ CITATION Gar09 \l 1033 ].

• At the third level, tactical plans are converted into operational plans that secure day-to-day business operations such as customer orders, online transactions, and updating inventory and payment databases. Network technologies, security audits and assessments, network security, firewalls and intrusion detection are the focus of good operational plans.

Governance activities: Woolworths decided to consolidate its business data on the cloud platform offered by Google to improve the generation of insights and the recommendation of actions to team members. That decision makes it easier to upgrade the IT infrastructure and platform, which in turn creates opportunities to improve data security. Governance activities have also supported Woolworths in establishing business resilience and cybersecurity teams to strengthen physical and information security against external threats from attackers. The company has developed policies such as an acceptable use of information systems policy and a group cybersecurity policy governing how information is gathered, used, shared, managed and secured. The main benefit of security governance is avoiding the losses that follow from compromised data and information assets, the abuse of supplier, customer and other sensitive information, and unauthorised disclosure of data.

The board committee established by Woolworths is responsible for key activities such as reviewing the security standards, procedures and training programs implemented at the company, and for minimising the risks arising from cyber fraud, cyber-security and data privacy issues. Realising the benefits of information security governance requires choosing a suitable model [ CITATION Ste20 \l 1033 ]. The IDEAL model (initiating, diagnosing, establishing, acting and learning) delivers benefits such as efficient use of the resources allocated to security programs, making information security a part of the system development life cycle, regular testing and auditing of security programs, and training and awareness for employees. In the initiating phase the groundwork for the governance framework is laid; the diagnosing phase determines the current and desired future state of security at Woolworths; the establishing phase sets a path to reach the security goals; the acting phase implements the security plan; and the learning phase uses the experience gained to improve future security requirements. Governance is also shaped by the Corporations Act 2001 [ CITATION Int19 \l 1033 ], under which the company and its directors must take responsibility for cyber-security risk by putting adequate security measures in place against criminals.

2.4 Developing Information Security Policy

This section develops an information security policy for Woolworths to prevent the issues discussed above. The policy needs to cover three areas: applications, systems and networks. It is described below.


Policies: An information security policy is required to protect applications, systems and networks. Policies are set by top management so that they align with the strategic plan. For application security, the policy should separate the production environment from the testing environment, require risk evaluation of applications that collect, store or transmit personal information, and enforce separation of roles and responsibilities [ CITATION Was20 \l 1033 ]; these requirements are applied at each stage of the software development life cycle. For system security, security analysis and configuration play the main role, supported by a password policy, a least-privilege policy and rules for the permissions granted to files stored on a system. Finally, network security is governed by a device policy, wireless LAN policy, communication policy, firewall policy, remote connection policy, internet access policy and demilitarised zone (DMZ) policy.

Procedures: Procedures are required for raising awareness of new security policies, reporting violations of security practice, reviewing policy on a schedule, applying penalties for policy violations, and operating the controls that improve the firm's security posture. Computer-based and classroom training is given to employees on new security programs and controls. To report a violation of privacy or security policy, a privacy officer or security officer role is established and a complaint form is made available to employees and customers. The policy statement sets a procedure for reviewing the security policy two or three times a year to find weaknesses that expose the website and extranets to external attack. Employees are also taught about controls such as encryption, virus protection, physical security, employee monitoring and protection of data stored in the cloud.

Standards: The International Organization for Standardization (ISO) provides practices that strengthen security at Woolworths, and implementing ISO standards reduces uncertainty about how to improve the security posture. ISO/IEC 27002 is an important security standard: it gives practices and guidelines for meeting legislative and regulatory compliance and for achieving the security objectives of confidentiality, availability and integrity of data [ CITATION Moh191 \l 1033 ]. Its control areas include asset management, access control, operations security, environmental and physical security, human resource security, information security incident management and business continuity management. These controls and clauses protect information in the e-commerce era.

Guidelines: ISO/IEC 27002 is used as the reference document for information security guidelines in e-commerce firms. Following it gives clients and customers assurance about the information security practices at Woolworths and provides a competitive advantage [ CITATION SHS09 \l 1033 ]; it also supports trading with e-commerce partners and corporate governance.

3. Discussion and Conclusion

Information security plays a crucial role in managing an e-commerce business. This research paper on information security management at Woolworths finds that the company performs well in managing customer information, in implementing the privacy policies developed for collecting and managing personal information, and in managing its customer loyalty programs. The report covered the security aspects of Woolworths under four headings: managing information security, the laws and ethics followed to meet regulatory compliance, strategic planning and governance of security programs, and developing an information security policy. It set out the triad of security principles (confidentiality, integrity and availability), the privacy laws followed, and the types of security program established: network security, physical security, cyber-security, communication security and operations security. The regulations considered were the Privacy Act 1988 and the Spam Act 2003, together with the United States statutes cited in the literature (the Electronic Communications Privacy Act 1986, the Privacy Act 1974, the National Information Infrastructure Protection Act and HIPAA), which do not bind Woolworths directly but whose aims are mirrored in Australian law, and the PCI DSS industry standard. Strategic planning for information security is developed at three levels of the hierarchy, top, middle and lower, and governance activities are monitored and managed by a board committee through several initiatives. Finally, an information security policy was created for Woolworths to take its security to the next level, with recommended policies, procedures, standards and guidelines to protect its communication assets and e-commerce technologies from future security issues.


References

Abbott, C. & O'Dowd, K., 2020. Woolworths Hit With Largest Spam Infringement To Date. [Online] Available at: https://www.cyberwatchaustralia.com/2020/07/woolworths-hit-with-largest-spam-infringement-to-date/ [Accessed 21 August 2020].

Anwar, M. J., Gill, A. Q. & Beydoun, G., 2018. A review of information privacy laws and standards for secure digital ecosystems. Australia, s.n.

Chrapavy, P., 2016. Cybersecurity Risks: Are They Inflated? Salus Journal, 4(2), pp. 19-31.

Hasib, M., 2013. Impact of Security Culture on Security Compliance in Healthcare in the United States of America: A Strategic Information Assurance Approach. s.l.: CreateSpace Independent Publishing Platform.

Hussain, M. A., 2013. A Study of Information Security in E-Commerce Applications. International Journal of Computer Engineering Science (IJCES), 3(3), pp. 1-9.

International Comparative Legal Guides (ICLG), 2019. Australia: Cybersecurity Laws and Regulations 2020. [Online] Available at: https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/australia#:~:text=In%20Australia%2C%20unauthorised%20access%20to,both%20State%20and%20Federal%20legislation.&text=Persons%20suspected%20of%20unauthorised%20access,modification%20of%2C%20re [Accessed 21 August 2020].

Mir, S. Q. & Quadri, S. M. K., 2016. Information Availability: An Insight into the Most Important Attribute of Information Security. Journal of Information Security, 7(3), pp. 185-194.

Schinagl, S. & Shahim, A., 2020. What do we know about information security governance? "From the basement to the boardroom": towards digital security governance. Information and Computer Security, 28(2), pp. 261-292.

Sharma, G. & Lijuan, W., 2014. Ethical perspectives on e-commerce: an empirical investigation. Internet Research, 24(4), pp. 414-435.

Sharma, M. et al., 2019. IAS Mains Paper 3: Technology, Economic Development, Bio Diversity, Environment, Security & Disaster Management 2020. s.l.: Arihant Publications (India) Limited.

Solms, S. & Solms, R., 2009. Information Security Governance. 1st ed. New York: Springer US.

Washington University, 2020. Application Security Policy. [Online] Available at: https://informationsecurity.wustl.edu/policies/application-security-policy/ [Accessed 21 August 2020].

White, G., 2009. Strategic, Tactical, & Operational Management Security Model. Journal of Computer Information Systems, pp. 71-75.

Woolworths Group, 2020. Australian Food: Woolworths Supermarkets. [Online] Available at: https://www.woolworthsgroup.com.au/page/about-us/our-brands/supermarkets/Woolworths/ [Accessed 20 August 2020].

Woolworths Group, 2019. Better Together 2019 Annual Report. Australia: Woolworths Group.

Woolworths, 2020. Woolworths Group Privacy Policy. [Online] Available at: https://www.woolworths.com.au/shop/discover/about-us/privacy-policy [Accessed 21 August 2020].


Appendix

Mission: The mission of Woolworths is to develop and deliver the best, most convenient and highest-quality value-adding products to customers.

Vision: The vision of Woolworths is a passionate commitment to its people, its customers, the planet and its way of doing business.

Values: The core values followed by Woolworths in running the business are:

• Inspirational

• Collaborative

• Customer obsessed

• Quality

• Being responsible

URL of the website: https://www.woolworthsgroup.com.au/page/about-us#:~:text=A%20BUSINESS%20BUILT%20ON%20INTEGRITY,-Unwavering%20dedication&text=Unwavering%20dedication-,We%20are%20on%20a%20mission%20to%20deliver%20the%20best%20in,and%20quality%20for%20our%20customers.&text=We%20employ%20201%2C000%20team%20members,across%20our%20brands%20every%20week.
