6.2.1.2 Financial Impact
Panthera's management understands that a breach of sensitive customer information or customer credit card information would be a serious financial and reputational setback for their business. First, upon learning of a breach, customers would lose their faith in Panthera Retail, naturally causing a serious drop in revenues; the other consequence of a security breach, especially a breach of credit card information, would be the fines levied on Panthera by the issuing banks and payment brands. These fines, coupled with lower revenues from customers, would result in seriously adverse conditions for Panthera's finances, reputation, and growth prospects. Preventing an information security breach, and thereby preventing an adverse financial impact, is one of the key security policy objectives for Panthera.
6.2.1.3 Security Compliance and Regulations
Security compliance is one of the important objectives for Panthera. Merchants all across the United States have been driven by their acquiring banks and the payment brands to comply with the requirements of the PCI-DSS standard. Panthera's acquiring bank, BancoAmerica, has required them to become compliant with the PCI requirements in order to continue accepting credit card transactions. Panthera is also concerned about the large fines being levied on entities that suffer breaches of customer credit card information. There have been several instances in recent times where customer credit card information has been stolen from large merchants and credit card processors. These entities have been fined heavily for the security breach.
6.3 Threat Analysis
6.3.1 Threat Profiling
Panthera's management and operational stakeholders have identified the critical information assets, security objectives, and broad security requirements for the application. Threat profiling is the next logical and important step in the risk assessment process for a Web application. A threat profile is where a range of threat scenarios are identified, and where threats to the critical information assets are envisioned and documented. The threat-profiling phase is made more effective by including certain important stakeholders, such as application architects and information security professionals in the organization. These stakeholders are able to provide a much clearer technical security viewpoint based on the organization's requirements.
While it is important for threat profiling to be as comprehensive as possible, it is equally important to recognize that not all possible threats can be envisioned at this initial stage. Several threat scenarios might change as the application and its design change, or while application security testing is performed. Threat profiles need to be updated based on these changes, and protection strategies might have to be developed or revised accordingly.
Table 6.3 shows the results of Panthera's threat-profiling phase.