O-ISM3 Test Use Case
Ambiguous Ltd is a travel agency located in Madrid, Spain. Their business is selling retail travel packages both online and through their offices, which are at street level on a main street. The most important system they own and operate is the Package Sales System, which they use for advertising, sales, and bookings. This system interfaces with the Amadeus GDS system (checking availability and bookings), with VISA (payments), and with an equivalent system of a Moroccan partner (MTravel), as Morocco is a popular destination for Spanish tourists and represents a significant part of the company's business.
The owner of Ambiguous Ltd has put Myrna in charge of IT, among other responsibilities. Myrna has hired you to find out which security measures (controls or processes) would provide the highest return on investment for Ambiguous Ltd. Myrna will take care of implementation. Your first (and only) task is to make an assessment of Ambiguous SL's security needs.
Myrna has named Ignatius as the project manager for the Package Sales System. He is an employee of the company (Confederacy SL) that develops and maintains the Package Sales System for Ambiguous Ltd.
The Package Sales System functionality is as follows (please note this is a Use Case, so it is simpler than a real-life case):
- Create, Modify and Delete Travel Packages.
- Sell Travel Packages both online and at the office.
- Receive feedback from customers and the public in general.
- Send Travel Package offers to subscribers.
- Manage Claims and Issues.
A high level view of the Package Sales System Database reveals the following data resources:
- Travel Package Archive
- Sales Archive
- Feedback Archive
- Offers Archive
- Claims, Feedback and Incidences Archive
The following list of actions can be performed on each data resource:
- Travel Package Archive: Create, Update, Retire, Publish, Unpublish.
- Sales Archive: Book, Release, Sell, Refund, Update.
- Feedback Archive: Create, Update, Close.
- Offers Archive: Create, Update, Retire, Publish.
- Claims, Feedback and Incidences Archive: Create, Update, Close.
- Sales Statistics Report Archive: Create, Close
There are certain requirements about who can do what, and where they can do it:
- Only the sales manager can Create, Update and Publish Travel Packages.
- Each salesperson can only view the personal information of his or her own clients.
- Only the sales manager and the person assigned to Feedback and Claims can view the personal information of all clients.
- Only the owner of the company can access the Sales Statistics Report.
- Only the sales manager can create Offers.
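One way to turn the requirements above into a deny-by-default check and to list the actions that no requirement assigns to a role. This is an added example, not part of the original use case; the role identifiers and function names are assumptions, as is reading "access the Sales Statistics Report" as covering every action on that archive.

```python
# Added example, not part of the use case. Role identifiers are assumptions.
# Actions per data resource, as listed in the use case.
ACTIONS = {
    "Travel Package Archive": {"Create", "Update", "Retire", "Publish", "Unpublish"},
    "Sales Archive": {"Book", "Release", "Sell", "Refund", "Update"},
    "Feedback Archive": {"Create", "Update", "Close"},
    "Offers Archive": {"Create", "Update", "Retire", "Publish"},
    "Claims, Feedback and Incidences Archive": {"Create", "Update", "Close"},
    "Sales Statistics Report Archive": {"Create", "Close"},
}

# Stated "only X can ..." requirements: (resource, action) -> permitted roles.
# Assumption: "access the Sales Statistics Report" covers every action on it.
RULES = {
    ("Travel Package Archive", "Create"): {"sales_manager"},
    ("Travel Package Archive", "Update"): {"sales_manager"},
    ("Travel Package Archive", "Publish"): {"sales_manager"},
    ("Offers Archive", "Create"): {"sales_manager"},
    ("Sales Statistics Report Archive", "Create"): {"owner"},
    ("Sales Statistics Report Archive", "Close"): {"owner"},
}
# Roles allowed to view the personal information of every client.
PII_ALL_CLIENTS = {"sales_manager", "feedback_and_claims"}


def is_allowed(role, resource, action):
    """Deny by default: permit only what a stated requirement grants."""
    return role in RULES.get((resource, action), set())


def can_view_client_pii(role, user, client_salesperson):
    """A salesperson sees only his or her own clients' personal information."""
    if role in PII_ALL_CLIENTS:
        return True
    return role == "salesperson" and user == client_salesperson


def unassigned_actions():
    """Actions the use case lists but for which no requirement names a role."""
    return sorted((res, act) for res, acts in ACTIONS.items()
                  for act in acts if (res, act) not in RULES)


if __name__ == "__main__":
    for resource, action in unassigned_actions():
        print(f"no stated owner: {resource} / {action}")
```

Every pair that unassigned_actions() reports is denied to all roles by is_allowed() until a requirement names who may perform it.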
Certain parts of the Package Sales System are licensed, namely the Operating System, Application Server and Database.
As the company and systems are located in Spain, the Package Sales System needs to comply with the DPA. Since the Package Sales System manages VISA payments, it needs to comply with PCI-DSS.
Some of the users of the Package Sales System are employees of Ambiguous Ltd, some are temps from Adecco. The administrators of the Package Sales System are employees of Confederacy SL. The general public of Spain is a user and they can purchase Travel Packages through the application. The application does not serve the public of countries other than Spain. Persons under the age of 18 can ask for feedback and sign up for offers, but they can't purchase Travel Packages.
The system is located in a properly conditioned room inside the office. The system interfaces with the Internet via a high-speed fiber optic connection. The system interfaces with the interconnected systems and users via mail, file transfers and a VPN that connects directly with the MTravel network.
The system is expected to work 24x7, but maintenance stoppages of no more than one hour per week during non-business hours (from 9 to 5 from Tuesday to Sunday) are acceptable. The longest time that the system can be offline during business hours is 2 hours, because sales can be performed with a TPV (point-of-sale terminal) and handwritten notes can partially replace the use of the system. In case of a major malfunction of the system, it would be acceptable to lose one day of data, since most data could be reconstructed by checking with VISA, Amadeus and MTravel. It is understood that all "live" transactions would be lost in case of an incident.
Data needs to be archived for 5 years in order to meet tax regulations. After ten years data should be deleted permanently, as customer behaviour changes over time and data is no longer useful for Business Intelligence.
Sales representatives and customers sometimes make mistakes entering data. This is acceptable as long as no more than one percent of the records contain inaccurate information.
In order to create an account in the Package Sales System, potential clients can log in using Facebook or create an account linked to their email address. They can unlink or delete the account at any time, but that does not delete any data in the database if they have purchased a Travel Package, even if they cancelled the purchase. In order to create an account for a user in the Package Sales System, the Sales Manager sends an email to the Administrator. The email states what functions the user should be able to perform. The general public doesn't need an account to provide feedback or sign up for the Offers newsletter.
Customers who lose their passwords to the Package Sales System can request a new one and a link will be sent to their email address. Users who lose their password to access the Package Sales System need to physically visit the Administrator, who resets the password and gives it to them in a written note.
As some Offers expire at midnight, the Package Sales System should prevent customers from purchasing Travel Packages after they have expired, even by a few seconds.
There is a development environment that Confederacy SL maintains in their own data center, and a pre-production environment at the Ambiguous SL office.
The current administrator is subscribed to email lists that notify him of security updates. The Administrator has configured the system using security guidelines found on the Internet for every component. Security patches have not been applied since a patch caused a half day downtime.
The Administrator changes about once every six months.
The system has no malware protection.
The domain has been registered with Piensasolutions.es. The digital certificates used by the system are from Thawte. No one has been assigned the responsibility to manage the domain or the certificates.
The system logs all the sales activity, but not any other activity.
There is no Firewall. The internet connectivity provider (Telefonica) provides a service that is supposed to provide "clean" traffic.
No part of the Package Sales System is located in a publicly accessible location.
No part of the Package Sales System is accessible via mobile application, but there are plans to incorporate a solution for this.
No part of the Package Sales System is exposed to extreme environmental conditions.