An information security risk assessment of Topshop retail


Top Shop

IS Audit Report

Contents

Executive summary
Case Background
Audit plan
Audit Plan Framework
Interview Questions & Documents

Executive summary

An information security risk assessment is a continuing process of discovering, correcting and preventing security problems. The threat assessment is an essential part of a risk management practice designed to provide suitable levels of security for information systems. An information security risk assessment is a component of sound protection practice and is required by the Commonwealth Enterprise Information Security Policy (Davis, 2011). Risk assessments and the related documentation are also an important part of compliance with the Health Insurance Portability and Accountability Act (HIPAA) security standards.

A risk assessment helps each agency decide the tolerable level of risk and the consequent security requirements for every system. The agency then plans, executes and examines a set of security measures to address the level of known risk.

This executive summary outlines the significant security vulnerabilities relating to the theft of credit card data, which is an information security risk associated with Top Shop retail (Gillies, 2011). The risks and vulnerabilities indicated in this audit report relate to the following key areas:

  1. Probable theft of data through manipulation of card readers at the point of sale systems
  2. Probable breaches within the Top Shop retail company's network
  3. Probable theft of information from company servers

For each department outlined, audit objectives are stated that must be met to ensure Top Shop is in full conformity with the set standards and regulations. All parties anticipate strict compliance during the audit process: significant questions will be answered honestly, and supporting documentation for the appropriate objectives will be made available once requested.

Recommendations have been offered with expected compliance from Top Shop retail to ensure the security of its current systems and information, as well as information relating to its customers.

Case Background

Top Shop is a British multinational fashion retailer of clothing, shoes, make-up and accessories. Top Shop has around 500 stores globally, of which around 300 are located in the UK, plus online operations in a number of its markets. Top Shop started as a brand extension of a department store which initially sold fashion by young British designers. It expanded rapidly after changing its name to Top Shop, which resulted in increased sales and high profits (Vacca, 2012). To help maintain and manage its diverse range of chains and customers, Top Shop used a number of security information systems to assist with the task. The information systems employed include:

Top Shop deployed a network throughout its offices, with all computers linked to one central point. One manager is stationed at the server office to monitor all the linked systems. Top Shop, being a large shop selling highly rated clothes, adopted this security method, with a general screen installed in an open place allowing real-time monitoring of stock from different locations.

A point of sale system that handles over-the-counter transactions and monitors various types of goods. Here Top Shop employed three types of security system:

  1. Managers in different locations had point of sale software installed on their computers to help them manage existing stock values, pricing and locations.
  2. Checkout points handle the transactions and monitor the flow of stock and how it is being sold or refunded.
  3. Managers have other staff stationed at the door to cross-check actual sales against the receipt produced by the system. This helps reduce the occurrence of unrecorded transactions that lead to loss of products (Whitman, 2011).

This audit report mainly focuses on Top Shop's instant checkout point of sale, which is a credit card based system. Top Shop has several point of sale terminals linked to one central server operated by a senior manager in the organisation. The server serves as a temporary cache: information sent from the card reader is decoded and instantly compared with Top Shop records before it is re-encrypted and forwarded over a secured internet connection to the appropriate financial endpoint. Each card reader installed on a particular system handles the following primary functions:

  1. The system can read the details on the credit card
  2. The system can validate credit card details
  3. The system is able to collect credit card details
  4. The system is able to receive transaction details
  5. The system is able to print transaction details such as the list of items purchased and the time and date the purchase took place


Risk is the major threat for Top Shop, a retailer well known to be vulnerable to major threats in its day-to-day operations (Vacca, 2012). Weak risk areas include:

  1. Device tampering at the point of manufacture, which would cause exceptional loss of customer information and affect multiple businesses that rely on the manufacturer for the units. Both the affected business and the manufacturer would lose their reputation as a result.
  2. Device tampering at the business's storage, which could cost the company its reputation through the loss of many customers' information and expose flaws in company practices previously deemed helpful.
  3. Point of sale manipulation of the company systems, which would cause loss of customer information, expose customers to significant risks and eventually cost the business its reputation.
  4. A broken network that causes loss of customer information from the system, leading to loss of reputation and eventually loss of customers (Montesino, 2011).
  5. Compromise errors that may cause a large loss of customer information and expose risks in the company network, leading to loss of the company's good reputation.
  6. Open servers that may cause loss of customer information and of Top Shop's most sensitive information, also leading to loss of company reputation.

Audit plan

An audit plan is the specific set of guidelines followed when conducting an audit; it helps the auditor obtain appropriate evidence that is sufficient for the circumstances.

Audit Areas and Objectives

Card reader devices

  1. Make sure all component functionality is tested once the components are received
  2. Make sure all elements are compliant with appropriate standards and practices
  3. Make sure the testing area has proper protection and anti-virus scanners

Device manipulation prevention

  1. Make sure proper staff segregation of duties is enforced
  2. Ensure appropriate security measures are in place, such as restricted personnel access
  3. Make sure the storage location is adequate for high risk items
  4. Inspect how the device is installed at the point of sale

Top Shop company network

  1. Verify that the passwords used are valid and functioning
  2. Make sure traffic checking is in use to watch for suspect information
  3. Make sure proper security protocols and practices are in place, such as anti-virus and staff access restrictions
  4. Verify how external drives such as flash drives are treated and whether procedures are in place to stop infections from spreading

Top Shop retail

  1. Make sure the passwords used are valid and functioning
  2. Make sure proper security protocols and practices are in place, such as anti-virus and staff access restrictions
  3. Verify how external drives such as flash drives are treated and whether procedures are in place to stop infections from spreading
  4. Make sure proper staff division of duties is enforced
  5. Make sure proper server segregation is enforced

Audit Plan Framework

The international accounting and auditing body has taken steps to develop a Framework for Audit Quality that articulates the input and output factors contributing to audit quality at the engagement level. The Linux audit framework was chosen because it helps make the system more secure by providing a means to analyse what is happening on the system in great detail, as well as aiding in writing and implementing new information technology control systems (Whitman, 2011).

The Linux audit framework provides the following features, making it well suited for this examination:

  1. Capability to provide the requesting party with audit opinions
  2. Defines objectives and ways they can align with company goals
  3. Satisfies statutory requirements

Interview Questions & Documents

For each audit objective below, the questions asked and the evidence collected are listed.

Make sure all component functionality is tested once received

  1. Steps used to test functionality
  2. Demonstrate testing

Make sure all components are compliant with the relevant standards and practices

  1. Demonstrate how the unit complies with standards and procedures
  2. Ask for conformity reports
  3. Steps taken to make sure the unit is in conformity

Testing area has proper protection such as anti-virus scanners

  1. Show reports regarding the protection used in the testing area, along with its features
  2. Show what protection is in place
  3. Demonstrate whether the protection functions as intended

Appropriate staff division of duties is enforced

  1. Provide a list of staff and the areas they may access
  2. Ask staff at random about the areas they may access
  3. Get a list of who has access to high risk areas

Suitable security measures are in place, such as restricted personnel access

  1. Make sure security measures are installed
  2. Demonstrate that the security is functioning as intended
  3. Present documentation on installed security devices
  4. Provide an office layout showing where devices are located

Storage location is sufficient for high risk products

  1. Inspect the type of security measures in place
  2. Request the layout of the storage room
  3. Staff access logs for the room

Inspect how the device is installed at the point of sale

  1. Inspect how the device is installed at the point of sale
  2. Request records of who has access to the device
  3. Security measures in place to prevent manipulation

Authenticate that the password used is valid and functioning properly

  1. Ask what practices are in place to ensure keys are valid, unique and secure
  2. Inspect who has access to the key and what duties they have
  3. Log report on previous keys

Traffic checking is in use to watch for suspect data

  1. Methods in place to detect suspect data and how it is handled
  2. Traffic monitoring reports/logs
  3. Demonstration and test of how suspect data is dealt with
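As an added example (not part of the student report, and not Top Shop's own tooling), the following Python script shows a minimal version of the traffic check this objective asks for: it scans constructed gateway log lines for card numbers sent in clear text, applying the same Luhn validation the case background attributes to the card reader so that digit runs which merely resemble a card number are not flagged. The log format, terminal names and destinations are assumed.

```python
import re

# Constructed sample log lines (not from the report): a POS gateway forwarding
# tokenised transactions to the acquirer, plus two lines where a card number
# (PAN) leaves the store network in clear text. The card numbers are public test values.
SAMPLE_LOG = """\
10:01:02 pos-07 -> acquirer token=tok_8f3a21 amount=49.99 status=ok
10:01:09 pos-03 -> acquirer token=tok_19bc77 amount=120.00 status=ok
10:02:15 pos-07 -> 203.0.113.9 pan=4111111111111111 exp=0917 cvv=123
10:02:40 pos-11 -> acquirer token=tok_55de02 amount=15.50 status=ok
10:03:01 pos-03 -> 198.51.100.7 POST /u card=5500000000000004 name=J
10:03:30 pos-07 -> acquirer ref=1234567890123 amount=7.00 status=ok
"""

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card readers to validate a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits so a finding can be logged safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log(text: str) -> list:
    """Return (line_no, terminal, destination, masked_pan) for every log line
    that carries a Luhn-valid PAN in clear text; lookalike digit runs are skipped."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_valid(digits):
                continue  # e.g. an order reference that merely looks like a PAN
            fields = line.split()  # time, terminal, "->", destination, ...
            findings.append((n, fields[1], fields[3], mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for n, term, dest, pan in scan_log(SAMPLE_LOG):
        print(f"line {n}: {term} sent {pan} to {dest}")
```

On the constructed sample the two clear-text card numbers are reported with their destination addresses, while the order reference on the last line is rejected by the Luhn check.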

Check how external media such as flash drives are treated and whether measures are in place to prevent infections from spreading

  1. Procedures in place to handle external media
  2. Demonstration and test of how it is handled
  3. What steps are taken if a virus is detected

Proper server segregation is enforced

  1. Check server locations
  2. Ask what happens in various scenarios to determine whether only one or multiple systems are affected
  3. Check server logs


The following is a list of recommendations to mitigate, identify or handle the risks indicated in this audit report.

Device manipulation

All components received should be properly tested to ensure no manipulation has occurred and that they function normally (Montesino, 2011). Any units found to have substandard modifications or to contain viruses would then be plainly discoverable, preventing theft of customer data and making it easier to trace where such problems came from.

Storage

The storage facility used to store the point of sale devices should be substantially protected to prevent unauthorised contact by some staff or even outsiders (Whitman, 2013). These facilities should have cameras watching the area, connected to an alarm, and constrained staff access using passwords to log in. This makes it very easy to discover who has been in the storage area should any issue arise.

Ready device

Once the device has been set up, its location should be carefully checked to make sure no vulnerable areas are present. For example, the exposure of certain parts could allow a staff member or customer to tamper with the device unnoticed. Moreover, the area should remain under supervision to record suspicious activity.

Manipulated network

Appropriate security measures would ensure that no suspicious staff or outside access occurs on the network (Zhu, 2011). Implementing a firewall would significantly limit access to authorised personnel, while anti-malware applications detect threats inside the network to prevent possible information leakage.

Manipulated password

A compromised password would mean that any protected data taken from a server or network could be easily decoded and viewed. To mitigate this risk, the use of a strong key is vital; this can be further improved by changing the password after a defined period.

Open servers

Server rooms must remain well protected because they contain the company's most sensitive information (Gillies, 2011). Accurate measures that scan for malware, together with firewalls, would eradicate many of the risks; in addition, server separation would ensure that all components are kept separately.


References

Davis, C., Schiller, M. & Wheeler, K., 2011. IT auditing: using controls to protect information assets. McGraw-Hill.

Gillies, A., 2011. Improving the quality of information security management systems with ISO27000. The TQM Journal, 23(4), pp. 367-376.

Maggs, D., 2012. Topshop potential threats. [Online] Available at: [Accessed 16 Apr. 2015].

Montesino, R. & Fenz, S., 2011. Information security automation: how far can we go? In: Availability, Reliability and Security (ARES), 2011 Sixth International Conference, pp. 280-285.

Vacca, J. R., 2012. Computer and information security handbook. Newnes.

Whitman, M. & Mattord, H., 2011. Principles of information security. Cengage Learning.

Whitman, M. & Mattord, H., 2013. Management of information security. Cengage Learning.

Zhu, Y. et al., 2011. Dynamic audit services for integrity verification of outsourced storages in clouds. In: Proceedings of the 2011 ACM Symposium on Applied Computing, pp. 1550-1557.