Managerial Accounting: The Cornerstone of Business Decision-Making
7th Edition
ISBN: 9781337115773
Author: Maryanne M. Mowen, Don R. Hansen, Dan L. Heitger
Publisher: Maryanne M. Mowen, Don R. Hansen, Dan L. Heitger
Chapter 13: Emerging Topics In Managerial Accounting
Section: Chapter Questions
Problem 39E

Angela Adventure is a major national retailer specializing in outdoor sports, hunting, fishing, and camping, including a wide variety of all-terrain vehicles (ATVs), which inspired its name. The company has operations currently based in the Philippines and has a long-term business plan to expand its retail centers to selected parts of South-East Asia (SEA). As part of ongoing current operations, management has asked an internal information system (IS) auditor to review the company’s readiness for complying with requirements for protecting cardholder information. This is meant to be a high-level overview of where the firm stands and not a point-by-point review of its compliance with the specific standard. The point-by-point review would be undertaken as a separate engagement later in the year.
During the initial assessment, the IS auditor learned the following information:
• Point-of-sale (POS) register encryption. The retailer uses wireless POS registers that connect to application servers located at each store. These registers use wired equivalent protection (WEP) encryption.
• POS local application server locations. The POS application server, usually located in the middle of each store’s customer service area, forwards all sales data over a frame relay network to database servers located at the retailer’s corporate headquarters, with strong encryption applied to the data, which are then sent over a virtual private network (VPN) to the credit card processor for approval of the sale.
• Corporate database location. Corporate databases are located on a protected screened subset of the corporate local area network.
• Sales data distribution. Weekly aggregated sales data, by product line, are copied as-is from the corporate databases to magnetic media and mailed to a third party for analysis of buying patterns.
• Current enterprise resource planning (ERP) system compliance. The current state of the company’s ERP system is such that it may be out of compliance with newer laws and regulations. During the initial assessment, the IS auditor determined that the ERP system does not adhere to the EU’s General Data Protection Regulation (GDPR).
Additionally, Angela Adventure’s database software has not been patched in over two (2) years, due to a few factors:
• The vendor’s support for the database package was dropped due to it being acquired by a competitor and refocusing the remaining business to other software services.
• The company’s management has implemented plans to upgrade to a new database package. The upgrade is underway; however, it is taking longer than anticipated.
Sizeable customizations were anticipated and are being carried out with a phased approach of partial deliverables about the database upgrade. These deliverables are released to users for pilot usage on real data and actual projects. Concurrently, the design and programming of the next phase are ongoing. Despite positive initial test results, the internal audit group has voiced that it has not been included in key compliance decisions regarding the configuration and testing of the new system. Also, operational transactions are often queued, or “hang” during execution, and more and more frequently, data are corrupted in the database. Additional problems have shown up wherein errors already corrected have started occurring again and functional modifications already tested tend to present other errors. The project, already late, is now in a critical situation.

Required:

a. Identify the event in the above scenario that would present the MOST significant risk to the retailer. Justify your answer.

b. Identify the MOST important detail/item that an IS auditor must include in its preliminary report to the management about the database upgrade. Justify your answer sentences.

c. Identify the control in the above scenario that is MOST important to be implemented. Justify your answer.
