Scenario The Entertainment Team (ET — part of Resort Operations at Padgett-Bea

Scenario
The Entertainment Team (ET — part of Resort Operations
at Padgett-Beale, Inc.) is excited about a new event management platform and is
ready to go to contract with the vendor. This platform is a cloud-based service
that provides end-to-end management for events (conferences, concerts,
festivals). The head of Marketing & Media (M&M) is on board and
strongly supports the use of this system. M&M believes that the data
collection and analysis capabilities of the system will prove extremely valuable
for its efforts. Resort Operations (RO) also believes that the technology could
be leveraged to provide additional capabilities for managing participation in
hotel sponsored “kids programs” and related children-only events.
The arm of a hotel guest wearing an RFID band while
sitting poolside
For an additional fee, the event management platform’s
vendor will provide customized Radio Frequency Identification (RFID) bands to
be worn by attendees. 
The RFID bands and RFID readers use near-field
communications to identify the wearer and complete the desired transactions
(e.g. record a booth visit, make a purchase, vote for a favorite activity or
performer, etc.).
The RFID bands have unique identifiers embedded in the
band that allow tracking of attendees (admittance, where they go within the
venue, what they “like,” how long they stay in a given location,
etc.). 
The RFID bands can also be connected to an attendee’s
credit card or debit card account and then used by the attendee to make
purchases for food, beverages, and souvenirs. 
For children, the RFID bands can be paired with a
parent’s band, loaded with allergy information, and have a parent specified
spending limit or spending preauthorization tied to the parent’s credit card
account.
The head of Corporate IT has tentatively given approval
for this outsourcing because it leverages cloud-computing capabilities. IT’s
approval is very important to supporters of this the acquisition because of the
company’s ban on “Shadow IT.” (Only Corporate IT is allowed to issue
contracts for information technology related purchases, acquisitions, and
outsourcing contracts.) Corporate IT also supports a cloud-based platform since
this reduces the amount of infrastructure which IT must support and manage directly.
The project has come to a screeching halt, however, due
to an objection by the Chief Financial Officer. The CFO has asked that the IT
Governance Board investigate this project and obtain more information about the
benefits and risks of using RFID bands linked to an external system which
processes transactions and authorizations of mobile / cashless payments for
goods and services. The CFO is concerned that the company’s PCI Compliance
status may be adversely affected.
The Chief Privacy Officer has also expressed an objection
about this project. The CPO is concerned about the privacy implications of
tracking both movement of individuals and the tracking of their purchasing
behaviors.
The IT Governance Board agreed that the concerns
expressed by two of its members (the CFO and CPO) have merit. The board has
requested an unbiased analysis of the proposed use cases and the security and
privacy issues which could be reasonably expected to arise. 
The IT Governance Board has also agreed to a request from
the Chief of Staff that the management interns be allowed to participate in
this analysis as their final project. Per the agreement, their involvement will
be limited to providing background research into the defined use cases for
cashless purchases.
Case:
Task
Purchases for craft
materials and snacks by children (under the age of 13) attending a hotel
sponsored “kids club” program.
Research one or more of the Use Cases
E. (2024, June 17). What benefits of RFID wristbands for
hotels, resorts & theme parks? RFIDSilicone. Retrieved June 17, 2024, from https://www.rfidsilicone.com/blog/industry-news/what-benefits-of-rfid-wristbands-for-hotels-resorts-theme-parks.html
(see section 4: Family Freedom)
Zougar, Y. (2018, July 27). An introduction to RFID.
INFOSEC. Retrieved June 13, 2024, from https://www.infosecinstitute.com/resources/general-security/an-introduction-to-rfid/#:~:text=RFID%20stands%20for%20Radio%20Frequency,order%20to%20transmit%20and%20receive
A. W. (2019, June 15). TAPPIT LAUNCHES NEW RFID WRISTBAND
SAFETY FUNCTIONALITY. TAPPIT. Retrieved June 17, 2024, from https://tappit.com/resources/blog/rfid-wristband-safety
4. Find and review at least two additional
resources on your own that provides information about privacy and security
related laws that could limit or impose additional responsibilities upon
Padgett-Beale’s collection, storage, transmission, and use of data about
guests. (Note: laws may differ with respect to collecting data from or about
children.) You should also investigate laws, regulations, or standards which
impact the use of the RFID bands for mobile purchases.
5. Using all of your readings, identify and
research at least 7 security and privacy issues which the IT Governance Board
needs to consider and address as it considers the implications of your chosen
use case upon the adoption or rejection of the proposed IT project (Event
Management Platform & RFID bands).
6. Then, identify 7 best practices that you can
recommend to Padgett-Beale’s leadership team to reduce and/or manage risks
associated with the security and privacy of data associated with the event
management platform.
Write
Write a five to seven (5-7) page report using your research.
At a minimum, your report must include the following:
An introduction or overview of event management systems and
the potential security and privacy concerns which could arise when implementing
this technology.  This introduction
should be suitable for an executive audience. Provide a brief explanation as to
why three major operating units believe the company needs this capability.
An analysis section in which you address the following:
Identify and describe your chosen Use Case
·        
Identify and describe 7 or more types of
personal / private information or data that will be collected, stored,
processed, and transmitted in conjunction with the use case.  
·        
Identify and describe 5 or more compliance
issues related to the use of the RFID bands to make and track mobile purchases.
·        
Analyze and discuss 7 or more privacy and
security issues related to the use case.
·        
Identify and discuss 3 or more relevant laws,
regulations, or standards which could impact the planned implementation of the
event management system with RFID wrist bands.
A recommendations section in which you
identify and discuss 8 or more best practices for security and privacy that
should be implemented before the technology is put into use by the company.
Include at least 2 recommendations in each of the following categories: people,
processes, policies, and technologies.
A closing section (summary) in which you summarize
the issues related to your chosen use case and the event management platform
overall. Include a summary of your recommendations to the IT Governance Board.
Must incorporate at least 5 of these resources into
your final deliverable. You must also include 2 resources that you found on
your own.
Research report should use standard terms and definitions
for cybersecurity.
References
GOV, U. (n.d.). Protecting Intellectual Property in the
United States: A Guide for Small and Medium-Sized Enterprises in the United
Kingdom. STOPfakes:Uspto.gov. Retrieved June 9, 2024, from https://www.uspto.gov/sites/default/files/documents/UK-SME-IP-Toolkit_FINAL.pdf
Alto, P. (n.d.). What is an Exploit Kit? Palo Alto.
Retrieved June 9, 2024, from https://www.uspto.gov/sites/default/files/documents/UK-SME-IP-Toolkit_FINAL.pdf
Z. (n.d.). Anatomy of APT: Advanced Persistent Threat
Guide. Zenarmor. Retrieved June 9, 2024, from https://www.zenarmor.com/docs/network-security-tutorials/what-is-advanced-persistent-threat-apt
Limacher, M.,
& Fauconnet, L. (n.d.). The Legal and Ethical Guardrails for Sound
Competitive Intelligence. Pragmatic Institute. Retrieved June 13, 2024, from https://www.pragmaticinstitute.com/resources/articles/product/the-legal-and-ethical-guardrails-for-sound-competitive-intelligence/
Radar, C. (n.d.). The Legal and Ethical Guardrails for
Sound Competitive Intelligence. CI Radar. Retrieved June 13, 2024, from https://ciradar.com/competitive-intelligence-blog/insights/2017/12/22/the-ethics-of-competitive-intelligence-where-uber-crossed-the-line
Zougar, Y. (2018, July 27). An
introduction to RFID. INFOSEC. Retrieved June 13, 2024, from https://www.infosecinstitute.com/resources/general-security/an-introduction-to-rfid/#:~:text=RFID%20stands%20for%20Radio%20Frequency,order%20to%20transmit%20and%20receive
Awati, R. (2022, June 12). Segregation of duties (SoD).
WHATIs. Retrieved June 13, 2024, from https://www.techtarget.com/whatis/definition/segregation-of-duties-SoD
Counsel, U. (2022, October 27). Intellectual Theft:
Everything You Need to Know. UpCounsel. Retrieved June 9, 2024, from https://www.uspto.gov/sites/default/files/documents/UK-SME-IP-Toolkit_FINAL.pdf
Miller, M. (2023, June 13). What Is Least Privilege &
Why Do You Need It? BeyondTrust. Retrieved June 13, 2024, from https://www.beyondtrust.com/blog/entry/what-is-least-privilege
S. (2023, June 27). Data Exfiltration: Prevention, Risks
& Best Practices. Splunk’. Retrieved June 9, 2024, from https://www.splunk.com/en_us/blog/learn/data-exfiltration.html
M. D. (2023, August 31). An IP Guide for the Corporate
Legal Practitioner: IP Theft and the Major Threats to Your Client’s IP.
DILWORTH. Retrieved June 13, 2024, from https://www.dilworthip.com/resources/news/threats-to-intellectual-property/
A. W. (2023, October 3). The Top 3 Cyber Attack Vectors.
ARTICWOLF. Retrieved June 9, 2024, from https://arcticwolf.com/resources/blog/top-five-cyberattack-vectors/