1. INFO 380 - Team AE5 - Green Lake Games Shipping Analysis Project
FINAL PROPOSAL
University of Washington - iSchool
Information Systems Analysis and Design
INFO 380 - Winter 2015 - Team AE5
Emmanuel “Izzy” Gambliel, Prottush Hossain
Sunny Jayswal, Seth Kvam
EXECUTIVE SUMMARY
Green Lake Games’ current shipping process has no major flaws that impede
day-to-day operations. However, there are several refinements that can
be implemented to make the entire system more efficient, robust, scalable, and
resilient to interference.
INTRODUCTION
A dependable order processing structure is paramount for the success of any business
wishing to satisfy its customers--especially so for a business exposed to 21st century
America’s growing desire for instantaneous gratification. Amazon Prime, Amazon
Fresh, digital downloads, and countless other technological innovations are
conditioning us to expect our desired products quickly. This may cause us to stop using
any service that fails to meet that expectation, or is simply not fast enough. What an
average customer can’t easily see are the moving pieces that make up their order. The
transfer of information to complete the order all happens behind the scenes, in the
payment processing, order sorting, order picking, product sorting, package
formation, and package transportation processes. It is critical that these processes
stay out of customers’ minds, as that indicates they are
working to their potential. A satisfied customer should never need to spend energy
worrying about the logistics of their order’s processing and can instead focus on the product
itself and its market. This is what can be achieved with dependable order processing.
Over this quarter, our team has interviewed employees, examined documents, and
shadowed procedures to obtain a comprehensive grasp over Green Lake Games’ order
processing system. Using the knowledge, strategies, and conceptual thinking taught in
the UW iSchool’s ‘Information Systems Analysis and Design’ course, we will present
our analysis and professional opinion for potential increases in efficiency.
TABLE OF CONTENTS
Executive Summary
Introduction
Table of Contents
Problem Statement
Project Scope
Behavioral Analysis
Placing the Order: Customers, Amazon, and CrystalCommerce
Order Sorter
Product Picker
Product Sorter
Order Packers
Post Office Delivery
Structural Analysis
Pull Sheets
Shipping Labels
Customer Invoice
Entity Relationship Diagram and Analysis
Security Analysis
User Authentication Analysis
Amazon / CrystalCommerce Trust Boundary
CrystalCommerce / Green Lake Games Trust Boundary
Green Lake Games / U.S. Post Office Trust Boundary
Security Breach Response Procedures
Analysis
Change Proposal
PROBLEM STATEMENT
Over time, Green Lake Games has developed its operations into a very efficient order
processing system consisting of time-tested inventory management software in
CrystalCommerce, a well-trained staff, and a well-established work culture. This
means that the problems Green Lake Games does face are few and minuscule in
comparison to the risk of breaking up an already well-established system; however,
there is always potential for growth and improvement over the years to prevent
business stagnation. As a result, there is no single large problem that
we can point out as a cause for concern, but instead several smaller refinements
that can be implemented to improve the system in place.
PROJECT SCOPE
This project will cover the flow of shipping processes used by Green Lake Games
from the point that a customer places an order online to the point that the product is
passed to the Post Office. We are doing a detailed analysis with Amazon being the
primary point of contact for customer ordering, but with additional analysis done in
places to cover orders that come in directly through Green Lake Games’ webstore on
the CrystalCommerce platform.
Since this is an analysis of the Shipping Processes of Green Lake Games, it is
important to note what is not covered by this analysis project:
● Shipping done through Amazon Fulfillment
● Orders placed through eBay or In-Store sales
● Processes occurring before the Point-Of-Sale or after transfer to Post Office
● Customer Service, HR, or Management processes
● Business Analytics processes
BEHAVIORAL ANALYSIS
Green Lake Games has a well-defined set of tasks and roles in their system of
processing orders for shipment. An efficient shipping process is crucial to Green Lake
Games’ customer satisfaction, as customers have high expectations of a speedy
delivery once the order is placed. Once the order is placed, Green Lake Games has
full control of the shipping process until the product is properly packaged and
delivered to the U.S. Post Office for end user delivery. This section of analysis will
cover the physical process that an order goes through, from initial placement to the
point it reaches the Post Office.
Data Flow Overview
PLACING THE ORDER: CUSTOMERS, AMAZON, AND CRYSTALCOMMERCE
Customers order Green Lake Games’ products primarily on Amazon but can also order through
the store’s own website, which is hosted by CrystalCommerce. CrystalCommerce
handles all of Green Lake Games’ online order processing. Amazon and
CrystalCommerce are synced and once the item is paid for on Amazon, it is placed
into a “Payment Received” category on CrystalCommerce. Going one step further,
CrystalCommerce is synced accurately with Green Lake Games’ physical inventory
counts at all times. This process is relatively seamless and highly automated.
Customers order from Amazon
ORDER SORTER
An Order Sorter employee first logs in to CrystalCommerce on a web browser to begin
organizing the orders to pick and ship for that day. Next, they separate the orders
into two categories: “Preorders” and “Processing.” Orders to be moved to
“Preorders” include multiple orders placed by the same customer, orders with a
negative value created by a glitch in CrystalCommerce in combination with Amazon
promotions, all orders above $4, all orders containing more than 10 items, and
international orders. It is important to note that the title of “Preorders” is nothing
more than a placeholder for the categorical tool the store uses within
CrystalCommerce. It provides an easy way to separate orders within the full batch,
according to what their shipping grade will be. In an ideal world, this might simply be
called “Large” orders. All the remaining, “Small” orders, are grouped into
“Processing”. Again, it is important to note that all the orders could theoretically be
placed into “Processing,” but this separation is beneficial to the logistics of
shipping items with different grades. Next, the employee confirms each order has a
correct shipping grade and updated order weight. This involves iterating through all
the orders. Multiple orders by the same customer are synchronized to one shipping
label and package here. Finally, the employee begins printing the pull sheets,
invoices, and shipping labels simultaneously, with a separate printer for the shipping
labels and the pull sheets/invoices.
PRODUCT PICKER
The pull sheets are given to the Product Picker who enters the back room and picks
the cards from their places on the wall. The products on the wall and the orders on
the pull sheets are each alphabetically arranged by their respective larger group of
card set. This allows for very easy picking because the cards and the actual
arrangement of stock follow the same organization as the pull sheet. The pull sheet’s
nature is to be synchronous with the physical location of the inventory to make the
Product Picker’s job as straight-forward as possible.
PRODUCT SORTER
The Product Sorter then obtains the shipping labels, pulled cards, and invoices.
He arranges the cards by their card set and then goes through each invoice and
manually picks the cards each one calls for. These cards are then put into their own
pile, which will be in the same order as the pile of invoices. For example, an invoice
pile of: A,B,C would be matched with a card pile of: a1, a2, b1, b2, b3, b4, c1.
ORDER PACKERS
Once the products have been sorted they are packed in various ways depending on the
type of product at hand. This process is defined separately for small orders, large
orders, and board games.
The small order packing process involves stacking all the invoices, cards, and
envelopes in preparation for packing. For each order, the packer checks how many
cards there are - if the order has fewer than 4 cards, filler cards are added until the
total count of cards is 4. These filler cards have no reasonable value. The set of cards
is then sealed in a soft plastic sleeve and placed with the invoice in an envelope. If
there are more than 4 cards in an envelope, a stamp is required; otherwise a stamp is
not needed. Small orders are grouped together into large post office bins for bulk
mail shipping.
The large order packing process is similar to that of small orders, with a few key
differences. The packer first checks the invoices to see if there are multiple orders
from the same customer. After compiling all the appropriate cards from all the
invoices, the packer then assesses which cards are considered “valuable” and will put
those cards in a heavier protective plastic sleeve. This assessment is rather arbitrary:
there is no clear system for judging whether to protect the cards with
the heavier card sleeve, and it is generally left to the judgment of the employee. The
packer will then check the invoice or label to see if it is Regular, First-Class, or
Priority mail, and place the cards and invoice into an appropriate envelope. Finally,
the label is attached to the outside, covering the envelope seal for extra protection.
The board game packing process begins with finding the weight and dimensions of
the board game package and inputting them into a computer system. This system
calculates which form of packaging will be the most cost efficient for a specific game
going to a specific address. Games that go in envelopes or flat-rate shipping will
simply be packed in the appropriate containers. If first class parcel is selected as the
most appropriate for the board game, the packer will travel to the store warehouse
and spend a reasonable amount of time finding a best-fitting box, which can be
inefficient.
POST OFFICE DELIVERY
Every few days, enough bulk mail orders are queued up
to necessitate a trip to the Post Office. This is done
whenever more than 500 bulk mail orders are
waiting, or approximately three full bins of bulk mail
orders.
An employee with a car will take all the bins of orders
and sort them so that all the local bulk mail is in one
group and the priority and large orders for that day are
in another. The remaining bins of bulk mail are put in
another group for processing.
All the mail is loaded into a car, and the employee
verifies if any new stamps need to be purchased for
further non-bulk mail orders. The employee drives to the
Bitter Lake Post Office and unloads all the mail in the
back door where the Bulk Mail office is. The post office
employee weighs the bulk mail and calculates the cost,
then provides the Green Lake Games employee with an
invoice. The Green Lake Games employee then takes the
invoice to the front counter and pays for the bulk mail
and any needed stamps.
STRUCTURAL ANALYSIS
The structure of the information that Green Lake Games uses comes mainly in the
form of customer shipping addresses and product data. All of this is used in the
company’s shipping system in a variety of formats, ranging from computer databases
to printed sheets.
PULL SHEETS
Pull sheets are printed pages of paper which detail
the products that have been ordered online. There
are three vertical columns on these pages:
quantity, name, and information. Quantity is the
number of a given product that must be pulled.
Name is the name or title of the product.
Information is the state of the card: regular or foil.
Foil is a glossy finish on the card that increases its
value and regular is default. Additionally, there is
subtext underneath the name which gives the
condition grade and language of the card. These pull
sheets are divided by bold headers that describe the
category of the products. Within each of these
categories, all products are listed alphabetically.
Once the compilation of the pull sheets is
understood, their practicality becomes apparent.
The form mimics the physical arrangement of the
cards in the inventory storage room. Each header
correlates with a storage drawer with a matching
name. In this drawer lies all of the cards in alphabetical order. This then is easily
traversed using the alphabetized list on the pull sheet. Next, the desired quantities
are removed in an orderly fashion and we are ready for the next stage of the
system.
SHIPPING LABELS
Shipping labels come in three varieties--those for parcels, letters, and small orders.
They are stickers with various shipping information that the staff places on packages
to be mailed. They contain the customer’s shipping information in the middle, the
return mailing address of Green Lake Games in the upper left corner, the shipping
class (priority, first class, standard, etc.) in the top right corner, and the tracking
information with bar code at the bottom.*
Examples of shipping labels
Other shipping information
indicating the payment of shipping
fees, payment rate, date of
shipment, and zip code of sender.
*small orders (usually 1-4 cards) only contain
the customer shipping information and are put
together with other small orders in bulk in a
special type of envelope with a label to
indicate bulk shipping.
A bulk envelope with shipping label
CUSTOMER INVOICE
The customer invoice contains information about the various purchases made by the
customer in their order (with prices and product names) as well as shipping
information (customer shipping address) and order information (order id, order date,
customer name, phone number, items in order, and sender name). There is also a bar
code for matching the invoice to the order id. At the bottom there is an area showing
payment information of the customer.
A customer invoice
These invoices are sent to the customer along with their orders for their own
information. There are also smaller receipts which contain the same information but
in a condensed manner for small orders.
A small order invoice
ENTITY RELATIONSHIP DIAGRAM AND ANALYSIS
An Entity Relationship Diagram represents the structure of unique information
produced and contained in the system. We call the data structures producing and
containing information entities and the diagram seeks to study the relationship
between these entities, hence the name. Through this diagram, we sought to capture
the attributes of each entity and the general nature of data in the system.
Entity-Relationship Diagram
Green Lake Games’ order processing is structured in a way that data is pulled from
both the product and customer into the customer’s order, which is then
consolidated into a shipping label for shipping purposes. There are also additional
data structures like the invoice and pull sheets which are not modeled here
because they merely replicate data from the order for various purposes as opposed to
contributing new data for the system. A line item table acts as an intermediary
between products and the customer’s orders for orders with either multiple distinct
products or multiple quantities of the same product. In most cases the data model is
sufficient for Green Lake Games’ needs and covers the order processing and shipping
methods in a well-tested manner.
One minor issue is that there is no easy way in the client system to illustrate the
relationship between customers and orders and how customers may have multiple
orders. Even though one order may have many products, there are some customers
who place multiple orders because they do not fully understand the online shopping
features or for various other reasons. This can cause a headache for the shipping
employees as they try to match orders to customers but have trouble distinguishing
between two orders from the same person or two orders by two separate people with
the same name. If multiple orders could be consolidated into one by the online
system, CrystalCommerce, or if there were a more apparent way to link orders
together (like a username or some sort of unique identification for each user who
orders online), then that would greatly help ease this problem.
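The Order Sorter rules and the same-name problem described above, as an added example (not Green Lake Games’ or CrystalCommerce’s code): it sorts constructed orders into “Preorders” and “Processing” and links a customer’s orders by name plus shipping address, so that two different people who share a name are not merged onto one shipping label and invoice. The field names, the `customer_key` helper and the treatment of "US" as the domestic country are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Thresholds as stated in the Order Sorter section of the report.
VALUE_LIMIT = 4.00     # "all orders above $4"
ITEM_LIMIT = 10        # "more than 10 items"
HOME_COUNTRY = "US"    # assumption: anything else counts as international


def _norm(text):
    """Lower-case and collapse punctuation/whitespace so typing differences do not split a customer."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def customer_key(order):
    """Hypothetical linking key: name AND shipping address, never the name alone."""
    return (_norm(order["name"]), _norm(order["address"]), order["country"].upper())


def sort_orders(orders):
    """Return (queues, reasons, combined) for a batch of order dicts."""
    by_customer = defaultdict(list)
    for o in orders:
        by_customer[customer_key(o)].append(o["order_id"])

    queues = {"Preorders": [], "Processing": []}
    reasons = {}
    for o in orders:
        why = []
        if len(by_customer[customer_key(o)]) > 1:
            why.append("multiple orders by same customer")
        if o["total"] < 0:
            why.append("negative value")
        if o["total"] > VALUE_LIMIT:
            why.append("above $4")
        if o["item_count"] > ITEM_LIMIT:
            why.append("more than 10 items")
        if o["country"].upper() != HOME_COUNTRY:
            why.append("international")
        queues["Preorders" if why else "Processing"].append(o["order_id"])
        reasons[o["order_id"]] = why

    # Order groups that should share one shipping label and package.
    combined = [ids for ids in by_customer.values() if len(ids) > 1]
    return queues, reasons, combined


# Constructed sample batch (not real customer data).
SAMPLE_ORDERS = [
    {"order_id": "A1", "name": "Pat Lee", "address": "12 Oak St., Seattle WA 98103",
     "country": "US", "total": 1.50, "item_count": 2},
    {"order_id": "A2", "name": "pat lee", "address": "12 Oak St Seattle, WA 98103",
     "country": "US", "total": 0.75, "item_count": 1},
    # Same name as A1/A2 but a different address: a different person.
    {"order_id": "A3", "name": "Pat Lee", "address": "900 Pine Ave, Tacoma WA 98402",
     "country": "US", "total": 2.00, "item_count": 3},
    {"order_id": "A4", "name": "Sam Roy", "address": "4 Elm Rd, Seattle WA 98115",
     "country": "US", "total": -0.40, "item_count": 1},
    {"order_id": "A5", "name": "Ana Diaz", "address": "77 Bay Ln, Austin TX 78701",
     "country": "US", "total": 12.00, "item_count": 4},
    {"order_id": "A6", "name": "Kim Cho", "address": "3 Hill Ct, Boise ID 83702",
     "country": "US", "total": 3.60, "item_count": 12},
    {"order_id": "A7", "name": "Lou Marsh", "address": "8 King St, Toronto ON",
     "country": "CA", "total": 2.00, "item_count": 1},
    {"order_id": "A8", "name": "Jo Park", "address": "5 Lake Dr, Reno NV 89501",
     "country": "US", "total": 0.99, "item_count": 1},
]

if __name__ == "__main__":
    queues, reasons, combined = sort_orders(SAMPLE_ORDERS)
    for name, ids in queues.items():
        print(name, ids)
    print("combine on one label:", combined)
```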
Another minor issue is that data entry for products relies on a largely manual
method where each product must be specially analyzed. This is a slow and tedious
process but may be absolutely necessary given the nature of the work, and Green Lake
Games has defined methods to make the process easier. Nevertheless, this is an issue
that is outside our chosen task of analyzing problems associated with order
processing and shipping.
SECURITY ANALYSIS
Security is a cornerstone of any user’s ability to depend on a given system. When
purchasing and trading items in good faith over the internet, users make themselves
vulnerable by supplying sensitive information, such as their names, home
addresses, and credit card details, to the vendor. In order for that vendor to retain users and match
their expectation for responsible security, it too must act in good faith by
practicing holistic, up-to-date security measures in that transaction. Once a company’s
poor security practices have been revealed, it is very difficult, if not impossible, for
it to fully regain its users’ trust. Rather than working tirelessly to correct security
leaks after the fact, an optimal system would embed values of proper security as
early as in the design phase. It is, of course, never too late to implement sufficient
security measures. This is a small, yet invaluable aspect of a proper system design.
USER AUTHENTICATION ANALYSIS
A wise man named Dr. David Stearns once told us, “the best way to do user
authentication...is to have someone else do it.” Green Lake Games has the fortune of
having user authentication, on every front, covered by Amazon or
CrystalCommerce. The information Green Lake Games receives from Amazon,
through which the vast majority of orders are placed, is: the items a customer has ordered,
a masked Amazon email address for that customer, their Amazon tracking number,
their mailing address, and their phone number. The email address listed is masked,
and therefore a controlled variable, due to Amazon’s “fake” email address generation
process; this is a factor of Amazon’s security. Sign-on, user authentication, and
payment services are handled within Amazon and then only the necessary information
is passed on to Green Lake Games to complete the order. This is a benefit to Green
Lake Games because no store resources need to be spent on authentication.
Similarly, CrystalCommerce handles customer information for orders placed through
them and keeps payment information secure. The last four digits of credit card
numbers are stored within CrystalCommerce, but are not accessible to the
employees. Additionally, CrystalCommerce operates a Fraud Detector that monitors
IP addresses of users.
Once the order details are synchronized from Amazon into CrystalCommerce’s order
processing database, a Green Lake Games employee uses CrystalCommerce’s login to
authenticate themselves and view received orders. Only the owner and designated
employees have the clearance and password to sign-on to CrystalCommerce. Once the
browser is signed-in, there is at least one employee stationed on the computer at
all times to maintain the physical security of the machine. During the order packing
process, there are order invoices containing sensitive information that are physically
in motion. As outlined above, this includes the user’s shipping address, email address,
phone number, and Amazon tracking number (if applicable.) Green Lake Games
controls this potentially sensitive information during the order packing process by
using specialization amongst employees and secure disposal. The employees packing
the orders have the authorization and knowledge to do so securely and keep
everything within line-of-sight at all times. In the instance of any leftover or unused
invoices, those invoices are shredded and disposed of. The final leg of the shipping
process is handled by either the post office’s employees during store pick-up or by an
authorized Green Lake Games employee who personally delivers orders to the post
office.
The actions I have listed are all internal to Green Lake Games or its sourced vendors;
end users have virtually no ability or authentication within the system. Outsourcing
payment processing and user authentication to the services of Amazon and
CrystalCommerce relieves a tremendous amount of risk from Green Lake Games.
Data Flow Diagram with Trust Boundaries illustrated
AMAZON / CRYSTALCOMMERCE TRUST BOUNDARY
Since this trust boundary exists between two external vendors in our system, we are
not considering it within the scope of our analysis. However, it is important to note
that it exists. If those trust boundaries are breached, the impact could affect many
different parts of Green Lake Games’ business model, including the shipping
processes.
CRYSTALCOMMERCE / GREEN LAKE GAMES TRUST BOUNDARY
Common spoofing threats include fake emails or websites sent to employees to
gather data or login info. These are very common on the internet, and many email
servers and modern browsers can detect these frauds, but because the phenomenon
is so widespread it is still a likely threat for Green Lake Games, one that
leaves potential access for compromising the whole system. To counter this,
Green Lake Games can educate employees on how to avoid spoofers, use a service
with stronger filters for email, restrict usage of the computer to business only, and
keep the system up to date. This is a threat that can be completely avoided if these
prevention techniques are used.
Hacking into the CrystalCommerce site and changing customer data is a method of
tampering that could potentially be used to steal orders or sensitive information of
the customers. This would likely lead to decreased customer trust in Green Lake
Games, as well as potentially create liability costs and lawsuits against Green Lake
Games. However, as Green Lake Games is not a major corporation, we can assume
that not many enemies exist with high levels of combined motivation and skill to hack
the Green Lake Games website or the CrystalCommerce system. As such, this threat is
not very likely. Most fixes for this tampering are out of Green Lake Games’ hands
directly, although following proper online safety standards and investing in web
security for the website will help.
Similarly, hacking into the CrystalCommerce site and removing customer orders that
have already been shipped is a form of repudiation that is not directly stealing, but
does interfere with the shipping process and damages customer relations. Like the
prior hacking threats, this is not very likely and as such the same mitigations of
improved web security and safety standards apply.
Finally, hacking can be used to gain customer data in an act of information
disclosure that could severely hurt the customers and lead to lawsuits and liability
costs for Green Lake Games, not to mention the decreased customer trust and
relations. This is an unlikely, but still potentially threatening, event that
improvements in web security and online safety will help mitigate.
Shoulder-surfing customer data in store during order processing or shipping/packaging
processes is another way someone could disclose information. However, as the shop
is relatively small, closely monitored, and has low levels of traffic, this threat is not
very likely. The effects would be relatively small in scale if it were to occur and may
just result in one dissatisfied customer, which is still a liability for Green Lake Games.
Improvements in store policies to protect customer data and employee training can
help mitigate this threat.
Taking down the CrystalCommerce site can lead to a Denial of Service which could
set back Green Lake Games’ activities indefinitely. Since Green Lake Games is usually
not the target of such threats and the traffic on the site is usually not very high, this
threat is not very likely. It is advised to watch server performance and adjust as
necessary, but this is largely in the hands of CrystalCommerce, so fostering
transparent relations with CrystalCommerce is crucial.
Someone can steal user logins to the CrystalCommerce site and access it as an
employee, an elevation of privilege attack, to severely compromise the system’s
performance and steal sensitive information. This threat is likely, as this information
is in the hands of employees and could potentially be breached in a variety of ways.
It’s important to protect sensitive user account information by requiring mandatory
password changes for employees in order to mitigate this threat.
GREEN LAKE GAMES / U.S. POST OFFICE TRUST BOUNDARY
One common spoofing threat that would arise from Green Lake Games’ relationship
with the U.S. Post Office would be an individual posing as a Green Lake Games
employee, and tampering with the mail at the Post Office. Though this threat is not
likely, it could have a significant impact on the business: high-cost orders could be
regularly and easily tampered with, which could severely impact Green Lake Games’
revenue stream, and limit their product stock. To mitigate this threat, a regular
checking of identification could be done - each time a Green Lake Games employee
interacts with the U.S. Post Office, the employee would show proof of employment,
to ensure that the mail does not get tampered with. In addition, bulk mail could only
be delivered to the Bitter Lake Bulk Mail Office employee, to ensure no unverified
employees are involved.
One possible tampering threat involves damaging Green Lake Games’ mail, and
stealing its contents. Due to the value of some orders, and the high volume of general
theft, this threat would be a likely one. This threat would also be of high impact to
the business, as stolen goods lead to losses in revenue and stock, as well as loss in
trust in the business itself. To mitigate this tampering threat, each employee should
make sure each piece of mail is properly sealed and securely transferred. In addition,
sensitive information such as tracking numbers and addresses should be kept in safe
hands.
The most likely repudiation threat involves the proof of an individual order making
it to the Post Office. With Bulk Mail processing there is no such proof for individual
orders, which is simply a part of the cost of business with having a bulk mail license.
This means that lost parts of these bulk orders may go unaccounted for. Due to the
frequency of orders and shipments, this threat is a likely one. To mitigate this threat,
the most expensive pieces of each bulk order could be verified, to make sure they
were not lost. Losing smaller, low-cost parts of the order could be accepted as cost of
business, and would not be checked.
One relevant information disclosure threat would be scanning and opening envelopes
for phone numbers, email addresses, and physical addresses. Though this threat is not
likely, as there is little interest to do it, it still serves as a threat to customers and
the business. Basic pieces of information can be used to breach other sources of
information, and are a serious violation of a customer’s privacy - customers expect
their information to be kept private, and have a level of trust with the business
because of it. To mitigate this threat, all packages should be properly sealed and
transferred. In addition, proper storage and disposal of sensitive information should
be done, including shredding unneeded sensitive documents.
One possible denial of service threat at Green Lake Games would be if the Post
Office were closed. Green Lake Games needs the Post Office to conduct its
shipping procedures, and cannot do so if it is closed. Though this threat is not likely,
as the office is usually open, not being able to do shipping procedures at any given
time would really set back Green Lake Games’ schedule. Always checking the status of
the Post Office before leaving the store would be an easy way to mitigate this threat.
Another possible denial of service threat at Green Lake Games would be if a driving
route were crowded and overflowed. This is a likely threat, as urban traffic is often
unpredictable, and can seriously change the amount of time it takes to travel
between two places. This threat could severely impact the efficiency of Green Lake
Games’ operations, with driving times to areas taking much longer than anticipated.
To mitigate this threat employees should check online traffic maps before leaving the
store, so that they can account for the level of traffic on the roads. In addition,
deliveries should be scheduled for earlier in the day, when there is generally less
traffic and crowding.
The most probable elevation of privilege threat would be a person stealing payment
checks from the Green Lake Games employee and using them to buy alternate products.
As the theft of individual checks is rarely done anymore, this threat is not likely.
Mitigating this threat would involve training all employees on proper handling of
employee checks, and how to handle any issue with a check so that the check issuer
can be contacted and the proper fraud report is handled in a timely manner.
SECURITY BREACH RESPONSE PROCEDURES
Currently there is no particular response plan for the case where Green Lake Games
suffers a security breach of some sort. Since a majority of the information is handled within
the CrystalCommerce and Amazon systems, breaches will occur mainly inside the
vendor side of the trust boundaries of the Data Flow model.
Their General Manager noted two specific processes as the probable response path,
as mitigation processes to handle supposed data breach scenarios.
1. If a data breach has occurred on Amazon or CrystalCommerce, then Green Lake
Games would reset the passwords of all their accounts on both of those
systems to remove that as a potential avenue of attack. The same would be
done of all Green Lake Games email accounts, to cover the potential
compromise of other systems.
2. If a list of affected customers is known, then an email would be crafted by
Customer Service to inform the affected customers about the breach.
No other notification techniques would be utilized in this situation. One of the major
concerns of the Green Lake Games organization is the trust of their customers,
especially when dealing with the volatile nature of online sales. By reducing the
visibility of the breach, they hope to maintain the implicit assumption of safety
that their customers would have by ordering from them.
ANALYSIS
While Green Lake Games has a variety of avenues that a potential threat can utilize
to interfere with their regular shipping operations, the likelihood of many of these
security breaches is fairly low. The main reason for this is that the
impact of any particular order is low, with most orders being only a couple of dollars at
most. The only Personally Identifiable Information that is utilized in the system is
contact data, which has little value to an attacker without a specific motivation.
Thus, the low cost of a majority of individual orders, along with many of the internal
processes being manual in nature, means that an active threat would need to
have access to a method of identifying specific orders, either for the PII or for the
contents of a particular order.
Furthermore, a majority of the security processes are handled by the external
vendors, so the controls that can be utilized to mitigate these particular attacks are
controlled by them. For these reasons, it’s important for Green Lake Games to
continue to build the relationships with these vendors so that security issues can be
identified and communicated quickly in this ever-evolving world of security.
Thus, Green Lake Games has two attack vectors they would need
to be most cognizant of. First are the larger generalized threats that are not
malicious in nature, but originate from more natural threats, such as inclement
weather or changing traffic patterns. Backup procedures should be ready in case large
amounts of physical information are affected, such as a disaster destroying the orders
being stored for delivery or the orders being worked on by employees on any given day.
Second are the targeted attacks that are internal in nature, since the value of any
particular order would require internal knowledge and access to the physical space
where orders are processed. This can be mitigated through strong physical controls,
such as making sure all orders and their representative components are always in the
hands of employees. Additionally, care should be taken in ensuring all new hires at
the company are trustworthy and would not have any reason to exfiltrate products or
information for their own purposes.
However, it is still important to consider all the security implications in the shipping
process and maintain all the free or low-cost controls that can be used to alleviate
any potential breaches. By periodically checking and updating the controls that are
in place, a secure environment can be maintained throughout the entire work flow at
Green Lake Games.
CHANGE PROPOSAL
Due to Green Lake Games’ development of a very efficient process over the years,
there are no big issues that could potentially compromise the whole system. As such
we have not identified just one problem and changes to that specific problem. Instead
what follows is a list of refinements to the order processing and shipping system.
One notable problem is the complexity and requirements in the Order Sorting process.
This procedure is tightly coupled, so that if one part of the task breaks, the entire
process will cascade into failure and need to be started over. In addition, it’s highly
complex with many different tasks done in a process that is known to only a few
employees. These processes can cause setbacks and delays in the process, or can
lead to packing errors which would need to be tracked down over the rest of the day.
There are two options that we can recommend to alleviate these problems:
● Create a posted document of the task process or workflow diagram in a place
that is easily accessed. This can be done with a low cost up-front, and would
only need to be updated periodically as other changes come by. There is a
medium benefit to this, as it will help reduce potential errors during the
process by having a visual aid while working.
● Install MediaWiki* software on Green Lake Games hosted webspace, a free
open-source wiki software package. Here, tasks can be documented in a way
that all employees can access and understand. The initial investment would be
small, since MediaWiki is free, but there still is a medium cost, since employee
hours would need to be devoted to document tasks. We believe that this has a
high benefit, though, since it will allow employees to cover tasks when
needed. This will alleviate stress on the people with specific process
knowledge, allowing them to not worry about the store if they are sick or on
vacation.
* http://www.mediawiki.org/
A common problem is distinguishing multiple orders placed by the same customer in
the system. While this is not a common issue, it does occur when customers do not
know how to properly utilize the online order system and can cause a headache for
employees when they are processing these orders for shipment. There are two
solutions we recommend for this problem:
● Appeal for changes in the online order system to Crystal Commerce that would
combine multiple orders before they are even processed. This is a medium to
high cost solution that possibly requires implementation of new software
functionality. This is a medium benefit solution as it would completely
alleviate the problem but at the same time the problem may not be significant
enough to warrant such an investment.
● Use some sort of quick identification tag for customers in manual processing of
orders before preparing shipments. This can be relatively easy and low cost to
implement with just pen and paper, but will require some changes in
procedure and thus training on behalf of the employees. While still requiring
some manual processing on behalf of the employees, it would go a long way in
improving efficiency overall and be an overall medium benefit solution.
The next notable problem involves the Order Sorter’s order processing tasks in
CrystalCommerce. The Order Sorting requires a specialized employee to undergo
time-consuming, tedious, and prone-to-error tasks in CrystalCommerce. For
reference, these tasks include grouping large and small orders into “Preorders” and
“Processing”, respectively, manually assigning each order an order weight and
shipping grade, and manually adjusting shipping label printing settings using pre-
formatted Microsoft Word and Excel documents. There are three suggested solutions
to improve this process:
● Increase CrystalCommerce’s capability to automate sorting of large and small
orders, using business logic provided by Green Lake Games to determine the
rules of the categorizations (ex: “if order items are more than 10, place in
‘Large’”) under the oversight of the employee who currently does the process
manually to ensure correct decisions are made. Going hand-in-hand with this
added feature would be dedicated categories for “Large-Processing” and
“Small-Processing” orders rather than resorting to using “Preorders” for large.
The cost is low for this because CrystalCommerce is a proprietary service that
Green Lake Games is already partnered with and this would be implemented by
CrystalCommerce, externally. The benefit is medium for this implementation
because it would create a less error-prone and more time-efficient order
sorting process. Additionally, the higher-specialized employee originally doing
order sorting could either continue overseeing this process OR spend time on
any other matters at hand and hand this off to a less-specialized employee that
could be more capable now that automation is in place.
● Create software to be run complementary to CrystalCommerce whose job is
solely to run scripts that execute the differing one-by-one tasks the Order
Sorter completes when they use the Word and Excel documents to arrange
printing successfully between items. This could also be implemented into
CrystalCommerce as a plug-in and used with just a button or tab in
CrystalCommerce. This could have a friendly and direct UI. The cost is medium
for this because it would require a developer to create this piece of software.
The benefit is low because it would make the process easier, more structured,
and more time-efficient, but the specialized employee already has this
knowledge and nothing would be done better from a functional standpoint.
Rather, it would be done more securely.
● Assign each inventory item a weight in CrystalCommerce’s system that will be
automatically considered during shipping grade choice and produce accurate
total shipping weights. The cost is low for this because coordination between
Green Lake Games’ management and CrystalCommerce could implement this
ability. If weights of all items in current inventory are ignored, but all weights
of incoming shipments of inventory are recorded into a database as they arrive,
eventually the database would be complete (Chinese proverb: the best time to
plant a tree was twenty years ago; the second best time is today.) The cost
would be medium for this if a route independent of CrystalCommerce was
taken. This could be accomplished by managing a Relational Database
Management System (RDBMS) independently, such as Oracle* and MySQL*.
There is a medium benefit to this because while the specialized employee
already has sufficient knowledge of order weights to simplify the process, new
weights will always come into play and this would be an effective way to store
this knowledge to pass it down. This promotes scalability of the system.
*http://www.oracle.com
*http://www.mysql.com
Packaging board games for first parcel involves eyeballing various boxes in the
warehouse, and arbitrarily picking the most appropriate box which can be time
consuming and inefficient. There are two solutions to this problem:
● Each board game’s dimensions and weight can be logged with an appropriate
box size and available boxes can be organized by dimension in the warehouse.
This will allow for finding the most appropriate box nearly instantaneously and
also ensure that the box used is the most space efficient box that is available.
Overall this is a medium benefit solution as it would save a lot of time and is
relatively low cost to implement but will require an initial investment in time
to organize the boxes and subsequently maintain the organization.
● Another medium benefit solution is to have standardized box sizes that are
chosen based on the most-purchased board games and most-used boxes. This
solution is at a mid-level cost range as it requires purchasing standardized
boxes and sacrificing having the most space efficient boxes in favor of
standardized sizes. In the long run however, there would be no need to
measure any boxes or board games and finding the right box will be a quick and
easy process.
The system in place doesn’t scale to higher dimensions very well, in particular due to
restrictions on physical space and product storage. If there is a significant increase in
orders, Green Lake Games is restricted in capacity by the size of its facilities. The
throughput of particular processes is limited by the space available to employees and
inventory. This is further compounded by much of the active space in the store being
used for customer events. The events are a key part of Green Lake Games' core
mission, so restructuring those is not included in our analysis. However, if business
continues to grow, this might be one of the main problems that Green Lake Games
would face. Here are two suggestions that we can provide.
● Altering the times that shipping and packaging are done would help keep any
space conflicts between events and the shipping employees to a minimum.
Events primarily occur in the evenings, so starting the Order Sorting process
early in the morning would provide time to complete the daily shipping
processes even if an abnormal number of orders are present. There is little
cost to this, as it would require scheduling employees slightly differently.
There is only a small amount of benefit to it as well, unless the number of
orders starts increasing on a consistent basis. Then, this may be an excellent
measure to implement.
● Another suggestion is the locating of a larger space to operate out of. This may
be done by finding a separate location to handle shipping, keeping the retail
store in its current location. The potential for additional space can allow for
no restrictions on shipping and packaging processes, and keep it from
interfering with in-store events. There is a very high cost to this, though, as
larger space is not cheap in the Seattle area and moving would cause a whole
host of other issues that would need to be addressed. There is a high benefit
to this, however, as additional space can allow for much larger throughput in
order processing, leading to larger profits in the wake of increased sales.
APPENDIX A: WORK FLOW DIAGRAM
As the complete Work Flow Diagram is too large to fit in this document, it is presented as a separate
diagram for use by Green Lake Games.