Fourth, in the aftermath of the attack, the risks and threats the company is exposed to are further security breaches that could expose critical and private secret trading information of the company. This could lead to financial losses, since hackers can sell this information or use it to extort management, as in the Sony breach, where hacktivists extorted high-profile executives with threats of data leaks. Furthermore, data destruction poses a threat, as important information can be deleted by malware used by hackers. This can financially impact the company, since rebuilding systems that are wiped like this is time-consuming and expensive, and the backup restore process must be thoroughly disinfected so that remaining malware does not re-wipe systems once restored. Lastly, further card breaches can hurt customer loyalty and hugely impact the company's sales, since customers will be aware of future breaches and may avoid purchasing at the company's stores. “To keep up with the competition, organizations must design and create safe environments in which business processes and procedures can function. These environments must maintain confidentiality and privacy and assure the integrity of organizational data—objectives that are met via the application of the principles of risk management.” (Whitman, 2012, p.119). Therefore, risk management must be a priority, and it requires risk identification, risk control and risk assessment. Thus, feasibility and cost-benefit analysis becomes a fundamental part of business decisions, which are based on trade-offs between the cost of employing information systems security controls and the benefits gained from operating secured systems. “When an organization’s general management team determines that risks from information security (InfoSec) threats are creating a competitive disadvantage, it empowers the IT and InfoSec communities of interest to control those risks” (Whitman, 2013, p.315).
Furthermore, a security team needs to be assembled in order to plan for security, contingencies, security policies, security programs and PCI DSS certification, to conduct risk assessments, and to apply strategies such as defense, transferal, mitigation, acceptance and termination. This includes, for instance, hiring new IT employees, purchasing and implementing new security systems, and training employees on those systems. To emphasize, TJX needs a substantial investment in sophisticated technologies to help monitor, prevent and detect intrusions, and must purchase high-end firewalls to monitor and protect company kiosks and wireless networks.
Fifth, in the case of TJX, I disagree with the argument that the PCI-DSS standard is not effective or does not do enough to protect cardholder data.
In my opinion, the PCI-DSS standards in place should lead to a secure network and ultimately protect the cardholder data. The Payment Card Industry (PCI) Data Security Standard has important requirements such as maintaining a firewall configuration, regularly updating anti-virus software, and encrypting transmission of cardholder data across open, public networks, to name a few. Unfortunately, the auditing practices at TJX were poor and did not identify the real problems with the TJX systems. There were three crucial issues with the TJX systems. The first was the absence of network monitoring; according to the PCI standards, a firewall or a “do not use vendor-supplied defaults for system passwords” control was required. They also violated the second PCI standard of protecting the cardholder data by not keeping data logs and by storing unencrypted data on the system. The stolen information was from old transactions from 2002 which were supposed to be purged.
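As an added illustration (not part of the original essay and not TJX's own tooling), the following script audits a constructed set of stored transaction records for the two gaps just described: records kept past the retention period and primary account numbers (PANs) stored in the clear. The record layout, the retention period and the sample data are assumptions.

```python
"""Audit constructed stored-transaction records for two PCI DSS gaps:
cardholder data retained past its purge date, and PANs stored in cleartext.
Record layout, retention period and sample data are assumptions."""
from datetime import date, timedelta

# Constructed sample records; the PANs are well-known test numbers, not real cards.
SAMPLE_RECORDS = [
    {"id": "T-1", "txn_date": date(2002, 11, 3),
     "pan": "4111111111111111"},                 # old and cleartext
    {"id": "T-2", "txn_date": date(2006, 12, 1),
     "pan": "tok_7f3a9c"},                        # recent and tokenised
    {"id": "T-3", "txn_date": date(2004, 6, 15),
     "pan": "tok_02bb41"},                        # old, but tokenised
    {"id": "T-4", "txn_date": date(2006, 12, 10),
     "pan": "5500000000000004"},                  # recent, but cleartext
]


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def looks_like_cleartext_pan(value: str) -> bool:
    """Heuristic: 13-19 digits that pass Luhn; tokens and ciphertext will not."""
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_valid(value)


def audit_records(records, as_of: date, retention_days: int):
    """Return (record id, finding) pairs for every policy violation found."""
    cutoff = as_of - timedelta(days=retention_days)
    findings = []
    for rec in records:
        if rec["txn_date"] < cutoff:
            findings.append((rec["id"], "retained past purge date"))
        if looks_like_cleartext_pan(rec["pan"]):
            findings.append((rec["id"], "PAN stored in cleartext"))
    return findings


def audit_sample():
    """Run the audit on the constructed records with a one-year retention policy."""
    return audit_records(SAMPLE_RECORDS, date(2006, 12, 18), 365)


if __name__ == "__main__":
    for rec_id, finding in audit_sample():
        print(rec_id, finding)
```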
Perhaps, if TJX had followed the Payment Card Industry (PCI) Data Security Standard by the book, this security breach could have been prevented.
There are a couple of things that could have been done differently to improve the effectiveness of the PCI-DSS. The first is to hire a security contractor to ensure that the PCI standards are fully implemented throughout the company. The second is to have an internal team review the audit logs and oversee employee training.
In conclusion, “Security needs to be in place, tested, and enforced from Day one. A good security plan will consist of the software products needed to ensure proper and secure access but will also consider physical access and user security awareness.” (Motiwalla, 2011, p. 290). Thus, the network intrusion at TJX that led to the loss of the personal data, driver’s license data and credit and debit card data of millions of customers was caused by the lack of security standards, the lack of security tools and the lack of sophisticated technology to help detect, prevent and monitor intrusions. All in all, this led to a network breach whose estimated cost to TJX ran to millions of dollars in lost revenue, various settlements, legal fees, investigation fees, and an overall loss of customer confidence in the brand.