Bullzeye is a discount retailer offering a wide range of products, including home goods, clothing, toys, and food. The company is a regional retailer with 10 brick-and-mortar stores as well as a popular online store. Due to the recent credit card data breaches at various prominent national retail companies (e.g., Target, Home Depot, Staples), the Bullzeye Board of Directors has taken particular interest in information security, especially as it pertains to the protection of credit cardholder data within the Bullzeye environment. The Board has asked executive management to evaluate and strengthen the enterprise's information security infrastructure where needed.
In order to respond to the Board regarding the company's preparedness for a cyber-security attack, the Chief Financial Officer (CFO) has engaged your IT consulting firm to identify the inherent risks and recommend control remediation strategies to prevent, or to detect and appropriately respond to, data breaches. Your firm has been requested to liaise with the Internal Audit Department during the engagement. Your first step is to gain an understanding of Bullzeye's IT environment. The Chief Audit Executive (CAE) schedules a meeting with key Bullzeye leadership personnel, including the CFO, Chief Information Officer (CIO), and Chief Information Security Officer (CISO). The following key information was obtained.
Background
IT Security Framework/Policy -
Bullzeye has an information security policy, which was
developed by the CISO. The policy was developed in response
to an internal audit conducted by an external firm hired by the
CAE. The policy is not based on one specific IT control
framework but considers elements contained within several
frameworks. An information security committee has been
recently formed to discuss new security risks and to develop
mitigation strategies.
The committee meets monthly and includes the CISO and other key IT Directors reporting to the CIO.
In addition, a training program was implemented last year in
order to provide education on various information security
topics (e.g., social engineering, malware, etc.). The program
requires that all staff within the IT department complete an
annual information security training webinar and corresponding
quiz. The training program is complemented by a monthly e-mail sent to IT staff, which highlights relevant information security topics.
General IT Environment -
Most employees in the corporate office are assigned a standard
desktop computer, although certain management personnel in
the corporate and retail locations are issued a laptop if they can
demonstrate their need to work remotely. The laptops are given
a standard Microsoft Windows operating system image, which
includes anti-malware/anti-virus software and patch update
software among others. In addition, new laptops are now
encrypted; however, desktops and existing laptops are not
currently encrypted due to budget concerns. The user
provisioning procedures require that the access level assigned
by the IT administrator be approved by the user’s supervisor.
The IT administrator generally determines the access level
based on the access level of the former employee or other staff
in the department.
User accounts are configured to require strong, complex
passwords that must be changed every 12 months. Procedures
are established to periodically confirm that the user is still
employed and thereby continues to require their assigned access
level and to disable user access upon employment termination.
Servers and Network –
Procedures are established to patch servers; however, certain servers are not being patched at the frequency recommended by the operating system vendor.
In addition, the servers responsible for processing or storing
credit card data are not segmented from the rest of the network.
These servers store the following cardholder data in plain-text:
card numbers (referred to as “primary account numbers”),
cardholder names, and expiration dates. CVV2 codes (the three- or four-digit number printed on the back/front of a card) used for verifying online purchases are not stored on the servers.
User access to the servers is role-based and limited to members
of the “administrator” role, which also provides the ability to
add and remove users to/from the network.
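The deficiency above (primary account numbers stored in plain text) is usually sized during an assessment by scanning exports and logs for unmasked PANs. The following is an added illustration, not part of the IIA case study: it validates candidate digit runs with the Luhn check (which real card numbers satisfy) and reports each hit with a PCI-style first-six/last-four mask, so the finding itself never carries a full card number. The sample records are constructed test values.

```python
import re
from typing import Dict, List

# Constructed sample lines, as they might appear in a plain-text order export
# on an unsegmented server. The PANs are standard test numbers, not real accounts.
SAMPLE_RECORDS = [
    "order=1001|name=J. Doe|pan=4111111111111111|exp=12/27",
    "order=1002|name=A. Smith|pan=5500000000000004|exp=03/26",
    "order=1003|name=B. Lee|pan=1234567890123456|exp=01/25",   # fails Luhn: not a PAN
    "order=1004|name=C. Kim|pan=411111******1111|exp=06/28",   # already masked
]

# Card numbers are 13 to 19 digits; the lookarounds stop us matching a
# sub-run inside a longer number such as an order or serial identifier.
CANDIDATE_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the usual PCI display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_plaintext_pans(lines: List[str]) -> List[Dict[str, object]]:
    """Scan text lines and report Luhn-valid card numbers in masked form only."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for match in CANDIDATE_RE.finditer(line):
            candidate = match.group(1)
            if luhn_ok(candidate):
                findings.append({"line": lineno, "masked": mask_pan(candidate)})
    return findings


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count lines scanned versus lines holding at least one unmasked PAN."""
    hits = {f["line"] for f in find_plaintext_pans(lines)}
    return {"lines_scanned": len(lines), "lines_with_pan": len(hits)}


if __name__ == "__main__":
    for finding in find_plaintext_pans(SAMPLE_RECORDS):
        print(f"line {finding['line']}: unmasked PAN {finding['masked']}")
    print(summarize(SAMPLE_RECORDS))
```

Run against the constructed records it flags lines 1 and 2 only; the Luhn check suppresses the order-style number on line 3 and the already-masked value on line 4 never forms a 13-digit run.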
Bullzeye contracts with several vendors to maintain key
portions of the IT environment, including the Point of Sale
(POS) application that processes credit card transactions. In
accordance with the responsibilities outlined in the contract, the vendors are responsible for managing their administrator access to Bullzeye's systems and data, which includes new user provisioning and disabling access for former employees. The
contract also requires that the vendors implement strong
information security control requirements in maintaining the
Bullzeye IT environment.
The Bullzeye network is protected from external attacks via
both firewalls and an intrusion detection system (IDS), which
identifies unusual and potentially malicious activity. The IDS
relies on its database of previously identified attacks to detect
potentially malicious activity. It is configured to notify IT Infrastructure staff in the event that malicious activity is detected.
The notification is via email to a designated account which is
reviewed weekly by IT staff.
Point-of-Sale (POS) Devices -
The POS terminals (cash register computers with credit card
readers) used in-store were last patched 12 months ago.
Additionally, the operating system image installed on the POS
terminals was a default image that did not include anti-malware/anti-virus software. The POS terminals, which are
connected to the Bullzeye network, are configured to load the
cash register software upon startup, which prevents the user
(who is generally a cashier) from entering the operating system
environment. Because the organization has not adopted
Endpoint Encryption for the credit card transaction lifecycle,
card data scanned at the card reader is stored in unencrypted
plain text.
Information Security Improvement Project -
A capital project has been approved for the current fiscal year
to strengthen information security. It is expected that the
project will be executed in phases over the next three years. A
project budget for year 1 has been established and a project
charter is under development. It is expected that the project will
include internal IT staff as well as external consulting resources
plus hardware and software costs. The CIO expressed some
concern regarding Bullzeye’s bandwidth to support this
initiative as well as to perform ongoing IT operational support
for the enterprise, including other project work. The CFO
expressed some concern regarding the source of funding to
support both the operational and capital costs for years 2 and 3
of the project.
The CFO and CIO agreed to provide you with the latest update
of the project management implementation guide and the
associated capitalization policy.
Insurance –
The CFO plans to investigate the purchase of cybersecurity insurance in order to limit the financial exposure to the costs
associated with the forensic investigation that is typically
required after a data breach, as well as credit monitoring and
legal fees associated with any lawsuits filed against the
company as a result of a breach.
Bullzeye Data Breach Readiness Assessment
IIA – Case Study
Questions
Your firm has been requested to present their assessment
findings and recommendations at an upcoming meeting attended
by key executives in preparation for the next scheduled Board
of Directors meeting.
Please respond to the following information requests and
questions in your presentation remarks.
IT Control Environment – Highlight the most significant IT
control deficiencies that you noted from your discussions with
the key leaders. Describe the associated risk implication for
each deficiency.
IT Control Environment - What best practice control techniques
would you recommend to correct the control deficiencies
identified?
IT Control Environment – Are there any established or planned
IT controls that appear to be well designed?
Data Breach Prevention - What technology options being
considered by other retailers to reduce the likelihood of credit
card information being stolen should Bullzeye consider
implementing?
Data Breach Response – What protocols should Bullzeye
implement in order to enhance their response in the event of a
data breach? Be sure to consider the lessons learned from data
breaches at the national retailers regarding the effectiveness of
their response plans.
Capital Project – Identify the key financial (e.g., budgeting,
cost capitalization) and operational (e.g., system development
life cycle) project risks and recommend how these risks should
be addressed. Be sure to reference applicable accounting
standards and relevant project governance best practices.
Capital Project – What key activities should the Internal Audit
department include in their annual Audit Plan in regards to the
IT Security project? What factors should the CAE consider in
determining what resources (internal or external) to assign to
this audit project?
Insurance – What factors should the CFO consider in
conjunction with investigating the purchase of cybersecurity
insurance?
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 

Bullzeye is a discount retailer offering a wide range of products,.docx

In addition, a training program was implemented last year to provide education on various information security topics (e.g., social engineering, malware). The program requires that all staff within the IT department complete an annual information security training webinar and corresponding quiz. The training program is complemented by a monthly e-mail sent to IT staff that highlights relevant information security topics.

General IT Environment -

Most employees in the corporate office are assigned a standard desktop computer, although certain management personnel in the corporate and retail locations are issued a laptop if they can demonstrate a need to work remotely. The laptops are given a standard Microsoft Windows operating system image, which includes anti-malware/anti-virus software and patch update software, among others. In addition, new laptops are now encrypted; however, desktops and existing laptops are not currently encrypted due to budget concerns. The user provisioning procedures require that the access level assigned by the IT administrator be approved by the user's supervisor.
The IT administrator generally determines the access level based on the access level of the former employee or of other staff in the department. User accounts are configured to require strong, complex passwords that must be changed every 12 months. Procedures are established to periodically confirm that the user is still employed and therefore continues to require the assigned access level, and to disable user access upon employment termination.

Servers and Network –

Procedures are established to patch servers; however, certain servers are not being patched at the frequency recommended by the operating system vendor. In addition, the servers responsible for processing or storing credit card data are not segmented from the rest of the network. These servers store the following cardholder data in plain text: card numbers (referred to as "primary account numbers" or PANs), cardholder names, and expiration dates. CVV2 codes (the three- or four-digit number printed on the back or front of a card) used for verifying online purchases are not stored on the servers. User access to the servers is role-based and limited to members of the "administrator" role, which also provides the ability to add and remove users to/from the network. Bullzeye contracts with several vendors to maintain key portions of the IT environment, including the Point of Sale (POS) application that processes credit card transactions. In accordance with the responsibilities outlined in the contract, the vendors are responsible for managing their own administrator access to Bullzeye's systems and data, which includes new user provisioning and disabling access for former employees. The contract also requires that the vendors implement strong information security controls in maintaining the Bullzeye IT environment. The Bullzeye network is protected from external attacks via both firewalls and an intrusion detection system (IDS), which identifies unusual and potentially malicious activity. The IDS is signature-based: it relies on its database of previously identified attacks to detect potentially malicious activity, so it will not recognize an attack for which it has no signature. It is configured to notify IT Infrastructure staff in the event that malicious activity is detected. The notification is via e-mail to a designated account, which is reviewed weekly by IT staff.

Point-of-Sale (POS) Devices -

The POS terminals (cash register computers with credit card readers) used in-store were last patched 12 months ago. Additionally, the operating system image installed on the POS terminals was a default image that did not include anti-malware/anti-virus software. The POS terminals, which are connected to the Bullzeye network, are configured to load the cash register software upon startup, which prevents the user (generally a cashier) from entering the operating system environment. Because the organization has not adopted point-to-point encryption (P2PE) of card data across the credit card transaction lifecycle, card data read at the card reader is held and stored in unencrypted plain text.
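The plaintext storage of PANs described above, on the card-processing servers and at the POS terminals, is the kind of finding an assessor confirms with a data scan and then remediates with masking and tokenization. The following Python is an added example written for this page, not code from the case or from Bullzeye: it scans constructed sample records (standard test card numbers, not real cards) for Luhn-valid PANs, and shows a remediated storage routine that keeps only a keyed HMAC token and a first-six/last-four masked PAN and discards any CVV2 field. The record format, the field names and the key value are assumptions; in practice the HMAC key would be held in an HSM or key-management service, and a full P2PE design would encrypt at the reader so the PAN never reaches the store in the clear.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: what a plaintext cardholder-data record on the
# servers (or captured at a POS reader) might look like. The card numbers
# are industry test PANs, not real cards; the pipe-delimited layout is assumed.
SAMPLE_RECORDS = [
    "4111111111111111|JANE DOE|12/27",
    "5555555555554444|JOHN ROE|03/26|CVV2=123",
    "ORDER-20240101-000123|NO CARD DATA HERE",
    "4111111111111112|BAD LUHN|01/30",
]

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by the card brands; rejects most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Audit check: return the Luhn-valid PANs exposed in a chunk of text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_records(records: List[str]) -> Dict[str, List[str]]:
    """Map each record that exposes a plaintext PAN to the PANs found in it."""
    exposed: Dict[str, List[str]] = {}
    for rec in records:
        pans = find_pans(rec)
        if pans:
            exposed[rec] = pans
    return exposed


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed token that stands in for the PAN at rest; the key lives outside the data store."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCardRecord:
    token: str        # replaces the PAN for lookups and matching
    masked_pan: str   # for receipts and support screens
    name: str
    expiry: str       # no CVV2 field exists on purpose


def store_safely(raw: str, key: bytes) -> Optional[StoredCardRecord]:
    """Remediated storage: token + masked PAN only; CVV2 is never persisted."""
    fields = raw.split("|")
    pans = find_pans(fields[0])
    if not pans:
        return None   # not a card record
    pan = pans[0]
    # Drop any CVV2/CVC field outright: it must not be stored after authorization.
    fields = [f for f in fields if not f.upper().startswith(("CVV2=", "CVC="))]
    name, expiry = fields[1], fields[2]
    return StoredCardRecord(tokenize_pan(pan, key), mask_pan(pan), name, expiry)


if __name__ == "__main__":
    KEY = b"placeholder-key-held-in-hsm-or-kms"   # assumption: real key in an HSM/KMS
    for rec, pans in scan_records(SAMPLE_RECORDS).items():
        print("EXPOSED:", [mask_pan(p) for p in pans], "in", rec[:24] + "...")
    for rec in SAMPLE_RECORDS:
        safe = store_safely(rec, KEY)
        if safe:
            print("STORED :", safe)
```

Run against a database dump, log directory or POS memory image, the scan half answers "where do we hold PANs in the clear?"; the store half shows the target state in which a compromise of the data store yields tokens and masked numbers rather than usable card numbers.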
Information Security Improvement Project -

A capital project has been approved for the current fiscal year to strengthen information security. It is expected that the project will be executed in phases over the next three years. A project budget for year 1 has been established and a project charter is under development. It is expected that the project will include internal IT staff as well as external consulting resources, plus hardware and software costs. The CIO expressed some concern regarding Bullzeye's bandwidth to support this initiative while also performing ongoing IT operational support for the enterprise, including other project work. The CFO expressed some concern regarding the source of funding to support both the operational and capital costs for years 2 and 3 of the project. The CFO and CIO agreed to provide you with the latest update of the project management implementation guide and the associated capitalization policy.

Insurance –

The CFO plans to investigate the purchase of cybersecurity insurance in order to limit the financial exposure to the costs associated with the forensic investigation that is typically required after a data breach, as well as credit monitoring and legal fees associated with any lawsuits filed against the company as a result of a breach.

Bullzeye Data Breach Readiness Assessment IIA – Case Study Questions
Your firm has been requested to present its assessment findings and recommendations at an upcoming meeting attended by key executives in preparation for the next scheduled Board of Directors meeting. Please respond to the following information requests and questions in your presentation remarks.

IT Control Environment – Highlight the most significant IT control deficiencies that you noted from your discussions with the key leaders. Describe the associated risk implication for each deficiency.

IT Control Environment – What best-practice control techniques would you recommend to correct the control deficiencies identified?

IT Control Environment – Are there any established or planned IT controls that appear to be well designed?

Data Breach Prevention – What technology options being considered by other retailers to reduce the likelihood of credit card information being stolen should Bullzeye consider implementing?

Data Breach Response – What protocols should Bullzeye implement in order to enhance its response in the event of a data breach? Be sure to consider the lessons learned from data breaches at the national retailers regarding the effectiveness of their response plans.

Capital Project – Identify the key financial (e.g., budgeting, cost capitalization) and operational (e.g., system development life cycle) project risks and recommend how these risks should be addressed. Be sure to reference applicable accounting standards and relevant project governance best practices.

Capital Project – What key activities should the Internal Audit department include in its annual Audit Plan in regard to the IT Security project? What factors should the CAE consider in determining what resources (internal or external) to assign to this audit project?

Insurance – What factors should the CFO consider in conjunction with investigating the purchase of cybersecurity insurance?