Cloud Computing Is An Altering Technology Essay
Executive Summary Cloud computing is a transformative technology that is enjoying increasing rates of adoption. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources, including networks, servers, storage, applications, and services, that can be rapidly provisioned and released with minimal management effort or service provider interaction. The use of cloud services has proven effective across a diverse set of industries, reducing the costs associated with computing while increasing the flexibility and scalability of computing processes. For instance, cloud computing services such as Amazon's can be used by all business types and are especially well suited to smaller businesses and businesses that are just starting. This report is a recommendation for moving all of our company's data center functions onto the cloud. It outlines the supporting details that determine how our company could reap the most benefits by adopting cloud services from any of the high-quality cloud service providers available in the market today, such as Amazon, Microsoft, Rackspace, and Verizon Terremark. The benefits of adopting cloud computing services are substantial, including reduced infrastructure costs and increased scalability, availability, capacity, speed, backup, and mobility. However, these benefits are not free from possible pitfalls. So, to maximize the benefits and minimize the risks associated with the move to the cloud, it is
TJX Security Breach Essay
The TJX Companies breach has been labeled the largest data breach in history and the ultimate wake-up call for corporations (Dash, 2007). TJX is the parent company of chains such as TJ Maxx, Marshalls, HomeGoods, and a host of retail stores across the US and Canada. In January 2007, it was discovered that hackers had stolen as many as 200 million customer records due to a failed security system at TJX, which resulted in $4.8 billion worth of damages (Swann, 2007). It is said that the breach occurred because they did not have any security measures in place to protect consumers' data, such as their debit cards, credit cards, checking account information, and driver's license numbers. Reports identified three major ...
In fact, researchers at Darmstadt Technical University in Germany have demonstrated that a WEP key can be broken in less than a minute (Berg, Freeman, & Schneider, 2008). More important, WEP does not satisfy industry standards, which require the use of the much stronger WPA (Wi-Fi Protected Access) protocol (Berg, Freeman, & Schneider, 2008). First, the attackers broke into the store's network and stole employees' usernames and passwords, with which they gained access to the TJX main database at the corporate headquarters and used those credentials to create their own accounts within the employee database. Once they had gained entry into the corporate network, they were able to breach security and gather credit card numbers and any customer information they wanted. The consumer information was compromised for approximately 18 before TJX became aware of what had been happening. The TJX data storage practices also appear to have violated industry standards. Reports indicate that the company was storing the full-track contents scanned from each customer's card (Swann, 2007). Additionally, customer records seem to have contained the card-validation code (CVC) number and the personal identification numbers (PINs) associated with the customer cards. PCI Data Security Standard 3.2 clearly states that after payment authorization is received, a merchant is not to store sensitive data such as the CVC, PIN, or full-track information (Berg, Freeman, & Schneider,
Case Study Of Bharti Airtel
Chapter – 1
COMPANY PROFILE
Bharti Airtel, incorporated on July 7, 1995, is the flagship company of Bharti Enterprises. The Bharti group has a diverse business portfolio and has created global brands in the telecommunication sector. Bharti Airtel is Asia's leading integrated telecom services provider with operations in India and Sri Lanka. Bharti Airtel has been at the forefront of the telecom revolution and has transformed the sector with its world-class services built on leading-edge technologies.
Bharti Airtel is India's largest integrated and the first private telecom service provider with a footprint in all the 23 telecom circles. Bharti Airtel since its inception has been at the forefront of technology and has steered the course of the ...
Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may supplement (but not replace) anti-virus software.
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). For systems not commonly affected by malicious software, perform periodic evaluations to evaluate evolving malware threats and confirm whether such systems continue to not require anti-virus software.
5.2 Ensure that all anti-virus mechanisms are kept current, perform periodic scans, and generate audit logs, which are retained per PCI DSS Requirement 10.7.
5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
5.4 Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
Requirement 6: Develop and maintain secure systems and
Data Security Policy For Ecommerce Payment Card Applications
Data Security Policy for Ecommerce Payment Card Applications
This document describes the IT Security and IT Services policies and practices for managing IT Services' platform for University-hosted ecommerce, particularly payment card transactions, and the data associated with ecommerce. This policy is intended to comply with the requirements of the Payment Card Industry Data Security Standard ("PCI DSS"). The PCI DSS is incorporated by reference in this document; however, IT Security will be the sole determinant of how PCI DSS requirements are applied within IT Services' operations. This document will be reviewed annually and updated as appropriate to maintain compliance with the PCI DSS.
For the purposes of this document, the ecommerce infrastructure consists of the computing resources (i.e., servers, storage, network and storage switches, firewalls, the physical racks containing these, and related software) that process, transmit, or store payment card data, or that can directly access such resources. Servers that are part of the ecommerce infrastructure, and any systems that can otherwise directly access computing resources that contain payment cardholder data, must be registered as managed machines.
ROLES AND RESPONSIBILITIES
University personnel who access data resources that transmit, process, or store payment card data are responsible for applying this and related policies. In the case of administrators who require such access
Standards rely heavily on the network effect, which is the...
Standards rely heavily on the network effect, which is the idea that the effectiveness of a standard is
based on the number of people who use it. As a result, standards that are complicated to implement,
especially ones dealing with technology, are heavily dependent on incentives in order to get a
sufficient amount of people to use it. Looking at PICS and PCI DSS, two Internet standards, where
one succeeded and the other failed, we can see what makes standards effective online.
Platform for Internet Control Selection (PICS) was an Internet standard formed by W3C in 1996 to allow parents to filter content, primarily nudity. It was completely voluntary and up to the website owners themselves to label their own sites. This is because the ...
Payment card industries must follow step–by–step instructions in order to have transactions
accepted. So why do these demanding standards work?
As Larry Lessig mentions in Code is Law, there are four areas that influence policy: law, economy,
architecture, and social norms. Working on a sole standard together for security benefits everyone
and is thus economical because the cost of losing customer data is enormous. On the other hand,
competition for filtering software can at worst lead some to filter less porn than others. After the
Communications Decency Act, which tried to limit obscenity and indecency on the web, was ruled
unconstitutional, it removed all legal ramifications for not using PICS software. There is no reason
to limit information. On the flip side ignoring PCI could land a company in court for negligence. A
strong and commonly used standard works well as a legal benchmark for liability in protecting data.
The burden on the user also differs. Individuals are not expected to make sure their cards are PCI
certified; the vetting process is done at a higher level and simply offers the user a binary choice of
using a protected card or not. PICS not only requires owners to rate their sites, but also requires each
user to choose what they find acceptable or not, placing much more burden on the individual.
Based on comparing where PCI succeeded and PICS failed, it appears that the core motivator is the
law. The consequences of disobeying PCI
A Plan For Physical And Digital Security Protocols
7. PCI DSS Validation
The Payment Card Industry Data Security Standard applies to companies that use, store and transmit protected financial information. Companies bear responsibility for compliance, but many of the company's payment processors offer compliance tools for the businesses they serve. It's essential that companies implement PCI standards. Developing a plan for physical and digital security protocols is essential if companies want to avoid fines, penalties, customer lawsuits and even cancellation of their payment processing privileges due to security breaches caused by noncompliance.
8. PCI Compliance Guide
The compliance required for B2B companies includes implementing training programs for employees to educate them about security risks. B2B companies can develop stricter digital and physical safeguards that fall outside of the practices that credit card companies recommend, because developers can build and integrate various compliance tools into the eCommerce platform to fulfill baseline requirements or higher standards. The PCI DSS website explains the requirements for getting PCI-certified, which is an essential starting point for defining what's needed on the platform and for in-house training and security practices.
9. Automated Auditing
An automated auditing tool for B2B eCommerce platforms offers many advantages, but each
eCommerce operation is different and requires custom integrations and features to enable auditing
applications to manage and audit the
Essay about PCI Compliance
What is PCI Compliance?
PCI Compliance is maintaining adherence to the PCI DSS standard that was developed by major
credit card companies as a "guideline to help prevent credit card fraud" ("PCI DSS"). Credit card
fraud has taken the spotlight in the past several years due to the massive growth of e–commerce and
online transaction processing. With the proliferation of e–businesses, it has become easier than ever
to commit fraud over the internet.
Major credit card issuers such as MasterCard, Visa, American Express, Discover, and JCB International joined together to create a standard known as PCI DSS, or Payment Card Industry Data Security Standard. In order to process credit card payments, merchants and vendors are required to be ...
In September of 2006 the PCI Data Security Standard was updated to version 1.1, which is currently in use today. The PCI Security Council works to promote the broad industry adoption of this standard, and also generates tools to assist companies in complying with these standards. Some of the tools are guidelines, scanning requirements, and even a self-assessment questionnaire.
Before the PCI Security Council and Data Security Standard existed, each of the five credit card
issuers had their own internal extensive compliance policies. But vendors or merchants who wanted
to process more than one type of credit card would have to comply with requirements defined by
each card issuer. By coming together under the umbrella of the PCI Security Council these major
brands were able to codify their corporate standards into a public standard, and place pressure on
organizations that process credit transactions to protect cardholder data against fraud and theft.
The founding organizations not only developed this standard, but also incorporated these standards
into their own data security compliance programs. All five organizations share equally in governing
the council; have equal input regarding issues; and all the organizations share responsibility for
maintaining the PCI Data Security Standard.
Case Study: TJX Companies
In March of 2007, just last year, TJX Companies, owner of TJ Maxx and Marshall's revealed the
extent of damage of a number of
Case Study: Southern New Hampshire University
TJX Group Case Study
Team 3
Southern New Hampshire University
Introduction
According to a recent Travelers survey, identity theft, cyber security, and personal privacy rank as the top concerns for most Americans. Forty percent of individuals who participated in the survey believe they were a victim of one of these heinous crimes (Survey: Cyber Risk, 2015). Companies are focusing attention on this topic and investing vast resources in combating these crimes. Questions arise regarding TJX's role and responsibility to apprise stakeholders of a data breach. In 2008, TJX found itself in the unenviable position of needing to address these questions and concerns. This paper explores TJX's response to compliance problems, its utilization of strategy, the influence its response and decision-making have on the stakeholders and corporate brand, and the possible effects on TJX.
Compliance Issues & Strategic Response
Identity theft is, unfortunately, commonplace in today's world. Technology is ever advancing and evolving, making today's purchases obsolete. The obsolescence of technology plagued TJX. The company was attempting to get by under the radar with its enterprise security systems. "Because of the lax security systems at TJX, the hackers had an open doorway to the company's entire computer system" (Weiss, 2014). TJX was cognizant of the breach and withheld information from stakeholders of the business. "Once a breach is discovered, notification to consumers is paramount."
Case Study Of PCI DSS Compliance
PCI DSS Compliance and How to Become PCI DSS Compliant.
What is PCI Compliance?
PCI compliance is officially known as Payment Card Industry Data Security Standard (PCI DSS) compliance. It's a proprietary information security standard for all organizations that store, process or transmit branded credit cards from the major card schemes, including Visa, MasterCard, American Express and Discover.
It's a universal security standard that was first set up in December 2004, when the credit card companies came together to form the Payment Card Industry Security Standards Council (PCI SSC), the organization behind PCI DSS. The most current PCI DSS (version 3.2) came out in April 2016. Before the formal security standard was established, the different credit card companies had their own set of rules and ...
An Approved Scanning Vendor (ASV) is an organization with a set of security services and tools (ASV scan solutions) that conducts external vulnerability scanning services to validate compliance with the external scanning requirements.
As for whether you need it, it depends.
If you're applying for SAQ A-EP, you need it: it's one of the questions in the form. For SAQ/AOC A, it doesn't necessarily mean that you need to be performing scans by approved ASVs. So, from the point of view of SAQ/AOC A, an ASV scan is not needed. At the same time, some acquirers (payment providers) have it as one of the requirements to use their services. Again, it's important to check with your providers directly even if you are applying for SAQ A. The scanning vendor's ASV scan solution is tested and approved by PCI SSC before an ASV is added to the list.
Compliance Process Summary
1. Determine your compliance level with your bank and the different credit card companies. Remember, each has its own slightly different rules.
2. Complete the relevant Self-Assessment Questionnaire according to its instructions.
3. Complete the relevant Attestation of Compliance form (contained in your SAQ
Federal Cloud Compliance Program (FedRAMP)
A. INTRODUCTION
Federal organizations are moving their services to the cloud to minimize their software and infrastructure footprint and to save money, time, and resources. As cloud service providers (CSPs) are becoming prevalent, we must analyze the security of these services to ensure compliance with the standards and laws that protect customers, citizens, and information. Therefore, this paper analyzes a new federal cloud compliance program called the Federal Risk and Authorization Management Program (FedRAMP). This paper also establishes that FedRAMP can indirectly aid federal government organizations in being compliant with the following laws: the Health Insurance Portability and Accountability Act of 1996 (HIPAA); the Family Educational Rights and Privacy Act (FERPA); the International Traffic in Arms Regulations (ITAR); and the Payment Card Industry Data Security Standard (PCI DSS). This paper will briefly explain these four laws and the cloud computing discussions regarding them. This paper will also explain FedRAMP and the way it can help federal organizations to be compliant with these laws.
B. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
HIPAA was originally established in 1996 to mandate the Department of Health and Human
Services (HHS) to establish national standards for the transfer of electronic medical records with the
intent to facilitate transferring of medical records; it applies to health plans, health care
clearinghouses, and health
Company And Preliminary Accounting Analysis
Industry, Company and Preliminary Accounting Analysis
Industry Analysis
To start the analysis of the industry, the industry that Blackmores belongs to should first be identified. Since Blackmores identifies itself as a natural health company, the industry that Blackmores is involved in is the health care sector. Based on the Global Industry Classification Standard (GICS), the health care sector can be broken into two broad industries: one is health care equipment and services, and the other is pharmaceuticals, biotechnology and life sciences. Blackmores would be classified in the pharmaceuticals, biotechnology and life sciences industry, which is called the biotech & pharma industry.
In the biotech & pharma industry, companies usually produce three types of products: prescription therapeutics and prophylactics (medicines that treat or cure medical conditions or diseases, and vaccines that prevent diseases), diagnostics (devices and tests used to diagnose disease), and over-the-counter consumer products, such as drugs and vitamins. Moreover, some experts also include medical technology (medtech) manufacturing under the pharma/biotech industry, given sufficient facilities and advanced equipment.
As the biotech & pharma industry is a tech-dominated industry, it focuses on innovation and research on products, but also includes manufacturing and supply. So there are many players involved in this industry. The players can be classified into three main parts:
PCI Compliance Report
As an information security analyst, I have been tasked with identifying the need for compliance with the Payment Card Industry Data Security Standard (PCI DSS). A business accepting any amount of payment from credit cards is required to be in compliance. This report will provide a high-level explanation of PCI compliance, how to move through the process, and the consequences of noncompliance.
The PCI DSS is a set of policies and standards that was developed by major credit-card companies. These companies include Visa, MasterCard, Discover and American Express. These standards are not law, but are required in order to accept payments from clients that are holders of these types of cards. The standards are aimed at providing security to the clients'
A Brief Note On Federal Information Security Management...
Introduction This paper will talk about six Acts/Laws which are intended for the advancement of society and to facilitate work processes, maintain the privacy of each individual citizen of the nation, provide legitimate rights to laborers/workers, protect intellectual property, open doors for financial institutions to grow their business, and maintain information security and integrity.
FISMA
FISMA (Federal Information Security Management Act) appeared when Congress understood the significance of information security and included FISMA as a part of the E-Government Act of 2002.
FISMA requires administrative bodies inside the government to:
Plan for security.
Ensure that the appropriate and responsible officials are assigned the security obligation.
Review security controls at a standard interval.
Manage and approve the system for operation before it is operated, and periodically after deployment.
FISMA is separated into three primary areas:
Annual security reporting requirement (Annual Program Review – CIO).
Independent Evaluation – (IG) and
Corrective action plans for recovery and remediation of security shortcomings.
FISMA requires that organizations submit reports to OMB on the status of their information security program quarterly.
Sarbanes–Oxley Act Sarbanes–Oxley Act applies only to organizations whose stock is traded on public exchanges. Its purpose was to
Regulatory Standards Of The Federal Information Systems...
Within this writing assignment I will discuss the following regulatory requirements, comprising the Federal Information Systems Management Act (FISMA), Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act, Payment Card Industry Standards (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), and Intellectual Property Law. I will also discuss security methods and controls which should be applied to ensure compliance with the standards and regulatory requirements. I will explain the guidelines established by the Department of Health and Human Services, the National Institute of Standards and Technology (NIST), and other agencies for ensuring compliance with these standards and regulatory requirements.
During daily operations, ...
Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources (Staff, 2016). FISMA was amended by the Federal Information Security Modernization Act of 2014. The amendment was established to modernize federal security practices to focus on security concerns. The results of these changes will strengthen continuous monitoring, continue focusing on agency compliance, and report on issues caused by security incidents. FISMA, the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act) clearly highlight the plans for a cost-effective security program. In support of and reinforcing this legislation, the Office of Management and Budget (OMB), through Circular A-130, "Managing Federal Information as a Strategic Resource," requires executive agencies within the federal government to:
Plan for security
Ensure that appropriate officials are assigned security responsibility
Periodically review the security controls in their systems
Authorize system processing prior to
Personal Statement: Welcome To Healthequity
First off, welcome to HealthEquity!! I am so excited to have you on my team! HealthEquity is an amazing company and you are just going to love being here! I am so excited to be your new team leader. We are going to do great things together. I have worked here at HealthEquity for 3 years. I started in Member Education as a homie. In November of 2013 I became an ATL (Assistant Team Leader, now known as SWAT); in January of 2014 I became a Homie Team Leader. I have loved being a Homie Team Leader, but recently I have decided to join our in-office Team Leaders. I am excited for this new journey and excited to get to know all of you. Don't get me wrong, being at home has been so amazing; my kids are now in school full time and I feel being with them
The Federal Trade Commission Act
On November 13, 2015, the Federal Trade Commission's (FTC) Chief Administrative Law Judge (ALJ) held that LabMD did not violate Section 5(a) of the Federal Trade Commission Act (FTC Act) by failing to provide reasonable security for personal information on computer networks. This is the first decision that limits the authority of the FTC to regulate businesses that fail to appropriately safeguard their consumers' electronic personal information.
The FTC first became involved with consumer privacy issues in 1995, when it promoted industry self-regulation. After determining that self-regulation was not effective, the FTC began taking legal action under Section 5 of the FTC Act. Section 5 limits practices considered to be unfair to instances where, among other things, (1) the practice causes or is likely to cause substantial injury to consumers; (2) the substantial injury is not reasonably avoidable by consumers; and (3) the substantial injury is not outweighed by countervailing benefits to consumers or to competition.
Since 2002, the FTC has brought over 50 cases against companies that have engaged in unfair or
deceptive practices that put consumers' personal data at unreasonable risk. Most of these cases
resulted in settlements and did not provide judicial decisions addressing the FTC's authority to
regulate the data security practices of companies which have suffered a data breach.
The first case to test the authority of FTC was FTC v. Wyndham Worldwide Corp. After a data
breach
Security Risks And Vulnerabilities Of Mobile Payment...
Abstract
Mobile payment apps such as Venmo and PayPal are quickly becoming one of the most popular ways for peer-to-peer money transfer, and other apps allow users to make contactless payments at checkout. These apps contain very personal and accessible information, yet there is little to no concern for the security of this valuable information. This paper will assess the current security risks and vulnerabilities of mobile payment applications and what users should be doing to protect themselves. This is important to the cyber security body of knowledge because thieves will use the vulnerabilities of the apps to steal personal information. It then falls to cyber security specialists to protect and educate users to decrease crime.
Introduction
Payment processes have evolved from traditional cash or cards to innovative electronic wallets on smartphones. Consumers are accepting this new form of convenient payment and inputting all of their personal data, including their full name and credit card information, into apps such as Apple Pay, Samsung Pay, PayPal, etc. These apps are available on both the Apple Store and Google Play and have their own way of using various forms of mobile payment. According to forecasted reports, mobile payment volume will bring in $503 million by 2020 compared to the current $75 billion this year (Bakker, 2016). As always, with new technologies come new challenges and risks. Mobile payment apps are not an exception. Due to the
Consumer Harm : High Bar
Consumer Harm: High Bar in FTC Data Security Claims
ALJ On November 13, 2015, A Federal Trade Commission's (FTC) Chief Administrative Law Judge
(ALJ) held that LabMD did not violate Section 5(a)of the Federal Trade Commission Act (FTC Act)
by failing to provide reasonable security for personal information on computer networks. This is the
first decision that limits the authority of FTC to regulate businesses that fail to appropriately
safeguard their consumers' electronic personal information.
The FTC first became involved with consumer privacy issues in 1995, when it promoted industry self-
regulation. After determining that self-regulation was not effective, the FTC began taking legal action
under Section 5 of the FTC Act. Section 5 limits practices considered to be unfair to instances
where, among other things, (1) the practice causes or is likely to cause substantial injury to
consumers; (2) the substantial injury is not reasonably avoidable by consumers; and (3) the
substantial injury is not outweighed by countervailing benefits to consumers or to competition.
Since 2002, the FTC has brought over 50 cases against companies that have engaged in unfair or
deceptive practices that put consumers' personal data at unreasonable risk. Most of these cases
resulted in settlements and therefore did not produce judicial decisions addressing the FTC's authority to
regulate the data security practices of companies that have suffered a data breach.
The first case to test the authority of FTC was FTC
Basic Classic Threats For It Systems And Data
1. What are the four basic classic threats to IT systems and data? Give an example of each.
According to Moeller, IT system threats fall into four main classes.
Interruption: an IT component, typically hardware or software, is corrupted or completely lost. The
main issue behind this kind of threat is the disruption of the service that component provides. An
example is a denial of service against an IT system that overwhelms its network connections.
Interception: this class covers threats involving the theft of, or unauthorized access to, data or a
service. For instance, a program or a user may try to gain illegal access to another system or its data.
One example that particularly applies here is eavesdropping on the communication between systems
to capture data in transit.
Modification: this is arguably the most dangerous class, since a threat in this category not only
tampers with a system but also removes traceability. In other words, this kind of threat alters the
system environment without leaving a trace. Payloads offered by a hacking tool such as Metasploit,
for example a reverse shell, fit this description: a user who obtains a reverse shell on a target machine
can modify environment parameters such as permissions and the process IDs of running programs, as
well as delete log files that may hint at plausible
Business Continuity Planning And Disaster Recovery
Business Continuity Planning and Disaster Recovery: For any organization to survive in the long run,
executives must give priority to the Disaster Recovery (DR) and Business Continuity (BC) plans during
budget allocation, even though they may never see a payback from those investments. Disasters do not
happen daily; they rarely occur. But when one does, and the company has no plan or mechanism to
recover quickly, that company loses its customers to its competitors. A business continuity plan includes
the steps the company must take to minimize service outages. Organizations must have a system in
place to minimize unplanned downtime. After the Y2K crisis, companies made business continuity
planning part of corporate IT planning. In most cases, the ideal solution is
Incident response occurs during the incident, whereas disaster recovery occurs after the incident has
taken place (Whitman & Mattord, 2012). Adequately preparing for disasters helps speed
recovery. For example, fire is a catastrophic disaster, so backups should be kept at an off-site location to
minimize the damage caused to clients, employees, stakeholders and investors. The disaster recovery
plan must be developed and implemented with top-down support across all departments in an
organization, and every department must contribute to it. The IT team
should write the disaster plan because it has deep insight into company-wide business
processes: the IT department is in the unique position of understanding the daily operations of each
department, and it is in constant communication with the leads within each of them. Without
cross-departmental participation it is impossible to put out a proper plan. The disaster plan should
cover as many scenarios as possible, because disasters have many causes. The following are considered
disasters in a typical organization: 1) employee fraud, 2) stolen laptop, 3) fire, 4) terrorist
attack. To face a disaster effectively, the plan should be distributed across the organization
so that everyone knows their role within it. Roles must be revised and plans should be
rehearsed periodically. Network Security
Privacy, Laws, and Security Measures Essay
Today, there are many threats to information systems and to the information about customers and
employees stored on their servers. Organizations face major privacy issues from
hackers, employees, natural disasters, and other threats. Some of these privacy issues pose a risk to
the sporting goods store and justify the concerns of the CEO. There are security risks, and there are
applicable laws which govern the privacy risks. Organizations can implement security measures
that mitigate the risk to private information. Organizations face major privacy
issues when it comes to working with employee and customer information. Customers often buy
items online from stores, and the store gives the option to store payment
Accidental disclosure could be by word of mouth, lost papers, paper thrown away without
being destroyed, or an employee losing a laptop, jump drive, or other mobile media. The sporting goods
store could potentially have privacy risks based on the major privacy issues discussed above. Since
the store accepts credit card sales in the store and over the web via e-commerce transactions, the
store needs to protect credit card information. The internal network is more secure because of the
DMZ, which places at least two firewalls between the internet and the internal network. According
to Easttom (2006), the DMZ is a demilitarized zone that gives an additional layer of protection
between the internet-facing services and the back end of the corporate resources (Easttom, 2006). An
attacker who gets into the DMZ could cause problems with the web server, but by then should be
detected, disconnected, or trapped in the DMZ, preventing the attacker from reaching the
internal network. The email server is used for email communication with business partners and
customers; a man-in-the-middle attack could intercept emails and forward them to their
destination while copying the messages to the attacker. Another risk to privacy is the wireless
network: it needs to be locked down to prevent unauthorized access and use of the wireless link to get
into the internal network. Facebook also leaves the company open to viruses, which can be planted
on the page to infect customers who
Target: The Largest Data Breach/Attack Essay
In December 2013, Target suffered a cyber attack that resulted in a data breach. Target is a widely
known retailer that has millions of consumers flocking to its stores every day. The Target data breach
is now known as the largest data breach/attack, surpassing
the TJX data breach in 2007. "The second-biggest attack struck TJX Companies, the parent
company of TJMaxx and Marshall's, which said in 2007 that about 45 million credit cards and debit
cards had been compromised." (Timberg, Yang, & Tsukayama, 2013) The data breach that occurred at
Target was a strong swift kick to the guts, not only for the retailer/corporation but for employees and
consumers. The December 2013 data breach exposed Target in a way that many
According to Krebs (2014), "credentials were stolen in an email malware attack at Fazio that began
at least two months before thieves started stealing card data from thousands of Target cash registers.
Investigators who examined the malware quickly noticed that it was designed to move data stolen
from Target's (then malware–infected) cash registers to a central collection point on Target's
network, a Windows domain called "TTCOPSCLI3ACS".
Regulatory and Industry Standards
Target, as a whole, is a huge corporation. To stay open and run
properly, Target has to abide by regulatory and industry standards. The two standards that apply to a
financial institution or retailer like Target are the Payment Card
Industry Data Security Standard (PCI DSS) and the Gramm-Leach-Bliley Act (GLBA). PCI DSS is a
global industry standard, while GLBA is a government regulation. Target has to abide by
both.
According to Kim & Solomon (2014), PCI DSS affects any organization that processes or stores
credit card information. PCI DSS is a comprehensive security standard that includes
requirements for security management, policies, procedures, network architecture, software design,
and other critical protective measures. GLBA requires that financial institutions provide their clients
a privacy notice that explains what information the company gathers about the client, where the
information is
The Payment Card Industry For My Organization
I have chosen the payment card industry as the organization to write about, mainly because I work
in the industry and know it fits the criteria for security. So I will get down to naming three major
information security threats to the card services industry. I took my three major information security
threats from PC World (Bradley, 2015). For the payment card industry I have chosen social engineering,
sophisticated DDoS attacks, and the insecurity of things (Bradley, 2015), the last because of the
exposure of ATMs and credit card readers. The first threat is social engineering. The payment card
industry is a prime target for social engineers because they can gain larger profits from the
information. With this information a thief can steal large amounts of money in a short period. The
best defense against social engineering is training. On eSecurity Planet's website, Thor Olavsrud lists
"9 Best Defenses Against Social Engineering Attacks"; the first is education, the best way to
defend against a social engineering attack (Olavsrud, 2016): be aware of how it happens and train
staff to recognize how the social engineer exploits the situation. Jamey Heary, in the article
"Top 5 Social Engineering Exploit Techniques" for PCWorld (Heary, 2016), states that the top 5
techniques are: familiarity exploited (Heary, 2016), where the social engineer gets to know
you so that you are comfortable talking to them about sensitive information; creating a hostile
PCI Compliance Analysis
There are some people who still insist on paying the old-fashioned way, with cash. If you purchase
anything using a credit card, you are most likely aware that thousands of cardholders have had their
data stolen by unethical hackers.
For this reason, there are standards which businesses that offer credit card payment as an option
must follow. Consumers have the assurance that a business is working to protect their valuable
information by adhering to Payment Card Industry (PCI) compliance mandates.
What is PCI Compliance?
All major credit card brands require adherence to the Payment Card Industry Data Security Standard
(PCI DSS). This is a mandated compliance standard established by the Payment Card Industry
Security Standards Council. This standard
A Level 1 PCI compliance rating designates the largest entities, those that process over 6 million Visa or
MasterCard transactions over a twelve-month period. The merchant level, and the steps required for PCI
compliance, drop as the number of transactions becomes smaller.
The lowest level is 4, for e-commerce businesses with fewer than 20,000 online transactions
and other businesses with fewer than a million accepted card payments a year. Small businesses
may be able to satisfy compliance requirements once per year, but most companies benefit from
applying these steps as warranted, as part of an ongoing process.
· Assess the Data System – Businesses need to exercise caution with all credit card data. Nothing can
cost a business more than a breach of consumer financial security. Your business needs
to carry out this step promptly whenever there is any indication of a potential vulnerability.
· Remediation – Your business needs to either employ an IT professional or hire the services of one
to fix any vulnerability uncovered by the assessment step. An excellent preventive measure to help
ensure customer card security is to erase cardholder information unless that data is absolutely needed.
Do not keep consumer cardholder data out of convenience for your business operations; the practice
carries too many consequences if your system is compromised. By implementing a
good PCI-compliant remediation plan, you can remove a great
It Security Compliance Policy Is The Legal Aspects Of The...
Introduction
The purpose of this IT Security Compliance Policy is to recognize the legal aspects of the
information security triad, availability, integrity, and confidentiality, as it applies to the Department
of State at U.S. diplomatic embassies across the globe. This document also covers the concept of
privacy and its legal protections for privately owned information held by the U.S. government, and
government employees' use of network resources. A detailed risk analysis and response procedures
may also be found at the end of this policy.
LAW Overview
The following is a brief overview of compliance with each law related and in use by our
organization.
"The Gramm-Leach-Bliley Act (GLBA) requires financial institutions – companies that offer
"The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to
ensure that ALL companies that process, store or transmit credit card information maintain a secure
environment. Essentially any merchant that has a Merchant ID (MID)." (PCI Compliance Guide).
We have three steps for compliance with PCI standards. Step 1 "ASSESS": the purpose of the
assessment step is to study all possible process and technology vulnerabilities that may pose a threat
to consumer credit card data processed by our company. Step 2 "REMEDIATE": remediation is how
we begin fixing vulnerabilities. These include technology flaws, such as outdated
software or hardware that is easily bypassed by an exploit, and unsafe practices performed by the
organization that potentially expose card data to someone other than the cardholder.
Some steps we use in the remediation process are:
Run network port and vulnerability scanners.
Complete self-evaluation questionnaires and network scenario questionnaires.
Sort and prioritize any vulnerability found in tests and assessments.
Apply fixes, patches, updates, and possible workarounds for the vulnerabilities recognized.
Rescan everything to ensure the vulnerabilities have been mitigated.
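The prioritize, fix and rescan steps above are easy to state and easy to get wrong in practice: findings on cardholder-data hosts get lost among low-severity noise, and a rescan that still fails is mistaken for a pass. The following is an added example, not part of this policy or of any scanner's tooling, that tracks findings across a pre-remediation scan and a rescan. The two scan exports, the host names and the field names (host, port, check, cvss, in_cde) are constructed assumptions standing in for a normalised scanner export.

```python
"""Prioritise scan findings and confirm they were fixed by rescanning.

Added example, not part of the original policy. It implements the last three
remediation steps above: sort and prioritise findings, apply fixes, rescan and
verify. The two scan exports below are constructed inline; the field names and
the host names are assumptions, not real scanner output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check: str     # scanner check name, e.g. a plugin or CVE id
    cvss: float    # CVSS base score, 0.0 to 10.0
    in_cde: bool   # host is part of the cardholder data environment

    def key(self):
        # Identity of a finding across scans: same host, port and check.
        return (self.host, self.port, self.check)


def severity(cvss):
    """Bucket a CVSS score. PCI DSS ASV scans fail on anything >= 4.0."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def prioritize(findings):
    """CDE hosts first, then highest CVSS first; host/port keep the order stable."""
    return sorted(findings, key=lambda f: (not f.in_cde, -f.cvss, f.host, f.port))


def remediation_status(before, after):
    """Compare two scans and return (fixed, still_open, new) as sets of keys."""
    before_keys = {f.key() for f in before}
    after_keys = {f.key() for f in after}
    return (before_keys - after_keys,
            before_keys & after_keys,
            after_keys - before_keys)


def passes_asv(findings):
    """A scan passes when no finding scores 4.0 or higher."""
    return all(f.cvss < 4.0 for f in findings)


# Constructed scan exports (not real data): before and after remediation.
BEFORE_SCAN = [
    Finding("pos-01.cde.example", 443, "sslv3-enabled", 4.3, True),
    Finding("pos-01.cde.example", 445, "smb-signing-not-required", 5.3, True),
    Finding("db-01.cde.example", 1433, "default-sa-password", 9.8, True),
    Finding("www-01.dmz.example", 80, "outdated-web-server", 7.5, False),
    Finding("print-01.corp.example", 161, "snmp-public-community", 5.0, False),
]
AFTER_SCAN = [
    Finding("pos-01.cde.example", 445, "smb-signing-not-required", 5.3, True),
    Finding("www-01.dmz.example", 80, "outdated-web-server", 7.5, False),
    Finding("print-01.corp.example", 161, "snmp-public-community", 5.0, False),
    Finding("db-01.cde.example", 1433, "sql-server-version-disclosure", 2.6, True),
]


def report(before, after):
    """Human-readable remediation report; returns the lines so callers can check them."""
    fixed, still_open, new = remediation_status(before, after)
    lines = ["Work order (highest priority first):"]
    for f in prioritize(before):
        cde = " (CDE)" if f.in_cde else ""
        lines.append(f"  [{severity(f.cvss):8}] {f.host}:{f.port} {f.check}{cde}")
    lines.append(f"Fixed: {len(fixed)}  Still open: {len(still_open)}  New: {len(new)}")
    lines.append("Rescan result: " + ("PASS" if passes_asv(after) else "FAIL - fix and rescan"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(BEFORE_SCAN, AFTER_SCAN)))
```

Two design points: a finding's identity is (host, port, check), not the whole record, so a rescored finding is still recognised as the same open item; and the pass/fail verdict is computed from the rescan alone, so a rescan that still carries a medium or higher finding cannot be reported as mitigated just because other items were fixed.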
"The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy
of student education records. The law
Essay on Security Regulation Compliance
ORGANIZATIONAL CHANGE: PEOPLE CHANGE
Percy A. Grisby II
Computer Ethics
March 13, 2015
Professor Sonya M. Dennis
1. Overview
Below we discuss six Acts/laws which are meant to better society and
facilitate workflow, maintain the privacy of every individual citizen of the country, provide legal
rights to workers and to owners of intellectual property, give financial institutions opportunities
to expand their business, and maintain data security and integrity.
1.1 FISMA [1]
FISMA (Federal Information Security Management Act) came into existence when Congress
realized the importance of information security and included FISMA as part of the E-Government
Act of 2002.
FISMA requires regulatory
It is also known as the Financial Modernization Act of 1999. This act allowed banks to engage in a
wide array of financial services, such as merging with stock brokerage and insurance companies, which
also gave them the means to possess a large amount of public and private client information. The
information is usually considered private and the risk of misuse is high, therefore Title V of the GLBA
specifically addresses protecting both the privacy and security of that information.
1.4 PCI DSS
The Payment Card Industry Data Security Standard must be followed by any merchant who handles
payment card details. The merchant must comply with the PCI DSS rules in order to be approved
and to continue to accept online card payments. Failure to do so places the merchant at risk of
having its ability to take card payments revoked and will also be regarded as a disciplinary offense.
Noncompliance is not an option!
The Payment Card Industry Security Standards Council (PCI SSC) releases the documents stating
the standards to be maintained by merchants and issuing bodies.
The basic requirements for complying with PCI DSS are:
1) Build and maintain a secure network.
2) Protect the private data of the cardholder.
3) Maintain a vulnerability management program.
4) Implement strong access control measures.
5) Regularly monitor and test networks.
6) Maintain an information security policy.
1.5 HIPAA
The HIPAA act of 1996 is imposed on all
Dell Level 5/Level 4 Manufacturing
Dell Inc.: Case questions
In Level 5 manufacturing, the motherboard is not installed into the chassis before shipment
to the US. This means that L5 carries a longer list of costs:
(1) motherboard packaging cost, to protect the motherboard from damage
(2) air-freight cost, a separate transportation cost
(3) US transportation cost, the cost of moving the motherboard within the U.S. to the SLC
and to the 3rd-party integrator
(4) inventory holding cost at the SLC
(5) local integration cost, to integrate the two separate components.
After integration, the chassis with the motherboard installed must go back to the
3rd party. Since the 3rd party does not have effective equipment to perform tests, the
This shows that the members were not totally objective. The arguments above show that the
scoring process can be subjective or biased. In addition, no weights were assigned to differentiate
more critical processes from others, so all departments had equal weight.
In conclusion, it would be better to implement another decision-making model that would give a
clearer solution.
The relationship is a shallow one, deliberately not very deep, so that it remains
manageable and sustainable; investing too deeply in a relationship results in high cost and
energy. The limited production capacity allows the supplier to dedicate its production to chipsets, which
provide a higher margin for Dell and Intel (the chipset supplier).
Dell uses a push-pull strategy. It assembles computers from components only after a customer order.
Dell's model is called the Direct model: suppliers deliver to Dell and Dell deals directly
with the customer, without distributors or retailers. The customer is at the beginning
(specific order) and at the end of the process. Suppliers are situated very close to the plant, which
makes coordination easy. There are few suppliers, and shipping directly
to customers saves money. Besides order-specific components, Dell also uses some components across
all orders; each order includes a motherboard, for example.
This strategy has great benefits.
Role Of Auditing And Regulatory Compliance
ROLE OF AUDITING IN REGULATORY COMPLIANCE BY: SHEFALI VERMA (A–20325809)
ILLINOIS INSTITUTE OF TECHNOLOGY, CHICAGO
ABSTRACT
Risk, compliance and governance activities are by nature interconnected and rely on common sets of
information, processes, technology and methodology. The traditional approach to governance, risk
and compliance relies on working in silos and using separate point solutions to address each
assurance group's requirements. This creates a fragmented approach
This research paper focuses on how IT audits are done and how they can help in assisting an
organization in its regulatory compliance effort by identifying information security weaknesses prior
to an external audit. The key players and their roles are defined, as well as organizational, results–
based, point–in–time systems and extended–period audits. This leads to a natural question. In this
new world of connected GRC, what is the role of internal audit compared to compliance? Where do
these roles remain separate and where do they share responsibilities? How can these professionals
work together to drive business value?
This paper can help in understanding how the board, management, and internal audit each have a
significant role in ensuring information security is effective. Internal auditing can
also help prepare the organization for an external regulatory audit (SOX or HIPAA, for example) by
evaluating management's efforts and providing recommendations for improvement prior to the
external audit. IT security audits thus contribute to an organization's
regulatory compliance efforts by confirming to senior management and
Home Depot Case Study
Cybersecurity overview of Home Depot (background summary)
Home Depot is a major retailer of household hardware and building materials that was started in 1978 by
Bernie Marcus and Arthur Blank with the first two Home Depot stores in Atlanta (Weinberger &
Miller, 2002). Home Depot has grown to more than 2,200 stores in three countries, with a large
network of stores across the US, Mexico, and Canada (Weinberger & LaPadula, 2001). With its
network of stores in three countries, it has a Wide Area Network (WAN) and Local Area Networks
(LAN) that transfer files and information from one store to another through different servers
over cable and wireless connections (Manning, 2009).
It also does business online, allowing customers to shop with either a Home Depot credit
card or any regular credit card, which relies on Amazon Web Services (AWS) and Identity and Access
Management (IAM) (Stewart, Chapple & Gibson, 2015). The company has a large
database of customers and customers' personal information that needs to be protected to prevent any
security breach that would compromise that information (Weinberger & Miller, 2002).
Therefore, it is essential to implement enterprise cybersecurity at Home Depot to secure the
organization's sensitive information and prevent any malicious attack that would compromise
enterprise data and client information (Stewart et al., 2015). When cybersecurity is not taken
seriously, there is always a
TJX the largest-ever consumer data breach Essay
TJX– SECURITY BREACH MGSC 6201–02
INDUSTRY/COMPANY CONTEXT:
TJX Companies, based in Framingham, MA, was a major participant in the discount fashion and
retail industry. The TJX brand had a presence in the United States as well as in Canada and Europe. The
intrusions into TJX's credit card system began in mid-2005 and were discovered in December 2006.
These breaches were first traced to a Marshalls located in St. Paul, MN, where the
hackers used a "war driving" tactic to steal customer credit card information. This incident
resulted in over 46 million debit and credit card numbers being compromised and was, at the time,
considered to be the largest security breach in US history. The security breach at TJX resulted in major
members
Also, in 2007 it was revealed that TJX stored both credit card numbers and expiration date
information together in its system.
ISSUES
Non–Compliance: WPA was required by PCI DSS, storing credit card numbers and expiration date
information violated standards as well
Reporting: Never acknowledged any of this in financial statements/reports
RESPONSE
CIO decided to run risk of being compromised by sticking with outdated technology (WEP)
LIABILITY/RESPONSIBILITY: One of the key issues is who should be held liable for the
breaches? With so many parties involved in the credit card payment process, it's difficult to define a
certain group solely responsible.
ISSUE
Lack of Legal Standards: no existing laws stating who should bear burden
RESPONSE
Issues were to be handled legislatively, but process is long and drawn out
Technology evolving faster than legislation
INCENTIVES/CONSUMER BEHAVIOR: Consumers were seemingly unaware of how, or whether, the
retailer protected their data.
ISSUE
Lack of awareness: difficult for stores to charge higher prices in order to provide better security
(customers showed no change in preferences)
SOLUTION
This played a role in TJX opting not to abide by certain PCI DSS standards, as sales continued to grow
despite these breaches.
Looking at recommendations I would make, it's important that management first recognize the
function of cybersecurity in their overall business structure. They must maintain ongoing
interactions
Regulations And Standards Of The Sarbanes Oxley Act
Applicable Regulations and Standards
Financial institutions like Bank Solutions Inc. are required to meet the standards set by the
government to avoid mismanagement of sensitive information. These regulations are
intended to mandate that financial institutions protect the confidentiality, availability and integrity of
individuals' information, information systems and processes. Some of the applicable regulations and
standards are elaborated below:
1. The Sarbanes-Oxley Act
"The Sarbanes-Oxley Act of 2002 is legislation passed by the U.S. Congress to protect shareholders
and the general public from accounting errors and fraudulent practices in the enterprise, as well as
improve the accuracy of corporate disclosures" (Rouse, n.d.). This act was implemented by the
government to prevent the financial scandals that arose from improper storage of business
records, including electronic records and electronic messages. The act requires financial institutions
to retain audit trails, log files and other financial documentation, whether paper or electronic,
for five years. It is very important for the IT department of any organization to securely store data for
audit purposes, to avoid heavy penalties and even imprisonment. Backup is also an important aspect, as
the act requires financial institutions to have data available for the past five years.
2. The Gramm-Leach-Bliley Act
"The Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act
(GLBA), protects the
Health Information Compliance Report
Today, the Health Information Technology for Economic and Clinical Health Act's (HITECH's) main
focus is to move healthcare records from paper to a digital format known as Electronic
Health Records (EHR). Because of the sensitivity of this data and the possibility of hackers
and breaches, the Health Insurance Portability and Accountability Act (HIPAA), alongside
HITECH, recommends that health care entities employ multiple approved governing standards to help
the facility remain compliant with current local and federal regulations for the safety and privacy
of that data (Oracle.com, 2011). These regulations govern both the local and federal
hardware/software vendors and users, now known as business associates under the Mega
Software/hardware vendors must provide covered entities with audit reports unique to each
provider. Vendors are required to present proof of their HIPAA compliance in the form of
a Statement on Standards for Attestation Engagements No. 16 (SSAE 16), which replaced SAS 70
(Barrett, Lucero, and Williams, 2013). Three Service Organization Control (SOC) reports must accompany
a business associate seeking to provide its services to a covered entity, along with a contract that
includes effective dates for the return, termination, and/or destruction of all data, if deemed
necessary. The three reports are: (1) SOC 1, on controls relevant to financial reporting, (2) SOC 2,
on the technical controls in place (detailing those controls), and (3) SOC 3, a general-use auditor's
opinion, which adds strength to the business associate's reputation for remaining compliant
with all HIPAA guidelines and standards (Barrett, Lucero, and Williams, 2013). Lastly, business
associates that handle payment cards must comply with the Payment Card Industry Data Security
Standard (PCI DSS), which is demonstrated by undergoing a PCI audit. It is the
covered entity's responsibility to determine the compliance of the business associate. As for the
contract, if the business associate does not provide such a document the covered entity can consider
the business associate in HIPAA violation
Evaluation Of A New Business Manager
If you're a new business owner and have just begun accepting credit cards for payments, you don't
want to be caught unaware of the regulations involved in handling sensitive personal data. The
consequences of improper procedures can be penalties, fees and even termination of your card
processing account. Read on to learn about PCI regulations and what you need to do to remain
compliant.
What is PCI?
PCI stands for Payment Card Industry. When referring to the subject of PCI compliance, you are
actually talking about a set of industry standards known as PCI DSS, where the "DSS" stands for
Data Security Standard. These standards were designed to ensure that businesses handle credit card
information in a secure manner.
The first version of the Data Security Standard was released in December 2004 to combat the increasing
rate at which cardholder information was being stolen online. In 2006 the card brands formed the
Payment Card Industry Security Standards Council (PCI SSC), which has owned and maintained the
PCI DSS since. The council focuses on improving the security of card transactions as technology and
market trends change the security concerns in the industry.
The PCI SSC was created by the major card brands, including MasterCard, Visa, American
Express and Discover; however, the council is not responsible for enforcing PCI compliance. It is the
payment brands that actually enforce the standards.
Who needs to comply with PCI security standards?
In short, any organization or business that
Essay on Components of PCI Standards
I. Components of PCI standards
PCI Data Security Standard (PCI DSS)
(PCI DSS) is the base standard for merchants and card processors. It addresses security technology
controls and processes for protecting cardholder data. Attaining compliance with PCI DSS can be
tough, and can drastically impact your organization's business processes, service, and technology
architecture (Microsoft, 2009). PCI DSS version 1.2 is the most recent version of the standard, and
takes the place of all previous versions of PCI DSS. The DSS standard is structured into the group
of six principles and 12 requirements.
Payment Application Data Security Standard (PA DSS) (PA DSS) is the baseline for the software
developers who commercially develop software for ... Show more content on Helpwriting.net ...
I. Build and maintain a secure network
Requirement 1: Install and maintain a firewall to protect cardholder data
A firewall controls the traffic between the internal network and external, untrusted networks. All
systems must be protected from unauthorized access originating from untrusted networks.
Requirement 2: Do not use default security configurations such as default logins and passwords
Default settings and configurations are the easiest way into any network, because they are well
known in hacker communities.
II. Protect cardholder data
Requirement 1: Protect stored cardholder data
Encryption, masking and hashing are the critical aspects of data security: encrypted information
cannot readily be read without the cryptographic keys. Time-based storage and disposal policies also
play an important role. Store the minimum amount of cardholder data; for example, there is no need
to store the card verification code, PIN or expiration date.
Requirement 2: Encrypt transmission of cardholder data across public networks
Always encrypt sensitive information before sending it over a public network. Secure Sockets Layer
(SSL) is an industry-wide protocol for secure communication between client and server.
Organizations should avoid using instant messaging applications to transmit sensitive data.
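The two requirements above (protect stored cardholder data; minimise what is kept) can be enforced and audited in code. The following Python is an added example, not part of the essay: it reduces a post-authorization record to the fields the essay allows (a masked and a hashed PAN; no verification code, PIN, expiration date or track data) and scans free text such as a log line for cardholder data that should never have been written there. The record layout, the HMAC key and the sample values are constructed for the example, and the keyed hash (HMAC-SHA256) is this example's choice of "hashing", which the essay does not specify.

```python
"""Added example, not from the essay: enforce the 'protect stored cardholder
data' rule in code and scan free text for cardholder data that should not
have been written there. The record layout, key and sample values are
constructed for the example."""
import hmac
import hashlib
import re

# Sensitive authentication data: never kept after authorization. The essay
# also lists the expiration date as unnecessary to store, so it is dropped too.
NEVER_STORE = ("cvc", "pin", "track1", "track2", "expiry")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test that card numbers (PANs) satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masking: show at most the first six and last four digits."""
    if len(pan) < 13 or len(pan) > 19:
        raise ValueError("not a plausible PAN length")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_lookup_hash(pan: str, key: bytes) -> str:
    """Hashing: keyed HMAC-SHA256 of the PAN so the same card can be matched
    across transactions. The key is this example's safeguard: an unkeyed hash
    of a 16-digit number is cheap to brute-force, so the key must live outside
    the database that holds the hashes."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(auth_record: dict, hash_key: bytes) -> dict:
    """Reduce an authorized transaction record to the fields that may be stored."""
    pan = auth_record["pan"]
    if not pan.isdigit() or not luhn_ok(pan):
        raise ValueError("PAN failed validation")
    stored = {
        "masked_pan": mask_pan(pan),
        "pan_hash": pan_lookup_hash(pan, hash_key),
        "auth_code": auth_record.get("auth_code"),
        "amount": auth_record.get("amount"),
    }
    # Belt and braces: the allow-list above must never include a forbidden field.
    leaked = [f for f in NEVER_STORE if f in stored]
    if leaked:
        raise RuntimeError(f"forbidden fields in stored record: {leaked}")
    return stored


# Detection side: patterns that betray cardholder data in logs, dumps or files.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")  # %B<PAN>^<NAME>^<YYMM>
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d*\?")  # ;<PAN>=<YYMM>...?


def find_cardholder_data(text: str) -> list:
    """Return (kind, detail) findings for PANs and full track data in text.
    Candidate digit runs are confirmed with Luhn to cut false positives such
    as timestamps or order numbers; PANs are reported masked, never in clear."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("pan", mask_pan(digits)))
    if TRACK1_RE.search(text):
        findings.append(("track1", "full track 1 data present"))
    if TRACK2_RE.search(text):
        findings.append(("track2", "full track 2 data present"))
    return findings


if __name__ == "__main__":
    key = b"example-only-key-real-keys-belong-in-a-kms-or-hsm"
    # Constructed authorization record; 4111111111111111 is a standard test PAN.
    auth = {"pan": "4111111111111111", "expiry": "2512", "cvc": "123",
            "pin": "1234", "track2": ";4111111111111111=2512101?",
            "auth_code": "A1B2C3", "amount": "19.99"}
    print(sanitize_for_storage(auth, key))
    # Constructed log lines: the second one should never have been written.
    for line in ("INFO auth ok masked=411111******1111 amount=19.99",
                 "DEBUG raw request pan=4111 1111 1111 1111 cvc=123"):
        print(line, "->", find_cardholder_data(line))
```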
III. Maintain a vulnerability management program
Requirement 1: Use up–to–date
... Get more on HelpWriting.net ...
Lakewood Case Summary
Lakewood's security requirement: Comply with all applicable laws, regulations, and industry standards.
Inprov's policy/procedure: Assume?
Does Inprov comply? Assume?

Lakewood's security requirement: Secure credit card data per the standards of the Payment Card Industry Data Security Standard (PCI DSS).
Inprov's policy/procedure: (1) Does not store any personally identifiable financial information.
Does Inprov comply? YES
Things missing from Inprov's policy: NONE
Extra things Inprov is doing: NONE

Lakewood's security requirement: Provide periodic demonstrations of compliance with PCI DSS.
Inprov's policy/procedure: ?
Does Inprov comply? NO
Things missing from Inprov's policy: Does not state any requirements for periodic demonstrations.
Extra things Inprov is doing: NONE

Lakewood's security requirement: Limit access to personal information and secure facilities with information storage or transmission capabilities.
Inprov's policy/procedure: (1) Due care that transmission is appropriate. (2) Access ... Show more content on Helpwriting.net ...
Does Inprov comply? YES
Things missing from Inprov's policy: NONE
Extra things Inprov is doing: (1) Access restricted at file level. (2) Security exceeds requirements of many federal laws.

Lakewood's security requirement: Implement IT security and authentication methods covering networks, applications, database, and platform security.
Inprov's policy/procedure: (1) Access restricted on both service and file level with an Access Control List. (2) Uses a state-of-the-art firewall and the FortiGuard Labs full suite of "Integrated Security Services". (3) Secure servers which exceed the requirements of HIPAA, Sarbanes-Oxley, etc.
Does Inprov comply? YES
Things missing from Inprov's policy: NONE
Extra things Inprov is doing: (1) Access restricted at file level. (2) Security exceeds requirements of many federal laws.

Lakewood's security requirement: Encrypt any highly sensitive personal information transmitted or stored on mobile media.
Inprov's policy/procedure: (1) Due care that transmission is appropriate.
Does Inprov comply? NO
Things missing from Inprov's policy: No encryption is required.
Extra things Inprov is doing: NONE

Lakewood's security requirement: Strictly segregate personal information from all other information.
Inprov's policy/procedure: ?
Does Inprov comply? NO
Things missing from Inprov's policy: No segregation is required.
Extra things Inprov is doing: NONE

Lakewood's security requirement: Implement personnel security and integrity procedures, specifically background checks.
Inprov's policy/procedure: ?
Does Inprov comply? NO
Things missing from Inprov's policy: Policy does not state requirements for screening employees or background checks.
... Get more on HelpWriting.net ...
Security Breach at Tjx Essay
HBR Case Study
Security Breach at TJX
1. What are the (a) people, (b) work process and (c) technology failure points in TJX's security that
require attention?
While it is known that all retailers, large and small, are vulnerable to attacks, several factors
including people, work process, and technology require attention so as to prevent another major
attack from hitting TJX.
The people associated with the attack who need attention are the top–level executives and, more
importantly, the Payment Card Industry Data Security Standard
(PCI DSS) auditors. Top–level executives need to understand that IT security is a business issue and
not just a technology issue. As seen by the attack, an IT security breach can mean hundreds of ...
Show more content on Helpwriting.net ...
2. How should the company's IT security be improved and strengthened? What should its short-term
priorities and long-term plans be?
Hiring Richel as the Chief Security Officer was one big step towards a better IT security program at
TJX; he's an executive who understands the harsh and costly consequences of a weak IT security
system and has plans to implement the strongest system possible.
Short-term priorities include 1) addressing Mary Smith's letter and taking care of the $5,000 theft, 2)
implementing network monitoring, 3) implementing logging, 4) encrypting ALL data and minimizing the
time that data spends 'unscrambled' rather than 'scrambled', and 5) updating all components of the
system, both hardware and software, to the most modern and secure in the industry.
Long-term priorities should include minimizing risk by making everyone in the company, not just
top-level executives, aware of the potential for another massive attack on their system. The reason
why I think store clerks and managers should be made aware of their respective branch's IT system
(wireless, kiosks, card swipers, etc.) is so that they know what an attack looks like when it is
happening. More often than not, the invasion is happening right in front of the cashier's face, yet
they have absolutely no idea.
... Get more on HelpWriting.net ...
Tft2 Task 1
TFT2 Task 1
Western Governors University
Introduction:
Due to policy changes, personnel changes, systems changes, and audits it is often necessary to
review and revise information security policies. Information security professionals are responsible
for ensuring that policies are in line with current industry standards.
Task:
A. Develop new policy statements with two modifications for each of the following sections of the
attached "Heart-Healthy Insurance Information Security Policy":
1. New Users
2. Password Requirements
B. Justify each of your modifications in parts A1 and A2 based on specific current industry
standards that are applicable to the case study.
C. When you use sources, include all ... Show more content on Helpwriting.net ...
The new user policy section has been modified to require manager approval and validation of the
user's access request based upon the user's role. Previously, the policy only required manager
approval for users requiring administrator privileges. In accordance with the Health Insurance
Portability and Accountability Act (HIPAA) standards on access controls, users will have the
minimum access required to perform the functions of their job, in order to protect against
unnecessary access to electronic protected health information (ePHI).
The new user policy has also been modified to include security and awareness training
requirements. HIPAA includes addressable administrative standards for security and awareness
training of all members of the workforce, to include periodic security reminders, protection from
malware, log-in monitoring and password management (HHS, 2007).
The password policy has been modified to increase length and complexity requirements from
eight-character passwords made up of only upper- and lowercase letters to twelve-character
passwords that also include numbers and special characters. Even complex eight-character passwords
can be cracked using modern tools (Murphy, 2015). To most effectively protect and safeguard data as
required by HIPAA, the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security
Standard (PCI DSS), passwords must be long.
... Get more on HelpWriting.net ...
Security Policies And Control And Password Management...
Security policies are rules and guidelines formulated by an organization to manage access to
information systems and/or computer networks. Simply put, these policies exist to govern
employees, business partners, and third–party contractors with access to company assets.
Furthermore, some policies exist to comply with laws and regulatory requirements. These policies
are part of the company information security management system (ISMS), and are usually
administered to employees by Human Resources or distributed to business partners and contractors
via the Technology department. In sum, security policies protect assets from illegal or damaging
actions of individuals. Of course, many security policies exist, but this review will focus on the ...
Show more content on Helpwriting.net ...
These standards appear in the ISO/IEC 27000 series, the industry-recognized best practices for the
development and management of an ISMS (pg. 68 of CISSP). To clarify, ISO 27002, Information
Technology - Security Techniques - Code of Practice for Information Security Management, falls
within the ISO 27000 framework. Ultimately, HHI's objective will be to comply with industry
standards and governmental regulations by designing sound security policies using the ISO 27000
standards.
As has been mentioned in the previous section, the ISO/IEC developed the ISO 27000 framework,
which includes the ISO 27002 standards (page 37). Furthermore, the ISO 27002 standards contain
12 domains; nevertheless, this review will focus on the Access Control domain to rewrite the new
user and password requirement policies. Moreover, the Access Control domain has seven
subdomains:
Business Requirements for Access Control;
User Access Management;
User Responsibilities;
Network Access Control;
Operating System Access Control;
Application and Information Access Control;
Mobile Computing and Teleworking.
Specifically, the Network Access Control subdomain delves into user access management and user
responsibilities. In summary, the ISO 27002 standards encompass 12 domains to "establish
guidelines and principles for initiating, implementing, maintaining, and improving information
security management within an organization
... Get more on HelpWriting.net ...
  • 3. Tjx Security Breach Essay
    The TJX Companies breach has been labeled the largest data breach in the history of security breaches and the ultimate wake-up call for corporations (Dash, 2007). TJX is the parent company of chains such as TJ Maxx, Marshalls, HomeGoods, and a host of retail stores across the US and Canada. In January 2007, it was discovered that hackers stole as many as 200 million customer records due to a failed security system at TJX, which resulted in $4.8 billion worth of damages (Swann, 2007). It is said that the breach occurred because they did not have any security measures in place to protect consumers' data such as their debit cards, credit cards, checking account information, and driver's license numbers. Reports identified three major ...
    ... In fact, researchers at Darmstadt Technical University in Germany have demonstrated that a WEP key can be broken in less than a minute (Berg, Freeman, & Schneider, 2008). More important, WEP does not satisfy industry standards that require the use of the much stronger WPA (Wi-Fi Protected Access) protocol (Berg, Freeman, & Schneider, 2008). First, they broke into the store's network and stole employees' usernames and passwords, with which they gained access to the TJX main database at the corporate headquarters, and used those credentials to create their own accounts within the employee database. Once they gained entry into the corporate network, they were able to breach security and gather credit card numbers and any customer information they wanted. The consumer information was compromised for approximately 18 before TJX became aware of what had been happening. TJX's data storage practices also appear to have violated industry standards. Reports indicate that the company was storing the full-track contents scanned from each customer's card (Swann, 2007). Additionally, customer records seem to have contained the card validation code (CVC) number and the personal identification numbers (PIN) associated with the customer cards. PCI Data Security Standard 3.2 clearly states that after payment authorization is received, a merchant is not to store sensitive data, such as the CVC, PIN, or full-track information (Berg, Freeman, & Schneider, ...
  • 5. Case Study Of Bharti Airtel
    Chapter - 1 COMPANY PROFILE
    Bharti Airtel, incorporated on July 7, 1995, is the flagship company of Bharti Enterprises. The Bharti group has a diverse business portfolio and has created global brands in the telecommunication sector. Bharti Airtel is Asia's leading integrated telecom services provider with operations in India and Sri Lanka. Bharti Airtel has been at the forefront of the telecom revolution and has transformed the sector with its world-class services built on leading-edge technologies. Bharti Airtel is India's largest integrated and the first private telecom service provider with a footprint in all the 23 telecom circles. Bharti Airtel since its inception has been at the forefront of technology and has steered the course of the ...
    ... Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may supplement (but not replace) anti-virus software.
    5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). For systems not commonly affected by malicious software, perform periodic evaluations to evaluate evolving malware threats and confirm whether such systems continue to not require anti-virus software.
    5.2 Ensure that all anti-virus mechanisms are kept current, perform periodic scans, and generate audit logs, which are retained per PCI DSS Requirement 10.7.
    5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
    5.4 Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
    Requirement 6: Develop and maintain secure systems and ...
  • 7. Data Security Policy For Ecommerce Payment Card Applications
    Data Security Policy for ecommerce Payment Card Applications
    This document describes the IT Security and IT Services policies and practices for managing IT Services' platform for University-hosted ecommerce, particularly payment card transactions, and the data related to ecommerce. This policy is intended to comply with the requirements of the Payment Card Industry Data Security Standard ("PCI DSS"). The PCI DSS is incorporated herein by reference; however, IT Security will be the sole determinant of how the PCI DSS requirements are applied within IT Services' operations. This document will be reviewed annually and updated as appropriate to maintain compliance with the PCI DSS. For the purposes of this document, the ecommerce infrastructure consists of the computing resources (i.e., servers, storage, network and storage switches, firewalls, the physical racks containing these, and associated software) that process, transmit, or store payment card data, or that can directly access such resources. Servers that are part of the ecommerce infrastructure, and any systems that can otherwise directly access computing resources that contain payment cardholder data, must be registered as managed machines.
    ROLES AND RESPONSIBILITIES
    University personnel who access data resources that transmit, process, or store payment card data are responsible for applying this and related policies. In the case of supervisors who require such ...
  • 9. Standards rely heavily on the network effect, which is the...
    Standards rely heavily on the network effect, which is the idea that the effectiveness of a standard is based on the number of people who use it. As a result, standards that are complicated to implement, especially ones dealing with technology, are heavily dependent on incentives in order to get a sufficient number of people to use them. Looking at PICS and PCI DSS, two Internet standards of which one succeeded and the other failed, we can see what makes standards effective online. The Platform for Internet Content Selection (PICS) was an Internet standard formed by the W3C in 1996 to allow parents to filter content, primarily nudity. It was completely voluntary and up to the website owners themselves to label their own sites. This is because the ...
    ... Payment card industries must follow step-by-step instructions in order to have transactions accepted. So why do these demanding standards work? As Larry Lessig mentions in Code is Law, there are four areas that influence policy: law, economy, architecture, and social norms. Working together on a sole standard for security benefits everyone and is thus economical, because the cost of losing customer data is enormous. On the other hand, competition between filtering software products can at worst lead some to filter less porn than others. After the Communications Decency Act, which tried to limit obscenity and indecency on the web, was ruled unconstitutional, there were no longer any legal ramifications for not using PICS software. There is no reason to limit information. On the flip side, ignoring PCI could land a company in court for negligence. A strong and commonly used standard works well as a legal benchmark for liability in protecting data. The burden on the user also differs. Individuals are not expected to make sure their cards are PCI certified; the vetting process is done at a higher level and simply offers the user a binary choice of using a protected card or not. PICS not only requires owners to rate their sites, but also requires each user to choose what they find acceptable or not, placing much more burden on the individual. Based on comparing where PCI succeeded and PICS failed, it appears that the core motivator is the law. The consequences of disobeying PCI ...
  • 11. A Plan For Physical And Digital Security Protocols
    7. PCI DSS Validation
    The Payment Card Industry Data Security Standard applies to companies that use, store and transmit protected financial information. Companies bear responsibility for compliance, but many of the company's payment processors offer compliance tools for the businesses they serve. It's essential that companies implement PCI standards. Developing a plan for physical and digital security protocols is essential if companies want to avoid fines, penalties, customer lawsuits and even cancellation of their payment processing privileges due to security breaches caused by noncompliance.
    8. PCI Compliance Guide
    The compliance required for B2B companies includes implementing training programs for employees to educate them about security risks. B2B companies can develop stricter digital and physical safeguards that go beyond the practices that credit card companies recommend, because developers can build and integrate various compliance tools into the eCommerce platform to fulfill baseline requirements or higher standards. The PCI DSS website explains the requirements for getting PCI-certified, which is an essential starting point for defining what's needed on the platform and for in-house training and security practices.
    9. Automated Auditing
    An automated auditing tool for B2B eCommerce platforms offers many advantages, but each eCommerce operation is different and requires custom integrations and features to enable auditing applications to manage and audit the ...
  • 13. Essay about PCI Compliance
    What is PCI Compliance? PCI compliance is maintaining adherence to the PCI DSS standard that was developed by major credit card companies as a "guideline to help prevent credit card fraud" ("PCI DSS"). Credit card fraud has taken the spotlight in the past several years due to the massive growth of e-commerce and online transaction processing. With the proliferation of e-businesses, it has become easier than ever to commit fraud over the internet. Major credit card issuers such as MasterCard, Visa, American Express, Discover, and JCB International joined together to create a standard known as PCI DSS, or Payment Card Industry Data Security Standard. In order to process credit card payments, merchants and vendors are required to be ...
    ... In September of 2006 the PCI Data Security Standard was updated to version 1.1, which is currently in use today. The PCI Security Council works to promote broad industry adoption of this standard, and also produces tools to assist companies in complying with it. Some of these tools are guidelines, scanning requirements, and even a self-assessment questionnaire. Before the PCI Security Council and Data Security Standard existed, each of the five credit card issuers had its own extensive internal compliance policies, so vendors or merchants who wanted to process more than one type of credit card had to comply with requirements defined by each card issuer. By coming together under the umbrella of the PCI Security Council, these major brands were able to codify their corporate standards into a public standard and place pressure on organizations that process credit transactions to protect cardholder data against fraud and theft. The founding organizations not only developed this standard but also incorporated it into their own data security compliance programs. All five organizations share equally in governing the council, have equal input regarding issues, and share responsibility for maintaining the PCI Data Security Standard.
    Case Study: TJX Companies
    In March of 2007, just last year, TJX Companies, owner of TJ Maxx and Marshall's, revealed the extent of damage of a number of ...
  • 15. Case Study : Southern New Hampshire University
    TJX Group Case Study, Team 3, Southern New Hampshire University
    Introduction
    According to a recent Travelers survey, identity theft, cyber security, and personal privacy rank as the top concerns for most Americans. Forty percent of individuals who participated in the survey believe they were a victim of one of these heinous crimes (Survey: Cyber Risk, 2015). Companies are focusing attention on this topic and investing vast resources in combating these crimes. Questions arise regarding TJX's role and responsibility to apprise stakeholders of a data breach. In 2008, TJX found itself in the unenviable position of needing to address these questions and concerns. This paper explores TJX's response to compliance problems, its utilization of strategy, the influence its response and decision-making have on the stakeholders and corporate brand, and the possible effects on TJX.
    Compliance Issues & Strategic Response
    Identity theft is, unfortunately, commonplace in today's world. Technology is ever advancing and evolving, making today's purchases obsolete. The obsolescence of technology plagued TJX. The company was attempting to get by under the radar with its enterprise security systems. "Because of the lax security systems at TJX, the hackers had an open doorway to the company's entire computer system" (Weiss, 2014). TJX was cognizant of the breach and withheld information from stakeholders of the business. "Once a breach is discovered notification to consumers is paramount." ...
  • 17. Case Study Of PCI DSS Compliance
    PCI DSS Compliance and How to Become PCI DSS Compliant.
    What is PCI Compliance? PCI compliance is officially known as the Payment Card Industry Data Security Standard (PCI DSS). It's a proprietary information security standard for all organizations that store, process or transmit branded credit cards from the major card schemes, including Visa, MasterCard, American Express and Discover. It's a universal security standard that was first set up in December 2004, when the credit card companies came together to form the Payment Card Industry Security Standards Council (PCI SSC), the organization behind PCI DSS. The most current PCI DSS (version 3.2) came out in April 2016. Before the formal security standard was established, the different credit card companies had their own sets of rules and ...
    ... An Approved Scanning Vendor (ASV) is an organization with a set of security services and tools (ASV scan solutions) that conducts external vulnerability scanning services to validate compliance with the external scanning requirements. As for whether you need it, it depends. If you're applying for SAQ A-EP, you need it. It's one of the questions in that form, while for AOC A it doesn't necessarily mean that you need to be performing scans by approved ASVs. So, from the point of view of SAQ/AOC A, an ASV scan is not needed. At the same time, some acquirers (payment providers) have it as one of the requirements for using their services. Again, it's important to check with your providers directly, even if you are applying for SAQ A. A scanning vendor's ASV scan solution is tested and approved by the PCI SSC before the ASV is added to the list.
    Compliance Process Summary
    1. Determine your compliance level with your bank and the different credit card companies. Remember, each has its own slightly different rules.
    2. Complete the relevant Self-Assessment Questionnaire according to its instructions.
    3. Complete the relevant Attestation of Compliance form (contained in your SAQ ...
  • 19. Federal Cloud Compliance Program (FedRAMP)
    A. INTRODUCTION
    Federal organizations are moving their services to the cloud to minimize their software and infrastructure footprint and to save money, time, and resources. As cloud service providers (CSPs) are becoming prevalent, we must analyze the security of these services to ensure compliance with the standards and laws that protect customers, citizens, and information. Therefore, this paper analyzes a new federal cloud compliance program called the Federal Risk and Authorization Management Program (FedRAMP). This paper also establishes that FedRAMP can indirectly aid federal government organizations in being compliant with the following laws: the Health Insurance Portability and Accountability Act of 1996 (HIPAA); the Family Educational Rights and Privacy Act (FERPA); the International Traffic in Arms Regulations (ITAR); and the Payment Card Industry Data Security Standard (PCI DSS). This paper will briefly explain these four laws and the cloud computing discussions regarding them. It will also explain FedRAMP and the way it can help federal organizations be compliant with these laws.
    B. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
    HIPAA was originally established in 1996 to mandate that the Department of Health and Human Services (HHS) establish national standards for the transfer of electronic medical records, with the intent to facilitate the transfer of medical records; it applies to health plans, health care clearinghouses, and health ...
  • 21. Company And Preliminary Accounting Analysis
    Industry, Company and Preliminary Accounting Analysis
    Industry Analysis
    To start the analysis of the industry, the industry in which Blackmores operates should first be identified. Since Blackmores identifies itself as a natural health company, the industry it belongs to is the health care sector. Based on the Global Industry Classification Standard (GICS), the health care sector can be broken into two broad industries: one is health care equipment and services, and the other is pharmaceuticals, biotechnology and life sciences. Blackmores would be classified in the pharmaceuticals, biotechnology and life sciences industry, which is called the biotech & pharma industry. In the biotech & pharma industry, companies usually produce three types of products: prescription therapeutics and prophylactics (medicines that treat or cure medical conditions or diseases, and vaccines that prevent diseases), diagnostics (devices and tests used to diagnose disease), and over-the-counter consumer products, such as drugs and vitamins. Moreover, some experts also count medical technology (medtech) manufacturing under the pharma/biotech industry where sufficient facilities and advanced equipment are present. As the biotech & pharma industry is a tech-dominated industry, it focuses on innovation and research on products but also includes manufacturing and supply. So there are many players involved in this industry. The players can be classified into three main parts: ...
  • 23. PCI Compliance Report
    As an information security analyst, I have been tasked with identifying the need for compliance with the Payment Card Industry Data Security Standard (PCI DSS). A business accepting any amount of payment from credit cards is required to be in compliance. This report will provide a high-level explanation of PCI compliance, how to move through the process, and the consequences of noncompliance. The PCI DSS is a set of policies and standards that was developed by major credit card companies. These companies include Visa, MasterCard, Discover and American Express. These standards are not law, but are required in order to accept payments from clients that are holders of these types of cards. The standards are aimed at providing security to the clients' ...
  • 25. A Brief Note On Federal Information Security Management...
    Introduction
    This paper will discuss six Acts/Laws which are intended for the advancement of society and to facilitate work processes, maintain the privacy of each individual citizen of the nation, provide legitimate rights to laborers/workers, the right to protect intellectual property, opportunities for financial institutions to grow their business, and maintain information security and integrity.
    FISMA
    FISMA (Federal Information Security Management Act) appeared when Congress understood the significance of information security and included FISMA as part of the E-Government Act of 2002. FISMA requires administrative bodies within the government to:
    Plan for security.
    Ensure that the appropriate and responsible authorities are assigned the security obligation.
    Review security control measures on a regular interval basis.
    Manage and approve the system's readiness before operations, and periodically after deployment.
    FISMA is separated into three primary areas: the annual security reporting requirement (Annual Program Review - CIO); the Independent Evaluation (IG); and corrective action plans for recovery and remediation of security shortcomings. FISMA requires that organizations submit reports to OMB on the status of their information security program quarterly.
    Sarbanes-Oxley Act
    The Sarbanes-Oxley Act applies only to organizations whose stock is traded on public exchanges. Its purpose was to ...
  • 27. Regulatory Standards Of The Federal Information Systems...
    Within this writing assignment I will discuss the following regulatory requirements: the Federal Information Systems Management Act (FISMA), the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and Intellectual Property Law. I will also discuss the security methods and controls which should be applied to ensure compliance with these standards and regulatory requirements. I will explain the guidelines established by the Department of Health and Human Services, the National Institute of Standards and Technology (NIST), and other agencies for ensuring compliance with these standards and regulatory requirements. During daily operations, ...
    ... Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources (Staff, 2016). FISMA was amended by the Federal Information Security Modernization Act of 2014. The amendment was established to modernize federal security practices to focus on security concerns. The results of these changes will strengthen continuous monitoring, continue focusing on agency compliance, and report on issues caused by security incidents. FISMA, the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act) clearly highlight the plans for a cost-effective security program. In support of and reinforcing this legislation, the Office of Management and Budget (OMB), through Circular A-130, "Managing Federal Information as a Strategic Resource," requires executive agencies within the federal government to:
    Plan for security
    Ensure that appropriate officials are assigned security responsibility
    Periodically review the security controls in their systems
    Authorize system processing prior to ...
  • 29. Personal Statement: Welcome To Healthequity
    First off, welcome to HealthEquity!! I am so excited to have you on my team! HealthEquity is an amazing company and you are just going to love being here! I am so excited to be your new team leader. We are going to do great things together. I have worked here at HealthEquity for 3 years. I started in Member Education as a homie. In November of 2013 I became an ATL (Assistant Team Leader, now known as SWAT); in January of 2014 I became a Homie Team Leader. I have loved being a Homie Team Leader, but recently I have decided to join our in-office Team Leaders. I am excited for this new journey and excited to get to know all of you. Don't get me wrong, being at home has been so amazing; my kids are now in school full time and I feel being with them ...
  • 33. The Federal Trade Commission Act ALJ
    On November 13, 2015, the Federal Trade Commission's (FTC) Chief Administrative Law Judge (ALJ) held that LabMD did not violate Section 5(a) of the Federal Trade Commission Act (FTC Act) by failing to provide reasonable security for personal information on computer networks. This is the first decision that limits the authority of the FTC to regulate businesses that fail to appropriately safeguard their consumers' electronic personal information. The FTC first became involved with consumer privacy issues in 1995, when it promoted industry self-regulation. After determining that self-regulation was not effective, the FTC began taking legal action under Section 5 of the FTC Act. Section 5 limits practices considered to be unfair to instances where, among other things, (1) the practice causes or is likely to cause substantial injury to consumers; (2) the substantial injury is not reasonably avoidable by consumers; and (3) the substantial injury is not outweighed by countervailing benefits to consumers or to competition. Since 2002, the FTC has brought over 50 cases against companies that have engaged in unfair or deceptive practices that put consumers' personal data at unreasonable risk. Most of these cases resulted in settlements and did not provide judicial decisions addressing the FTC's authority to regulate the data security practices of companies which have suffered a data breach. The first case to test the authority of the FTC was FTC v. Wyndham Worldwide Corp. After a data breach ...
  • 35. Security Risks And Vulnerabilities Of Mobile Payment...
    Abstract
    Mobile payment apps such as Venmo and PayPal are quickly becoming one of the most popular ways for peer-to-peer money transfer, and other apps allow users to make contactless payments at checkout. These apps contain very personal and accessible information, yet there is little to no concern for the security of this valuable information. This paper will assess the current security risks and vulnerabilities of mobile payment applications and what users should be doing to protect themselves. This is important to the cyber security body of knowledge because thieves will use the vulnerabilities of the apps to steal personal information. It then falls into the hands of cyber security specialists to protect and educate users to decrease crime.
    Introduction
    Payment processes have evolved from traditional cash or cards to innovative electronic wallets on smartphones. Consumers are accepting this new form of convenient payment and inputting all of their personal data, including their full name and credit card information, into apps such as Apple Pay, Samsung Pay, PayPal, etc. These apps are available on both the Apple Store and Google Play, and each has its own way of using various forms of mobile payment. According to forecasted reports, mobile payment volume will bring in $503 million by 2020 compared to the current $75 billion this year (Bakker, 2016). As always, with new technologies come new challenges and risks. Mobile payment apps are not an exception. Due to the ...
  • 37. Consumer Harm : High Bar
    Consumer Harm: High Bar in FTC Data Security Claims
    ALJ
    On November 13, 2015, the Federal Trade Commission's (FTC) Chief Administrative Law Judge (ALJ) held that LabMD did not violate Section 5(a) of the Federal Trade Commission Act (FTC Act) by failing to provide reasonable security for personal information on computer networks. This is the first decision that limits the authority of the FTC to regulate businesses that fail to appropriately safeguard their consumers' electronic personal information. The FTC first became involved with consumer privacy issues in 1995, when it promoted industry self-regulation. After determining that self-regulation was not effective, the FTC began taking legal action under Section 5 of the FTC Act. Section 5 limits practices considered to be unfair to instances where, among other things, (1) the practice causes or is likely to cause substantial injury to consumers; (2) the substantial injury is not reasonably avoidable by consumers; and (3) the substantial injury is not outweighed by countervailing benefits to consumers or to competition. Since 2002, the FTC has brought over 50 cases against companies that have engaged in unfair or deceptive practices that put consumers' personal data at unreasonable risk. Most of these cases resulted in settlements and did not provide judicial decisions addressing the FTC's authority to regulate the data security practices of companies which have suffered a data breach. The first case to test the authority of the FTC was FTC ...
  • 39. Basic Classic Threats For It Systems And Data 1. What are the four basic classic threats to IT systems and data? Give an example of each. According to Mr Moeller, we can classify IT system threats as four main classes. Interruptions: interruption refers to the situation where an IT component, typically a hardware or a software, gets corrupted or is completely lost. The main issue behind this kind of thread consists of the disruption of service provided by that IT component. An example could be someone performing a denial of service on an IT system by overwhelming network connections. Interceptions: this class encompasses all threat related with the stealing of, gaining unauthorized access to, data or service. For instance, it could be a program or a user trying to illegally access another system or data. One example that particularly applies to this scenario includes eavesdropping communication between system to retrieve or capture data. Modification: I believe this one could the most dangerous class as any threat that fall into this categories not only affects/tampers a system but also removes tractability. In other words, this kind of threat tends to alter system environment without leaving. Thinking of hacking tool such as metasploit, that is exactly the definition/description of some payload such as reverse shell. A user that managed to get a reverse shell from a target machine can modify environment parameter such as permission, process ID of running program as well as deleting log files that may hint plausible ... Get more on HelpWriting.net ...
  • 41. Business Continuity Planning and Disaster Recovery

Business continuity planning and disaster recovery: for any organization to survive in the long run, executives must give priority to the disaster recovery (DR) and business continuity (BC) plan during budget allocations, even though they never see a payback from those investments. Disasters don't happen daily; they rarely occur. But when one happens, and if the company doesn't have a plan or mechanism to recover quickly, then that company loses its customers to its competitors. A business continuity plan includes the steps a company must take to minimize service outages. Organizations must have a system in place to minimize unplanned downtime. After the Y2K crisis, companies made the business continuity plan part of corporate IT planning. In most cases, the ideal solution is ...

Incident response occurs during the incident; however, disaster recovery occurs after the incident has taken place (Whitman & Mattord, 2012). Adequately preparing for disasters helps in fast recovery. For example, fire is a catastrophic disaster, so backups should be at an off-site location to minimize the damage caused to clients, employees, stakeholders and investors. A disaster recovery plan must be developed and implemented with top-down support across all departments in an organization. Every department in an organization must contribute to the disaster plan. The IT team should write the disaster plan because they have deep insight into the company-wide business process. The IT department is in the unique position of understanding the daily operations of each department, as well as being in constant communication with the leads within each department. Without cross-departmental participation it is impossible to put out a proper plan. The disaster plan should include as many possible scenarios as it can, because disasters have many causes.

The following are considered disasters in the typical organization:
1) Employee fraud
2) Stolen laptop
3) Fire
4) Terrorist attacks

To effectively face a disaster, the disaster plan should be distributed across the organization so that everyone knows their role within the plan. Roles must be revised and plans should be rehearsed periodically. Network Security ...
  • 43. Privacy, Laws, and Security Measures Essay

Today, there are many threats to information systems and to the information about customers and employees contained on servers. There are major privacy issues facing organizations, from hackers, employees, natural disasters, and other threats. Some of these privacy issues can be risks to the sporting goods store and justify the concerns of the CEO. There are security risks and applicable laws which govern the privacy risks. Security measures can be implemented by organizations to mitigate the risk to private information.

Organizations face major privacy issues when it comes to working with employee and customer information. Customers often buy items online from stores, and the store gives the option to store payment ...

Accidental disclosure could be by word of mouth, lost papers or throwing paper away without destroying it, or an employee losing a laptop, jump drive, or other mobile media. The sporting goods store could potentially have privacy risks based on the major privacy issues discussed above. Since the store accepts credit card sales in the store and over the web via e-commerce transactions, the store needs to protect credit card information. The internal network is more secure because of the DMZ, which has at least two firewalls between the internet and the internal network. According to Easttom (2006), the DMZ is a demilitarized zone which gives an additional layer of protection between the internet services and the back end of the corporation's resources (Easttom, 2006). An attacker who gets into the DMZ could cause problems with the web server, but by then should be detected, disconnected, or trapped in the DMZ to prevent the attacker from getting into the internal network.

The email server is used for email communication with business partners and customers; a man-in-the-middle attack could intercept emails and forward them to their destination while copying the messages to the attacker. Another risk to privacy is the wireless network, which needs to be locked down to prevent unauthorized access and use of the wireless network to get into the internal network. Facebook does leave the company open to viruses, which can be planted on the page to infect customers who ...
  • 45. Target: The Largest Data Breach/Attack Essay

In December 2013, Target suffered a cyber-attack and data breach. Target is a widely known retailer that has millions of consumers flocking every day to partake in the store's wonders. The Target data breach is now known as the largest data breach/attack, surpassing the TJX data breach in 2007. "The second-biggest attack struck TJX Companies, the parent company of TJMaxx and Marshall's, which said in 2007 that about 45 million credit cards and debit cards had been compromised." (Timberg, Yang, & Tsukayama, 2013) The data breach that occurred at Target was a strong, swift kick to the gut not only for the retailer/corporation, but for employees and consumers. The December 2013 data breach exposed Target in a way that many ...

According to Krebs (2014), "credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers. Investigators who examined the malware quickly noticed that it was designed to move data stolen from Target's (then malware-infected) cash registers to a central collection point on Target's network, a Windows domain called "TTCOPSCLI3ACS"."

Regulatory and Industry Standards

Target, as a whole, is a huge corporation/business. As a business, in order to stay open and run functionally, Target has to abide by regulatory and/or industry standards. The two regulatory and industry standards that are required for any financial institution, retailer, and/or business are the Payment Card Industry Data Security Standard (PCI DSS) and the Gramm-Leach-Bliley Act (GLBA). PCI DSS is a global industry standard while GLBA is a government regulatory standard. Target has to abide by PCI DSS and GLBA. According to Kim & Solomon (2014), PCI DSS affects any organization that processes or stores credit card information.

The PCI DSS is a comprehensive security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. GLBA requires that financial institutions provide their clients a privacy notice that explains what information the company gathers about the client, where the information is ...
  • 47. The Payment Card Industry for My Organization

I have chosen the Payment Card Industry for my organization to write about, mainly because I work in the industry and know it fits the criteria for security. So I will get down to naming three major information threats to the card service industry. I got my three major information security threats from PC World (Bradley, 2015). For the Payment Card Industry I have chosen Social Engineering, Sophisticated DDoS Attacks, and The Insecurity of Things (Bradley, 2015), due to the access to ATMs and credit card readers.

The first threat is Social Engineering. The Payment Card Industry is a prime target for social engineers because they can gain larger profits off of the information. With this information a thief can steal large amounts of money in a short period. The best defense against social engineering is training. On eSecurity Planet's website, Thor Olavsrud lists the "9 Best Defenses Against Social Engineering Attacks", which are the following: 1. Education: the best way to defend against a social engineering attack (Olavsrud, 2016) is to be aware of how it happens, with training on how to recognize how the social engineer exploits the situation. Jamey Heary, in the PCWorld article "Top 5 Social Engineering Exploit Techniques" (Heary, 2016), states that the top 5 techniques are: familiarity exploited (Heary, 2016), which is where the social engineer gets to know you so that you are comfortable and will talk to them about sensitive information; creating a hostile ...
  • 49. PCI Compliance Analysis

There are some people who still insist on paying the old-fashioned way, with cash. If you purchase anything using a credit card, you are most likely aware that thousands of cardholders have had their data stolen by unethical hackers. For this reason, there are standards which businesses that offer credit card payment as an option must follow. Consumers have the assurance that a business is working to protect their valuable information by adhering to Payment Card Industry (PCI) compliance mandates.

What is PCI Compliance?

All major credit card issuers must adhere to the Payment Card Industry Data Security Standard (PCI-DSS). This is a mandated compliance standard established by the Payment Card Industry Security Council. This standard ...

A class 1 PCI compliance rating designates the largest entities, which process over 6 million Visa or MasterCard transactions over a twelve-month period. The classifications and steps required for PCI compliance drop as the number of transactions decreases. The lowest class level is 4, and is for e-commerce businesses with fewer than 20,000 online purchases registered and other businesses with fewer than a million accepted card payments. Small businesses may be able to satisfy compliance requirements once per year, but most companies benefit from applying these steps as warranted, as part of an ongoing process.

· Assess the Data System: Businesses need to exercise caution with all credit card data. Nothing can cost a business more profoundly than a breach of consumer financial security. Your business needs to implement this step in a timely fashion when there is any indication of a potential vulnerability.
· Remediation: Your business needs to either employ an IT professional, or hire the services of one, to fix any vulnerability uncovered by the assessment step.

An excellent preventive measure to help ensure customer card security is to erase cardholder information unless that data is absolutely needed. Do not keep consumer cardholder data out of convenience for your business operations; the practice carries too many consequences if your system is unfortunately compromised. By implementing a good PCI-compliant remediation plan, you can remove a great ...
  • 51. IT Security Compliance Policy Is The Legal Aspects Of The...

Introduction

The purpose of this IT Security Compliance Policy is to recognize the legal aspects of the information security triad: availability, integrity, and confidentiality, as it applies to the Department of State at U.S. diplomatic embassies across the globe. This document also covers the concept of privacy and its legal protections for privately-owned information held by the U.S. government, and government employees' use of network resources. A detailed risk analysis and response procedures may also be found at the end of this policy.

LAW Overview

The following is a brief overview of compliance with each law related to and in use by our organization. "The Gramm-Leach-Bliley Act (GLBA) requires financial institutions – companies that offer ...

"The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID)." (PCI Compliance Guide). We have three steps for compliance with PCI standards.

Step 1 "ASSESS"
The purpose of the assessment step is to study all possible process and technology vulnerabilities that may pose a threat to consumer credit card data processed by our company.

Step 2 "REMEDIATE"
Remediation is how we begin fixing vulnerabilities; these vulnerabilities include technology flaws like outdated software or hardware that is easily bypassed by an exploit, and even unsafe practices performed by the organization that potentially expose the card data to someone other than the card holder. The steps we use in the remediation process are:
1) Run network port and vulnerability scanners.
2) Complete self-evaluation questionnaires and network scenario questionnaires.
3) Sort and prioritize any vulnerability found in tests and assessments.
4) Apply fixes, patches, updates, and possible workarounds for the vulnerabilities recognized.
5) Rescan everything again to ensure the vulnerabilities have been mitigated.

"The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law ...
  • 53. Essay on Security Regulation Compliance

ORGANIZATIONAL CHANGE: PEOPLE CHANGE
Percy A. Grisby II
Computer Ethics
March 13, 2015
Professor Sonya M. Dennis

1. Overview
Below we are going to discuss 6 Acts/Laws which are meant for the betterment of society and to facilitate workflow, maintain the privacy of every individual citizen of the country, provide legal rights to workers/laborers and owners of intellectual property, provide opportunities for financial institutions to expand their business, and maintain data security and integrity.

1.1 FISMA [1]
FISMA (Federal Information Security Management Act) came into existence when Congress realized the importance of information security and included FISMA as a part of the E-Government Act of 2002. FISMA requires regulatory ...

It's also known as the Financial Modernization Act of 1999. This act allowed banks to engage in a wide array of financial services, like merging with stock brokerage and insurance companies, which also gave them the means to possess a large amount of public and private client information. The information is usually considered private and the risk of misuse is high; therefore Title 5 of the GLBA specifically addresses protecting both the privacy and security of information.

1.4 PCI DSS
The Payment Card Industry Data Security Standards must be followed by any merchant who handles payment card details. The merchant must comply with the PCI DSS rules in order to be approved and continue to accept online card payments. Failure to do so will place the merchant at risk of having its license to take card payments revoked and will also be regarded as a disciplinary offense. Noncompliance is not an option! The Payment Card Industry Security Standards Council (PCI SSC) releases the documents stating the standards to be maintained by different merchants and issuing bodies. The basic requirements to comply with PCI SSC are:
1) Build a secure network.
2) Protect the private data of the card holder.
3) Maintain highly secure management programs.
4) Maintain strict access control measures.
5) Testing of the network should be done regularly.
6) Maintain every information security policy and guideline.

1.5 HIPAA
The HIPAA Act of 1996 is imposed on all ...
  • 56. Dell Level 5/Level 4 Manufacturing

Dell Inc.: Case questions

In Level 5 manufacturing, the motherboard is not installed into the chassis before shipment to the US. This means that L5 has a longer list of costs: (1) motherboard packaging cost, to protect the motherboard from damage; (2) air-freight cost, a separate transportation cost; (3) US transportation cost, the cost required to transport the motherboard from the U.S. to the SLC and to the 3rd-party integrator; (4) inventory holding cost at the SLC; (5) local integration cost to integrate the two separate components. After integration, the motherboard within the chassis must be returned to the 3rd party. Since the 3rd party does not have effective equipment to perform tests, the ...

This shows that the members were not totally objective. The above-mentioned arguments show that the scoring process can be subjective or biased. Next to that, there was no weight placed to differentiate more critical processes from other processes. This means all departments had an equal weight. In conclusion, it would be better to implement another decision-making model that would give a clearer solution. The relationship is characterized as a shallow relationship which is not very in-depth, in order to be manageable and sustainable. Investing too deeply in a relationship will result in high cost and energy. The limited production capacity allows it to dedicate its production to chipsets, which provide a higher margin for Dell and Intel (the chipset supplier). Dell uses a push-pull strategy. It produces computers using components after a customer order. Dell's model is called a Direct model, where suppliers deliver to Dell and Dell is directly in a relationship with the customer without distributors and/or retailers. The customer is at the beginning (specific order) and at the end of the process.

Suppliers are situated very close to the plant, which results in easy coordination. There are few suppliers, and it saves money by shipping directly to customers. Next to specific components, Dell also uses some components across all orders. Each order consists of a motherboard, for example. This strategy has great benefits. ...
  • 58. Role of Auditing and Regulatory Compliance

ROLE OF AUDITING IN REGULATORY COMPLIANCE
BY: SHEFALI VERMA (A-20325809)
ILLINOIS INSTITUTE OF TECHNOLOGY, CHICAGO

ABSTRACT
Risk, compliance and governance activities are by nature interconnected and rely on common sets of information, processes, technology and methodology. The traditional approach to governance, risk and compliance relies on working in silos and using separate point solutions to address each assurance group's requirements. This creates a fragmented approach ...

This research paper focuses on how IT audits are done and how they can assist an organization in its regulatory compliance effort by identifying information security weaknesses prior to an external audit. The key players and their roles are defined, as well as organizational, results-based, point-in-time systems and extended-period audits. This leads to a natural question: in this new world of connected GRC, what is the role of internal audit compared to compliance? Where do these roles remain separate and where do they share responsibilities? How can these professionals work together to drive business value? This paper can help in understanding how the board, management, and internal audit each have a significant role in ensuring information security is effective. We can learn that internal auditing can also help prepare the organization for an external regulatory audit (SOX or HIPAA, for example) by evaluating management's efforts and providing recommendations for improvement prior to the external audit. This can help in understanding that IT security audits contribute to an organization's regulatory compliance efforts by confirming to senior management and ...
  • 60. Home Depot Case Study

Cybersecurity overview of Home Depot (background summary)

Home Depot is a major retailer of household hardware and building materials that was started in 1978 by Bernie Marcus and Arthur Blank with the first two Home Depot stores in Atlanta (Weinberger & Miller, 2002). Home Depot has grown to more than 2,200 stores in three countries, with a large network of stores all over the US, Mexico, and Canada (Weinberger & LaPadula, 2001). With its network of stores in three countries, it has a Wide Area Network (WAN) and Local Area Network (LAN) that transfer files and information from one store to another, going through different servers by cable and wireless connections (Manning, 2009). It also does business online, allowing customers to shop online either with a Home Depot credit card or any regular credit card, which requires Amazon Web Security (AWS) and Identity Access Management (IAM) (Stewart, Chapple & Gibson, 2015). The company has a strong and large database of customers and customers' personal information that needs to be protected to prevent any security breach that would compromise customers' personal information (Weinberger & Miller, 2002). Therefore, it is highly required to implement enterprise cybersecurity at Home Depot to secure the organization's sensitive information and prevent any potential malicious attack that would compromise the enterprise data and clients' information (Stewart et al., 2015). When cybersecurity is not taken seriously, there is always a ...
  • 62. TJX the Largest-Ever Consumer Data Breach Essay

TJX: SECURITY BREACH
MGSC 6201-02

INDUSTRY/COMPANY CONTEXT: TJX Companies, based in Framingham, MA, was a major participant in the discount fashion and retail industry. The TJX brand had a presence in the United States as well as in Canada and Europe. In mid-2005, investigators were made aware of serious security breaches experienced in TJX's credit card system. These breaches were first found at a Marshall's located in St Paul, MN, in which the hackers implemented a "war driving" tactic to steal customer credit card information. This incident resulted in over 46 million debit and credit card numbers being compromised and is considered to be the largest security breach in US history. The security breach at TJX resulted in major members ...

Also, in 2007 it was revealed that TJX stored both credit card numbers and expiration date information together in its system.
ISSUES: Non-compliance: WPA was required by PCI DSS; storing credit card numbers and expiration date information together violated standards as well. Reporting: never acknowledged any of this in financial statements/reports.
RESPONSE: The CIO decided to run the risk of being compromised by sticking with outdated technology (WEP).

LIABILITY/RESPONSIBILITY: One of the key issues is who should be held liable for the breaches. With so many parties involved in the credit card payment process, it's difficult to define a certain group as solely responsible.
ISSUE: Lack of legal standards: no existing laws stating who should bear the burden.
RESPONSE: Issues were to be handled legislatively, but the process is long and drawn out; technology is evolving faster than legislation.

INCENTIVES/CONSUMER BEHAVIOR: Consumers were seemingly unaware of data breaching technology being implemented.
ISSUE: Lack of awareness: difficult for stores to charge higher prices in order to provide better security (customers showed no change in preferences).
SOLUTION: Played a role in TJX opting not to abide by certain PCI DSS standards as sales continued to grow despite these breaches.

Looking at the recommendations I would make, it's important that management first recognize the function of cybersecurity in their overall business structure. They must maintain ongoing interactions ...
  • 65. Regulations and Standards of the Sarbanes-Oxley Act

Applicable Regulations and Standards

Financial institutions like Bank Solutions Inc. are required to meet the standards regulated by the government to avoid mismanagement of sensitive information. These regulations are solely purposed to mandate that financial institutions protect the confidentiality, availability and integrity of individuals' information, information systems and processes. Some of the applicable regulations and standards are elaborated below:

1. The Sarbanes-Oxley Act
"The Sarbanes-Oxley Act of 2002 is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures" (Rouse, n.d.). This act was implemented by the government to avoid the financial scandals which occurred due to a lack of proper storage of business records, including electronic records and electronic messages. This act requires financial institutions to store the audit trail of log files and other financial documentation, in either paper or electronic versions, for five years. It is very important for the IT department of any organization to securely store data for audit purposes, to avoid huge penalties and even imprisonment. Backup is also an important aspect, as this act requires financial institutions to have data available for the past five years.

2. The Gramm-Leach-Bliley Act
"The Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act (GLBA), protects the ...
  • 67. Health Information Compliance Report

Today, the main focus of the Health Information Technology for Economic and Clinical Health (HITECH) Act is to transfer healthcare records from a paper format to a digital format known as Electronic Health Records (EHR). Due to the sensitivity of the transfer of this data, and the possibility of hackers and breaches, the Health Information Portability and Accountability Act (HIPAA), alongside HITECH, recommends that health care entities employ multiple approved governing standards to aid the facility in remaining compliant with current local and federal regulations for the safety and privacy of said data (Oracle.com, 2011). These regulations govern both the local and federal hardware/software vendors and users, now known as business associates under the Mega ...

Software/hardware vendors must provide covered entities with audit reports unique to each compering provider. Vendors are required to present proof of their HIPAA compliance in the form of a Statement on Standards for Attestation Engagements No. 16 (SSAE 16), as it replaced SSA 70 (Barrett, Lucero, and Williams, 2013). Three service control documents must accompany a business associate when it desires to offer its services to a covered entity, as well as a contract which will include effective dates of return, termination, and/or destruction of all data, if deemed necessary. The three controls are: (1) a Service Organization Control Financial Report, (2) a Service Organization Control on Technical Ability (detailing controls), and (3) a Service Organization Control (an auditor's opinion), which adds strength to the business associate's reputation for remaining compliant with all HIPAA guidelines and standards (Barrett, Lucero, and Williams, 2013). Lastly, business associates must hold Payment Card Industry Data Security Standards (PCI DSS) compliance.

For a business associate to have this in their possession, they will need to have undergone a PCI audit. It is the covered entity's responsibility to determine the compliance of the business associate. As for the contract, if the business associate does not provide such a document, the covered entity can consider the business associate in HIPAA violation ...
  • 69. Evaluation of a New Business Manager

If you're a new business owner and have just begun accepting credit cards for payments, you don't want to be caught unaware of the regulations involved in handling sensitive personal data. The consequences of improper procedures could be penalties, fees and even termination of your card processing account. Read on to learn about PCI regulations and what you need to do to remain compliant.

What is PCI?

PCI stands for Payment Card Industry. When referring to the subject of PCI compliance, you are actually talking about a set of industry standards known as PCI DSS, where "DSS" stands for Data Security Standards. These standards were designed to ensure that businesses handle credit card information in a secure manner. The first version of the data security standards was released in December 2004 to combat the increasing rate at which cardholder information was being stolen online. The PCI DSS was established in 2006 with the formation of the Payment Card Industry Security Standards Council (PCI SSC). The council focuses on improving the security of credit card transactions as technology and market trends change the security concerns in the industry. The PCI SSC was created by the major credit card brands, including MasterCard, Visa, American Express and Discover; however, the council is not responsible for PCI compliance. It's the payment brands that actually enforce the standards.

Who needs to comply with PCI security standards?

In short, any organization or business that ...
  • 71. Essay on Components of PCI Standards

I. Components of PCI standards

PCI Data Security Standard (PCI DSS)
PCI DSS is the base standard for merchants and card processors. It addresses security technology controls and processes for protecting cardholder data. Attaining compliance with PCI DSS can be tough, and can drastically impact your organization's business processes, service, and technology architecture (Microsoft, 2009). PCI DSS version 1.2 is the most recent version of the standard, and takes the place of all previous versions of PCI DSS. The DSS standard is structured into a group of six principles and 12 requirements.

Payment Application Data Security Standard (PA DSS)
PA DSS is the baseline for software developers who commercially develop software for ...

I. Build and maintain a secure network
Requirement 1: Install and maintain a firewall for the protection of cardholder data. A firewall controls the data traffic between internal and external non-trusted networks. All systems must be protected from unauthorized access from non-trusted networks.
Requirement 2: Do not use default security configurations like logins and passwords. Default settings and configurations are the easiest way to approach any network. These default settings are well known in hacker communities.

II. Protect cardholder data
Requirement 1: Protect stored cardholder data. Encryption, masking and hashing are the critical aspects of data security. It is not easy to read encrypted information without the cryptographic keys. Time-based storage and disposal policies play an important role. Store the minimum amount of cardholder data; for example, there is no need to store the verification code, PIN number or expiration dates.
Requirement 2: Encrypt transmission of cardholder data across public networks. Always use encryption before passing sensitive information to public networks.

Secure Sockets Layer (SSL) is an industry-wide protocol for secure communication between client and server. Organizations should avoid using instant messaging applications for the transmission of sensitive data.

III. Maintain a vulnerability management program
Requirement 1: Use up-to-date ...
  • 73. Lakewood Case Summary

Lakewood's Security Requirement | Inprov's Policy/Procedure | Does Inprov Comply? | Things Missing from Inprov's Policy | Extra Things Inprov is Doing
Comply with all applicable laws, regulations, and industry standards. | Assume? | Assume? | |
Secure credit card data per standards of the Payment Card Industry Data Security Standards (PCI DSS). | (1) Does not store any personally identifiable financial information. | YES | NONE | NONE
Provide periodic demonstrations of compliance with PCI DSS. | ? | NO | Does not state any requirements of periodic demonstrations. | NONE
Limit access to personal information and secure facilities with information storage or transmission capabilities. | (1) Due care that transmission is appropriate. (2) Access ... | YES | NONE | (1) Access restricted at file level. (2) Security exceeds requirements of many federal laws.
Implement IT security and authentication methods covering networks, applications, database, and platform security. | (1) Access restricted on both service and file level with Access Control List. (2) Uses state of the art firewall and FortiGuard Labs full suite of "Integrated Security Services". (3) Secure servers which exceed requirements of HIPAA, Sarbanes-Oxley, etc. | YES | NONE | (1) Access restricted at file level. Security exceeds requirements of many federal laws.
Encrypt any highly-sensitive personal information transmitted or stored on mobile media. | (1) Due care that transmission is appropriate. | NO | No encryption is required. | NONE
Strictly segregate personal information from all other information. | ? | NO | No segregation is required. | NONE
Implement personnel security and integrity procedures, specifically background checks. | ? | NO | Policy does not state requirements for screening employees or background checks. | ...
  • 75. Security Breach at TJX Essay HBR Case Study Security Breach at TJX 1. What are the (a) people, (b) work process and (c) technology failure points in TJX's security that require attention? While it is known that all retailers, large and small, are vulnerable to attacks, several factors including people, work process, and technology require attention so as to prevent another major attack from hitting TJX. The people associated with the attack who need attention are the top-level executives and, more importantly, the Payment Card Industry Data Security Standard (PCI DSS) auditors. Top-level executives need to understand that IT security is a business issue and not just a technology issue. As seen by the attack, an IT security breach can mean hundreds of ...

2. How should the company's IT security be improved and strengthened? What should its short-term priorities and long-term plans be? Hiring Richel as the Chief Security Officer was one big step towards a better IT security program at TJX; he is an executive who understands the harsh and costly consequences of a weak IT security system and has plans to implement the strongest system possible. Short-term priorities include 1) addressing Mary Smith's letter and taking care of the $5,000 theft, 2) implementing network monitoring, 3) implementing logging, 4) encrypting ALL data and minimizing the time during which data goes from 'scrambled' to 'unscrambled', and 5) updating all components of the system, both hardware and software, to the most modern and secure in the industry. Long-term priorities should include minimizing risk by making everyone in the company, not just top-level executives, aware of the potential for another massive attack on their system. The reason I think store clerks and managers should be made aware of their respective branch's IT system (wireless, kiosks, card swipers, etc.) is so that they know what an attack looks like when it is happening. More often than not, the invasion is happening right in front of the cashier's face, yet they have absolutely no idea.
  • 77. TFT2 Task 1 TFT2 Task 1 Western Governors University TFT2 Task 1 Introduction: Due to policy changes, personnel changes, systems changes, and audits, it is often necessary to review and revise information security policies. Information security professionals are responsible for ensuring that policies are in line with current industry standards. Task: A. Develop new policy statements with two modifications for each of the following sections of the attached "Heart-Healthy Insurance Information Security Policy": 1. New Users 2. Password Requirements B. Justify each of your modifications in parts A1 and A2 based on specific current industry standards that are applicable to the case study. C. When you use sources, include all ... The new user policy section has been modified to require manager approval and validation of the user's access request based upon the user's role. Previously the policy only required manager approval for users requiring administrator privileges. In accordance with Health Insurance Portability and Accountability Act (HIPAA) standards on access controls, users will have the minimum access required to perform the functions of their job, in order to protect against unnecessary access to electronic protected health information (ePHI). The new user policy has also been modified to include security and awareness training requirements. HIPAA includes addressable administrative standards for security and awareness training of all members of the workforce, to include periodic security reminders, protection from malware, log-in monitoring and password management (HHS, 2007). The password policy has been modified to increase length and complexity requirements from eight-character passwords made up of only upper- and lowercase characters to twelve-character passwords including numbers and special characters. Even complex eight-character passwords can be cracked using modern tools (Murphy, 2015). To most effectively protect and safeguard data as required by HIPAA, the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS), passwords must be long.
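An added example, not part of the essay, that expresses the old eight-character and the revised twelve-character password rules described above as checks and quantifies the minimum-length keyspace each enforces; the 1e11 guesses-per-second rate is an assumed illustrative figure, not a measurement.

```python
import math
import string

# Added example, not part of the original essay: the old password rule
# (eight characters, upper and lower case only) and the revised rule
# (twelve characters with digits and special characters) as checks.

SPECIALS = set(string.punctuation)

# name -> (minimum length, required character classes, alphabet size)
POLICIES = {
    "old_8_mixed_case": (8, ("upper", "lower"), 52),
    "new_12_complex": (12, ("upper", "lower", "digit", "special"), 95),
}

def char_classes(pw: str) -> set:
    """Character classes actually present in a candidate password."""
    present = set()
    for ch in pw:
        if ch.isupper():
            present.add("upper")
        elif ch.islower():
            present.add("lower")
        elif ch.isdigit():
            present.add("digit")
        elif ch in SPECIALS:
            present.add("special")
    return present

def complies(pw: str, policy: str) -> bool:
    """True when pw meets the policy's minimum length and all required classes."""
    min_len, required, _ = POLICIES[policy]
    return len(pw) >= min_len and set(required) <= char_classes(pw)

def keyspace_bits(policy: str) -> float:
    """log2 of the number of minimum-length passwords over the policy alphabet."""
    min_len, _, alphabet = POLICIES[policy]
    return min_len * math.log2(alphabet)

def years_to_exhaust(policy: str, guesses_per_second: float = 1e11) -> float:
    """Years to try the whole minimum-length keyspace at an assumed offline
    guess rate; 1e11/s is an illustrative assumption, not a measured figure."""
    seconds = 2 ** keyspace_bits(policy) / guesses_per_second
    return seconds / (365 * 24 * 3600)

if __name__ == "__main__":
    for pw in ("Passwordx", "Passw0rd!x2#", "abcdefgh"):  # constructed samples
        print(pw, {name: complies(pw, name) for name in POLICIES})
    for name in POLICIES:
        print(name, round(keyspace_bits(name), 1), "bits,", f"{years_to_exhaust(name):.1e}", "years")
```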
  • 79. Security Policies And Control And Password Management... Security policies are rules and guidelines formulated by an organization to manage access to information systems and/or computer networks. Simply put, these policies exist to govern employees, business partners, and third-party contractors with access to company assets. Furthermore, some policies exist to comply with laws and regulatory requirements. These policies are part of the company's information security management system (ISMS), and are usually administered to employees by Human Resources or distributed to business partners and contractors via the Technology department. In sum, security policies protect assets from illegal or damaging actions of individuals. Of course, many security policies exist, but this review will focus on the ... These standards appear in the ISO/IEC 27000 series, the industry-recognized best practices for development and management of an ISMS (pg. 68 of CISSP). To clarify, the ISO 27002 Information Technology Security Techniques Code of Practice for Information Security Management module falls within the ISO 27000 framework. Ultimately, HHI's objective will be to comply with industry standards and governmental regulations by designing sound security policies using ISO 27000 standards. As mentioned in the previous section, the ISO/IEC developed the ISO 27000 framework, which includes the ISO 27002 standards (page 37). Furthermore, the ISO 27002 standards contain 12 domains; nevertheless, this review will focus on the Access Control domain to rewrite the new user and password requirement policies. Moreover, the Access Control domain has seven subdomains: Business Requirements for Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application and Information Access Control; Mobile Computing and Teleworking. Specifically, the Network Access Control subdomain delves into user access management and user responsibilities. In summary, the ISO 27002 standards encompass 12 domains to "establish guidelines and principles for initiating, implementing, maintaining, and improving information security management within an organization