The document discusses a final project for a security course focused on transforming a business to an e-business model. It outlines the learning objectives, which include gaining an understanding of an e-business transformation capitalizing on internet technologies and web applications. The project has two parts - the first is to identify e-business and e-commerce applications to support the planned transformation, and the second is to identify social networking applications.
1. Essay on Final Project
Security for Web Applications and Social Networking
Graded Assignments: Project
Project
Project Title
Transforming to an E–Business Model
Purpose
This project provides you an opportunity to assume a specific role in a business situation. You then
apply the competencies gained in this course to develop a solution for a business problem related to
an organization's transformation to an e–business model.
Learning Objectives and Outcomes
You will be able to:
Gain an overall understanding of an e–business transformation capitalizing on the advent of the
Internet technologies and Web applications in a specific business situation.
Summarize your understanding of implementing social networking applications into an e–business
The senior management is committed to and supportive of this e–business transformation because of
the potential of the e–business model to recognize additional revenue streams, reduce costs, and
improve customer service.
Project Part 1: Identify E–Business and E–Commerce Web Apps for Planned Transformation
Tasks
You have been assigned to identify e–business and e–commerce Web applications to support the
proposed implementation. To do so, you must:
Research and analyze recent and emerging technologies that may assist in the transformation.
Recognize specific benefits and value to be realized through e–business Web applications.
Select e–business and e–commerce strategies to achieve the identified benefits and value.
Assess risks, threats, and vulnerabilities specific to the strategies chosen.
Explain the business impacts of the risks assessed.
Summarize the importance of security and privacy in relation to the impacts explained.
Develop a report detailing your findings and recommending specific strategies and applications for
implementation.
Deliverables and format:
2. Submit your answer in a Microsoft Word document in not more than two pages.
Font: Arial 10 point size
Line Spacing: Double
Change Date: 01/09/2012
Project Part 2: Identify Social Networking Apps for Planned Transformation
Introduction
As covered throughout the unit, social
3. Customer Privacy Of The Hospitality Service Industry Essay
The technology that helps hospitality businesses deliver services efficiently, manage workload and support employees also opens the door to customer privacy violations and corporate espionage. As businesses move from paper to digital records, the risk of data breaches increases, and each advance in technology creates new privacy exposures. In the hospitality industry privacy is a top priority and customers expect the utmost confidentiality from these companies, yet the industry is an easy target for data theft. Hotel payment card data is kept longer than in most retail settings because rooms are booked in advance, and card data is retained for the duration of the stay and beyond to cover restaurant bills and other services.
Multiple hotel chains, including Hyatt, Sheraton, Trump, Hilton and Mandarin Oriental, admitted to having their point-of-sale (POS) systems compromised in 2015. A POS system is the combination of hardware and software used to complete financial transactions between a merchant and its customers. When a hotel information system is breached, hotels follow standard incident-handling procedures, and the organisations involved also adopt guidelines and requirements intended to ensure that a breach does not happen, or does not happen again.
Starwood Hotels and Resorts Worldwide, a hotel and leisure company with around 1,275 properties
under multiple brands posted on its
4. Sarbanes-Oxley Act Section 404 Analysis
The main idea behind PCI DSS is a standard that helps organizations control cardholder data; its primary purpose is to prevent the credit card fraud that follows exposure of that data. The Payment Card Industry Data Security Standard, commonly called PCI DSS, was introduced by the major card brands (Visa, MasterCard, Discover, American Express and JCB).
Financial Sector: Summarize the main idea of Sarbanes-Oxley Act Section 404. The essential idea behind Sarbanes-Oxley Act Section 404 is that an internal control ...
5. Case Study Of PCI DSS Compliance
PCI DSS Compliance and How to Become PCI DSS Compliant.
What is PCI Compliance?
PCI compliance means adherence to the Payment Card Industry Data Security Standard (PCI DSS). It is a proprietary information security standard for all organizations that store, process or transmit cardholder data for branded cards from the major card schemes, including Visa, MasterCard, American Express and Discover.
PCI DSS version 1.0 was released in December 2004, when the card companies aligned their separate security programs under a single standard; in 2006 they formed the Payment Card Industry Security Standards Council (PCI SSC), the organization that now maintains PCI DSS. The most current version at the time of writing (version 3.2) came out in April 2016.
Before the formal security standard was established, the different credit card companies had their own set of rules and ...
An Approved Scanning Vendor (ASV) is an organization whose security services and tools (ASV scan solutions) perform external vulnerability scans to validate compliance with the quarterly external scanning requirement (Requirement 11.2 in PCI DSS 3.2).
Whether you need one depends on your validation type. SAQ A-EP includes Requirement 11.2, so merchants validating against it must have quarterly ASV scans; it is one of the questions in the form. SAQ A does not include it, so from the point of view of SAQ A and its Attestation of Compliance (AOC) an ASV scan is not required. At the same time, some acquirers (payment providers) require ASV scans as a condition of using their services, so check with your providers directly even if you qualify for SAQ A. An ASV's scan solution is tested and approved by PCI SSC before the vendor is added to the ASV list.
Compliance Process Summary
1. Determine your merchant level with your acquiring bank and each card brand. Remember, each has slightly different rules.
2. Complete the relevant Self-Assessment Questionnaire according to its instructions.
3. Complete the relevant Attestation of Compliance form (contained in your SAQ ...
6. Essay about PCI Compliance
What is PCI Compliance?
PCI Compliance is maintaining adherence to the PCI DSS standard that was developed by major
credit card companies as a "guideline to help prevent credit card fraud" ("PCI DSS"). Credit card
fraud has taken the spotlight in the past several years due to the massive growth of e–commerce and
online transaction processing. With the proliferation of e–businesses, it has become easier than ever
to commit fraud over the internet.
Major credit card issuers such as MasterCard, Visa, American Express, Discover, and JCB
International joined together to create a standard known as PCI DSS or Payment Card Industry Data
Security Standard. In order to process credit card payments, merchants and vendors are required to be ...
In September 2006 the PCI Data Security Standard was updated to version 1.1, the version in use when this was written. The PCI Security Standards Council works to promote broad industry adoption of this
standard, and also generates tools to assist companies in complying with these standards. Some of
the tools are guidelines, scanning requirements, and even a self–assessment questionnaire.
Before the PCI Security Council and Data Security Standard existed, each of the five credit card
issuers had their own internal extensive compliance policies. But vendors or merchants who wanted
to process more than one type of credit card would have to comply with requirements defined by
each card issuer. By coming together under the umbrella of the PCI Security Council these major
brands were able to codify their corporate standards into a public standard, and place pressure on
organizations that process credit transactions to protect cardholder data against fraud and theft.
The founding organizations not only developed this standard, but also incorporated these standards
into their own data security compliance programs. All five organizations share equally in governing
the council; have equal input regarding issues; and all the organizations share responsibility for
maintaining the PCI Data Security Standard.
Case Study: TJX Companies
In March of 2007, just last year, TJX Companies, owner of TJ Maxx and Marshall's revealed the
extent of damage of a number of
7. A Plan For Physical And Digital Security Protocols
7. PCI DSS Validation
The Payment Card Industry Data Security Standard applies to companies that use, store and transmit protected payment card information. Companies bear responsibility for compliance, but many payment processors offer compliance tools to the businesses they serve. It is essential that companies implement the PCI DSS controls: a plan for physical and digital security protocols is what stands between a business and the fines, penalties, customer lawsuits and even loss of payment processing privileges that follow a breach caused by noncompliance.
8. PCI Compliance Guide
Compliance for B2B companies includes training programs that educate employees about security risks. B2B companies can adopt digital and physical safeguards stricter than the practices the card brands require, because developers can build and integrate compliance tooling into the eCommerce platform to meet the baseline requirements or exceed them. The PCI SSC website explains the requirements for achieving PCI compliance and is the starting point for defining what the platform needs and what in-house training and security practices must cover.
9. Automated Auditing
An automated auditing tool for B2B eCommerce platforms offers many advantages, but each eCommerce operation is different and requires custom integrations and features before auditing applications can manage and audit the
8. Swot Analysis Of Graco Inc, A Minneapolis Based Company Essay
I work as a Credit Representative for Graco Inc, a Minneapolis based company. Graco Inc is a manufacturing company and provider of premium pumps and spray equipment for fluid handling in the construction, manufacturing, processing and maintenance industries. As Credit Representatives, we handle both the Credit and Collection functions. In Credit, customers are evaluated on their credit history based on financial statements, credit reports and trade references to determine the financial risk. Our goal is to support sales by extending credit and terms to customers. On the other hand, as Collectors, we perform collection efforts to ensure accounts are paid on time and resolve any outstanding balances. For customers who tend to struggle with payments and pay their bills late, our leverage is to hold orders to collect the debt.
As technology has advanced over the years, we have experienced and noticed that the trend in how payments are received has shifted tremendously. Twenty years ago, checks were the preferred way of payment. In today's world, more and more payments are made by credit card. Credit card transactions are instant and provide a faster payment method.
At Graco Inc, we have put controls and processes in place over the years to ensure that the credit card process is secure. Although we have put in many hours to close the gaps in the credit card processes, we are still exposed to many credit card risks. We receive credit card information via email, fax and/or over the phone.
9. It Security Compliance Policy Is The Legal Aspects Of The...
Introduction
The purpose of this IT Security Compliance Policy is to recognize the legal aspects of the
information security triad: availability, integrity, and confidentiality as it applies to the Department
of State at U.S. Diplomatic Embassies across the globe. This document also covers the concept of
privacy and its legal protections for privately–owned information by the U.S. government and
government employee's use of network resources. A detailed risk analysis and response procedures
may also be found at the end of this policy.
LAW Overview
The following is a brief overview of compliance with each law related and in use by our
organization.
"The Gramm–Leach–Bliley Act (GLBA) requires financial institutions – companies that offer ...
"The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to
ensure that ALL companies that process, store or transmit credit card information maintain a secure
environment. Essentially any merchant that has a Merchant ID (MID)." (PCI Compliance Guide).
We have three steps for compliance with the PCI standards. Step 1, ASSESS: the purpose of the assessment step is to identify all process and technology vulnerabilities that may pose a threat to the consumer credit card data our company processes. Step 2, REMEDIATE: remediation is how we fix the vulnerabilities found. These include technology flaws, such as outdated software or hardware that an exploit can easily bypass, and unsafe practices within the organization that could expose card data to someone other than the cardholder.
The remediation process uses these steps:
Run network port and vulnerability scanners against the in-scope systems.
Complete the self-evaluation questionnaires and network scenario questionnaires.
Sort and prioritize every vulnerability found in the tests and assessments.
Apply fixes, patches, updates and, where necessary, workarounds for the vulnerabilities identified.
Rescan everything to confirm the vulnerabilities have been mitigated.
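The prioritize-fix-rescan loop above is easiest to evidence when the scan results are diffed mechanically. The following Python script is an added example (not part of the policy text or of any scanner's product) that takes an assessment scan and the verification rescan, ranks open findings for remediation, and reports what was fixed, what remains, and what the rescan newly found. The findings are constructed in a simple CSV shape rather than any real scanner's export; the CDE host list is an assumption, and the CVSS 4.0 cut-off mirrors the threshold at which the ASV program treats an external finding as failing.

```python
"""Diff an assessment scan against its verification rescan (added example)."""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin: str     # the scanner's check identifier
    cvss: float
    title: str

    @property
    def key(self):
        # Same host, port and check across two scans means the same finding.
        return (self.host, self.port, self.plugin)


def parse_findings(text: str) -> list:
    """Parse the constructed CSV export: host,port,plugin,cvss,title."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return [Finding(r["host"], int(r["port"]), r["plugin"], float(r["cvss"]), r["title"])
            for r in rows]


# Assumption for the example: these hosts store or process cardholder data.
CDE_HOSTS = {"pos-gw-01", "db-card-01"}
FAIL_CVSS = 4.0   # ASV scans fail on CVSS >= 4.0; used here as the remediation bar


def priority(f: Finding) -> tuple:
    """Sort key: failing findings first, CDE hosts before others, then CVSS descending."""
    return (f.cvss < FAIL_CVSS, f.host not in CDE_HOSTS, -f.cvss, f.host, f.port)


def prioritize(findings: list) -> list:
    return sorted(findings, key=priority)


def rescan_diff(baseline: list, rescan: list) -> dict:
    """Which baseline findings closed, which persist, and what the rescan added."""
    before = {f.key: f for f in baseline}
    after = {f.key: f for f in rescan}
    return {
        "fixed": sorted(before[k].title for k in before.keys() - after.keys()),
        "still_open": sorted(after[k].title for k in before.keys() & after.keys()),
        "new": sorted(after[k].title for k in after.keys() - before.keys()),
    }


def rescan_passes(rescan: list) -> bool:
    """The rescan clears only when nothing at or above the bar remains."""
    return all(f.cvss < FAIL_CVSS for f in rescan)


# Constructed sample data for the example.
BASELINE = """host,port,plugin,cvss,title
pos-gw-01,443,ssl-v3,7.5,SSLv3 enabled
pos-gw-01,22,ssh-weak-mac,2.6,Weak SSH MAC algorithms
db-card-01,1433,mssql-default-sa,9.8,Default sa credentials
web-corp-01,80,http-trace,4.3,HTTP TRACE method enabled
web-corp-01,80,server-banner,0.0,Server version disclosed
"""
RESCAN = """host,port,plugin,cvss,title
pos-gw-01,22,ssh-weak-mac,2.6,Weak SSH MAC algorithms
web-corp-01,80,http-trace,4.3,HTTP TRACE method enabled
web-corp-01,80,server-banner,0.0,Server version disclosed
web-corp-01,443,tls10-enabled,5.3,TLS 1.0 enabled
"""

if __name__ == "__main__":
    base, again = parse_findings(BASELINE), parse_findings(RESCAN)
    for f in prioritize(base):
        print(f"{f.cvss:4.1f} {f.host}:{f.port} {f.title}")
    print(rescan_diff(base, again))
    print("rescan passes:", rescan_passes(again))
```

Because the diff is keyed on host, port and check, a finding that moves to a different port or reappears under another check shows up as "new" rather than silently merging with the old one, which is what an assessor will ask about.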
"The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy
of student education records. The law
10. Security Breach at Tjx Essay
HBR Case Study
Security Breach at TJX
1. What are the (a) people, (b) work process and (c) technology failure points in TJX's security that
require attention?
While it is known that all retailers, large and small, are vulnerable to attacks, several factors
including people, work process, and technology require attention so as to prevent another major
attack from hitting TJX.
The people associated with the attack who need attention are the top–level executives and, more
importantly, the Payment Card Industry Data Security Standard
(PCI DSS) auditors. Top–level executives need to understand that IT security is a business issue and
not just a technology issue. As seen by the attack, an IT security breach can mean hundreds of ...
2. How should the company's IT security be improved and strengthened? What should its short–term
priorities and long–term plans be?
Hiring Richel as the Chief Security Officer was one big step towards a better IT security program at
TJX; he's an executive who understands the harsh and costly consequences of a weak IT security
system and has plans to implement the strongest system possible.
Short-term priorities include 1) addressing Mary Smith's letter and taking care of the $5,000 theft, 2) implementing network monitoring, 3) implementing logging, 4) encrypting ALL cardholder data and minimizing the window in which data exists in unencrypted form, and 5) updating all components of the system, both hardware and software, to the most modern and secure available.
Long-term priorities should include minimizing risk by making everyone in the company, not just top-level executives, aware of the potential for another massive attack on their systems. I think store clerks and managers should be made aware of their branch's IT systems (wireless, kiosks, card swipers, etc.) so that they know what an attack looks like while it is happening. More often than not, the intrusion is happening right in front of the cashier, who has absolutely no idea.
11. Evaluation Of Pci Dss Compliance Requirements
PCI DSS compliance requirements impose segregation of duties in a number of areas, with the aim of protecting cardholder data. The idea behind the requirement is that when more than one person is involved in a task, a single person's error or deliberate misuse is less likely to go unnoticed, so there is less chance of fraud or unintentional damage and security is maintained.
PCI DSS requires segregation of duties and separation of the development and production environments, to limit access to cardholder data and to restrict moving data from one environment to another because of the risk of exposing it.
PCI DSS also provides guidance on clear separation of data within the network: cardholder data should be isolated from the rest of the network, which holds less sensitive information. When auditing PCI DSS compliance the following documents are helpful: network policies and procedures, documentation of the network configuration and network devices, and network flow diagrams. There is no single prescribed solution for how an organization should configure its network and devices to ensure PCI DSS compliance, because every organization has its own business specifics and its own technology, so segregation of duties is likewise unique to each organization. We may also conclude that segregation of duties depends heavily on the network configuration and devices, and for that reason one of the areas audited for PCI DSS compliance is documentation and ...
12. NCDOT DMV Case Study
Description: NCDOT DMV has a business and regulatory requirement to protect cardholder data. This mandatory requirement is stipulated in the published Policy of the State of North Carolina, Department of Transportation, and by the Payment Card Industry Security Standards Council and its supporting governance. Because of the volume of payment card transactions NCDOT processes, this requirement must be validated annually through an external onsite assessment. NCDOT's official kickoff was Monday, August 31, 2015. To date a tremendous amount of preparatory work has been executed by the ISO with the assistance of teams spanning the entire NCDOT DMV. This year we must validate compliance with approximately 300 requirements ...
13. What Are The Disadvantages Of E-Commerce
1.1 Introduction
Payment systems and protocols have developed alongside electronic commerce. The current payment model consists of the merchant, the customer and the payment gateway: the merchant receives the customer's payment information and forwards it to a payment gateway, which processes the payment. This procedure carries several risks to the customer's information, because the merchant is able to save customer data and may misuse it later. The other possibility is that the information is compromised, without the merchant's knowledge, while the customer's payment data is being forwarded to the payment gateway. The ...
The Non-Technical Disadvantages
The non-technical disadvantages of E-commerce can be summarized as follows:
Security and privacy: it is hard to ensure privacy or security for online payments.
The lack of touch and feel of products during the online purchasing process.
Initial cost: building an E-commerce application in-house can be very expensive and can delay its launch because of mistakes or lack of experience.
User resistance: users may not trust an unknown, faceless seller website, which makes it difficult to move them from physical stores to virtual online stores.
Internet access is still not cheap for some customers and still inconvenient for many potential customers, such as those living in remote villages.
The rapid change and evolution of E-commerce applications.
2.3 The E-commerce Business
14. Essay on Components of PCI Standards
I. Components of PCI standards
PCI Data Security Standard (PCI DSS)
PCI DSS is the base standard for merchants and card processors. It addresses the security technology controls and processes for protecting cardholder data. Attaining compliance with PCI DSS can be tough and can drastically impact your organization's business processes, services and technology architecture (Microsoft, 2009). PCI DSS version 1.2 was the most recent version of the standard when this was written and replaces all previous versions. The standard is structured into six control objectives and 12 requirements.
Payment Application Data Security Standard (PA DSS)
PA DSS is the baseline for software developers who commercially develop payment software for ...
I. Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Firewalls control traffic between an organization's internal networks and untrusted external networks. All systems holding cardholder data must be protected from unauthorized access originating from untrusted networks.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Default settings and credentials are the easiest way into any network, because they are well known in attacker communities.
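Requirement 1 is assessed largely by reading the rule base, and the same reading can be automated. The Python script below is an added example, not code from the essay or from PCI SSC: it audits a constructed firewall rule set for the three things an assessor looks for first, namely traffic allowed from out-of-scope networks into the cardholder data environment (CDE), CDE services exposed to any source or on all ports, and rules without a documented business justification. The CDE subnet, the single bastion host allowed to administer it, and the rule lines are assumptions made for the example.

```python
"""Audit firewall rules for CDE isolation problems (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumptions for the example: the CDE is one /24 and only the bastion
# 10.20.0.5 may reach it for administration, over SSH.
CDE_NETS = [ipaddress.ip_network("10.10.0.0/24")]
ALLOWED_ADMIN_SOURCES = [ipaddress.ip_network("10.20.0.5/32")]
ALLOWED_ADMIN_PORTS = {22}


@dataclass
class Rule:
    name: str
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    port: Optional[int]      # None means all ports
    action: str              # "allow" or "deny"
    justification: str = ""  # Req. 1.1.6 asks for one per allowed service


def _net(cidr):
    return None if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def _touches(cidr, nets):
    """True if cidr is 'any' or overlaps one of nets."""
    n = _net(cidr)
    return n is None or any(n.overlaps(c) for c in nets)


def _within(cidr, nets):
    """True if cidr is fully contained in one of nets ('any' never is)."""
    n = _net(cidr)
    return n is not None and any(n.subnet_of(c) for c in nets)


def audit(rules):
    """Return (rule name, finding) pairs for allow rules that weaken CDE isolation."""
    findings = []
    for r in rules:
        if r.action != "allow" or not _touches(r.dst, CDE_NETS):
            continue  # deny rules and rules that never reach the CDE are out of scope here
        if r.src == "any":
            findings.append((r.name, "CDE reachable from any source"))
        elif _within(r.src, CDE_NETS):
            pass  # intra-CDE traffic does not cross the segmentation boundary
        elif _within(r.src, ALLOWED_ADMIN_SOURCES) and r.port in ALLOWED_ADMIN_PORTS:
            pass  # the documented administrative path
        else:
            findings.append((r.name, f"non-CDE source {r.src} allowed into CDE on port {r.port}"))
        if r.port is None:
            findings.append((r.name, "all ports open into CDE"))
        if not r.justification.strip():
            findings.append((r.name, "no business justification documented"))
    return findings


SAMPLE_RULES = [  # constructed rule base for the example
    Rule("pos-to-payment-switch", "10.10.0.0/24", "10.10.0.10/32", 443, "allow", "POS auth traffic"),
    Rule("jump-ssh", "10.20.0.5/32", "10.10.0.0/24", 22, "allow", "admin via bastion"),
    Rule("corp-lan-to-db", "10.30.0.0/16", "10.10.0.20/32", 1433, "allow", "reporting"),
    Rule("legacy-any", "any", "10.10.0.0/24", None, "allow"),
    Rule("default-deny", "any", "any", None, "deny"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

The "reporting" rule is the typical finding: a justification exists, but it lets the whole corporate LAN reach the card database, which pulls that LAN into PCI scope unless the access is narrowed to a specific host or removed.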
II. Protect cardholder data
Requirement 3: Protect stored cardholder data
Encryption, truncation, masking and hashing are the critical controls for stored data; encrypted information cannot be read without the cryptographic keys. Retention and disposal policies based on time also play an important role. Store the minimum cardholder data the business needs, and never store sensitive authentication data after authorization: the full contents of the magnetic stripe or chip, the card verification code and the PIN or PIN block must not be retained even if encrypted. The expiration date and cardholder name may be stored, but must be protected together with the PAN, and the PAN itself must be rendered unreadable wherever it is stored.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Always encrypt sensitive information before passing it over a public network. Transport Layer Security (TLS) is the industry-wide protocol for securing communication between client and server; its predecessor SSL, and early TLS (1.0), are no longer accepted as strong cryptography under PCI DSS. Organizations must never send unprotected PANs over end-user messaging technologies such as email or instant messaging.
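Requirement 3 comes down to what survives the authorization response. The Python below is an added example (not code from the essay or from PCI SSC) of that reduction: it takes an authorization record as a POS terminal might deliver it, drops the sensitive authentication data, keeps a masked PAN plus a keyed one-way token in its place, and, going one step past the text, scans free text such as log lines for anything that is shaped like a PAN and passes the Luhn check, which is how full PANs usually turn out to be "stored" anyway. The sample record and log lines are constructed (the PAN is the well-known 4111 1111 1111 1111 test number) and TOKEN_KEY is a placeholder that in production would come from an HSM or key-management service.

```python
"""Reduce an authorization record to what PCI DSS Req. 3 permits (added example)."""
import hashlib
import hmac
import re

TOKEN_KEY = bytes.fromhex("00" * 32)  # placeholder for the example, never a real key

# Sensitive authentication data (PCI DSS 3.2 Req. 3.2): not storable after authorization.
SENSITIVE_AUTH_FIELDS = ("track1", "track2", "cvc", "pin", "pin_block")
# Cardholder and transaction data that may be retained if protected.
STORABLE_FIELDS = ("expiry", "name", "auth_code", "amount")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check digit test used by all major card brands."""
    if not digits.isdigit() or len(digits) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four at most, as Req. 3.3 permits for display."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str) -> str:
    """Keyed hash of the full PAN. A plain SHA-256 would not do: with the 6-digit
    BIN known and the Luhn digit fixed, only about 10**9 candidates remain."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def sad_present(auth: dict) -> list:
    """Sensitive authentication data fields found in an incoming record."""
    return sorted(f for f in SENSITIVE_AUTH_FIELDS if f in auth)


def to_storage_record(auth: dict) -> dict:
    """Build the only record that may be persisted after authorization."""
    pan = auth["pan"].replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    record = {k: auth[k] for k in STORABLE_FIELDS if k in auth}
    record["pan_masked"] = mask_pan(pan)    # receipts, customer-support lookups
    record["pan_token"] = pan_token(pan)    # match one card across transactions
    leaked = set(record) & set(SENSITIVE_AUTH_FIELDS)
    if leaked:  # belt and braces: even encrypted, SAD must not be kept
        raise RuntimeError(f"refusing to store {sorted(leaked)}")
    return record


# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Full PANs (digits only) that leaked into free text such as log lines."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


SAMPLE_AUTH = {  # constructed authorization record
    "pan": "4111 1111 1111 1111", "expiry": "12/27", "name": "J DOE",
    "cvc": "123", "pin_block": "A1B2C3D4E5F60718",
    "track2": ";4111111111111111=27121011234567890?",
    "auth_code": "Z19C4Q", "amount": "42.00",
}
SAMPLE_LOG = (  # constructed: one real PAN, one order number that fails Luhn
    "2016-04-01 12:00:01 pos-07 auth ok pan=4111111111111111 amt=42.00\n"
    "2016-04-01 12:00:02 pos-07 order=4000123456789012 shipped\n"
)

if __name__ == "__main__":
    print("dropped:", sad_present(SAMPLE_AUTH))
    print(to_storage_record(SAMPLE_AUTH))
    print("PANs in log:", find_pans(SAMPLE_LOG))
```

The Luhn filter in find_pans is what keeps the detector useful: order numbers, timestamps and phone numbers are the same length as a PAN but almost never pass the check, so the hits that remain are worth treating as real exposure.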
III. Maintain a vulnerability management program
Requirement 5: Use up-to-date ...
15. PCI Compliance Report
As an information security analyst, I have been tasked with identifying the need for compliance with
Payment Card Industry Data Security Standards (PCI DSS). A business accepting any amount of
payment from credit cards is required to be in compliance. This report will provide a high–level
explanation of PCI compliance, how to move through the process, and consequences of
noncompliance.
The PCI DSS is a set of policies and standards developed by the major credit card companies, including Visa, MasterCard, Discover and American Express. These standards are not law, but compliance is required in order to accept payments from clients who hold these brands' cards. The standards are aimed at providing security to the clients' ...
16. Benefits Of Debit And Credit Card Payment
Debit and Credit card payments facility
Accepting card payments can have a tremendous positive effect on cash flow. Even if sales are not increasing, the business still benefits from the convenience of having funds delivered almost immediately to its bank account. Furthermore, customers now expect the option to pay by card.
BHSF have periodically considered implementing a debit and credit card payment facility in order to accept payments from corporate clients and policyholders; this topic was last reviewed by Ian Galer in 2015.
Ian's review identified WorldPay as a possible payment provider able to offer various payment collection methods. However, agent processing would require our call recording system to ...
Card payments would make it easier to recover incorrect claims payments, or to take a payment back when a policyholder has received a refund and returns it; these issues can be resolved much more swiftly by card.
DST policyholders who might otherwise miss out on an incentive, such as continuation of cover through the lapse process, could pay back-payments by card. This is an area of huge potential which is currently handled by a manual application and produces a poor return. Policyholders could make advance payments for a new health cash plan (or any product), securing cover for a set period, which could be incentivised with an immediate benefit. Policyholders who leave their company could be given the option to pay their corporate rate in advance for a set period (for example 12 months). Using the pay-by-link service, lapse emails could be sent instead of lapse letters, giving a substantial saving on postage and stationery.
2. WorldPay
WorldPay is the UK's leading payments provider and can provide a variety of payment services either directly to BHSF or in partnership with an automated payments provider.
Services available:
Virtual terminal: credit and debit card payments taken over the telephone using a secure web browser
Online payments gateway: taking online card payments through a secure online payments gateway
Pay by link: sending a payment link directly via email
Fees for the above services are ...
18. Notes On Computer Network Security
INTRO TO COMPUTER NETWORK SECURITY
TJX SECURITY BREACH
Harjot Kaur
ID 1705173
MADS 6697 V1
Mohamed Sheriff
July 10, 2016
Fairleigh Dickinson University, Vancouver
Introduction
TJX, the largest off-price clothing retailer in the United States, still suffers from what was the biggest credit-card theft in history. The company lost 94 million credit and debit card numbers, resulting in a huge volume of fraudulent transactions, because of weak security in at least one store. In addition, customers lost faith in TJX, which led to a significant fall in sales.
Company overview
The TJX Companies, Inc. (NYSE: TJX) is an American clothing and home merchandise company based in Framingham, Massachusetts. TJX was established in 1976 and operates eight independent businesses in the off-price segment: T.J. Maxx, Marshalls, HomeGoods, A.J. Wright and Bob's Stores in the United States, Winners and HomeSense in Canada, and T.K. Maxx in Europe. It is the leading off-price retailer of apparel and home fashions in the U.S. and worldwide, ranking No. 89 in the 2016 Fortune 500 listing, with $30.9 billion in revenues in 2015, more than 3,600 stores in 9 countries, 3 e-commerce sites, and approximately 216,000 Associates.
Case background
TJX suffered what was then the largest hack of its kind, with about 94 million records lost, in 2006. The company discovered the breach in December 2006 and believed it had been losing data for the past six to seven ...
19. Tjx Security Breach Essay
The TJX Companies breach has been labeled the largest data breach in the history of security breaches and the ultimate wake-up call for corporations (Dash, 2007). TJX is the parent company of chains such as TJ Maxx, Marshalls, HomeGoods and a host of other retail stores across the US and Canada. In January 2007 it was revealed that hackers had stolen as many as 200 million customer records because of TJX's failed security, resulting in $4.8 billion worth of damages (Swann, 2007). The breach is said to have occurred because TJX had no adequate security measures in place to protect consumers' data, such as debit card, credit card and checking account information and driver's license numbers. Reports identified three major ...
In fact, researchers at Darmstadt Technical University in Germany have demonstrated that a WEP key can be broken in less than a minute (Berg, Freeman, & Schneider, 2008). More important, WEP does not satisfy industry standards, which require the much stronger WPA (Wi-Fi Protected Access) protocol (Berg, Freeman, & Schneider, 2008). First, the attackers broke into a store's wireless network and stole employees' usernames and passwords, which gave them access to the main TJX database at corporate headquarters; they used those credentials to create their own accounts in the employee database. Once inside the corporate network, they were able to gather credit card numbers and any other customer information they wanted. The consumer information was compromised for approximately 18 months before TJX became aware of what had been happening. TJX's data storage practices also appear to have violated industry standards. Reports indicate that the company was storing the full-track contents scanned from each customer's card (Swann, 2007). Additionally, customer records seem to have contained the card-validation code (CVC) and the personal identification numbers (PIN) associated with the customers' cards. PCI Data Security Standard 3.2 clearly states that after payment authorization is received, a merchant is not to store sensitive authentication data such as the CVC, PIN, or full-track data (Berg, Freeman, & Schneider, ...
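The essay above cites WEP as the entry point without saying what is wrong with it. The following Python is an added example, not code from the essay or its sources, of the structural flaw: WEP encrypts each frame with RC4 keyed by the 24-bit IV concatenated with the shared key, and sends the IV in clear. With only 2**24 IVs a busy access point repeats one within hours, and two frames under the same IV share a keystream, so XORing their ciphertexts cancels the keystream and leaves the XOR of the plaintexts; since every IP frame starts with the same LLC/SNAP header, that known plaintext recovers the other frame. This demonstrates keystream reuse, not the FMS/PTW statistical key-recovery attacks behind the "under a minute" figure. The key, IV and frame contents are constructed, and the CRC-32 integrity value and key-id byte of a real WEP frame are omitted.

```python
"""WEP IV collision: two frames, one keystream (added example)."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream generation), for demonstration only."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in clear, then RC4(IV || key) over the payload."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + shared_key, plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed 104-bit shared key ("WEP-128"); the attacker never learns it.
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3")
# LLC/SNAP header that begins every IP frame over 802.11: known plaintext.
LLC_SNAP_IP = bytes.fromhex("aaaa03000000" + "0800")


def recover_from_iv_collision(frame_a: bytes, frame_b: bytes, known_a: bytes) -> bytes:
    """Given two frames sharing an IV and the first len(known_a) plaintext bytes
    of frame A, return the same number of plaintext bytes of frame B."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("no IV collision")
    ct_a, ct_b = frame_a[3:], frame_b[3:]
    n = len(known_a)
    keystream = xor(ct_a[:n], known_a)   # ciphertext XOR plaintext = keystream
    return xor(ct_b[:n], keystream)      # same IV, same key: same keystream


def demo() -> bytes:
    iv = b"\x01\x02\x03"  # constructed: the access point has cycled back to this IV
    frame_a = wep_encrypt(SHARED_KEY, iv, LLC_SNAP_IP + b"GET / HTTP/1.1\r\n")
    frame_b = wep_encrypt(SHARED_KEY, iv, LLC_SNAP_IP + b"card=4111111111111111")
    # The eavesdropper knows the header and guesses frame A's HTTP request line.
    known_a = LLC_SNAP_IP + b"GET / HTTP/1.1\r\n"
    return recover_from_iv_collision(frame_a, frame_b, known_a)


if __name__ == "__main__":
    print(demo())
```

The recovered bytes stop where the attacker's known plaintext stops, which is why the attack scales with traffic: every additional frame whose contents can be guessed (ARP requests, DHCP, fixed protocol headers) extends the keystream known for that IV.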
20. Regulatory Standards Of The Federal Information Systems...
Within this writing assignment I will discuss the following regulatory requirements: the Federal Information Security Management Act (FISMA), the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and intellectual property law. I will also discuss the security methods and controls that should be applied to ensure compliance with these standards and regulatory requirements, and explain the guidelines established by the Department of Health and Human Services, the National Institute of Standards and Technology (NIST), and other agencies for ensuring compliance with them.
During daily operations, ...
Title III of the E-Government Act of 2002, the Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, a contractor, or other sources (Staff, 2016). FISMA was amended by the Federal Information Security Modernization Act of 2014, which updated federal security practices to strengthen continuous monitoring, keep the focus on agency compliance, and require reporting on the impact of security incidents. FISMA, the Paperwork Reduction Act of 1995, and the Information Technology Management Reform Act of 1996 (the Clinger-Cohen Act) together lay out the requirements for a cost-effective security program. In support of this legislation, the Office of Management and Budget (OMB), through Circular A-130, "Managing Information as a Strategic Resource," requires executive agencies within the federal government to:
Plan for security
Ensure that appropriate officials are assigned security responsibility
Periodically review the security controls in their systems
Authorize system processing prior to
21. Relate A Real-World Case Study On The Payment Card System
1. Relate a real-world case study on Payment Card Industry Data Security Standard (PCI DSS) noncompliance and its implications. Failure to protect sensitive customer data can result in serious business losses and other major negative impacts on business operations. CardSystems Solutions and its successor became known for what was, at the time, the largest compromise of client data on record. The breach resulted from a failure to properly protect the sensitive card information of the millions of customer cards the company processed. The company kept sensitive personal information about its clients that it had no business reason to store. That information sat on the company's network, which proved insecure when a SQL injection attack exposed millions of card records, leading to large losses from fraudulent purchases made with the stolen data.
Following the incident, the FTC identified several practices that likely contributed to the breach: failure to use strong passwords, failure to employ sufficient measures to restrict access to its systems from the Internet, and failure to run regular tests to assess how vulnerable its systems were to outside attack. Some of these measures were low-cost and easy to put in place, yet the company did not adopt them, leaving it exposed to even the simplest attacks.
Data breaches like these have serious implications for business operations and can even lead to the collapse of the whole company. Where the law applies, the company's systems are placed under supervision to make sure they meet the newest regulations for financial data protection, with regular auditing to confirm that the systems remain stable and secure.
2. Distinguish how the Payment Card Industry Data Security Standard (PCI DSS) is a standard and
not a law, and how it defines requirements for information systems security controls and
countermeasures.
PCI DSS is a baseline standard established by the major payment card brands that governs how cardholder personal information, transaction records, and other sensitive information are collected, transferred to requesting parties and, most importantly, how that data
22. Case Study Of Bharti Airtel
Chapter – 1
COMPANY PROFILE
Bharti Airtel, incorporated on July 7, 1995, is the flagship company of Bharti Enterprises. The Bharti group has a diverse business portfolio and has created global brands in the telecommunication sector. Bharti Airtel is Asia's leading integrated telecom services provider with operations in India and Sri Lanka. Bharti Airtel has been at the forefront of the telecom revolution and has transformed the sector with its world-class services built on leading-edge technologies.
Bharti Airtel is India's largest integrated and the first private telecom service provider with a footprint in all 23 telecom circles. Since its inception Bharti Airtel has been at the forefront of technology and has steered the course of the [...]
Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may supplement (but not replace) anti-virus software.
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). For systems not commonly affected by malicious software, perform periodic evaluations to identify evolving malware threats and confirm whether such systems continue to not require anti-virus software.
5.2 Ensure that all anti-virus mechanisms are kept current, perform periodic scans, and generate audit logs, which are retained per PCI DSS Requirement 10.7.
5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
5.4 Ensure that the related security policies and operational procedures are documented, in use, and known to all affected parties.
Requirement 6: Develop and maintain secure systems and
23. Nt1310 Project Design
Project Design Specifically, the AAE Secure Network project plan consists of the following phases: Phase 1 – use the PCI security controls and processes to find the best network design for AAE's PCI compliance; Phase 2 – utilize the Cisco Enterprise Campus Model to redesign the network topology; Phase 3 – secure the PCI networks at the core switch and firewall using NIST SP 800-41: Guidelines on Firewalls and Firewall Policy; Phase 4 – make recommendations to secure the PCI devices using NIST SP 800-123: Guide to General Server Security; Phase 5 – complete an internal PCI Self-Assessment Questionnaire (SAQ); Phase 6 – conduct a vulnerability assessment according to NIST SP 800-115: Technical Guide to Information Security Testing and Assessment; Phase 7 – train the IT staff to be security conscious according to NIST SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems. In sum, these are the criteria that must be met to successfully complete the project. Next, the [...]
Undoubtedly, this paper will generate network information, diagrams, and/or tables; accordingly,
these are all included in the Appendix section of the paper. Moreover, the training, vulnerability
assessment, and SAQ results are also included as an Appendix in the final paper. Finally, fearing
disclosure of proprietary information that could compromise network security, all project data are
scrubbed and sanitized to remove sensitive information.
http://blog.securitymetrics.com/2015/03/network–segmentation–pci–scope.html
24. Heartland Payment Systems : Transaction Fee
Heartland Payment Systems
Transaction Fee: Undisclosed – interchange plus pricing
E–Commerce/Online Payments: Yes, Undisclosed – interchange plus pricing
POS Payments: Yes, Undisclosed – interchange plus pricing
Mobile/Wireless Payments: Yes, Undisclosed – interchange plus pricing
Mobile App Ratings:
Google Play Store: 4.1
Apple App Store: 4+
Time in Business: 1997
BBB: Accredited, A+, http://www.bbb.org/new–jersey/business–reviews/credit–card–processing–
service/heartland–payment–systems–inc–in–princeton–nj–9002353
Introduction
Heartland Payment Systems, Inc. was founded in 1997 by Robert O. Carr. It is a Fortune 1000 company headquartered in Princeton, New Jersey, that offers debit and credit card processing, prepaid cards, mobile commerce, eCommerce, check processing, payroll services, billing services, marketing services, lending services and state-of-the-art security technology. Additionally, it has a growing line of industry-specific business facilitation options for small and mid-sized merchants.
Heartland is a NYSE-listed company (HPY) and employs approximately 4,000 people around the country. Heartland is also the founder of the Merchant Bill of Rights, and it supported the Durbin Amendment, proposed by Senator Richard Durbin (D-IL) as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, which places a cap on debit card interchange fees.
Heartland is one of the largest credit card processors in the country and the ninth
25. A Brief Note On Federal Information Security Management...
Introduction This paper will discuss six Acts/Laws that are intended to benefit society and facilitate the workflow, maintain the privacy of every individual citizen of the nation, provide legal rights to workers and to the owners of intellectual property, open doors for financial institutions to grow their business, and maintain information security and integrity.
FISMA
FISMA (Federal Information Security Management Act) came about when Congress recognized the importance of information security and included FISMA as part of the E-Government Act of 2002.
FISMA requires administrative bodies within the government to:
Plan for security.
Ensure that appropriate, accountable officials are assigned security responsibility.
Review security controls at regular intervals.
Authorize system processing before operations begin, and periodically after deployment.
FISMA is divided into three primary areas:
Annual security reporting requirement (Annual Program Review, CIO).
Independent Evaluation (IG), and
Corrective action plans for the remediation of security weaknesses.
FISMA requires that agencies submit reports to OMB on the status of their information security program quarterly.
Sarbanes-Oxley Act The Sarbanes-Oxley Act applies only to companies whose stock is publicly traded. Its purpose was to
26. Lakewood Case Summary
Lakewood's Security Requirement | Inprov's Policy/Procedure | Does Inprov Comply? | Things Missing from Inprov's Policy | Extra Things Inprov is Doing
Comply with all applicable laws, regulations, and industry standards. | Assume? | Assume? | | 
Secure credit card data per the standards of the Payment Card Industry Data Security Standard (PCI DSS). | (1) Does not store any personally identifiable financial information. | YES | NONE | NONE
Provide periodic demonstrations of compliance with PCI DSS. | ? | NO | Does not state any requirements for periodic demonstrations. | NONE
Limit access to personal information and secure facilities with information storage or transmission capabilities. | (1) Due care that transmission is appropriate. (2) Access [...] | YES | NONE | (1) Access restricted at file level. (2) Security exceeds requirements of many federal laws.
Implement IT security and authentication methods covering networks, applications, database, and platform security. | (1) Access restricted on both service and file level with Access Control List. (2) Uses state-of-the-art firewall and FortiGuard Labs full suite of "Integrated Security Services." (3) Secure servers which exceed requirements of HIPAA, Sarbanes-Oxley, etc. | YES | NONE | (1) Access restricted at file level. (2) Security exceeds requirements of many federal laws.
Encrypt any highly sensitive personal information transmitted or stored on mobile media. | (1) Due care that transmission is appropriate. | NO | No encryption is required. | NONE
Strictly segregate personal information from all other information. | ? | NO | No segregation is required. | NONE
Implement personnel security and integrity procedures, specifically background checks. | ? | NO | Policy does not state requirements for screening employees or background checks. | 
27. Tjx It Security Breach
Part I: Description
In January 2007, TJX, the parent company of T.J. Maxx and Marshalls, reported an IT security breach. The intrusion involved the portion of its network that handles credit card, debit card, check, and merchandise return transactions. Facts slowly emerged that roughly 94 million card numbers had been stolen from T.J. Maxx and Marshalls customers throughout 2006. It is believed that the hackers sat in store parking lots and infiltrated TJX through its wireless network.
Most retailers use wireless networks to transmit data to the stores' main computers and for credit card approval. Wireless data travels through the air and leaks beyond the store's walls. TJX used an encryption scheme that was developed [...]
However, having the proper controls in place will mitigate the probability and impact. The cost to
implement is insignificant compared to the potential loss. This risk event was a wake–up call to
many retailers, not just TJX.
Part IV: Controls
The control that failed to mitigate the risk event was the use of WEP encryption. It was considered sufficient when it was developed, but practical attacks on it were published within a few years of its introduction, and TJX knew about the obsolete technology and failed to address it. As a retailer that accepts credit cards, TJX was later shown not to have been compliant with the PCI security standards. PCI stands for Payment Card Industry; the card brands developed this list of security measures to help protect against theft.
TJX collected too much personal information, kept it too long, and relied on weak encryption. At the time of the breach few retailers had converted to WPA, and they did not want to spend the money to implement new security measures. As a preventive control, TJX should have implemented WPA encryption. As a detective control, TJX should actively monitor and test its WLAN security. As a corrective control, TJX should implement the following PCI standards:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor–supplied defaults for system passwords and other security
parameters
Requirement 3: Protect stored
30. The Payment Card Industry For My Organization
I have chosen the Payment Card Industry as the organization to write about, mainly because I work in the industry and know it fits the criteria for security. I will name three major information security threats to the card services industry; I took them from PC World (Bradley, 2015). For the Payment Card Industry I have chosen social engineering, sophisticated DDoS attacks, and the "insecurity of things" (Bradley, 2015), the last because of the exposure of ATMs and credit card readers. The first threat is social engineering. The Payment Card Industry is a prime target for social engineers because the information they obtain yields larger profits: with it, a thief can steal large amounts of money in a short period. The best defense against social engineering is training. On eSecurity Planet's website, Thor Olavsrud lists "9 Best Defenses Against Social Engineering Attacks" (Olavsrud, 2016); the first is education, because the best way to defend against a social attack is to be aware of how it happens and to train staff to recognize how the social engineer exploits the situation. Jamey Heary, in the PCWorld article "Top 5 Social Engineering Exploit Techniques" (Heary, 2016), states that the top five techniques are: familiarity exploited, where the social engineer gets to know you so that you are comfortable enough to talk about sensitive information; creating a hostile
31. Nessus Research Paper
Nessus is a top–notch vulnerability scanner produced by Tenable and is used by home and corporate
users. Basically, it looks for bugs in your software. It sets the standard for accuracy and scanning
speed for vulnerability assessment. Nessus will test for security problems that a hacker may use to
get into your system. The Tenable research staff constantly designs programs to detect new
vulnerabilities called plugins. Plugins use a set of generic remediation actions and algorithms to test
for vulnerabilities. (Tenable) It is written using Tenable's own NASL, Nessus Attack Scripting
Language. (TechTarget Network) The NASL language lets individual attacks be described simply by
security professionals. Nessus administrators use the NASL to customize their own scans with the
descriptions of the vulnerabilities. (TechTarget Network) It will ensure compliance and help reduce
an organization's attack surface. (Tenable) Nessus constantly [...]
Your activation code will look similar to this: AB-CDE-1111-F222-3E4D-55E5-CD6F. The code can only be used once and cannot be shared between scanners. It is also case sensitive and must be used within 24 hours of the Nessus installation. Second, you need to download the Nessus program for your computer system. Use Google Chrome, Apple Safari, Firefox, or Internet Explorer, the browsers supported by Nessus. Third, you need to set up Nessus. Note that when you deploy Nessus behind a NAT device or application proxy you should run credentialed scans, which reduce both false negatives and false positives. You only deploy Nessus behind a NAT if you are scanning the internal network. As an example, the installation instructions for Windows are listed below. (Tenable) You can also get installation instructions from the Tenable website for your particular
32. Customer Information For A Hacker Group
One of the largest family-oriented chain superstores in the United States lost upwards of 40 million credit and debit card numbers and up to 70 million pieces of personal customer information to a hacker group. On November 27, 2013, Target, the household-name one-stop superstore, was hacked. A hacker group from outside the United States used third-party credentials issued to an HVAC contractor of Target's to gain access to the company's network. After gaining unauthorized access, the attackers installed malware on the point-of-sale systems to capture the card data and customer information presented at the registers in the company's 1,797 U.S. stores. Once captured, the data was staged on several compromised servers around the U.S. to cover the attackers' tracks, and from there moved along a planned exfiltration route to servers in an undisclosed location in Russia. The hacker group will most likely sell the customer data on the deep web to other criminals for just a few dollars per card number (Riley). Target could have stopped the hacker group in its tracks and foiled the exfiltration of millions of pieces of customer data.
Avoidance and Compliance
Many questions have been raised about this massive security breach and how it could have been
avoided. The bottom line is Target could have easily stopped this attack from happening if the
correct procedures and steps were
33. Explaining PCI DSS Compliance
The senior management has placed me, the information security analyst for UNFO, in charge of
ensuring that our company will become PCI DSS compliant before using any online applications
that accept credit cards and personal information. I will also be in charge of training the
management team and others involved in the switch to PCI DSS compliance, so they have requested
that I prepare a recommendation for explaining PCI DSS compliance, how we can move through the
compliance process and what will happen if we are not able to become compliant.
The major credit card companies formed the Payment Card Industry Security Standards Council.
This council was created to combat lack of security, hackers, and misuse of cardholder information.
The council
34. PCI DSS/3.1 Audit Request
External Audit Request = Turquoise
Internal ISO Guidance = Green
PCI DSS 3.1 Audit Requirement Request:
1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.
Audit Testing Procedures:
1.3.8.a Examine firewall and router configurations to verify that methods are in place to prevent the
disclosure of private IP addresses and routing information from internal networks to the Internet.
PCI Security Standards Council Guidance:
Restricting the disclosure of internal or private IP addresses is essential to prevent a hacker
"learning" the IP addresses of the internal network, and using that information to access the network.
Methods used to meet the intent of this requirement may vary depending on the specific
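Testing procedure 1.3.8.a examines firewall and router configurations, but the disclosure most often shows up in what the application itself sends out: an unrewritten redirect, a load-balancer debug header, a verbose error page. The Python below is an added example for this page (not from the PCI SSC or any assessor's toolkit); the HTTP response is constructed. It scans a raw response for RFC 1918, loopback and link-local IPv4 addresses in headers and body, which is the check to run against responses before they reach the Internet.

```python
from __future__ import annotations

import ipaddress
import re

# Address ranges whose appearance in anything sent to the Internet discloses
# internal topology: RFC 1918 private space plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Dotted-quad candidates; the boundaries stop matches inside longer digit/dot runs.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def find_internal_addresses(text: str) -> list[str]:
    """Return every internal IPv4 address literal found in text, in order."""
    hits: list[str] = []
    for m in IPV4_RE.finditer(text):
        try:
            addr = ipaddress.IPv4Address(m.group())
        except ipaddress.AddressValueError:  # e.g. 256.1.1.1 is not an address
            continue
        if any(addr in net for net in INTERNAL_NETS):
            hits.append(str(addr))
    return hits


def audit_http_response(raw: str) -> dict[str, list[str]]:
    """Map each header (or "body") that leaks internal addresses to the addresses found."""
    head, _, body = raw.partition("\r\n\r\n")
    leaks: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        found = find_internal_addresses(value)
        if found:
            leaks[name.strip()] = found
    found = find_internal_addresses(body)
    if found:
        leaks["body"] = found
    return leaks


# Constructed response showing three common leak paths: a redirect to the backend's
# own address, a debugging header added by a load balancer, and a verbose error page.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "Location: http://10.1.2.3/app/login\r\n"
    "X-Backend-Server: web-01 (192.168.10.21)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>Could not connect to 172.16.5.9:3306; DNS via 8.8.8.8 ok</html>"
)

if __name__ == "__main__":
    for where, addrs in audit_http_response(SAMPLE_RESPONSE).items():
        print(f"{where}: {', '.join(addrs)}")
```

The fix for the Location case is for the reverse proxy to rewrite internal origins (or for the application to emit relative redirects); for the other two, strip debug headers at the edge and replace verbose errors with generic pages. NAT alone does not help here, because these addresses sit in the payload, not in the IP header the NAT device rewrites.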
35. Health Information Compliance Report
Today, the main focus of the Health Information Technology for Economic and Clinical Health (HITECH) Act is to move healthcare records from paper to a digital format known as Electronic Health Records (EHR). Because of the sensitivity of the data being transferred, and the possibility of hackers and breaches, the Health Insurance Portability and Accountability Act (HIPAA) and HITECH direct health care entities to employ multiple approved governing standards to help the facility remain compliant with current local and federal regulations for the safety and privacy of that data (Oracle.com, 2011). These regulations govern both local and federal hardware/software vendors and users, now known as business associates under the Mega [...]
Software/hardware vendors must provide covered entities with audit reports unique to each provider. Vendors are required to present proof of their HIPAA compliance in the form of a report under Statement on Standards for Attestation Engagements No. 16 (SSAE 16), which replaced SAS 70 (Barrett, Lucero, and Williams, 2013). Three Service Organization Control (SOC) reports should accompany a business associate seeking to provide services to a covered entity, together with a contract that specifies effective dates for the return, termination, and/or destruction of all data where necessary. The three reports are: (1) SOC 1, covering controls relevant to financial reporting; (2) SOC 2, detailing the technical controls (security, availability, processing integrity, confidentiality, and privacy); and (3) SOC 3, a general-use summary of the auditor's opinion. Together they strengthen the business associate's standing as an organization that remains compliant with HIPAA guidelines and standards (Barrett, Lucero, and Williams, 2013). Lastly, a business associate that handles payment card data must also comply with the Payment Card Industry Data Security Standard (PCI DSS); demonstrating that compliance requires a PCI assessment. It is the covered entity's responsibility to determine the compliance of the business associate. As for the contract, if the business associate does not provide such a document the covered entity can consider the business associate to be in HIPAA violation
36. Essay on Security Regulation Compliance
ORGANIZATIONAL CHANGE: PEOPLE CHANGE
Percy A. Grisby II
Computer Ethics
March 13, 2015
Professor Sonya M. Dennis
1. Overview
Below we are going to discuss 6 Acts/Laws which are meant to benefit society and facilitate the workflow, maintain the privacy of every individual citizen of the country, provide legal rights to workers and to the owners of intellectual property, give financial institutions opportunities to expand their business, and maintain data security and integrity.
1.1 FISMA [1]
FISMA (Federal Information Security Management Act) came into existence when Congress realized the importance of information security and included FISMA as part of the E-Government Act of 2002.
FISMA requires regulatory [...]
It is also known as the Financial Modernization Act of 1999. This act allowed banks to engage in a wide array of financial services, such as merging with stock brokerage and insurance companies, which also gave them possession of a large amount of public and private client information. That information is usually considered private and the risk of misuse is high, therefore Title V of the GLBA specifically addresses protecting both the privacy and security of information.
1.4 PCI DSS
The Payment Card Industry Data Security Standard must be followed by any merchant who handles payment card details. The merchant must comply with the PCI DSS rules in order to be approved, and to continue, to accept online card payments. Failure to do so places the merchant at risk of having its license to take card payments revoked and is also regarded as a disciplinary offense. Noncompliance is not an option!
The Payment Card Industry Security Standards Council (PCI SSC) releases the documents stating the standards to be maintained by merchants and issuing bodies.
The six basic goals of the PCI DSS are:
1) Build and maintain a secure network.
2) Protect cardholder data.
3) Maintain a vulnerability management program.
4) Implement strong access control measures.
5) Regularly monitor and test networks.
6) Maintain an information security policy.
1.5 HIPAA
The HIPAA act of 1996 is imposed on all
38. Data Security Policy For Ecommerce Payment Card Applications
Data Security Policy for E-commerce Payment Card Applications
This document describes the IT Security and IT Services policies and practices for managing IT Services' platform for University-hosted e-commerce, particularly payment card transactions, and the data associated with e-commerce. This policy is intended to comply with the requirements of the Payment Card Industry Data Security Standard ("PCI DSS"). The PCI DSS is incorporated by reference; however, IT Security will be the sole determinant of how PCI DSS requirements are applied within IT Services' operations. This document will be reviewed annually and updated as appropriate to maintain compliance with the PCI DSS.
For the purposes of this document, the e-commerce infrastructure consists of the computing resources (i.e., servers, storage, network and storage switches, firewalls, the physical racks containing these, and associated software) that process, transmit, or store payment card data, or that can directly access such resources. Servers that are part of the e-commerce infrastructure, and any systems that can otherwise directly access computing resources containing payment cardholder data, must be registered as managed machines.
ROLES AND RESPONSIBILITIES
University personnel who access information resources that transmit, process, or store payment card data are responsible for applying this and related policies. In the case of administrators who require such
39. Tft2 Task 1
The current new user security policy for Heart–Healthy Insurance states the following:
"New users are assigned access based on the content of an access request. The submitter must sign
the request and indicate which systems the new user will need access to and what level of access
will be needed. A manager's approval is required to grant administrator level access."
The following changes are based on PCI DSS compliance:
1. Usage policies must be developed for critical technologies and must define the proper use of these technologies (PCI DSS 12.3).
With this first policy an organization will prohibit or allow the use of equipment and/or accounts depending on the individual's permitted access.
2. Explicit approval by authorized [...]
Guide to Enterprise Password Management National Institute of Standards and Technology (NIST)
Special Publication 800–118. Retrieved from: http://csrc.nist.gov/publications/drafts/800–118/draft–
sp800–118.pdf
PCI Security Standards Council. (2013). Payment Card Industry Data Security
40. Evaluation Of A New Business Manager
If you're a new business owner and have just begun accepting credit cards for payments, you don't
want to be caught unaware of the regulations involved in handling sensitive personal data. The
consequences of improper procedures could be penalties, fees and even termination of your card
processing account. Read on to learn about PCI regulations and what you need to do to remain
compliant.
What is PCI?
PCI stands for Payment Card Industry. When referring to the subject of PCI compliance, you are
actually talking about a set of industry standards known as PCI DSS, where the "DSS" stands for
Data Security Standards. These standards were designed to ensure that businesses handle credit card
information in a secure manner.
The first version of the standard was released in December 2004 to combat the increasing rate at which cardholder information was being stolen online. The Payment Card Industry Security Standards Council (PCI SSC) was formed in 2006 to maintain and develop the PCI DSS. The council focuses on improving the security of card transactions as technology and market trends change the security concerns in the industry.
The PCI SSC was created by the major card brands, including MasterCard, Visa, American Express and Discover; however, the council is not responsible for enforcing PCI compliance. It is the payment brands that actually enforce the standard.
Who needs to comply with PCI security standards?
In short, any organization or business that
41. Credit Debit Card And Debit Cards
Before credit and debit cards were developed, merchants would extend a line of credit to customers who did not have the funds to purchase their items. This credit process involved using a ledger to record the amount owed for the items purchased. In today's rapidly growing economy, credit and debit card use plays an ever-present role in society. "Credit and debit card acceptance enables merchants to sell goods and services to customers who increasingly choose electronic forms of payment over other payment types" ("Payments 101", 2010). From purchasing household items such as groceries and furniture to minor tasks such as paying for an hour of parking, credit and debit cards give people more freedom in accessing funds and making purchases. Along with the rise of credit and debit cards, in a computerized world where information is valuable, securing credit card information has its challenges. Validation and encryption are important practices that ensure the security of debit and credit cards, and they play a key role in assuring the customer that their funds and bank information are confidential and secure. This paper will begin by explaining how credit and debit transactions take place and will go into further detail about the security, validation, and encryption processes that take place throughout a transaction. For the purpose of this paper, the term credit cards will refer to both credit and
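Two of the validation and storage practices the paper refers to, as an added example for this page and not code from the cited "Payments 101" source: the Luhn check every processor applies to a card number, the masking PCI DSS Requirement 3.3 permits for display (at most first six and last four digits), and a keyed one-way reference that lets a system look a card up without storing the PAN, which is one of the options Requirement 3.4 allows. The code is Python; 4111111111111111 is a well-known test number and the HMAC secret is a placeholder.

```python
import hashlib
import hmac


def luhn_valid(pan: str) -> bool:
    """Luhn (mod-10) check: catches mistyped or corrupted numbers, not fraud."""
    pan = pan.replace(" ", "")
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, then cast out nines
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass luhn_valid (how issuers complete a PAN)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # the appended check digit shifts the doubling parity by one
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def mask_pan(pan: str) -> str:
    """Display form allowed by PCI DSS Requirement 3.3: first six and last four at most."""
    pan = pan.replace(" ", "")
    if len(pan) < 13:
        raise ValueError("PAN too short to mask safely")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, secret: bytes) -> str:
    """Keyed one-way hash of the whole PAN, usable as a lookup key instead of the PAN.

    Keyed (HMAC) rather than a bare SHA-256: with the BIN known and Luhn fixing one
    digit, the remaining PAN space is small enough to enumerate against an unkeyed hash.
    The secret must live in a key-management system, not beside the references.
    """
    return hmac.new(secret, pan.replace(" ", "").encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    test_pan = "4111 1111 1111 1111"  # well-known test number, not a real card
    print(luhn_valid(test_pan), mask_pan(test_pan))
    print(pan_reference(test_pan, b"placeholder-secret-from-kms"))
```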
42. TJX Security Paper
TJX was the largest retailer of apparel and fashion in the United States, with over 2400 stores and
125000 associates. It functions on the basis of an internal information system, which is essential for
connecting people, places and information and; accessing data that enables quick and timely
decisions. The presence of an IT network is imperative to the productivity of any retailer. But this IT
network if not secured properly is the most sensitive to a cyber attack, thus making any retailer very
vulnerable to attacks. Apart from the internal networks, the CRM technologies and in–store
technologies (like bar–code scanners, kiosks, etc.) are also vulnerable to attacks.
On analyzing the TJX security intrusion, the following require immediate ...
The company should periodically delete data from previous years that it no longer needs to retain.
TECHNOLOGY FAILURE POINTS:
The company was not only using weak encryption tools but was also failing to meet the compliance
standards. PCI DSS is the security standard that the card brands require of every merchant that
accepts payment cards, and TJX, the biggest retailer, managed to meet only 9 of its 12 requirements.
The company failed in the technology areas of encryption, access controls and firewalls. It needs to
pay immediate attention to its encryption tools and endeavor to meet all the security guidelines of
the PCI DSS.
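As an added example (not code from either essay, and not TJX's own systems), the block below puts together the card-data controls the two essays name: Luhn validation of a card number at entry (the "validation" of the credit card essay), masking for display, a keyed one-way token stored in place of the number, and scheduled deletion of records past their retention period (the "periodically delete" recommendation above). The masking limit of first six/last four digits, the keyed hash standing in for reversible encryption (the Python standard library has no AES), the key, the dates and the card numbers are all assumptions or constructed test values.

```python
"""Handling stored cardholder data: Luhn validation, PAN masking, keyed
one-way tokenisation and retention-based purging.

Added example for this page; it is not code from either essay or from TJX.
The key, dates and PANs below are constructed test values.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed demo key. In a real deployment the key lives in an HSM or key
# vault and is rotated; it is never a literal in source code.
DEMO_KEY = b"constructed-demo-key-do-not-use"


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check on a PAN, spaces ignored.

    Catches typos and single transpositions at the point of entry; it says
    nothing about whether the account exists or may be charged.
    """
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form of a PAN: first six and last four digits kept, the rest
    replaced. Assumed here to be the PCI DSS masking limit; confirm against
    the version of the standard you are assessed against."""
    digits = pan.replace(" ", "")
    if len(digits) < 12:
        raise ValueError("PAN too short to mask safely")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenise_pan(pan: str, key: bytes) -> str:
    """Keyed one-way token (HMAC-SHA256 over the whole PAN).

    Used instead of encryption because the standard library has no AES; a
    keyed hash of the full PAN is one of the methods PCI DSS accepts for
    rendering a stored PAN unreadable. Without the key an attacker who
    steals the table cannot match tokens against guessed PANs, which an
    unkeyed hash would allow.
    """
    digits = pan.replace(" ", "")
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass
class CardRecord:
    masked_pan: str   # safe to show on receipts and in the CRM
    token: str        # lookup key; the PAN itself is never stored
    stored_on: date


def store_card(pan: str, key: bytes, today: date) -> CardRecord:
    """Validate, then persist only the masked form and the token."""
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return CardRecord(mask_pan(pan), tokenise_pan(pan, key), today)


def purge_expired(records, today: date, retention_days: int):
    """Drop records older than the retention period. Running this on a
    schedule is the 'periodically delete old data' control; data kept
    beyond a business need is only exposure."""
    cutoff = today - timedelta(days=retention_days)
    return [r for r in records if r.stored_on >= cutoff]


if __name__ == "__main__":
    today = date(2024, 1, 10)
    recs = [
        store_card("4111 1111 1111 1111", DEMO_KEY, date(2023, 12, 1)),
        store_card("4242 4242 4242 4242", DEMO_KEY, date(2024, 1, 9)),
    ]
    # With a 30-day retention period only the January record survives.
    for r in purge_expired(recs, today, retention_days=30):
        print(r.masked_pan, r.token[:16] + "...", r.stored_on)
```

The three functions are deliberately separate: validation happens before anything is stored, the masked form is the only thing that ever reaches a screen or a log, and the token is what the database holds. A weak point TJX illustrates is the key itself: if the HMAC key (or, with real encryption, the decryption key) sits next to the data, the tokenisation buys nothing.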
Apart from that, the TJX network was so weak that anyone could eavesdrop on employees' traffic and
capture information such as user IDs and passwords. The intruders then created their own accounts
and gained remote access to the TJX system from anywhere.
Not only was the TJX system weak and lacking in security, but TJX was also unable to determine the
contents of the stolen files. The intruders had also managed to get hold of the decryption key for
its weak encryption
43. Standards rely heavily on the network effect, which is the...
Standards rely heavily on the network effect, the idea that the effectiveness of a standard depends
on the number of people who use it. As a result, standards that are complicated to implement,
especially technical ones, depend heavily on incentives to get a sufficient number of people to
adopt them. Looking at PICS and PCI DSS, two Internet standards of which one succeeded and the other
failed, we can see what makes standards effective online.
The Platform for Internet Content Selection (PICS) was an Internet standard formed by the W3C in
1996 to allow parents to filter content, primarily nudity. It was completely voluntary, and it was
up to website owners themselves to label their own sites. This is because the ...
Merchants that accept payment cards must follow step-by-step requirements in order to have their
transactions accepted. So why do these demanding standards work?
As Larry Lessig argues in Code is Law, four forces regulate behavior: law, the market, architecture,
and social norms. Working together on a single security standard benefits everyone and is therefore
economical, because the cost of losing customer data is enormous. By contrast, competition between
filtering products can at worst lead some to filter less pornography than others. After the
Communications Decency Act, which tried to limit obscenity and indecency on the web, was ruled
unconstitutional, there were no legal consequences for not using PICS software. There is no reason
to limit information. On the flip side, ignoring PCI DSS could land a company in court for
negligence: a strong and commonly used standard works well as a legal benchmark for liability in
protecting data.
The burden on the user also differs. Individuals are not expected to check that the merchants they
pay are PCI compliant; the vetting is done at a higher level and leaves the user a binary choice of
paying with a protected card or not. PICS not only requires owners to rate their sites but also
requires each user to decide what they find acceptable, placing far more burden on the individual.
Comparing where PCI DSS succeeded and PICS failed, the core motivator appears to be the law. The
consequences of disobeying PCI