Find AN EXAMPLE of an ORGANIZATION that faced an information systems security issue or crisis.
1) How did the organization identify that there was a security problem?
2) What, if any, security infrastructure and policies were in place when the problem occurred?
3) What initial actions were taken to deal with the situation?
4) From a management perspective, what, if any, new organizational policies and procedures did they institute?
5) Were any new security tools and technologies eventually implemented to further safeguard their systems?
6) What was the business impact? How did they recover? Were there any legal ramifications, loss of customers, or damage of reputation?
7) Generally speaking, how can a business determine the value of investing in security and control?
Target's data breach-
Target is a well known example an organisation facing crisis in
information system security, with its IT systems being hacked and
exposing personal data of approximately 110 million customers. The
company apologized explaining the hacking that took place, through
issuing of a statement and posting video with details. They also
offered a free checking of credit for the customers that were
affected.
At the time Target had firewalls in place and you trying to divide their network through VLAN. They had also expanded the security through collaborating with Fire-Eye that allows to security to detect any malware and NIDS (network intrusion detection system). However, they could not prevent the system from hacking and also could not detect the breach as they did not look into the warnings that were given by the Fire-Eye, the auto-removal function of few of the malware was also turned off, the segmentation of their systems was weak, etc, the name a few.
The initial actions that were taken to deal with the situation
had a few problems, namely
The response given by target was given before the officials were
completely aware of the cause of the problem and to what extent it
had taken place.
This led Target to constantly contradict their statements that were
issued.
They did not know the exact number of customers that had their
information hacked into before releasing a statement.
Also, the message that was posted to the website of Target from its
CEO that was not accumulating a lot of views as the customers were
using social media and not the website to interact and present
their complaints to the company. After this breach, the CEO at the
time resigned from his post.
Target also appointed a new CIO (chief Information Officer) that had a plan to improve the security system by upgrading the insecure of sale machines effective segmentation of the networks all inclusive log analysis setting up of chip and PIN authorized technology for the payment, and a rigid and authoritarian access. Target also stated that they would be spending $100 million to implement a new systems to install new payment methods, setting up of advanced technology such as white-listing, and other security measures secure it's payment system and customer data.
The changing of two statements and not knowing completely about the situation made target look unprofessional and a little suspicious to the customers. Eventually comic the federal judge presented a preliminary show me to $10 million settlement with the shopping that was affected could be each awarded with up to $10,000 in damages.
A business can determine the value of investing in security and control, learning from the mistakes that were made by target in this incident, that include neglecting of the important security alerts that were given to them prior to the breach, weak segmentation of their network, and or not well secured point of sale data handling. The businesses should use superior quality design and better actions should be taken to develop and set up security solutions.
P.S. - leave a comment below is any explanation is needed.
Get Answers For Free
Most questions answered within 1 hours.