Final Project (docx, 45 pages)
School: Southern New Hampshire University
Course: IT 549, Information Systems
Date: Feb 20, 2024
HANAH DEERING
IT 549
Foundation in Information Assurance
9-2 FINAL PROJECT SUBMISSION
INFORMATION ASSURANCE PLAN
Introduction
The Target data breach has gone down in history as one of the largest and most impactful security breaches. During the 2013 holiday season, cybercriminals stole 40 million credit/debit card records along with 70 million customer records containing Personally Identifiable Information (PII) by compromising Target's point-of-sale (POS) systems. Target later paid an $18.5 million settlement to the affected states. "The ordeal cost credit card unions over two hundred million dollars just for reissuing cards." (Shu, 2017) Access was first gained to Fazio Mechanical Services, a small HVAC company in Pennsylvania that Target had hired as a refrigeration contractor, through a phishing attack to which a Fazio Mechanical Services employee fell victim. Fazio Mechanical Services had been given remote access to Target's network for business purposes. Once the attackers had compromised the third-party vendor's network, they were able to reach Target's network using stolen Fazio Mechanical credentials. "After getting access, the attackers used an administrative application BMC account with its default username and password to move within the network. It is believed that NetCat.exe raw commands were used to load hacking-related commands to compromised systems. Target's network was accessed by the attackers for the first time, on Nov 12th, 2013. It is believed by security researchers that a vulnerability in a Windows Domain Controller was found by the attackers, that was used to gain access to the POS systems." (Gopal, 2022)
Overview of the Goals and Objectives
Information assurance plans are "measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities." (Baker, 2003) Organizations have data flowing throughout their networks continuously, every single day, and through undetected loopholes this valuable data can fall into the wrong hands. When an unauthorized entity gains access to confidential data, its ability to alter, steal, transmit, and view that data poses a huge threat not only to organizations but also to individuals. Information assurance plans provide guidelines and frameworks to ensure data is secure, regardless of whether the data sits on a physical device or digitally in the cloud. The goals and objectives of an information assurance plan can be explained through the three pillars of information assurance (Confidentiality, Integrity, and Availability) that represent the fundamentals of data security.
Ensuring the confidentiality of data means that confidential data is not disclosed to people who are not authorized to access or view it. Confidentiality can be safeguarded in many ways, using administrative, physical, and technical controls. Proper access controls play a large part: access is granted on a need-to-know or least-privilege basis, which limits unnecessary exposure. Implementing multifactor authentication together with strong passwords also helps to limit unauthorized exposure of data. "Encryption is a process that renders data unreadable to anyone except those who have the appropriate password or key. By encrypting sensitive files (by using file passwords, for example), you can protect them from being read or used by those who are not entitled to do either." (UDel, 2020) Ensuring confidentiality is not limited to the digital controls mentioned above; it also extends to the physical safeguards an organization should have in place. Locations that store sensitive data should be protected with physical controls such as badge readers, turnstiles, and/or fences so that unauthorized personnel cannot reach the data and potentially exploit it.
Ensuring integrity involves ensuring that data remains unchanged and unaltered, both at rest and in transit. This maintains the consistency and accuracy of the data, ensuring it is trustworthy. To accomplish this, an organization must take the proper steps to ensure that data cannot be altered in any way by an unauthorized entity. Version control helps to ensure integrity by providing a change log that protects against erroneous changes or accidental deletions, and it keeps an audit trail. Consistently creating backups helps to maintain integrity by allowing recovery of the data in the event of loss or corruption. "Some data might include checksums, even cryptographic checksums, for verification of integrity." (Kehal, 2023) Note that encryption by itself protects confidentiality, not integrity: many ciphers are malleable, so an attacker who cannot read a ciphertext may still be able to modify it undetected. Protecting against unauthorized modification requires a message authentication code (MAC), a digital signature, or an authenticated encryption mode such as AES-GCM, in addition to or instead of plain encryption. Ensuring the integrity of data is essential for any organization, as it guarantees the accuracy and completeness of the data.
Ensuring the availability of information is a critical component of an information assurance plan. This ensures that services and data remain accessible to end users whenever required, preferably at all times, to perform business functions. Organizations must rigorously maintain their network infrastructure to ensure the correct functioning of all hardware and operating system environments and to prevent conflicts that would interrupt availability. Performing regular system and software upgrades (patches) keeps systems working together without errors. To mitigate serious consequences when issues within the network do occur, it is important to include redundancy and failover. Disaster Recovery Plans (DRP) must be designed for worst-case scenarios so that the business can still operate in the event of a disaster. Data loss and downtime, which hinder availability for the organization and its customers, can be mitigated through regular backups.
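The integrity discussion above contrasts checksums, cryptographic checksums, and encryption. The following Python script, added here as an illustration and not taken from the paper or from any Target system, makes the difference concrete on a constructed POS settlement record: a plain CRC is trivially recomputed by an attacker, a stream cipher without authentication lets an attacker change the transaction amount by flipping one ciphertext bit without knowing the key, and an encrypt-then-MAC construction (HMAC-SHA256) rejects the tampered message. The record format, the field names, and the toy SHA-256 counter-mode keystream are assumptions made for the demonstration. An HMAC gives integrity and authenticity between two parties that share a key, but not the non-repudiation pillar discussed later in this plan, for which a digital signature under a private key held by only one party is needed.

```python
"""
Added example (not from the original paper or from Target): why a plain
checksum is not an integrity control, and why encryption alone is not one
either.

Scenario (constructed for illustration): a POS terminal sends a settlement
record to a back-end. Three variants of the record on the wire:
  1. plaintext + CRC32 checksum       -> attacker edits and recomputes
  2. encrypted with a stream cipher   -> attacker flips bits blindly
  3. encrypted + HMAC-SHA256          -> tampering is detected

The "stream cipher" below is a toy keystream derived from SHA-256 (a
counter-mode construction) used only to show malleability; it is not a
production cipher. In production use AES-GCM or another authenticated mode.
"""
import hashlib
import hmac
import os
import zlib
from typing import Optional, Tuple

# Constructed sample: one card transaction's settlement record.
RECORD = b'txn=000123;amount=00019.99;merchant=store-1337;auth=OK'

def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || counter) blocks. Demo only."""
    out = b''
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, 'big')).digest()
        counter += 1
    return out[:length]

def xor_encrypt(key: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt (symmetric XOR) with the toy keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

# Variant 1: plain checksum. Detects accidental corruption, not malicious edits.
def crc_protect(data: bytes) -> bytes:
    return data + zlib.crc32(data).to_bytes(4, 'big')

def crc_verify(msg: bytes) -> bool:
    data, tag = msg[:-4], msg[-4:]
    return zlib.crc32(data).to_bytes(4, 'big') == tag

# Variant 3: encrypt-then-MAC. The MAC key must differ from the encryption key.
def protect(enc_key: bytes, mac_key: bytes, data: bytes) -> bytes:
    ct = xor_encrypt(enc_key, data)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag

def unprotect(enc_key: bytes, mac_key: bytes, msg: bytes) -> Optional[bytes]:
    """Returns plaintext, or None if the MAC does not verify (tampered)."""
    ct, tag = msg[:-32], msg[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the tag through timing.
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_encrypt(enc_key, ct)

def flip_amount(wire: bytes, offset: int) -> bytes:
    """Attacker model: XOR the byte at `offset` with 0x08 so '1' (0x31) becomes
    '9' (0x39) in the amount field. Works on plaintext and on stream-cipher
    ciphertext alike, because XOR commutes with the keystream."""
    out = bytearray(wire)
    out[offset] ^= 0x08
    return bytes(out)

AMOUNT_OFFSET = RECORD.index(b'00019.99') + 3   # the '1' in 00019.99

def demo_checksum_forgery() -> bytes:
    """Attacker edits the plaintext and simply recomputes the CRC."""
    forged = flip_amount(RECORD, AMOUNT_OFFSET)
    msg = crc_protect(forged)
    assert crc_verify(msg)          # the checksum 'verifies' on the forgery
    return msg[:-4]

def demo_malleable_encryption(enc_key: bytes) -> bytes:
    """Attacker flips one ciphertext bit without knowing the key; the receiver
    decrypts a record with a changed amount and no error."""
    ct = xor_encrypt(enc_key, RECORD)
    tampered_ct = flip_amount(ct, AMOUNT_OFFSET)
    return xor_encrypt(enc_key, tampered_ct)

def demo_mac_detects(enc_key: bytes, mac_key: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Encrypt-then-MAC: the untampered message verifies, the tampered one does not."""
    msg = protect(enc_key, mac_key, RECORD)
    good = unprotect(enc_key, mac_key, msg)
    bad = unprotect(enc_key, mac_key, flip_amount(msg, AMOUNT_OFFSET))
    return good, bad

if __name__ == '__main__':
    ek, mk = os.urandom(32), os.urandom(32)
    print('CRC-only, forged record      :', demo_checksum_forgery())
    print('stream cipher, bit-flipped   :', demo_malleable_encryption(ek))
    print('encrypt-then-MAC (good, bad) :', demo_mac_detects(ek, mk))
```

Run the script directly to see all three outcomes. The design point is that the MAC is computed over the ciphertext with its own key and checked with a constant-time compare before anything is decrypted; an authenticated mode such as AES-GCM performs that step internally, which is why it is the preferred replacement for "encrypt, then hope".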
The benefit of creating and maintaining an information assurance plan around these key concepts is a framework that helps organizations protect information and systems against security threats. Information assurance protects the confidentiality, integrity, and availability of information (data), and an information assurance plan is an essential part of information security. Planning an organization's assurance plan around these key concepts assures that information is protected and risks are managed when using, storing, and transmitting information. The main goal of an information assurance plan is to establish a framework that protects the confidentiality, integrity, and availability of information.
Confidentiality, Integrity, and Availability of Information
The initial breach did not occur internally at Target; rather, compromised credentials from Fazio Mechanical allowed the attackers to move into Target's network. The confidentiality, integrity, and availability of information within Target were challenged by the lack of an information assurance plan built on and maintained around the three key concepts above. Had Target patched sensitive vulnerabilities within its systems and remediated the weak segmentation between internal networks holding non-sensitive and sensitive information, the attackers would not have been able to reach Target's point-of-sale networks. Creating and maintaining an information assurance plan around those key concepts ensures the confidentiality, integrity, and availability of information within the organization. Target is one of the largest retailers in North America and handles a great deal of sensitive data every day. The Point-of-Sale (POS) systems run all the transactions between Target and paying customers. Had the attackers not been able to compromise a third-party vendor (Fazio Mechanical) that Target used, the attack would never have happened. For both affected parties, a successful information assurance plan would have mitigated the risk of a breach like this by ensuring that the proper frameworks were being followed. Implementing an information assurance plan enhances data confidentiality, integrity, and availability, improves responsiveness to future breaches, raises the cybersecurity posture, and improves the systems, processes, and procedures within the organization.
Current Protocols and Policies
Target did have protocols and policies in place at the time of the breach; however, deficiencies existed within the organization's information assurance policies. Target had a dedicated security staff implementing safeguards across its network to protect sensitive data, with security teams operating out of Minneapolis (MN) and Bangalore (India). Two alerts nevertheless failed to be acted upon by the security team. The first came from the FireEye malware detection system, which caught the attackers' tools; because the security team was still establishing baselines to reduce false positives, FireEye's automatic malware-removal function had been turned off, and the alert was not followed up. Next, the Symantec Endpoint Protection software that Target used raised another alert for detected malware around Thanksgiving, but that alert was also ignored. At the time of the breach, the protocols and policies Target had in place were far less secure than what it has in place now, after taking many lessons learned from the breach. Prior to the breach, there were many deficiencies within the information assurance plan, such as:
1. Target did not investigate the alerts that its security systems generated, which would have indicated that there was an intruder on the network and that malware had been detected.
2. Target's network was not properly segmented, so sensitive information was easily accessed.
3. The point-of-sale (POS) systems were not hardened, which allowed the attackers to install malware.
4. Access control was not properly set up for accounts; a third-party vendor account should not have had the access it did.
Certain policies exist within Target's Information Assurance Plan to address the availability, integrity, and confidentiality of data. These policies include (to name a few):
Acceptable Use Policy – This policy outlines the specific practices that employees must agree to in order to be allowed to use Target's network and assets (such as workstations).
Encryption and Key Management Policy – This policy outlines the procedures that Target shall follow to protect, store, and distribute encryption keys.
Incident Response Policy – This policy outlines the procedures that will be followed in the event of a confirmed incident.
Information Security Policy – This policy is a high-level overview of what data Target is to protect, from which threats, and how that protection shall be achieved.
Disaster Recovery and Business Continuity Policy – This policy provides Target with detailed instructions on response efforts in the event of any unplanned incident.
Included in Target's Information Assurance Plan is the need to address security measures for all workstations, servers, applications, and operating systems. This can include measures such as encrypted email, file protection, secure web browsing, and endpoint virus detection software. Implementing a new information assurance plan may face some barriers. There is no such thing as absolute security, but a good information assurance plan can help to mitigate the risk of a breach like this ever happening again. The biggest barrier Target faces in creating a new IA plan is a lack of resources, such as employees, teams, and money. Revamping a network and the procedures and policies in place will take a lot of time, commitment, and change. However, the benefit of doing so far outweighs the risk of not doing so. Some employees may be resistant to the change and the workload may be burdensome at first, but it needs to be done to drastically improve Target's security posture.
Responsibilities of Key Leaders
Key leaders within Target play a huge role in ensuring that security policies are followed correctly (with the sanctions each policy prescribes if they are not) and that proper security practices are followed to reduce the likelihood of a security breach. Their responsibilities also extend to developing data classification schemes and to determining permissions and access privileges based on the classification of the data. Certain policies must exist within an organization to ensure these objectives are accomplished organization-wide. Key leaders uphold the C.I.A. (Confidentiality, Integrity, and Availability) Triad for all data, networks, and systems by enforcing adequate security plans. It is a key leader's role to ensure that security policies and plans exist within the organization and are adhered to organization-wide, so that a security breach is not the result of ineffective enforcement or implementation of those policies and plans. In the event of a security breach, it is important for a key leader to determine what went wrong and where the organization's information security is lacking in one of the three aspects of the C.I.A. Triad. Take, for example, a successful malware attack such as the Target breach, in which the confidentiality of information was compromised, yet the systems in place were still able to maintain the availability of Target's systems and data so that business could continue during the attack. A key leader can address the weak points and replicate the successful policies and implementations. Information security is one of the biggest obstacles Target faces in this digital age, and clearly identified roles and responsibilities give Target's key leaders a vision of how to protect information through the organization's information assurance plans. Cybersecurity posture starts from the top down, with performing the identified responsibilities. The key leaders of Target's C-suite play a huge part in not only developing but also carrying out an Information Assurance Plan.
Overseeing the day-to-day operations of Target falls to Chief Executive Officer (CEO) Brian Cornell (who became CEO in 2014, after the breach). Day-to-day operations include the implementation of Target's Information Assurance Plan, from having the proper security policies in place to the correct allocation of resources dedicated to carrying out the plan. Another important key leader is the Chief Information Officer (CIO), Mike McNamara, who is responsible for the technology systems used not only by Target's customers but also by its team members. This is accomplished through the strategic direction and management outlined in the Information Assurance Policy to ensure the security of Target's information. The Chief Legal and Risk Officer (CLRO), Don Liu, oversees all governance, risk, and compliance (GRC) components of Target's Information Assurance Plan, ensuring compliance with the laws and regulations that govern the organization's Information Security Plan. Lastly, the Chief Financial Officer (CFO), Michael Fiddelke, oversees financial planning, analysis, and operations, which ensures a cost-effective implementation of, and correctly allocated resources for, Target's Information Assurance Plan.
Key Ethical and Legal Considerations
Ethical considerations within Target set forth a set of principles that guide the cybersecurity posture of the organization, defining the right and wrong actions that are fundamental to ensuring the confidentiality, integrity, and availability of information. These ethical considerations aim to secure internal Target networks and computer systems and guide the security rules (such as password rules, email use, and access control). Internal Target policies outline the best practices that put these considerations into effect. A Password Policy enforces a set of rules that a Target user must follow to enhance security by employing a strong password that cannot be easily guessed. An Acceptable Use Policy enforces a set of rules around how Target's internal assets (such as computers and Wi-Fi services) may be used. This includes what an end user is allowed to access (restricted information); changing data; what sites/information are accessed while utilizing company resources; and using only organization-approved authentication procedures. An Access Control Policy outlines how access to information is granted and defines who can access the information and under what circumstances. Target grants access based on Role-Based Access Control (RBAC), in which users receive only the least-privilege access needed to complete their daily job functions, and nothing more. Implementing an effective cybersecurity awareness program and training for all employees is essential to improving Target's security posture. Humans will remain the weakest element in cybersecurity, and ensuring that employees are aware of the tactics and techniques attackers use to steal credentials and information strengthens the organization's first line of defense. Not only do key leaders ensure compliance with governing laws and regulations, they also provide enforcement in the event of violations of Target's policies (password misuse, access control violations, etc.). Enforcement and sanctions, like ethical workplace standards and non-binding professional codes of ethics, are left to the identified key leaders. In addition to the rules that must be followed within Target, as outlined clearly by internal policies, best practices regarding ethical considerations also extend to the adequate use of cybersecurity tools. Target having an internal set of adequate tools to guard against data breaches such as the one in 2013 is paramount. Properly deployed firewalls act as a shield for Target's network, which contains a great deal of sensitive information; firewalls are designed to prevent unauthorized access either into or out of Target's internal network. Following a proper patch management and configuration process ensures that critical vulnerabilities are patched in a timely manner, protecting the sensitive information within (vulnerability monitoring). Technical controls also extend to intrusion detection systems (IDS), encryption, cryptography, and identification/authentication controls. In addition, Target must consider the legal requirements it must abide by and be aware of the myriad of laws that back the enforcement of these ethical considerations. Laws are set forth to ensure the proper protection and sharing of all information. The legal considerations that apply to Target include (but are not limited to) both federal and state laws, such as the Federal Trade Commission Act, the Sarbanes-Oxley Act (SOX), and the Gramm-Leach-Bliley Act (GLBA). Combined, these laws cover breach notification, consumer data protection, Personally Identifiable Information (PII) disposal and retention, and safeguards. All of these laws apply to Target. "In an effort to police the threat to consumer safety and data privacy, the Federal Trade Commission (FTC or Commission) has become the nation's primary enforcement agency." (Moncada, 2015) The FTC has jurisdiction to investigate Target's information security policies, procedures, and practices if Target fails to adequately and appropriately protect customer information. Breach notification obligations, which require Target to properly notify exposed customers in the event of a data breach, come primarily from the state data breach notification laws rather than from the FTC Act itself. The Sarbanes-Oxley Act (SOX) is also entrenched in Target, as it "establishes financial reporting standards, including safeguarding data, tracking attempted breaches, logging electronic records for auditing, and proving compliance." (Magnusson, 2023) The internal controls outlined in SOX that Target must adhere to through proper ethical considerations are:
1. Access Controls
2. Backup of Systems
3. Change Management and Patch Management Processes
4. Segregation of Duties
Lastly, the Gramm-Leach-Bliley Act (GLBA) outlines best practices that Target must implement internally, to the extent its financial products bring it within the GLBA definition of a financial institution. Some of the notable requirements set forth by the GLBA Safeguards Rule are proper cybersecurity awareness training for employees and the proper monitoring and patching of vulnerabilities. Target must employ administrative, technical, and physical safeguards to comply with the GLBA, whose compliance the FTC enforces. The best practices identified under ethical considerations are followed because of these laws. Key leaders of Target failing to properly account for ethical and legal considerations can have a large negative impact on information assurance and on the organization's reputation. We can see this impact in exactly what happened during the Target breach in 2013: "Between November 27 and December 18, 2013, the Target Corporation's network was breached, which became the second largest credit and debit card breach after the TJX breach in 2007. In the Target incident, 40 million credit and debit card numbers and 70 million records of personal information were stolen. The ordeal cost credit card unions over two hundred million dollars for just reissuing cards." (Shu, 2017) As one of the largest retailers in the United States, it is Target's job to protect information, whether in its collection, use, or storage, in the appropriate manner and in accordance with the regulations, laws, and policies set forth. For the key leaders responsible, this can sometimes result in termination.
Key Components of Information Assurance
The CIA Triad as we know it was one of the first outlines of information assurance that was introduced that outlined effective practices for organizations to ensure information security. “Information Assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information. This includes the protection of the integrity, availability, authenticity, non-repudiation, and confidentiality of user data.” (Marget, 2022)
The following key components correspond to practices that organizations should include in their information assurance plans to ensure information security:
1. Integrity – Information should not be tampered with or modified by an unauthorized individual (hacker/threat actor), ensuring that the information received is in its original state. Safeguards should be put in place throughout the organization to deter threats, such as encryption of data at rest and in transit combined with cryptographic integrity checks (checksums, MACs, or signatures) to secure and protect sensitive information.
2. Availability – Access to information is critical to perform daily business functions. Ensuring systems always remain fully functional and secure means not only that employees within the organization have access to important information, but that it remains available to customers as well. Policies should outline the use of backups, disaster recovery and continuity efforts, and network redundancy to ensure availability.
3. Authenticity – Confirming the identity of users and/or devices before allowing access to important information prevents identity theft and confirms that users who access information are who they claim to be. Policies must address password management, two-factor authentication, and (possibly) biometrics to guarantee authenticity.
4. Confidentiality – Exposure of private information to unauthorized users, systems, or networks can be damaging not only to the organization but to individuals (customers) as well. Confidentiality means that information is accessed only by individuals with the proper authority to do so. Policies must address the safeguards put in place to avoid exposure of sensitive data to unauthorized individuals, implementing Role-Based Access Control (RBAC) and the organization's use of data encryption.
5. Non-repudiation – As data flows through systems, it is important to be able to verify that data was properly transmitted from origin to destination in its original form. "Non-repudiation means someone with access to your organization's information system cannot deny having completed an action within the system, as there should be methods in place to prove that they did make said action. The primary goal of this pillar is to guarantee that the digital signature is that of the intended party, thereby granting authorization to the protected information." (Marget, 2022)
Target can implement a new, effective Information Assurance plan to ensure the confidentiality, integrity, and availability of information. Its policies must include best practices such as annual security training; email use and acceptable use of company assets; infrastructure setup and maintenance; and the availability, confidentiality, and management requirements of large networks, including the use of cryptographic equipment and Intrusion Detection Systems (IDS). Policies must also address the "security measures in place for workstations, servers, applications, and operating systems. These measures would include encrypted email, file protection, secure web browsing, virus detection for workstations, Public Key enabling of applications, and other system-specific security measures for key business systems." (Haase, 2002) Access controls will be established through the security policies included in the Information Assurance Plan to secure access to the information/data and systems within Target's network and ensure the confidentiality of information.
Analysis of Environment
A risk assessment of Target's current operating procedures, including the protocols and policies currently in place for information assurance, will identify the threats in the environment that pose a risk to the organization's information. Before the threats to the organization can be understood, an analysis of the current environment must be performed. Analysis "provides organizations with actionable insights into their network infrastructure, optimizes performance, and ensures compliance with regulatory requirements." (LiveAction, 2023) This practice allows Target to improve its cybersecurity posture by proactively minimizing risks and managing its networks. The current policies and protocols included in the Information Assurance Plan outline the proper use of the systems that provide services to all identified users, including how system activity is monitored and how the systems are maintained. Having extensive policies in place provides "clarity for your employees, direction for proper security procedures, and proof that you're doing your due diligence to protect your organization against security threats." (Harvey, 2020) The current policies that Target has in place (but is not limited to) related to Information Assurance are:
Acceptable Use Policy – Target outlines what is considered an acceptable way for end users to use company assets. This policy essentially covers the dos and don'ts of how users may use company assets, including which programs (approved and non-approved) may be run.
Encryption and Key Management Policy – In order for Target to send sensitive data and protect its assets, this policy outlines the organization-wide encryption standard for data both at rest and in transit. Target currently uses the Advanced Encryption Standard (AES) to encrypt highly sensitive data, and Triple DES for all transactions done on the Point of Sale (POS) systems. Target does not have access to, nor does it store, the keys for the POS encryption within its internal systems; the keys used for internal highly sensitive data are stored in a secure location. Note that NIST (SP 800-131A Rev. 2) has deprecated Triple DES and disallows it for encrypting new data after 2023, so this policy should also carry a migration plan from Triple DES to AES for the POS path.
Password Policy – Target sets password rules for employees that require the use of a strong password. Each password must be at least 12 characters long and include a special character, letters (both upper and lower case), and a number. Passwords expire every ninety days, and accounts are locked after five unsuccessful login attempts. Current NIST guidance (SP 800-63B) recommends screening passwords against lists of known-breached passwords and dropping forced periodic rotation unless compromise is suspected, since routine expiry tends to push users toward predictable variations; the policy should be reviewed against that guidance.
Information Security Policy
Access Control Policy – Target has deployed Role-Based Access Control (RBAC) to grant permissions. This ensures that access is granted on a least-privilege basis, and no employee has more access than needed to conduct daily business functions. Authentication to the main, critical business systems uses Two-Factor Authentication (2FA) to confirm the identity of end users.
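As an added illustration of the least-privilege and two-factor requirements in the Access Control Policy above (this is example code written for this plan, not Target's actual implementation), the Python script below implements a minimal default-deny RBAC check. The roles, resources, user records, and the rule that POS servers and the SIEM require a verified second factor are all constructed assumptions. It also shows the point made earlier about the vendor account: even with valid credentials, a role scoped to a vendor portal cannot reach the POS environment, and a misspelled role name fails closed rather than open.

```python
"""
Added example (not from the original paper or from Target): a small
role-based access control (RBAC) check with default deny, a per-resource
second-factor requirement, and an effective-permissions report for access
reviews. Role names, resources and user records are constructed.
"""
from dataclasses import dataclass, field
from typing import Set, Tuple

Permission = Tuple[str, str]   # (resource, action)

# Permissions each role grants. Anything not listed is denied: there is no
# "allow all" role and no implicit inheritance between roles.
ROLE_PERMISSIONS = {
    "hvac_vendor":   {("vendor_portal", "read"), ("vendor_portal", "submit_invoice")},
    "store_cashier": {("pos_terminal", "sell"), ("pos_terminal", "refund")},
    "pos_admin":     {("pos_terminal", "sell"), ("pos_terminal", "configure"),
                      ("pos_server", "admin")},
    "sec_analyst":   {("siem", "read"), ("siem", "acknowledge_alert")},
}

# Resources whose access requires a second factor, regardless of role.
MFA_REQUIRED = {"pos_server", "siem"}

@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)
    mfa_verified: bool = False   # set by the authentication layer per session

@dataclass
class Decision:
    allowed: bool
    reason: str

def authorize(user: User, resource: str, action: str) -> Decision:
    """Default-deny RBAC check. The user is allowed only if some assigned role
    explicitly grants (resource, action); MFA-protected resources additionally
    require a verified second factor for this session."""
    granting = sorted(r for r in user.roles
                      if (resource, action) in ROLE_PERMISSIONS.get(r, set()))
    if not granting:
        return Decision(False, f"no role of {user.name} grants {action} on {resource}")
    if resource in MFA_REQUIRED and not user.mfa_verified:
        return Decision(False, f"{resource} requires a verified second factor")
    return Decision(True, f"granted via role {granting[0]}")

def effective_permissions(user: User) -> Set[Permission]:
    """Everything the user could do across all roles; the input to a periodic
    least-privilege access review."""
    perms: Set[Permission] = set()
    for r in user.roles:
        perms |= ROLE_PERMISSIONS.get(r, set())
    return perms

def unknown_role_is_harmless() -> bool:
    """A misconfigured (misspelled) role name must never widen access."""
    u = User("typo", roles={"pos_admn"}, mfa_verified=True)
    return not authorize(u, "pos_server", "admin").allowed

# Constructed scenario: the vendor account is compromised via phishing. Even
# with valid credentials, its role cannot reach the POS environment.
vendor = User("fazio-svc", roles={"hvac_vendor"})
cashier = User("cashier-17", roles={"store_cashier"})
admin_no_mfa = User("pos-admin-1", roles={"pos_admin"}, mfa_verified=False)
admin_mfa = User("pos-admin-1", roles={"pos_admin"}, mfa_verified=True)

if __name__ == "__main__":
    checks = [(vendor, "vendor_portal", "submit_invoice"),
              (vendor, "pos_server", "admin"),
              (cashier, "pos_terminal", "configure"),
              (admin_no_mfa, "pos_server", "admin"),
              (admin_mfa, "pos_server", "admin")]
    for who, res, act in checks:
        d = authorize(who, res, act)
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{who.name:12} {act:15} {res:14} -> {verdict} ({d.reason})")
    print("vendor effective permissions:", sorted(effective_permissions(vendor)))
```

The two design choices worth carrying into a real policy engine are that the decision is default deny (an unknown or misspelled role grants nothing) and that the second-factor requirement is attached to the resource rather than to the user, so a high-value system cannot be reached by any role without a verified session.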
Data breaches are generally caused by inadequate Information Assurance plans, whether because the correct policies are not in place or because the policies are not properly implemented. These policies govern how Target operates and set guidelines for network policies. To conduct daily business operations, Target relies heavily on the internet. The environment is filled with transactions that transmit data over the internet. Not only internal employees rely on the internet, but so do the Point-of-Sale (POS) systems, vendor services (such as HVAC system management), online shopping, and multi-network exchanges. Authorized users of Target's website, products, and services include customers, internal employees, and third-party vendors. Target currently processes millions of transactions every day, including financial transactions (customers checking out online or at POS systems), product inventory, financial reporting, and daily operational functions conducted by employees to keep the organization growing and running. This means that ensuring the security of the network and its practices is vitally important to the organization and its information. Data is constantly moving throughout the network, but with the proper protocols and policies in place this risk can be mitigated. In addition to the policies mentioned, Target uses Transport Layer Security (TLS), which is "used by endpoint devices and applications to authenticate and encrypt data securely when transferred over a network." (Accuenergy, 2023) This ensures secure communications over a computer network.
Threat Environment
As part of a thorough risk assessment of Target's current environment, the organization's threat environment must be correctly identified so that the threats within it can be accurately addressed.
Understanding the threat environment allows key leaders and administrators to correctly configure systems and address threats, mitigating the risks and vulnerabilities that exist and ensuring the confidentiality, availability, and integrity of information. As previously identified, Target relies heavily on the internet to complete daily business functions. The internet itself (not just for business functions) presents a huge threat, as the internet environment can leave Target open to exploitable vulnerabilities. As technology has evolved and more daily functions are performed solely online, significant security problems associated with the web have arisen. Some of the best-known web threats include (but are not limited to):
1. Phishing – This is a common tactic of bad actors that involves targeting end users through some form of communication, most commonly email, text messages, or social media sites. The bad actor poses as a legitimate site/business to gain the end user's trust and get them to enter sensitive information, which ends up in the bad actor's hands (credential and/or information stealing).
2. Ransomware – This type of threat is generally initiated through phishing emails. Ransomware is a form of malware in which an end user clicks a link or downloads an attachment that installs malware onto the endpoint or into a file. The bad actor then demands a fee to return the sensitive information or to restore the use of the victim's own computer.
3. Structured Query Language (SQL) Injection – This is where hackers exploit vulnerabilities within a website's application code. This is accomplished by inserting an SQL query into standard online form fields (such as a login box). The SQL query is then passed from the login field (for example) into the SQL database. This allows sensitive data to be exploited and stolen.
4. Cross-site Scripting (XSS) – This is where hackers run malicious scripts on trusted websites, which in turn compromises the end user's interactions. This allows information to be disclosed and potentially stolen.
5. Denial-of-Service (DoS) Attack – This is where hackers flood servers with a high volume of requests, which in turn disrupts the service for legitimate users because the website eventually goes offline.
Not only are the current threats to Target external; internal threats in the environment such as misuse of employee credentials, lack of security awareness, unsecured networks, unpatched vulnerabilities, and non-compliance with policies and protocols also pose a threat. Lack of security awareness training is generally the start of data breaches, and this is exactly what we saw in the Target 2013 data breach. Due to the lack of proper security awareness training on phishing emails, a third-party vendor fell victim to a phishing email, which in turn played a part in the data breach. Usernames and passwords are used to authenticate users' identities; however, Target does not deploy Two-Factor Authentication (2FA) to ensure proper authentication in the event that a username and password combination is compromised. Target employs Role-Based Access Control (RBAC), which only grants users the least privileges needed to do their job. However, if the wrong credentials (such as those with escalated privileges) fall into the wrong hands, a hacker has access to much more than just basic access.
Unsecured networks leave internal networks and servers vulnerable to outside intruders. This can allow hackers to move throughout a network undetected before causing serious damage (installing malware) and exploiting sensitive data. Networks can be secured with Intrusion Detection Systems (IDS), which notify security personnel when unauthorized activity triggers an alarm, and with network-based firewalls, which block untrusted sources from entering the network. Target does use IDSs; however, it does not have a standard for responding to alarms. The hackers were setting off alarms as they moved through Target's network, but the security staff did not follow a procedure for responding to and reporting the alarms. Network segmentation is vitally important for Target, as it breaks an entire network up into smaller segments or subnets, drastically improving the cybersecurity posture of the company. This allows an attack to be isolated before it is able to spread across an entire network. Although Target has adopted network segmentation, improper incident response to alarms made its use redundant, because the attackers were able to move through the subnets until they were eventually able to install malware on the Point of Sale (POS) systems. Unpatched vulnerabilities on endpoints, whether computers or servers (for example), give hackers an easy way to gain access and exploit those vulnerabilities unless security updates and patches are applied on a routine basis. Target encrypts data both at rest and in transit. Target currently uses the Advanced Encryption Standard (AES) to encrypt highly sensitive data, and Triple DES for all transactions done on the Point of Sale (POS) systems. Triple DES encryption is an older method that was first introduced in 1998. Due to the lack of updates to more secure encryption algorithms (such as AES-256) on POS systems, the hackers were able to easily exploit customer data. Although Target does encrypt data, it neither has access to nor stores the POS encryption keys within its internal systems. However, the keys used for internal highly sensitive data are stored in a secure location. Any of the identified threats in the environment can leave Target, Target's network/information, and customer information susceptible to irreparable damage if not mitigated through the proper implementation of an Information Assurance Plan. Due to the lack of updated security controls and procedures, these identified threats remained exploitable by hackers (as we saw in this breach). Since the Target 2013 breach, Target has drastically improved its cybersecurity posture by updating its policies around incident response and encryption standards. Humans will always be the weakest element in cybersecurity, so phishing will forever continue to be a challenge for any company.
Best Approaches
This section covers information assurance principles, including areas of improvement to the current protocols and policies. Given the above-mentioned threats that exist within Target's current environment, the current situation must change through the implementation of a stronger, more robust Information Assurance plan. Each identified threat will need a mitigation strategy.
Deploying a top-down approach puts decision-making at the executive level of Target, from which the determined directives cascade down the hierarchy. Using this approach allows for comprehensive governance deployed organization-wide. It allows decisions to be made at the executive level with a holistic view of Target's cybersecurity posture as a whole. Strategic priorities are set by the executive level, ensuring focused resource allocation and efficient resource utilization. A top-down approach within Target also ensures that the proper cybersecurity policies and protocols are followed and are consistent with and aligned to Target's overall objectives. It is critically important for Target to deploy a top-down approach to address the factors that need to be included in the organization's new Information Assurance Plan. As previously identified, the Target 2013 breach started with a successful phishing attempt. An improved security awareness training program for Target employees is much needed. Adopting this best practice creates a people-centric culture at Target. Successful phishing attacks account for 70% of data breaches. Monthly phishing simulations sent out by Target's security department will ensure that employees stay on their toes and are aware of what a successful phishing attempt looks like. This will ensure that credentials are kept secure on the front line, fighting off attackers before they can even gain access. Strong, consistent cybersecurity awareness training educates employees on how to identify and avoid cybersecurity threats. Not only did the Target data breach start with a successful phishing attempt; it was also caused by a third-party vendor's improper security controls. Vendor risk assessment is a critical part of cybersecurity posture, as Target outsources some of its daily business functions. Target is not the
only organization that does this; it is very common in today's world. Vetting a third-party vendor's implemented security controls (which includes its security awareness training) is vital. Any relationship, especially one where a third party has access to an internal network, needs to be vetted before access is granted. This can entail reviewing the third party's security controls, certifications, and security policies to decide whether it is a good business decision for Target to be in a relationship with that third party, and whether the third party takes its security posture as seriously as Target does. Target does have Intrusion Detection Systems (IDS) in place throughout its segmented network. However, an IDS can be present and in use, but if alarms are not acknowledged, the system becomes redundant. When the Target 2013 breach was taking place, a total of three alarms went unanswered. Included in Target's best practices to mitigate the identified threats, a proper incident response plan/policy needs to be part of the Information Assurance Plan to outline how to properly respond when an alarm is triggered. False positives do happen; however, these three alarms were overlooked by cybersecurity employees without evaluating their accuracy. Determining how security alarms are responded to will keep this from happening in the future. Lastly, although the data breach was caused by a successful phishing attempt, had Target had effective authentication systems in place, the hackers would never have been able to move throughout Target's internal network to reach sensitive areas. Target needs to implement either Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA). This method will close the gaps in access control to critical systems that Target has. Not only would a username
and password be insufficient, but one would also need another form of authentication to access systems/applications.
Risk Matrix
To comprehensively and accurately assess the threats and vulnerabilities of Target, a risk assessment of the identified risks needs to be understood. In the previous section, we identified the threats within Target, which also constitute risks to the organization's security and assets. Understanding risk assessment principles reduces the likelihood of data breaches and disruptions to systems/applications by providing strategic guidance on how Target can mitigate the risks associated with its organization. To understand how well Target can protect information and systems, we must first understand the following risk assessment principles:
1. Risk Identification – Evaluating the organization's digital landscape (which includes information, systems, policies/procedures, and internal IT infrastructure) to see where there are potential threat vectors.
2. Risk Assessment – Once a risk has been identified, an organization must understand the risk itself, such as the likelihood and potential impact it would have in the event of a cybersecurity incident. An organization would ask itself questions such as: what are the potential consequences to the organization and its customers if this risk is exploited? This also allows organizations to prioritize risks to better allocate resources and funds to effectively mitigate them.
3. Risk Mitigation – Once a risk is assessed, an organization must focus on developing strategies and implementing measures to reduce the likelihood and impact of the identified risk. This can include the implementation or restructuring of an Information Assurance Plan, robust security controls (firewalls, access controls, Intrusion Detection Systems, etc.), a required security awareness program for employees, a patch management policy (for patching and updating systems), and incident response planning.
4. Risk Monitoring and Review – After a risk has been mitigated, it is important for Target to keep ongoing efforts and processes in place to proactively monitor and review its threat landscape. This entails staying up to date with emerging cybersecurity threats and regularly reviewing risk management.
Following these principles, Target is able to establish a structured and systematic approach to mitigating and managing the risks within its organization. Target's Risk Matrix:
Risk = Impact x Probability

Risk Assessment Matrix

                                      PROBABILITY
IMPACT                Low (Level 1)     Medium (Level 2)    High (Level 3)
High (Level 3)        Moderate (3)      High (6)            Critical (9)
Medium (Level 2)      Low (2)           Moderate (4)        High (6)
Low (Level 1)         Very Low (1)      Low (2)             Moderate (3)
Incident Response Protocols
Target's incident response protocols are critically important in the event of any type of cybercrime, data loss, or loss of availability that threatens daily business functions. These protocols define a structured process that Target follows to identify and respond to already identified vulnerabilities or security emergencies. Essentially, how does Target handle identified vulnerabilities that exist within the organization, and what process is followed in the event of a data breach? Following sufficient incident response protocols provides Target with a course of action in the event of significant incidents. Incidents can lead to massive data breaches, as Target has already experienced, that not only affect the organization directly but also its customers. These impacts can be felt for days or even months. This is why thorough, detailed incident response protocols need to be followed to help Target stop, contain, and control the incident at hand. Some of the vulnerabilities and threats to Target that have been affecting information assurance and best practices are:
Unsegmented Network – Network segmentation is when an organization breaks a larger network into smaller parts to improve network performance and the security of the overall network. Target's use of an unsegmented network presents attackers with a greater attack surface. This allows attackers to move laterally through the network, potentially accessing critical information easily. After an attacker gains access to Target's internal network, the lack of separation throughout the internal network makes it easy to install malware/ransomware, maximizing the number of hosts the attacker can exploit. Creating segmented networks makes the overall
management of the network easier and ensures critical parts of the network are isolated in
the event of a security breach.
Social Engineering Unawareness of Employees/Phishing Emails – Social engineering attacks rely on human weaknesses (employees) for attackers to gain unauthorized access to internal Target systems. Attackers use manipulation methods such as phishing emails to obtain credentials (username and password) that allow them to exploit data. It is important that Target employees and vendors understand their importance in protecting the front line against attackers, are aware of how to properly identify phishing attempts, and know the repercussions of falling for social engineering.
Improper configuration of Intrusion Detection Systems – Intrusion Detection Systems (IDSs) “use heuristics and complex machine learning algorithms based on behavioral modelling to make intelligent guesses.” (Proud, 2018) Target had deployed the FireEye IDS, but its alarms were not properly acknowledged when they were raised to let the security department know that there was an attacker within the network. Had the security staff followed the proper incident response protocols, the attacker would never have made it to the Point-of-Sale (POS) systems to install malware. It is important that baselines of behavior be created for all alarm systems and that security personnel are properly trained on how to handle incident response.
Third-Party Vendor Assessments – Target works with third-party vendors daily, and some of these vendors have access to Target's internal systems. We saw this in the 2013 Target data breach, when an HVAC company was remotely accessing Target's HVAC systems. Granting third-party vendors access to internal networks can affect the
security of the organization without proper vendor management. Properly evaluating the security posture of third-party vendors mitigates this persistent threat to Target. Ensuring that third parties have strong security practices and hold the appropriate compliance certifications addresses the security posture of those Target allows to access its systems. As these are just some of the threats and vulnerabilities present to Target, it is important that the company responds to any incident that may occur because of these security threats. Following incident response protocols guides the entire organization through an incident to ensure that the business can return to normal operations in a timely manner and reduce the risk of data exploitation. Incident response protocols are often initiated as soon as an IDS raises an alarm, at which point the incident response team takes over and follows the protocols to resolve the incident. These guides for the different types of threats/vulnerabilities are usually outlined in organizational playbooks. Referring to the threats/vulnerabilities identified above, let's identify the incident response protocols:
Unsegmented Network – After an attacker breaches the perimeter of a network, it is critical to isolate any devices or systems that have been identified. This can mean closing any identified asset (whether an account, device, or system) to prevent attackers from exposing anything further. After the affected asset is isolated, incident response protocols must be extended to examining the damage. This involves assessing what systems/data have been accessed so that the organization is better equipped to deal with the breach.
Social Engineering – It is important for Target to bring social engineering awareness to its employees. Employees are the first line of defense against attackers, and being aware of what phishing attempts look like is critical to the success of the organization's
security posture. Incident response protocols against this threat include raising social engineering awareness through annual phishing training and monthly phishing simulations for employees. If an attacker succeeds with a phishing attempt, it is vitally important that the employee knows how to properly report it. Once management is notified of compromised credentials, the employee's compromised account needs to be shut down to mitigate the exposure of information through their access. New firewall rules will also be part of Target's incident response protocol, given that these firewall rules control who can access what, and from where.
Intrusion Detection System – One of the reasons the 2013 Target breach was successful was that the alarms the IDS raised went unnoticed and unanswered. If an IDS triggers an alarm, it indicates that there is or has been an attack. The Incident Response team first needs to acknowledge the alarms, even if an alarm turns out to be a false positive. Once the team determines whether the attack was legitimate, the attack needs to be investigated, which also entails gathering indicators of compromise. At this point, Target personnel will determine the extent of exposure (what data was exploited). Following the correct incident response protocols will ensure that alarms from security tools are taken seriously before they seriously affect the data/information within Target's systems.
Third-Party Vendor Assessment – It is unavoidable that organizations like Target will engage in multiple third-party vendor relationships. This is why it is vitally important for Target to have a solid vendor management program to properly address and vet vendors' cybersecurity posture and security practices, ensuring that the vendors themselves are not risks to the organization. If a third-party vendor experiences a breach, it is important for
Target to ensure that its information/access has not been compromised as well. The incident response protocol to follow in the event of a third-party vendor experiencing a data breach is, first, to consider the relationship between the two organizations and the business use case for that relationship. This gives Target insight into what information or level of access the vendor would have had to Target's sensitive information. If remote access has been granted to the vendor, this access needs to be stopped immediately. Target must then contact the vendor directly to properly address the potential exposure.
Justification of Incident Response Protocols
Incidents can lead to massive data breaches, as Target has already experienced, that not only affect the organization directly, but also its customers. These impacts can be felt for days or even months. This is why thorough, detailed incident response protocols need to be followed to help Target stop, contain, and control the incident at hand. Putting these incident response protocols in
place will mitigate the identified threats and vulnerabilities.
Attackers can move laterally through an unsegmented network; therefore, following the proper incident response protocols in the event of a breach when the network is unsegmented will shut down the attacker's access and isolate the affected host. This ensures
that the attack stays isolated from critical parts of the network.
Phishing emails are sent with the intent to gain access to internal systems using employee credentials, so following the correct protocols in the event of a successful phishing attempt will cut off the compromised account's (and thus the attacker's) access to sensitive
business information. Also, bringing social engineering awareness to Target reduces the risk of successful social engineering overall.
Intrusion Detection Systems (IDSs) help to identify breaches quickly, and following incident response protocols helps to keep a breach from spreading to other parts of the network and to areas that hold sensitive information. Proper response to IDS alarms can keep a small breach attempt from turning into another 2013-scale breach.
Through proper vendor management, it is also a proper incident response protocol to consider the security posture of the vendors the organization has relationships with. If a vendor is breached, following proper protocol can stop the threat of exposure of Target's internal systems. It is also important to understand what information/data the vendor may hold that would impact Target, in order to understand which protocols need to be followed to mitigate exposure.
Disaster Response Protocols
Following disaster response protocols prepares not only the network but also employees for crises and can mitigate the damage caused by a disaster. These protocols provide Target with a documented, structured approach that describes how the organization responds to any unplanned incident. Disaster Recovery and Business Continuity Policies govern the response protocols to the various threats and vulnerabilities. Some of the disasters that Target plans for in its policies are systems/application/communication failure, power outage, natural disaster, and cyber-attacks. The main objective of disaster response protocols is to minimize the negative effect on Target's business operations if any of these should occur. The disaster recovery protocols include the following:
The identification of the critical systems
The key leaders and staff members that are responsible for the identified critical systems
The RTO and RPO
Outlined steps of how to restart, reconfigure, and recover the identified systems
Disaster recovery protocols also establish communication plans for how crisis communication will be handled throughout Target. “Examples of internal communication include instructions to evacuate the building and meet at designated places, updates on the progress of the situation and notices when it's safe to return to the building.” (Brush, 2022) Disasters such as Denial of Service (DoS) and SQL Injection attacks have their own disaster response protocols. Target follows internal protocols in the event of such disasters. Disaster recovery protocols ensure a proper response to the identified threats. Some of these outlined protocols are:
Systems/application/communication failure – In the event of a system/application/communication failure, Target has set up redundancy so that the business can become functional again. This consists of redundant circuits and servers to bring services back up. In the event of data loss, Target's backups (file copies) ensure that business-critical information can be restored.
Power outage – In the event of a power outage, Target has multiple generators that can handle the power load of its data center and headquarters. This allows business to continue even when the surrounding area has no power.
Natural disasters – In the event of an unforeseen natural disaster striking, Target has established both hot and warm sites that allow for business to be transferred to a different
location. Hot sites are fully functioning sites that allow Target to essentially pick up where it left off at headquarters. Backups allow for there to be no data loss. Establishing disaster recovery protocols is just the first step, however; they are meaningless if they go untested. Testing of these protocols identifies any deficiencies and gaps within them, giving Target the opportunity to improve its disaster recovery protocols before an emergency happens. In the ever-changing world of technology, testing also allows Target to ensure that its disaster recovery protocols stay up to date with real-world security trends. Tabletop exercises help demonstrate to team members what their duties are in the event of an emergency.
Justification of Disaster Response Protocols
These disaster response protocols are ensured to be effective through consistent testing. Management's support ensures the proper support of security policies and incident handling by ensuring the proper allocation of resources in the event of an emergency. Regularly assessing the threats and vulnerabilities within Target ensures that disaster recovery protocols stay up to date. Patch management policies and configuration management help to mitigate the likelihood of vulnerabilities in Target's environment by enforcing correct configuration. Regular testing of disaster recovery protocols ensures that every key player knows their part and that the protocols are effective in mitigating the impact that emergencies have on the organization.
Access Control Protocols
Access control protocols are critical components of Target's cybersecurity posture. Following these protocols ensures that “the right users have the right level of access to the right resources.” (Fortinet, 2023) There are several components that make up access control protocols. Authentication verifies a user's identity: essentially, is this person who they claim to be? This is usually done with authentication methods such as a username and password, and sometimes Two-Factor Authentication (2FA) such as biometrics. However, authentication alone is not sufficient to properly protect Target's data. Authorization specifies each user's rights and privileges to resources: after a user's identity is authenticated, what resources do they have access to? Access control protocols ensure that only the proper individuals have access to only the proper information/data. Access control protocols fall into one of the following categories, each of which implements a way to safeguard data and users:
Role-Based Access Control (RBAC) – Permissions and actions are granted by an employee’s role within the company.
Mandatory Access Control (MAC) – Permissions are determined by an individual’s request to be able to access the data and resources that they need. This generally entails the Identity Access and Management Department adding users to specific groups to have access.
Discretionary Access Control (DAC) – Permissions are determined by if the data owner approves granting access on a per user basis. Target implements Role-Based Access Control to develop appropriate access control throughout the organization. This ensures access is based off least-privilege access to ensure the proper
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
safeguarding of the data/information with Target’s system is not access by an unauthorized individual. Information assurance is heightened by an Access Control Policy and access control protocols to protect the integrity of users and avoid the compromise of any organizational assets. Levels of access is granted by position and rank within Target. This helps to identify the compromised systems quickly in the event of a data breach. For example, a customer service representative would have drastically less access than the CEO of a company. Justification of Access Control Protocols
To address the security threats and the integrity of users in Target, it is critically important to have access control protocols in place. Using a Role-Based Access Control (RBAC) approach ensures that users are granted access on a least-privilege basis, only granting access to the systems and information needed to complete daily job functions. Not only are authentication and authorization (as previously identified) important, but the audit of access control protocols is as well. “Organizations can enforce the principle of least privilege through the access control audit process. This enables them to gather data around user activity and analyze that information to discover potential access violations.” (Fortinet, 2023) Access control protocols used within Target also extend to the use of Two-Factor Authentication (2FA) through Microsoft Duo on all business-critical systems and applications. This ensures that even in the event of compromised usernames and passwords, the systems have an extra layer of security. Access control protocols are also extended to devices through Target's use of Network Access Control (NAC). It is important for Target to address the growth of devices accessing the network. “A NAC system can deny network access to noncompliant devices, place them in a quarantined area, or give them only restricted access to computing resources, thus keeping insecure nodes from infecting the network.” (Cisco, 2023) This mitigates the risks associated with the devices on Target's network through an access control protocol. Having access control protocols in place ensures that even if credentials are compromised, an attacker would not have full, unrestricted access to everything in Target's internal network. These protocols can also prevent data breaches, as they provide a high level of user and data protection against security threats and protect the integrity of the users in Target.
Method of Maintaining the Information Assurance Plan
Establishing the Information Assurance Plan is just one step for Target; maintaining the Information Assurance Plan is just as important. Without proper maintenance, the Information Assurance Plan is simply words on a piece of paper. Target must commit to building a conscious cybersecurity culture. According to the PCI Security Standards Council, this effort revolves around:
A social engineering awareness program that brings security awareness to all users
Guidelines on the proper storage and disposal of data
Audits of all systems to ensure compliance not only with governing laws and regulations, but also with Target's internal Information Assurance Plan
Applying the proper configuration and patch management process to all systems and servers to ensure devices are kept up to date
Following the proper incident response protocols
Employing a Security Operations Center (SOC) team to monitor and respond to incidents
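The RBAC least-privilege model from the access control section and the system audits listed above can be exercised together in code. The following Python is an added illustration, not part of the original paper or of Target's systems; every role, user, resource and log line in it is constructed:

```python
# Added example (not from the original paper): RBAC least-privilege check plus
# an access-log audit flagging grants the role policy would not permit.
# Roles, users, resources and log lines are constructed for illustration.
from collections import Counter

# Role -> set of (resource, action) permissions, kept to what each job needs.
ROLE_PERMISSIONS = {
    "customer_service": {("customer_records", "read")},
    "pos_engineer": {("pos_terminals", "read"), ("pos_terminals", "configure")},
    "hvac_vendor": {("building_hvac", "read")},  # third-party contractor account
    "ciso": {("customer_records", "read"), ("pos_terminals", "read"),
             ("building_hvac", "read"), ("audit_logs", "read")},
}
# User -> assigned role; an account with no role gets no access at all.
USER_ROLES = {"alice": "customer_service", "bob": "pos_engineer",
              "vendor-remote": "hvac_vendor", "carol": "ciso"}

def is_authorized(user, resource, action):
    """RBAC decision: allow only if the user's role grants (resource, action)."""
    role = USER_ROLES.get(user)
    return (resource, action) in ROLE_PERMISSIONS.get(role, set())

def audit_access_log(log_lines):
    """Replay an access log ('user resource action outcome' per line) and return
    every granted access the RBAC policy would not have permitted: the
    'potential access violations' an access control audit should surface."""
    violations = []
    for line in log_lines:
        user, resource, action, outcome = line.split()
        if outcome == "granted" and not is_authorized(user, resource, action):
            violations.append((user, resource, action))
    return violations

def violations_by_user(violations):
    """Count violations per account so the noisiest accounts are reviewed first."""
    return dict(Counter(user for user, _, _ in violations))

# Constructed sample log: an in-policy grant, a vendor account reaching POS
# configuration, an unknown account, and a request that was correctly denied.
SAMPLE_LOG = [
    "alice customer_records read granted",
    "vendor-remote pos_terminals configure granted",
    "bob pos_terminals configure granted",
    "mallory audit_logs read granted",
    "alice pos_terminals read denied",
]
```

Running `audit_access_log(SAMPLE_LOG)` returns the vendor account's POS configuration grant and the unknown account's audit-log grant, which are the two events the audit process should flag for review.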
Justification of Maintaining the Information Assurance Plan
Cybersecurity posture needs to be a top priority for Target because of the nature of the data/information that is handled. Loopholes for hackers to attack the system are created internally, and sometimes unintentionally. Areas that require establishing and maintaining policies within the Information Assurance Plan include social engineering awareness, asset management, incident response, patch management, disaster recovery/business continuity and password management (just to name a few). Following the best practices outlined in the Information Assurance Plan that relate to these identified topics will ensure the ongoing effectiveness of the overall IA Plan.
Summary of Need for an Information Assurance Plan
Given the criticality and volume of data that Target encounters, it is vitally important to ensure the protection of the confidentiality, integrity, and availability of this data. Target accomplishes this through the proper implementation and maintenance of an Information Assurance Plan. An Information Assurance Plan ensures that this data is securely and effectively managed, reducing the serious risks posed by the digital threat landscape and defending against these threats. Target's Information Assurance Plan uses a broad, strategic focus on the disciplines of protecting sensitive data. By implementing an IA Plan, Target can take an offensive security mindset, ensuring that guidelines and policies are followed to keep data safe. Ethically, it is Target's responsibility to ensure that all data that flows within the organization is protected, maintaining customer confidence and avoiding regulatory sanctions.
Not only is ensuring the confidentiality, integrity, and availability of sensitive data an important aspect of Target's Information Assurance Plan; a commitment to the protection of data also ensures compliance with the regulations and frameworks that govern how Target handles all data. Some of these regulations are:
GDPR
ISO 27001
PCI DSS
NIS Directive
Ultimately, the objective of Target's Information Assurance Plan is to ensure data protection through compliance with the regulations mentioned, correct risk management and mitigation, and implemented organizational policies.
Defense of Key Elements of Information Assurance Plan
The key elements of Target's Information Assurance Plan can be referred to as the CIA Triad (Confidentiality, Integrity, and Availability). Each fundamental component represents a different objective of the Information Assurance Plan and is applied in different ways. Confidentiality ensures the privacy of data; therefore Target shall be responsible for the proper cryptography/encryption methods for data in transit and at rest. Integrity ensures that data is not tampered with and remains in its original state, making Target responsible for implementing the proper access controls throughout the system. Lastly, availability ensures that data is accessible to authorized users when it is needed to complete daily business functions. Target accomplishes this using proper redundancy and backup efforts. Management within Target is ultimately responsible for ensuring that an effective and updated Information Assurance Plan is implemented. This can entail the proper allocation of money and resources that protect the key elements of the Information Assurance Plan. Also, it is management's responsibility to ensure that the proper repercussions fall upon any employee who poses an insider threat to the organization's cybersecurity posture. Not only is management responsible for each element of the Information Assurance Plan, but it is also the end users' (employees') job to play their part and take their role seriously on the front line against cyber-attacks.
Citations
Barker, W. C. (2003, August). Guideline for Identifying an Information System as a National Security System (NIST Special Publication 800-59). National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-59.pdf
PCI Security Standards Council. (2014). Best practices for implementing a security awareness program. https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf
Brush, K. (2022, May 18). What is a disaster recovery plan (DRP) and how do you write one? TechTarget SearchDisasterRecovery. https://www.techtarget.com/searchdisasterrecovery/definition/disaster-recovery-plan
Cisco. (2023, July 24). What is Network Access Control (NAC)? https://www.cisco.com/c/en/us/products/security/what-is-network-access-control-nac.html
Gopal, R. V. (2022, December 12). Complete case study: Target data breach 2. Medium. https://medium.com/@rithikvgopal/complete-case-study-target-data-breach-2-ba4bb365a82e
Haase, J. (2002, April 8). Global Information Assurance Certification Paper. GIAC. https://www.giac.org/paper/gsec/1839/building-information-assurance-framework-small-defense-agency/103247
Harvey, S. (2020, December 20). 15 information security policies every business should have. KirkpatrickPrice. https://kirkpatrickprice.com/blog/15-must-have-information-security-policies/
Kehal, B. (2023). Cybersecurity training: Confidentiality, integrity, and availability (CIA triad). CyberTraining 365. https://www.cybertraining365.com/cybertraining/Topics/Confidentiality,_integrity,_and_availability_(CIA_triad)
Magnusson, A. (2023, December 22). What is SOX compliance? 2024 complete guide. StrongDM. https://www.strongdm.com/sox-compliance
Marget, A. (2022, March 17). Information assurance: Defined, explained and explored. Unitrends. https://www.unitrends.com/blog/information-assurance
Moncada, A. (2015, March 1). When a data breach comes a-knockin', the FTC comes a-blockin' ... https://via.library.depaul.edu/cgi/viewcontent.cgi?article=3948&context=law-review
Proud, J. (2018, March 12). Simple heuristics that make algorithms smart. Behavioral Scientist. https://behavioralscientist.org/simple-heuristics-that-make-algorithms-smart/
Shu, X., Tian, K., Ciambrone, A., & Yao, D. (2017, January 18). Breaking the Target: An analysis of Target data breach and lessons learned. arXiv. https://arxiv.org/abs/1701.04940
Accuenergy. (2023). TLS 1.2 transport layer security protocol. https://www.accuenergy.com/support/reference-directory/tls-transport-layer-security-protocol/
University of Delaware (UDel). (2020). Managing data confidentiality. https://www1.udel.edu/security/data/confidentiality.html
LiveAction. (2023, December 19). What is network performance monitoring and why is it important. https://www.liveaction.com/resources/blog-post/what-is-network-performance-monitoring-and-why-is-it-important/
Xiaokui, S. (2017, January 17). Breaking the Target: An analysis of Target data breach and lessons learned. arXiv. https://arxiv.org/pdf/1701.04940.pdf