Presentation is loading. Please wait.

Presentation is loading. Please wait.

APolicy EASy Security Project Analysis and Recommendations for TJX Companies, Inc.

Published byAmie Tucker Modified over 8 years ago

Similar presentations

Presentation on theme: "APolicy EASy Security Project Analysis and Recommendations for TJX Companies, Inc."— Presentation transcript:

1 APolicy EASy Security Project Analysis and Recommendations for TJX Companies, Inc.

2 Security Incident - Agenda Background Vulnerabilities Recommendations Plan of Action Summary

3 Security Incident - Background 45 million credit and debit card numbers stolen Over an 18-month period Estimated cost = $4.5 billion

4 Security Incident - Vulnerabilities Insecure wireless network Vulnerable POS scanners Inadequate policies and procedures Insufficient security control systems and tools

5 Security Incident: Recommendations COBIT DS5 Objectives Not Met 5.1 Manage Security Measures5.14 Transaction Authorization 5.2 Identification, Authentication and Access 5.16 Trusted Path 5.7 Security Surveillance5.17 Protection of Security Functions 5.8 Data Classification5.18 Cryptographic Key Management 5.10 Violation and Security Activity Report5.19 Malicious Software Prevention, Detection and Correction 5.11 Incident Handling 5.20 Firewall Architectures and Connections with Public Networks 5.12 Reaccreditation 5.21 Protection of Electronic Value

6 Recommendations Improved Policies and Procedures Data ownership/classification Data retention Encryption standards Log management Incident handling Reaccreditation

7 Recommendations Adherence to PCI Standards PCI Requirements 3: Protect stored cardholder data 4: Encrypt transmission of cardholder data across open, public networks 11: Regularly test security systems and processes

8 Recommendations Infrastructure Improvements Implement Stateful Packet Inspection (SPI) firewall Utilize Active Directory Improve wireless devices Secure POS credit card scanners

9 Security Incident: Plan of Action

10 Plan of Action Institute a Network Security Team (NST) Team of 3 to 5 full-time employees Estimated total salaries $150K - $500K Develop, implement, and oversee security policies and procedures Implement the layered security approach: physical security technical security administrative security

11 Plan of Action Implement Security Information Event Management (SIEM) software Centralized log system Enable log management for incident identification and tracking FortiAnalyzer 4000B appliance Estimated cost of $40,000

12 Plan of Action Implement Infrastructure Changes Corporate-wide involvement Active Directory: $18-30K for licenses and servers AD administrator: $45-80K annual Implement Stateful Packet Inspection (SPI) firewall: approximately $5,000 Secure the POS credit card scanners: $1,000 each store

13 Costs Security Incident Approximate Cost Estimated $100 per lost record or $4.5 billion $118 million reserved for security breach 2009, $51 million and other undisclosed costs spent Average cost for PCI Security Compliance $568,000 on new technologies to comply with the PCI security standard $51 Million $118 Million $4.5 Billion $568 Thousand

14 Summary Prevention is key PCI and security = the cost of doing business

15 Questions? Project detail and references are contained in the Apolicy wiki Pam Sebesta Anne Drake Tom Schaefer Mike Grambow

Download ppt "APolicy EASy Security Project Analysis and Recommendations for TJX Companies, Inc."

Similar presentations

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
BalaBit Shell Control Box

BalaBit Shell Control Box
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
Information Security Jim Cusson, CISSP. Largest Breaches 110,000 2009-11-27 NorthgateArinso, Verity Trustees 6,400 2009-11-25 Aurora St. Luke's Medical.

Information Security Jim Cusson, CISSP. Largest Breaches 110, NorthgateArinso, Verity Trustees 6, Aurora St. Luke's Medical.
Managed Security Monitoring. 2 ©2015 EarthLink. All rights reserved. Today’s top IT concerns — sound familiar? Source: IT Security Risks 2014: A Business.

Managed Security Monitoring. 2 ©2015 EarthLink. All rights reserved. Today’s top IT concerns — sound familiar? Source: IT Security Risks 2014: A Business.
ISecurity Compliance with Sarbanes-Oxley & COBIT.

ISecurity Compliance with Sarbanes-Oxley & COBIT.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Jeff Williams Information Security Officer CSU, Sacramento

Jeff Williams Information Security Officer CSU, Sacramento
Property of the University of Notre Dame Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution EDUCAUSE Midwest Regional Conference March 17, 2008.

Property of the University of Notre Dame Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution EDUCAUSE Midwest Regional Conference March 17, 2008.
Security Controls – What Works

Security Controls – What Works
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Security Analysis and Recommendations. PB’s&J Presenters & Topics David Bihm User Account Management Nathan Julson Data Classification Firewall Architectures.

Security Analysis and Recommendations. PB’s&J Presenters & Topics David Bihm User Account Management Nathan Julson Data Classification Firewall Architectures.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

Similar presentations

Ads by Google