APolicy EASy Security Project Analysis and Recommendations for TJX Companies, Inc.

Presentation transcript:

Security Incident - Agenda
- Background
- Vulnerabilities
- Recommendations
- Plan of Action
- Summary

Security Incident - Background
- 45 million credit and debit card numbers stolen (the figure TJX disclosed; the card-issuing banks' later court filings put it above 90 million)
- Over an 18-month period
- Estimated cost = $4.5 billion (at roughly $100 per lost record)

Security Incident - Vulnerabilities
- Insecure wireless network (store Wi-Fi protected only by WEP, whose keys can be recovered from captured traffic in minutes)
- Vulnerable POS scanners
- Inadequate policies and procedures
- Insufficient security control systems and tools

Security Incident: Recommendations
COBIT DS5 (Ensure Systems Security) control objectives not met (COBIT 3rd edition numbering):
- 5.1 Manage Security Measures
- 5.2 Identification, Authentication and Access
- 5.7 Security Surveillance
- 5.8 Data Classification
- 5.10 Violation and Security Activity Reports
- 5.11 Incident Handling
- 5.12 Reaccreditation
- 5.14 Transaction Authorization
- 5.16 Trusted Path
- 5.17 Protection of Security Functions
- 5.18 Cryptographic Key Management
- 5.19 Malicious Software Prevention, Detection and Correction
- 5.20 Firewall Architectures and Connections with Public Networks
- 5.21 Protection of Electronic Value

Recommendations - Improved Policies and Procedures
- Data ownership/classification
- Data retention
- Encryption standards
- Log management
- Incident handling
- Reaccreditation

Recommendations - Adherence to PCI Standards
PCI DSS requirements most directly violated:
- Requirement 3: Protect stored cardholder data (keep storage to the minimum needed, render stored PANs unreadable, never retain full track data or other sensitive authentication data after authorization)
- Requirement 4: Encrypt transmission of cardholder data across open, public networks (this covers wireless; PCI DSS 1.2 barred WEP on new wireless deployments after March 31, 2009 and on all cardholder-data wireless networks after June 30, 2010)
- Requirement 11: Regularly test security systems and processes (quarterly checks for rogue wireless access points, vulnerability scans, penetration tests)

Recommendations - Infrastructure Improvements
- Implement a Stateful Packet Inspection (SPI) firewall
- Utilize Active Directory (centralized authentication and account management)
- Replace the WEP wireless encryption with WPA2 and keep store wireless separate from the cardholder-data network
- Secure the POS credit card scanners

Security Incident: Plan of Action

Plan of Action - Institute a Network Security Team (NST)
- Team of 3 to 5 full-time employees
- Estimated total salaries $150K - $500K
- Develop, implement, and oversee security policies and procedures
- Implement the layered security approach:
  - physical security
  - technical security
  - administrative security

Plan of Action - Implement Security Information and Event Management (SIEM) software
- Centralized log system
- Enable log management for incident identification and tracking
- FortiAnalyzer 4000B appliance
- Estimated cost of $40,000

Plan of Action - Implement Infrastructure Changes
- Corporate-wide involvement
- Active Directory: $18-30K for licenses and servers
- AD administrator: $45-80K annual
- Implement Stateful Packet Inspection (SPI) firewall: approximately $5,000
- Secure the POS credit card scanners: $1,000 per store

Costs
Security incident, approximate cost:
- Estimated $100 per lost record, or $4.5 billion
- $118 million reserved for the security breach
- 2009: $51 million and other undisclosed costs spent
Average cost of PCI security compliance:
- $568,000 on new technologies to comply with the PCI security standard

Summary
- Prevention is key
- PCI and security = the cost of doing business

Questions?
Project detail and references are contained in the Apolicy wiki.
Pam Sebesta, Anne Drake, Tom Schaefer, Mike Grambow