Case Study – Target
Team 4 – Mack, Josh, Felicia, Kevin and Walter
Senior Testing and Internal Audit team
Team 4 – testing and auditing
How would you describe your current testing and auditing to your Senior Leadership?
Our current testing and auditing process is comprehensive:
- We use the Payment Card Industry Data Security Standard (PCI-DSS).
- We completed baseline testing based on PCI-DSS.
- We passed PCI compliance audits on the POS systems.
Team 4 – testing and auditing
What would you like to change for testing going forward?
- A comprehensive approach to testing and auditing will include all assets, not just those that fall under compliance regulations.
- We need to test ALL the subsystems going forward, not just the credit card systems.
Team 4 – testing and auditing
How would you test your interactions with vendors and suppliers?
- Require vendors to use commercial virus-checking software and other security precautions on the systems that interface with ours. Commercial virus scanning software would have prevented the malware used in the attack on the vendor machines (antivirus is one layer; it does not guarantee detection of new or targeted malware, so it should be paired with the other controls listed here).
- Security skills assessment and appropriate training: require vendors to go through basic security training or agree to train their staff. This can be verified by auditing the vendor's security training records. With trained staff, the malware delivered by the phishing attack would have failed and the attackers would not have obtained the vendor portal credentials.
- Begin testing for two-factor authentication on vendor access.
Team 4 – testing and auditing
What assurances can your testing provide to your leadership?
- Using lessons learned and approved comprehensive testing and audit procedures, we can assure leadership that when the next attack happens, the threat will be detected and identified quickly enough for us to react and recover in a timely manner.
Team 5 – interfaces and trust
Team 5: Senior Corporate Operations Group
What is the best way to manage the risk of others interfacing with our network and systems?
- Focus on being proactive.
- Understand ALL asset vulnerabilities.
- Timely incident response.
- Implement comprehensive testing and audit procedures.
How should you control others on your network for access and authorization?
- Compartmentalize/segregate users based on roles and needs.
- Use two-factor authentication.
- Periodic review of authorized users.
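The three access controls above (segregating users by role, two-factor authentication, and periodic review of authorized users), together with Team 4's point about testing vendor accounts for two-factor authentication, can be exercised as a recurring audit check rather than left as policy statements. The following Python script is an added example, not part of the team's slides or of any Target system: the role-to-group mapping, the account export format and the sample accounts are constructed for illustration, and a real deployment would read the export from the identity provider instead.

```python
"""Access-review check: flag accounts that violate role segregation,
vendor accounts without MFA, and accounts whose last review is overdue.

Added example; not from the slides. The export format, role map and
sample accounts below are constructed for illustration.
"""
from datetime import date, timedelta

# Hypothetical mapping from role to the groups that role is allowed to hold.
# A group outside this set means the account has more access than its role needs.
ROLE_GROUPS = {
    "hvac_vendor": {"vendor-portal", "billing-upload"},
    "pos_admin": {"pos-admin", "pos-readonly"},
    "store_staff": {"pos-readonly"},
}

# Constructed sample export (not real accounts). In practice this would come
# from the identity provider or directory.
SAMPLE_ACCOUNTS = [
    {"user": "v.acme01", "org": "vendor", "role": "hvac_vendor",
     "groups": ["vendor-portal"], "mfa_enabled": False,
     "last_reviewed": "2024-01-15"},
    {"user": "v.acme02", "org": "vendor", "role": "hvac_vendor",
     "groups": ["vendor-portal", "pos-admin"], "mfa_enabled": True,
     "last_reviewed": "2024-05-01"},
    {"user": "j.doe", "org": "internal", "role": "pos_admin",
     "groups": ["pos-admin"], "mfa_enabled": True,
     "last_reviewed": "2024-05-20"},
    {"user": "k.lee", "org": "internal", "role": "store_staff",
     "groups": ["pos-readonly"], "mfa_enabled": True,
     "last_reviewed": "2023-11-01"},
]


def review_accounts(accounts, today_iso, review_window_days=90):
    """Return a list of (user, finding, detail) tuples.

    Findings:
      unknown_role        - role has no entry in ROLE_GROUPS, cannot be checked
      group_outside_role  - account holds groups its role does not permit
      vendor_without_mfa  - external (vendor) account with MFA disabled
      review_overdue      - last access review older than the window
    """
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=review_window_days)
    findings = []
    for acct in accounts:
        user = acct["user"]
        allowed = ROLE_GROUPS.get(acct["role"])
        if allowed is None:
            # Fail closed: an unmapped role is itself a finding.
            findings.append((user, "unknown_role", acct["role"]))
            continue
        extra = sorted(set(acct["groups"]) - allowed)
        if extra:
            findings.append((user, "group_outside_role", ",".join(extra)))
        if acct["org"] == "vendor" and not acct["mfa_enabled"]:
            findings.append((user, "vendor_without_mfa", ""))
        if date.fromisoformat(acct["last_reviewed"]) < cutoff:
            findings.append((user, "review_overdue", acct["last_reviewed"]))
    return findings


def accounts_with_findings(findings):
    """Distinct users that need action, in stable order."""
    seen = []
    for user, _, _ in findings:
        if user not in seen:
            seen.append(user)
    return seen


if __name__ == "__main__":
    for user, finding, detail in review_accounts(SAMPLE_ACCOUNTS, "2024-06-01"):
        print(f"{user:10} {finding:20} {detail}")
```

The check fails closed on an unmapped role so that a new role cannot silently bypass the review, and the review window is a parameter so the same script can enforce a shorter cycle for vendor accounts than for internal staff.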
Team 5 – interfaces and trust
Team 5: Senior Corporate Operations Group
What should be required of vendors and sub-contractors to work with your systems?
- A Service Level Agreement (SLA).
- They should meet the PCI compliance requirements.
How do you ensure proper training and certification of sub-contractors and vendors?
- Require certification documentation to be sent to the IA office when updated or annually, or require their IA office to submit training reports.