Requirement: 1. The report must include at least 15 references out of which at least five (5) of them must be peer-reviewed journal articles and at least two (2) books (EXCLUDING Dubé and Bernier...

question 1 on page 4 only


Requirement: 1. The report must include at least 15 references out of which at least five (5) of them must be peer-reviewed journal articles and at least two (2) books (EXCLUDING Dubé and Bernier (2011) AND our textbook (Romney and Steinbart, 2018) and/or previous editions (Romney et al., 2013; Romney and Steinbart, 2015). Additional marks will be given to those groups that go beyond this requirement and include additional references (see marking rubric for more details). 2. You must follow the American Psychological Association (APA) referencing style for citation and referencing (see: http://guides.lib.monash.edu/ld.php?content_id=12586146). 3. The target case: https://hbsp.harvard.edu/tu/7b423b40 Question that I need to do: After reading the Target case study, you need to write a report about cybersecurity and information systems controls. The report should answer the following questions: 1. Dubé and Bernier (2011) developed a Risk Management Approach for IT solutions (see Appendix below) which is comprised of five (5) steps. In steps 1 and 2 of the Risk Management Approach, Dubé and Bernier (2011) discuss the sources of risk that companies should analyse and, if necessary, protect themselves against in order to safeguard their systems and data. Step 1 of the Approach involves identifying potential sources of risk including employees, organisational or business partners, hackers and technology components. 1. a)  Analyse how each source of risk including employees, organisational or business partners, hackers and technology components contributed to the data breach. In other words, what role did each of those actors play in the cyberattack? 2. b)  Taking into account the role of each of the sources of risk that you analysed above (part 1a), explain one control measure for each given source of risk that Target should have implemented to protect itself. Appendix Risk Management Approach for IT solutions (Source: Translated from Dubé and Bernier, 2011, p. 240-241) Each of a company’s critical information systems require a five-step risk management approach allowing for an in-depth analysis of risks: Step 1: Identify potential sources The first step is to establish the most significant and frequent potential sources of risk that could hurt the organisation. They are: · Employees, whether intentionally or unintentionally; · Organisational/business partners, whether intentionally or unintentionally; · Hackers whose deliberate intention is to hurt the organisation; · Technology components (for example, IT components such as software) Step 2: Clarify the nature of the risk Once the different sources of risk have been identified, draw up a list of the events that could harm the company for each of these potential sources of risk. Risks will be related to: · Data, including: o Data theft o Improper use of data o Destruction of data o Breach of data confidentiality o Unauthorised modification of data (for example, by a virus or intruder) · The use of software and hardware, including: o The faulty functioning of an infrastructure component o The abnormal functioning of an application o An unauthorised operation by a user o An error by a user of an application o The shutdown and inaccessibility of a server Step 3: Determine the impact (potential losses) and resulting costs The impact is the consequence of the materialisation of the risk on the IT components and, consequently, on the organisation’s activities. The most significant potential consequences include: · Interruption of the company’s activities · Loss of revenue · Harm to the company’s reputation · Harm to the brand’s prestige · Theft of trade secrets Edward Tello Chief Examiner ACC ACF 2400 s2 2018 6 • Lawsuits Once the company has established the potential risk sources, the nature of the risks and their impact, it must evaluate the potential losses resulting from each of the events identified. This cost assessment is the only way to determine the scale of the impact and the relevance of implementing the appropriate controls. Step 4: Determine control measures (as well as their cost) If, based on the identification of the source and nature of the risk, the company decides that action is needed, it must then decide on the control(s) to be implemented and their cost (as with any assessment, consideration must be given to the total cost of ownership; i.e. not only the initial cost, but also the costs related to management, follow-up and upgrades of each of the controls). Thus, the cost of the control environment must be proportional to the estimated potential losses. Step 5: Proceed with the implementation and ensure follow-up and continuous assessment It is important to regularly assess the effectiveness of the controls in relation to new technological developments and the increased capacity of hackers and other sources (for example, lengthen encryption keys used), to manage updates (for example, updating of antivirus software), to reconfigure firewalls (if attacks on the company increase), etc. Even if the company’s information system are stable, the technological environment and the skills of hackers are constantly evolving. A return to steps 1 and 2 will be necessary to reassess risks. Autopsy of a Data Breach: The Target Case Volume 14 Issue 1 March 2016 Autopsy of a Data Breach: The Target Case Case1, 2 prepared by Line DUBÉ3 On December 19, 2013, Target, the second-largest retailer in the United States, announced a breach involving the theft of data from over 40 million credit and debit cards used to make purchases in its U.S. stores between November 27 and December 18.4 On January 10, 2014, it reported that the cybercriminals had also stolen personal data, including the names, telephone numbers, home addresses and email addresses of up to 70 million additional customers. The Discovery As is often the case in such situations, Target learned of the data breach from law enforcement agencies. Indeed, on December 13, 2013, representatives from the U.S. Department of Justice notified Target’s management of a large number of fraudulent debit and credit card transactions that all seemed to share a link to transactions made at Target. Following this meeting, Target hired a computer forensics firm to investigate the breach. The results confirmed its worst fears: cybercriminals had been hacking into Target’s systems and stealing data from 40 million debit and credit cards used in its U.S. establishments since November 27. Target wasted no time eradicating all the software used by the cybercriminals, but despite the company’s eagerness to stifle the news, word got out and reporters started asking questions. On December 19, under growing pressure, Target announced the breach and theft of the data. Its website and call centre were quickly inundated with calls from worried consumers, creating a nightmare scenario for its customer service department. To make matters even worse, the breach 1 Translation from the French by Andrea Neuhofer of case #9 65 2016 001, “Autopsie d’un vol de données : le cas Target.” 2 This case was written using public information sources and therefore reflects the facts, opinions and analyses published in the media. The blog by the investigative reporter Brian Krebs (krebsonsecurity.com), an expert in the field of computer security, was also a valuable source of information. See the list of publications used at the end of the case. 3 Line Dubé is a full professor in HEC Montréal’s Department of Information Technologies. 4 This date varies between December 15 and 18, depending on the source. December 18 is used here because it is the date given by John Mulligan, Target’s Executive Vice-President and Chief Financial Officer, in testimony before the U.S. Senate Committee on the Judiciary on February 4, 2014 (see http://www.judiciary.senate.gov/meetings/privacy-in-the-digital-age-preventing-data- breaches-and-combating-cybercrime). © HEC Montréal 2016 All rights reserved for all countries. Any translation or alteration in any form whatsoever is prohibited. The International Journal of Case Studies in Management is published on-line (http://www.hec.ca/en/case_centre/ijcsm/), ISSN 1911-2599. This case is intended to be used as the framework for an educational discussion and does not imply any judgement on the administrative situation presented. Deposited under number 9 65 2016 001T with the HEC Montréal Case Centre, 3000, chemin de la Côte-Sainte-Catherine, Montréal (Québec) H3T 2A7 Canada. HEC130 This document is authorized for use only in Dr Edward Tello's ACC/ACF2400 S2 2018 ACCOUNTING INFORMATION SYSTEMS at Monash University from Jul 2018 to Jan 2019. http://www.hec.ca/en/case_centre/ijcsm/ http://www.judiciary.senate.gov/meetings/privacy-in-the-digital-age-preventing-data-breaches-and-combating-cybercrime http://www.judiciary.senate.gov/meetings/privacy-in-the-digital-age-preventing-data-breaches-and-combating-cybercrime Autopsy of a Data Breach: The Target Case occurred during the pre-Christmas shopping season, which included Black Friday, one of the busiest days of the year for “brick-and-mortar” retailers. The data breach affected approximately 10% of all debit and credit cards in circulation in the United States. The financial institutions that had issued the cards from which data had been stolen reacted swiftly to Target’s announcement. Normally, in order to minimize losses, the banks would simply cancel the cards and issue new ones. However, because of the sheer number of cards affected and the massive costs involved, and because the holiday season is a very bad time to leave consumers unable to pay for purchases (without the possibility of paying by credit card or withdrawing cash from an ATM using a debit card), the banks sought alternative solutions. JP Morgan Chase, for example, which had at least two million affected customers, quickly placed strict limits on withdrawals ($100 in cash per day; $300 limit on card purchases) by its potentially affected customers until new cards could be issued. The banks, left alone to manage the breach, faced extraordinary financial and logistical challenges. At the same time, Target launched a major public relations operation. It assured its customers that the technological component responsible for the breach had been found and destroyed and that they could continue to confidently shop in its stores. It also pledged that no one would be held liable for fraudulent transactions and offered a free subscription to a credit monitoring service. With the assistance of a specialized firm, Target continued its investigation of this major breach in an effort to get to the bottom of what had gone wrong. The U.S. Justice Department and Secret Service did the same. So, What Did Happen? Experts agree that the attack was perpetrated by cybercriminals who used a well-known strategy and what are in fact fairly conventional technological tools. Between November 15 and 27, the hackers managed to penetrate Target’s point-of-sale network (most cash registers today are actually computers) and to install malware on the terminals. The malware resembled a widely known program called