Running head: BUSINESS IS RISK ASSESSMENT

Business IS Risk Assessment


Ray Ruiz, Mark Robey, Christiaan Jansen
CMGT/442
March 25, 2015
Rassoul Alizadeh

When developing a business's information system architecture, some requirements are easy to see. Information Technology and business professionals usually want the same thing: performance. They want to ensure that they have the most up-to-date equipment with the fastest processors and the largest storage capacity. What most individuals fail to identify in their requirements are the elements needed to maintain the availability, integrity, and confidentiality of the system. Availability includes ensuring that the high-performing equipment and applications remain up and running for the business, while integrity includes ensuring that the information residing on the system is authentic and trustworthy. Lastly, all of this information must be protected so that only the individuals with a need to know can view the data on the information system.

There are many risks involved with planning, installing, and maintaining information system architecture. Businesses need to work alongside IT professionals and, more importantly, Information System Security professionals in order to maximize the security of their systems by identifying risks and ways to mitigate them. Team A has been contracted to identify, evaluate, and advise Target, an American retail company, on its information systems' availability, integrity, and confidentiality. In order to accomplish this review, Team A will examine 10 different Information Security areas. These areas include physical security; legal, regulations, investigations, and compliance; security operations; security architecture and design; access control; telecommunications and network security; information security governance and risk management; and lastly business continuity and disaster recovery. These ten domains are critical in ensuring that Target's information system will be confidential and available, and will maintain its integrity.

Physical Security
Target has many locations across the nation that need to be secured from physical threats. While each retail store may be located in a different area, they all need to provide the same level of security for their information systems and data. The purpose of physical security mechanisms is to protect people, data, equipment, and facilities (Harris, 2013). During our review of Target's physical security, Team A found that, like most other major retailers, Target's physical security provides the means of deterring criminal activity. This includes 8 ft. fences around the rear of the building near the loading dock in order to deter highly determined criminals. Also, the use of security guards provides the human factor that helps dissuade potential criminals. These guards are located at the front entrance of the store and in a security area away from customer view, where they monitor activity via closed-circuit television (CCTV) cameras. In addition to deterring threats, Target has also incorporated mechanisms intended to delay criminals. These include the use of locks on doors and ID cards with swipe access for employee areas. The front access to the store is a combination of sliding glass doors and regular open/lock doors. The sliding doors are intended to fail closed: if power to the sensor is lost, the door shuts in the closed and locked position. In order to ensure customer and employee safety, each door has a built-in push handle that can unlock the door from the inside to let personnel out. As mentioned before, Target has installed a CCTV system in order to detect internal and external intruders. The CCTV monitors the inside areas of the store and works in conjunction with an alarm system in order to detect threats from the outside. Target's alarm system also provides a notification service to local police and fire personnel should the fire alarm or secure-area alarms be triggered. This gives Target the ability to focus on the issue at hand while the authorities are on their way.

Overall, Target has taken the necessary steps to ensure a quality physical security system. With each store being in a different location across the country, each store will have to take preventative measures against the environmental threats specific to its area.
Legal, Regulations, Investigations, and Compliance
Today's marketplace incorporates many regulations and standards in the business and IT environment in order to protect both business and consumer data. With the increase in technology used by organizations, it is imperative that companies like Target follow these regulations and practices to provide data integrity as well as compliance. Harris (2013) stated, "Personally identifiable information (PII) is data that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual" (p. 1007). It is the responsibility of companies like Target to protect their customers' information and to control who has access to it. The United States Federal Privacy Act of 1974 and the Gramm-Leach-Bliley Act of 1999 are a few of the laws put in place to ensure that companies are complying. As stated in Privacy Act of 1974 (2015), "The Privacy Act of 1974, 5 U.S.C. 552a, establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals" (para. 1). Target recently failed to uphold the standards and regulations of these laws when its point-of-sale (POS) system was hacked during November of 2013. In total, 40 million credit card numbers were stolen, leaving Target in violation of the Payment Card Industry Data Security Standard (PCI-DSS), which provides a framework for credit card payment security processes (PCI Security Standards Council, 2015). Ways to resolve this issue will be discussed in a different section of our review of the company. For now, it is important to realize that while Target was in compliance with the PCI-DSS, it was still susceptible to an attack.

Security Operations
The objective of security operations at Target is to ensure that networks, computer systems, applications, and their environments continue to stay up and running in a secure manner. Team A has recommended the following actions take place in order to provide Target with a quality security operations department. Our recommendation is that Target identify key organizational roles and their responsibilities. By clearly identifying the Information System roles, the company can be sure that it is assigning the right duties to individuals with the appropriate skills. The roles Team A suggests include: a Control Group, which obtains information from analysts, administrators, and users; Systems Analysts, who design data systems based on user requirements; a Security Administrator, who defines, configures, and maintains security mechanisms for the organization; Network and Database Administrators, who create new databases and install and maintain LAN/WAN environments; and Quality Assurance, which ensures that activities throughout the organization are in compliance with standards and regulations. With clearly identified roles, Team A suggests that Target implement security operations procedures such as separation of duties in order to minimize mistakes and help protect against internal threats. By separating duties, Target can develop a checks-and-balances approach to its information system. One such example is when Target requires that a Database Administrator develop a new database with customer information. Once complete, someone from the Security Quality Assurance section should evaluate the database for both security and functionality. If the Database Administrator is left to inspect his or her own work, he or she could potentially focus solely on functionality and approve an insecure database. Additionally, Team A suggests that job rotation be implemented at Target. According to Harris (2013), "Job rotation means that, over time, more than one person fulfills the tasks of one position within the company" (p. 1236). By rotating individuals through different job functions, Target can identify any foul play or mistakes. This helps ensure that the integrity of one area is not dependent on one person and, more importantly, that one person is not allowed total control over a specific area. By implementing Team A's suggestions for security operations, Target can improve upon its current security posture.
Security Architecture and Design
Team A has also reviewed the security architecture and design of Target. The overall goal of the security design is to ensure that the systems architecture remains confidential and available, and that the information/data never loses its integrity. We recommend that Target follow ISO/IEC/IEEE 42010, Systems and software engineering - Architecture description. This will give Target an approach to its architecture that increases quality, interoperability, and security (Harris, 2013). ISO/IEC/IEEE 42010 addresses the creation, analysis, and sustainment of system architectures through the use of architecture descriptions. This allows for the creation of a secure environment from the ground up. This means purchasing and employing products that have been certified and accredited under the International Organization for Standardization (ISO) Common Criteria. The Common Criteria is a globally recognized and accepted model that validates the assurance of products. Products are then assigned Evaluation Assurance Level (EAL) ratings based on testing. The levels range from EAL1 through EAL7, with EAL7 being the highest rating, indicating that the product has a formally verified design. We recommend that Target acquire and employ products that have a minimum EAL rating of EAL6 (semiformally verified design and tested). This will provide quality products while not requiring spending on costly products that have attained an EAL7 rating.
Access Control
Implementing access control methodologies will allow Target to control how users and systems interact with other systems. Access control relies on four key components: identification, authentication, authorization, and accountability. Identification is the process by which a subject (a user or program) claims an identity; authentication then verifies that the subject is who it claims to be. Identification will be accomplished at Target by the use of usernames and employee numbers. In order to authenticate subjects, Team A recommends the use of passwords for employees and cryptographic keys for systems and applications. Authorization will be granted by various services such as Directory Access Protocol, web access management, and password management services. One recommendation that Team A suggests for immediate implementation is the use of SecurID from RSA Security Inc. This system uses time-based tokens to generate one-time passwords for users, which are then matched by the RSA Authentication Manager when the user attempts to log on to a machine. Once authenticated, the user can log on, and the password used is consumed and cannot be used again. This ensures that an external threat cannot capture and reuse a user's password, since it is generated and used once. For physical access to areas of the store, we recommend that Target continue using its smart card system, which requires each employee to swipe their card in a card reader for access to secure areas.
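As an added illustration of the one-time password behavior described above (a constructed example, not RSA SecurID's implementation and not part of the original paper): a time-based code derived by HMAC over a 30-second counter, and a server-side verifier that records the last time step it accepted so that a code presented a second time is refused. The seed value and the usernames are made up.

```python
import hashlib
import hmac
import struct
import time

# Constructed illustration (not RSA's SecurID implementation): an RFC 6238-style
# time-based one-time code, plus a verifier that remembers the last time step it
# accepted for each user, so a code that has been used (or observed) is rejected.

STEP_SECONDS = 30   # the displayed code changes every 30 seconds
DIGITS = 6          # length of the displayed code
SKEW_STEPS = 1      # tolerate one step of clock drift on either side


def totp_code(seed: bytes, counter: int) -> str:
    """Derive the code for one time step: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


class TokenAuthenticator:
    """Server side: holds each user's token seed and the newest time step already consumed."""

    def __init__(self) -> None:
        self.seeds = {}         # username -> token seed
        self.last_step = {}     # username -> highest time step accepted so far

    def enroll(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed
        self.last_step[user] = -1

    def verify(self, user: str, code: str, now: float) -> bool:
        """Accept only if the code matches a step in the drift window AND is newer than the last one used."""
        seed = self.seeds.get(user)
        if seed is None:
            return False
        current = int(now // STEP_SECONDS)
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if step <= self.last_step[user]:
                continue  # already consumed: a replayed code fails even though it is "correct"
            if hmac.compare_digest(code, totp_code(seed, step)):
                self.last_step[user] = step
                return True
        return False


if __name__ == "__main__":
    demo_seed = b"constructed-demo-seed"  # a real token seed would be a random secret
    server = TokenAuthenticator()
    server.enroll("alice", demo_seed)
    code = totp_code(demo_seed, int(time.time() // STEP_SECONDS))  # what the token would display
    print("first use accepted:", server.verify("alice", code, time.time()))
    print("replay accepted:   ", server.verify("alice", code, time.time()))
```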
Once users are logged on to Target's information system, Team A recommends the use of a single sign-on technology such as Kerberos. As mentioned in Harris (2013), "Kerberos is an authentication protocol and was designed in the mid-1980s as part of MIT's Project Athena. It works in a client/server model and is based on symmetric key cryptography" (p. 209). Kerberos works off of a Key Distribution Center (KDC) that holds the users' and services' keys. This provides both authentication and key distribution functionality. Users and services do not trust each other, but they trust the Kerberos system, which in turn authenticates each principal (users and services). This allows a user to log on to one system and traverse the architecture without having to log on to each system in the IS architecture. The Kerberos system provides the authentication for the users and services.
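As an added illustration of the Kerberos model the paper describes (constructed toy code, not MIT Kerberos and not part of the original paper): the KDC shares a long-term key with each principal, issues a ticket sealed under the service's key and a reply sealed under the client's key, and the service authenticates the client without ever learning the client's key. The keyed-HMAC stream stands in for a real cipher; the principal names and keys are assumed.

```python
import hashlib
import hmac
import json
import os

# Constructed toy model of the Kerberos idea described above. It is NOT MIT
# Kerberos and uses no real cipher: a keyed HMAC-SHA256 keystream plus an HMAC
# tag stands in for the symmetric encryption that real Kerberos uses.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal(key: bytes, message: dict) -> bytes:
    """Toy authenticated encryption of a small JSON message under a shared key."""
    nonce = os.urandom(16)
    data = json.dumps(message).encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first; a wrong key (forged ticket) raises instead of yielding garbage."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("ticket or authenticator failed integrity check")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

class KDC:
    """Key Distribution Center: the only party that knows every principal's long-term key."""

    def __init__(self, long_term_keys: dict) -> None:
        self.keys = long_term_keys

    def issue_ticket(self, client: str, service: str, now: float, lifetime: float = 300.0):
        """Return (ticket for the service, reply for the client), both carrying a fresh session key."""
        session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client, "session": session, "expires": now + lifetime})
        reply = seal(self.keys[client], {"service": service, "session": session})
        return ticket, reply

def client_authenticator(client_key: bytes, reply: bytes, client: str, now: float) -> bytes:
    """The client recovers the session key with its own key and proves possession of it."""
    session = bytes.fromhex(unseal(client_key, reply)["session"])
    return seal(session, {"client": client, "time": now})

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: float, max_skew: float = 300.0) -> str:
    """The service never sees the client's key: it trusts the KDC's ticket and checks the authenticator."""
    t = unseal(service_key, ticket)
    if t["expires"] < now:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["session"]), authenticator)
    if a["client"] != t["client"] or abs(a["time"] - now) > max_skew:
        raise ValueError("authenticator does not match ticket")
    return t["client"]
```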
Telecommunications and Network Security
Having the greatest security controls on the local network and systems is useless if Target is vulnerable over telecommunications and data network links. After careful evaluation of Target's IS architecture, we recommend the following. Beginning at Layer 1 of the OSI model, the Physical Layer, we recommend that Target revisit its current cabling and change it from unshielded twisted pair (UTP) to shielded twisted pair (STP) copper. This will protect the internal cabling at each location from radio frequency interference and electromagnetic interference, as well as from external threats trying to tap (or listen in on) any data being passed. Protecting the physical aspect of the infrastructure is critical to establishing secure communications and data handling. Additionally, ensuring the use of the correct cabling types and lengths will aid in preventing signal loss and reduced transmission capability. Layer 2 security controls should be implemented as well. The IEEE MAC security standard 802.1AE, commonly referred to as MACsec, will help Target provide data confidentiality, integrity, and authentication (Harris, 2013). This is accomplished by integrating security protection at the MAC layer, so that only authenticated and trusted devices can communicate on the network. When a protected frame arrives at a device on the network, the MACsec entity decrypts it and compares the integrity check value carried in the frame with the value it recomputes over the received frame; a frame whose check fails is dropped. This will prevent hackers from placing an unauthorized device on Target's network and receiving data traffic. The security at this layer aids in preventing unauthorized access. Moving up the OSI layers to Layers 3 and 4, we recommend that Target implement virtual local area networks (VLANs) in order to segregate data traffic. By breaking up the network logically, Target can ensure that its users' workstations are allowed access only to their required resources. Additionally, any compromise of a system can be restricted to that VLAN only. Internet Protocol Security (IPsec) should also be implemented. IPsec uses the following protocols to provide a secure tunnel through the network: Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Security Association and Key Management Protocol (ISAKMP), and Internet Key Exchange (IKE). Combined, these protocols provide data authentication and prevent unauthorized modification. The use of Encapsulating Security Payload is what provides confidentiality of the traffic. By implementing our recommendations in the telecommunications and network systems, we are confident Target will deploy a more secure system.
Information Security Governance and Risk Management
Along with our assessment of Target's current information security posture, we recommend the implementation of a new security framework and awareness training. One framework that we recommend to Target is the ISO/IEC 27000 series. This framework covers the development of an Information Security Management System (ISMS) and will guide Target through its requirements, implementation, auditing, and certification. ISO/IEC 27000 will help Target follow the Plan-Do-Check-Act (PDCA) cycle. This cycle will enable Target to plan information security objectives, implement those plans, measure the results, and provide direction on correcting any shortfalls (Harris, 2013). Target will then have the opportunity to seek accreditation from a third party in order to provide proof that it has done its due diligence in securing its information systems.
Business Continuity and Disaster Recovery
With all business operations comes uncertainty about what happens if a disaster or incident brings down the business. Target has already experienced a major IT security incident with the compromise of its POS system. It is important to implement and execute proper recovery plans. Business continuity management deals with the availability, reliability, and recoverability of the business and its information systems. While business continuity focuses mainly on the continuance of business operations, disaster recovery focuses more on the recovery of the business's information systems. The following are the key steps Target must take in order to develop a quality Disaster Recovery Plan:
1. Develop a planning policy statement in order to provide the guidance necessary to develop the plan.
2. Conduct a business impact analysis (BIA) to identify the critical functions of the business IT systems and prioritize them.
3. Identify preventive controls in order to counteract any threats and vulnerabilities.
4. Develop recovery strategies in order to identify the processes by which systems will be recovered.
5. Identify contingency plans so that business functions can still go on.
6. Test the plans so that any flaws can be identified and employees can gain familiarity with their roles within the plan.
7. Maintain the plan so that changes are made when system changes, employee terminations, or business changes occur. This also includes training on the plan.
Maintaining a quality Disaster Recovery Plan will ensure that Target can continue its operations in the event of a disaster.
By following Team A's recommendations, Target can set itself up for success in the Information Security realm. There are many risks involved with planning, installing, and maintaining information system architectures, but with the right preventative measures Target can mitigate many of them. Team A examined 8 different Information Security areas. These areas included physical security; legal, regulations, investigations, and compliance; security operations; security architecture and design; access control; telecommunications and network security; information security governance and risk management; and lastly business continuity and disaster recovery.

References

Harris, S. (2013). CISSP All-in-One Exam Guide (6th ed.). New York, NY: McGraw-Hill.
ISO. (2011). ISO/IEC/IEEE 42010, Systems and software engineering - Architecture description. Retrieved from http://www.iso.org/iso/catalogue_detail.htm?csnumber=50508
PCI Security Standards Council. (2015). PCI SSC Data Security Standards Overview. Retrieved from https://www.pcisecuritystandards.org/security_standards/index.php
Target. (2015). About Target. Retrieved from https://corporate.target.com/about
