Highlight the most significant IT control deficiencies that you noted from your discussions with the key leaders.
Bullzeye is a discount retailer offering a wide range of products, including home goods, clothing, toys, and food. The company is a regional retailer with 10 brick-and-mortar stores as well as a popular online store. Due to the recent credit card data breaches at various prominent national retail companies (e.g., Target, Home Depot, Staples), the Bullzeye Board of Directors has taken particular interest in information security, especially as it pertains to the protection of credit cardholder data within the Bullzeye environment. The Board has asked executive management to evaluate and, where needed, strengthen the enterprise’s information security infrastructure.
In order to respond to the Board regarding its preparedness for a cyber-security attack, the Chief Financial Officer (CFO) has engaged your IT consulting firm to identify the inherent risks and recommend control remediation strategies to prevent, or to detect and appropriately respond to, data breaches. Your firm has been requested to liaise with the Internal Audit Department during the engagement. Your first step is to gain an understanding of Bullzeye’s IT environment. The Chief Audit Executive (CAE) schedules a meeting with key Bullzeye leadership personnel, including the CFO, Chief Information Officer (CIO), and Chief Information Security Officer (CISO). The following key information was obtained.
Background
IT Security Framework/Policy – Bullzeye has an information security policy, which was developed by the CISO. The policy was developed in response to an internal audit conducted by an external firm hired by the CAE. The policy is not based on one specific IT control framework but considers elements contained within several frameworks. An information security committee has recently been formed to discuss new security risks and to develop mitigation strategies. The committee will meet monthly and include the CISO and other key IT Directors reporting to the CIO. In addition, a training program was implemented last year to provide education on various information security topics (e.g., social engineering, malware). The program requires that all staff within the IT department complete an annual information security training webinar and corresponding quiz. The training program is complemented by a monthly e-mail sent to IT staff, which highlights relevant information security topics.
General IT Environment – Most employees in the corporate office are assigned a standard desktop computer, although certain management personnel in the corporate and retail locations are issued a laptop if they can demonstrate a need to work remotely. The laptops are given a standard Microsoft Windows operating system image, which includes anti-malware/anti-virus software and patch management software, among others. In addition, new laptops are now encrypted; however, desktops and existing laptops are not currently encrypted due to budget concerns. The user provisioning procedures require that the access level assigned by the IT administrator be approved by the user’s supervisor. The IT administrator generally determines the access level based on the access level of the former employee or of other staff in the department. User accounts are configured to require strong, complex passwords that must be changed every 12 months. Procedures are established to periodically confirm that the user is still employed and therefore continues to require the assigned access level, and to disable user access upon employment termination.
Servers and Network – Procedures are established to patch servers; however, certain servers are not being patched at the frequency recommended by the operating system vendor. In addition, the servers responsible for processing or storing credit card data are not segmented from the rest of the network. These servers store the following cardholder data in plain text: card numbers (referred to as “primary account numbers”), cardholder names, and expiration dates. CVV2 codes (the three- or four-digit number printed on the back/front of a card) used for verifying online purchases are not stored on the servers. User access to the servers is role-based and limited to members of the “administrator” role, which also provides the ability to add and remove users to/from the network.
Bullzeye contracts with several vendors to maintain key portions of the IT environment, including the Point of Sale (POS) application that processes credit card transactions. In accordance with the responsibilities outlined in the contract, the vendors are responsible for managing their administrator access to Bullzeye’s systems and data, which includes new user provisioning and disabling access for former employees. The contract also requires that the vendors implement strong information security control requirements in maintaining the Bullzeye IT environment.
The Bullzeye network is protected from external attacks via both firewalls and an intrusion detection system (IDS), which identifies unusual and potentially malicious activity. The IDS relies on its database of previously identified attacks (signatures) to detect potentially malicious activity. It is configured to notify IT Infrastructure staff in the event that malicious activity is detected. The notification is sent via e-mail to a designated account, which is reviewed weekly by IT staff.
Point-of-Sale (POS) Devices – The POS terminals (cash register computers with credit card readers) used in-store were last patched 12 months ago. Additionally, the operating system image installed on the POS terminals was a default image that did not include anti-malware/anti-virus software. The POS terminals, which are connected to the Bullzeye network, are configured to load the cash register software upon startup, which prevents the user (generally a cashier) from entering the operating system environment. Because the organization has not adopted Endpoint Encryption for the credit card transaction lifecycle, card data scanned at the card reader is stored in unencrypted plain text.
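Both the server and POS descriptions above state that primary account numbers are held in plain text. A readiness assessment normally verifies such a statement by scanning exports and logs for cardholder data rather than relying on interviews alone. The following scanner is an added example written for this page; it is not part of the IIA case study and does not describe any Bullzeye system. It looks for 13- to 19-digit sequences, keeps only those that pass the Luhn check (so an order reference that merely looks like a card number is not reported), and records only a masked form of each hit so the assessment working papers do not themselves become a store of cardholder data. The sample export is constructed and uses well-known payment-brand test numbers.

```python
"""Plaintext PAN discovery scan (added example, not part of the case study).

Scans text such as a database export or POS log for candidate primary account
numbers, keeps those that satisfy the Luhn checksum, and reports each hit by
source and line number with the PAN masked. Luhn-valid strings can still be
false positives, so findings are leads for the assessment team to confirm.
"""
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits; mask the rest."""
    if len(digits) <= 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str, source: str = "<input>") -> List[Dict[str, object]]:
    """Return a list of {source, line, masked} findings for Luhn-valid PANs."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append(
                    {"source": source, "line": lineno, "masked": mask_pan(digits)}
                )
    return findings


# Constructed sample resembling a transaction export. Rows 2-4 hold brand test
# numbers (Luhn-valid); row 5 is a 16-digit order reference that fails Luhn;
# row 6 is a test number with a corrupted check digit.
SAMPLE_EXPORT = """\
txn_id,cardholder,pan,expiry
1001,A. Sample,4111 1111 1111 1111,09/26
1002,B. Sample,5555555555554444,11/25
1003,C. Sample,378282246310005,01/27
1004,order-ref,1234567890123456,n/a
1005,D. Sample,4111111111111112,05/26
"""


def scan_sample() -> List[Dict[str, object]]:
    """Run the scanner over the constructed export (hypothetical source name)."""
    return find_pans(SAMPLE_EXPORT, source="pos_export_sample.csv")


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"{hit['source']}:{hit['line']}  {hit['masked']}")
```

Run against a real export, the scanner would be pointed at the card-processing servers' storage and the POS terminals' local files; a non-empty result confirms the plaintext storage finding and gives a line-level inventory to drive the encryption or tokenization remediation.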
Information Security Improvement Project – A capital project has been approved for the current fiscal year to strengthen information security. It is expected that the project will be executed in phases over the next three years. A project budget for year 1 has been established and a project charter is under development. It is expected that the project will include internal IT staff as well as external consulting resources plus hardware and software costs. The CIO expressed some concern regarding Bullzeye’s bandwidth to support this initiative as well as to perform ongoing IT operational support for the enterprise, including other project work. The CFO expressed some concern regarding the source of funding to support both the operational and capital costs for years 2 and 3 of the project. The CFO and CIO agreed to provide you with the latest update of the project management implementation guide and the associated capitalization policy.
Insurance – The CFO plans to investigate the purchase of cybersecurity insurance in order to limit the financial exposure to the costs associated with the forensic investigation that is typically required after a data breach, as well as credit monitoring and legal fees associated with any lawsuits filed against the company as a result of a breach.
Bullzeye Data Breach Readiness Assessment
IIA – Case Study
Questions
Your firm has been requested to present its assessment findings and recommendations at an upcoming meeting attended by key executives in preparation for the next scheduled Board of Directors meeting. Please respond to the following information requests and questions in your presentation remarks.
- IT Control Environment – Describe the associated risk implication for each deficiency.
- IT Control Environment – What best practice control techniques would you recommend to correct the control deficiencies identified?
- IT Control Environment – Are there any established or planned IT controls that appear to be well designed?
- Data Breach Prevention – What technology options being considered by other retailers to reduce the likelihood of credit card information being stolen should Bullzeye consider implementing?
- Data Breach Response – What protocols should Bullzeye implement in order to enhance its response in the event of a data breach? Be sure to consider the lessons learned from data breaches at the national retailers regarding the effectiveness of their response plans.
- Capital Project – Identify the key financial (e.g., budgeting, cost capitalization) and operational (e.g., system development life cycle) project risks and recommend how these risks should be addressed. Be sure to reference applicable accounting standards and relevant project governance best practices.
- Capital Project – What key activities should the Internal Audit department include in its annual Audit Plan with regard to the IT Security project? What factors should the CAE consider in determining what resources (internal or external) to assign to this audit project?
- Insurance – What factors should the CFO consider in conjunction with investigating the purchase of cybersecurity insurance?