1. Identify & describe the failure points in TJX's security that require attention (including People, Work Process, and Technology)
Many failures combined to create the largest breach of personal data ever reported in the history of IT security. The people associated with the attack who need attention are the top-level executives and the Payment Card Industry Data Security Standard (PCI DSS) auditors. The top-level executives need to understand that IT security is a business issue and not just a technology issue. The article shows how, by cutting corners and trying to "save" money by not investing in IT security, a breach cost them hundreds of millions of dollars in losses, which affects not only the bottom line but also the image and reputation of TJX. The second major issue was the PCI DSS auditors, whose job was to prevent this from happening. According to the paper, the PCI DSS auditors failed to identify three key security issues in the protection of TJX's network: the absence of network monitoring, the absence of log data, and the presence of unencrypted data stored on the system. Another factor was the inexperience of the employees working inside the stores and their lack of knowledge about what equipment belonged there and how it was used, which allowed the perpetrators to use USB drives to upload software to the kiosk terminals available in the stores.
The work process used by TJX to collect, retain, and store customer information when a return is made without a receipt is insecure. The collection of unnecessary personal information and the length of time that information is kept in the system before it is archived are the main issues, and this process needs to be reviewed. Collecting only the most important and basic information from the customer and storing it for a short period of time, or perhaps not accepting returns without a receipt at all, might be a good solution for this.