Threat modeling allows you to systematically identify and rate
the threats that are most likely to affect your system (Microsoft, 2003). By identifying and rating threats based on a
solid understanding of the architecture and implementation of your application,
you can address threats with appropriate countermeasures in a logical order,
starting with the threats that present the greatest risk (Microsoft, 2003). The threat
model is a program that was created to enable companies to better secure their
network and assets according to their individual network configuration.
of Ethics and Security Policies
Information is one of Target’s most valued assets. We use it every
day to make decisions about our business, from the way we market and advertise
to how we communicate to our guests and the public (Target, 2015). No matter what area of Target you work in, you
have access to information that could affect Target, our guests and our team
members if it falls into the wrong hands or is handled inappropriately (Target, 2015). In fact, there are laws that
require us to protect certain types of information and specify how it should be
protected. Target’s Information Security Policy and Standard outlines how
information is classified at Target and how you should protect it throughout
its life cycle (Target, 2015). It appears
that Target does not take security policies lightly, especially after it was the
target of a cybercrime in 2013. The company has taken a strong stance on protecting
the information of its customers and employees, which required it to make
changes to its internal security policies. Target continues to strengthen its
security measures to minimize vulnerabilities in its network and, in turn, the
number of threats it faces.
Security Policies to be Implemented
Security policies that can be implemented on the information
system of Target would be the standards and guidelines recommended by the SysAdmin,
Audit, Network, Security (SANS) Institute. SANS provides multiple
standards, policies and guidelines that are essential to the security as well as
the hardening of the network (SANS, 2018). I believe that one
major security policy that Target should implement is the policy of need to
know: ensuring that employees have appropriate access to the files,
folders and subfolders needed to conduct their job responsibilities. I also think that
removing vendor access to Target’s network and forcing vendors to go through
Target’s employees will eliminate some unnecessary threats to the network.
Ensuring separation of duties is very important in every department. I
would also look into the specifics of the password policy and ensure there is
two-factor authentication along with strong passwords of 12
to 24 characters in length, including a minimum of two lower case, two upper case, two special
characters and two numbers. It is also imperative that a password expiration
period be implemented on each of the employees’ accounts.
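As an added example (not part of the original essay), the following Python checker enforces the password complexity and expiry rules proposed above, the way an account audit would apply them. The 90-day maximum age and the sample accounts are assumptions, since the essay gives no specific expiry period.

```python
from __future__ import annotations
from datetime import date

# Policy parameters taken from the essay's proposed password policy.
MIN_LEN, MAX_LEN = 12, 24
MIN_PER_CLASS = 2          # two lower, two upper, two digits, two specials
MAX_AGE_DAYS = 90          # assumption: the essay names no specific expiry period


def check_complexity(password: str) -> list[str]:
    """Return the list of complexity-rule violations (empty means compliant)."""
    problems: list[str] = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} is outside {MIN_LEN}-{MAX_LEN}")
    counts = {
        "lowercase": sum(c.islower() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        "digit": sum(c.isdigit() for c in password),
        # anything that is neither alphanumeric nor whitespace counts as special
        "special": sum(not c.isalnum() and not c.isspace() for c in password),
    }
    for kind, count in counts.items():
        if count < MIN_PER_CLASS:
            problems.append(f"needs at least {MIN_PER_CLASS} {kind} characters, found {count}")
    return problems


def is_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the maximum age the policy allows."""
    return (today - last_changed).days > max_age_days


def evaluate_account(password: str, last_changed: date, today: date) -> list[str]:
    """Combine the complexity and age checks into one findings list for an audit."""
    findings = check_complexity(password)
    if is_expired(last_changed, today):
        findings.append(f"password older than {MAX_AGE_DAYS} days; rotation required")
    return findings


if __name__ == "__main__":
    # Constructed sample accounts for illustration only.
    audit_day = date(2018, 6, 1)
    sample = {
        "jdoe": ("Tr0ub4dor&3!Xy", date(2018, 4, 15)),    # compliant and fresh
        "vendor01": ("password1234", date(2017, 11, 1)),  # weak and expired
    }
    for user, (pw, changed) in sample.items():
        findings = evaluate_account(pw, changed, audit_day)
        print(user, "OK" if not findings else "; ".join(findings))
```

In practice a checker like this runs against the directory's password-change timestamps rather than stored passwords, which should never be available in the clear; the complexity check applies at the moment a password is set.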
Components of Asset Security Standards/Governance
Asset Security Standards derived from the Office of the Chief
Information Officer, Washington State:
Proper policies need to be in place within the
organization. The documentation will be the groundwork of the company
emphasizing the importance of security measures and practices.
IT Risk Assessment
Implementing security scanning software that
will scan the network and provide IT personnel with the known vulnerabilities.
This tool will assist in the mitigation of threats and attacks.
Security Design Review and Risk Assessment
Having a plan in place to look at the risk
assessment and make informed decisions on what the critical threats are and the
vulnerabilities that the company is willing to take on. The security design
will ultimately make the difference in the company’s ability to mitigate
IT Security Assessment
Assessing the network and locating vulnerabilities,
coupled with ensuring the proper placement of policies, will allow a proper
security assessment. The impact this will have on the company is large
because it assesses the security threat.
Education and Awareness
The education and awareness training will repay
the company immediately, as IT personnel receiving additional training gain
the knowledge to help secure the network better. They will also have additional
awareness from the knowledge gained. Personnel who receive training in
security awareness will add an additional layer of security to the company.
Ensuring that the company is in compliance
with security policies is vital to network security. Being within compliance
standards will eliminate many vulnerabilities and assist in keeping the network
Proper auditing by the company will ensure that
people have not gained access to the network without proper permissions. An
audit will ensure that the passwords of users and administrators are within
compliance. An audit of the security logs and events will allow proper third-party
review of the network.
Keeping up with maintenance will minimize downtime
of the network. Maintaining proper backups of the data and creating proper
storage networks is important for the company to ensure that it is still
able to recover after a natural disaster.
is derived from Diligent:
approach cybersecurity as an enterprise-wide risk management issue.
It is important
for the board members of Target to understand that recognizing cybersecurity as
an enterprise-wide issue gives Target the ability to act on their need to
understand the legal implications of cyber risk.
Understanding the legal implications of cyber risk and the obligations the company has to its
customers is very important.
have access to experts in cybersecurity and include the subject on their
Meeting with
experts in cybersecurity to better analyze new and upcoming threats is very
important for the company. This means that the company has the ability to get
ahead of threats and vulnerabilities.
encourage management to establish “an enterprise cyber-risk management
An enterprise cyber-risk management framework is important to keep and maintain so that it
stays in working order and helps mitigate vulnerabilities and threats.
discuss risk treatment, including which risks should be mitigated, transferred
and avoided, and how to do so.
Discussing risk treatment and mitigation at the board level is important. The board level is
also the approval level that allocates the budget. This is important to
remember because cybersecurity measures and frameworks are not cheap but, as we
know, are a necessity.