The Role of TJX IT Management in IT Security - Research Paper Example

Abstract Information is the firm’s key strategic asset as it is a vital element in planning and decision making as well as in the day to day business control. Therefore, organizations must make all effort to make sure that their information capitals retain their correctness, integrity, and accessibility. Conversely, ensuring the security of company information assets has become a very complex and challenging action, due to the growing worth of information assets and augmented levels of interconnectivity amongst information systems both inside and among organizations. Indeed, many occurrences of security breaches propose that many organizations are failing to control their information resources efficiently. One increasingly vital mechanism for protecting company information, and in doing so, minimizing the incidences of security breaches, is by the formulation and submission of an official information security policy. Company Background TJX was the leading apparel and home fashion trader in the US, in the off-price section. TJX was graded 138th in the fortune 500 grading for 2006. With 17.4 billion US dollars in retailing for the year conclusion January 2007, the company was more than triple the range of Ross Stores Inc., its closest contestant. The failure points of the top management, middle management, and the user role at TJX. The main goal of information security policy is to offer the ideal operating surroundings for the organization of information security. A good quality security policy must: outline individual tasks, describe authorized and unauthorized uses of the structures, provide places for employee reporting of recognized or suspected threats to the system, describe penalties for breaches and offer a mechanism for revising the policy (Zeller, 2005, p C1). Researching the company revealed four significant documents related specifically to information security. These include computer information security, access control policy, electronic computer policy and information protection policy. The information protection policy is the center of the company’s ISMS. The information protection policy is deliberate to identify and protect all types of information possessed by the corporation or entrusted to it by other corporations. The aims of this policy are to protect against unlawful disclosure and against unlawful modification. It is the responsibilities of the managers and administrative to communicate and make sure compliance with this policy, as all employees who produce and control information are responsible for its safety according to the necessities of this policy. The administration at TJX does not seem to have hired to gripe up operational security or to persuade people to employ strong pass words. The firm’s computer Security Policy stems directly from its information protection policy and outlines the necessary steps to protect both computers and support company operations and the data that is maintained on those computers. This policy caters for not only privacy and truthfulness but also accessibility to ensure services is not denied to authorize users. These three aims are based on the three traits of CIA triangle, confidentiality, integrity, and accessibility, which also form the basis of the team on National Security Systems form of information security (C. Fisher, 2006. P. 47). The work of the managers and executives is to communicate this policy, but all employees are accountable for the firm’s property, information system deliverance, system testing, software safety, configuration administration, cryptography, system connectivity and design, security monitoring management, logging and incident response. In TJX employees were sucked for an online post examining that TJX has not beefed up security following the latest, massive information breach that saw 94 million credit card figures copied by criminals and money from their account stolen (Aplin, 2007, p. 531). The employee stated that, initially their user names were the similar as their pass words. After they needed stronger pass words, some executives complained, so they cooperated by allowing empty pass words. The role of TJX IT management in IT security, policy development, information security, and data and access security The firm’s Access Control Policy affirms that all users will be recognized, authenticated and allowed before granting contact to company information and computers from unlawful access. The policy winds up with a discussion of the procedures for acquiring security admission, securing computing services and protecting worker’s work station. In how bad guys got into the TJX network, "badly secured in-store workstation kiosks are at least partially to blame for acting as gateways to the corporation’s IT systems. According to a source familiar with the investigation, the kiosks, situated in lots of of TJX's retail stores, allows people apply for jobs by electronic means but also permitted direct access to the firm’s network, as they were not sheltered by firewalls. 'The group which started the breach unlocked the back of those terminals and utilized USB drives to load software onto those workstations,' states the source. The responsibilities of the user group in the TJX case. Lastly, the electronic communication security policy is also available. It was established to protect information that is processed, transmitted electronically or stored in support of the company. The policy summarizes the rules for electronic contact system use, as well as telephone and voice mail safety. It appears that the loss of over forty five million credit card figures and more than 450,000 SSNs, driver's license numbers, and military identifications started with somebody using a "telescope-shaped" antenna at a wireless connection at a Marshall's next to St. Paul, Minnesota in July 2005. The connection was encrypted via WEP, which had been identified to be wrecked ever since 2001 (Bunderson, 2001, p. 187). The crackers who found their way into the TJX inner databases are assumed to be Romanians or Russians with connection to the Russian gang. The ultimate cost of the TXJ failure could surpass $1 billion — not counting the numerous complaints filed against the trader. The role of TJX top management in funding and governing IT security For organizations that gather, maintain, and use private data, the laws governing these practices enforce requirements that are uncertain or may differ across jurisdictions or types of information, thereby posturing hard compliance challenges. These challenges may be additionally exacerbated by disagreements in the necessities of numerous state laws (Zeller 2005, p. 41). An overarching feeling in most of these constitutional laws and regulations is to know a duty of care among these institutes regarding the information they collect and preserve based on the consumer’s susceptibility and the real prospective for harm. Recommend improvements and changes to TJX's work process and IT security. In conclusion, since privacy crises such as data breaches are often distinguished by indicators that are best practical after the fact, a healthy governance plan embedded within a culture of moral accountability should, provide a more effectual approach to running privacy because uprightness is incorporated into the organization’s background. The stronger the logic of moral accountability as evidenced by the organization’s management and infused all through the company culture, the more likely the institute will be to have applied sound technical, structural, and bureaucratic improvements. References Aplin, D. G. (2007, April 2). “TJX Says at Least 46.2 Million Credit Cards Affected in Computer Hack, FTC Investigating,” BNA Privacy &Security Law Report (6:14), pp. 531-532. Bunderson, J. S. (2001). “Normal Injustices and Morality in Complex Organizations,” Journal of Business Ethics (33), pp.181-90 C. Fisher, (2006) Manage digital assets with ITIL: Improve product configurations and service management, Journal of Digital Asset Management 2(1), pp. 40–49. Zeller, T. (2005, February 24). “Breach Points up Flaws in Privacy Laws,” NewYork Times, pp. C1 Read More