Tuesday, February 11, 2014

ERM-BC-COOP:

Vendor with access to data may be an unanticipated risk

According to the Philadelphia Business Journal and other internet sources, hackers apparently accessed Target's database by using a subcontractor's network credentials.

The Wall Street Journal reports that a Pittsburgh, PA refrigeration contractor began working with Target in 2006, installing and maintaining refrigeration systems in stores as the discounter expanded its fresh food offerings. Through that relationship, the contractor was linked remotely to Target's computer systems for "electronic billing, contract submission and project management."

Target's exposure comes from its IT security advisors' failure to ask the important "What if" questions.

"What if" someone hacked into a vendor's system that has access to our (in this case, Target's) system?

Given that "What if," the vendor's client - Target - had several options, two of which were:

  1. Isolate its customer database from the systems to which the vendor had access
  2. Have its own IT security personnel, or a qualified IT security organization, review the vendor's security measures - both data and physical access. If the security was found lacking, Target could have

    • Denied the vendor access to Target's systems
    • Helped the vendor secure its systems to Target's requirements
    • Found another vendor

How difficult would it have been for Target to determine if the vendor's systems were secure?

It could have required the vendor to submit a risk management/business continuity plan, even if the plan was sanitized.

It could have insisted that the vendor have a high level of data and physical security.

It should have prevented vendor access to its customer database or, if the vendor genuinely required some access, put multiple layers of security (a separate network segment, vendor-only credentials, monitoring of what those credentials touch) between the vendor's entry point and the customer data.
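As an added illustration, not from the original post and not a description of Target's or the contractor's real network, here is one way to express the "isolate the customer database" option as a checkable rule set. It assumes a hypothetical zone layout (a contractor VPN pool, a billing/project-management portal segment, a corporate segment and a cardholder-data segment), an explicit allow-list of which zone may talk to which on which port, and some constructed flow records. Anything not on the allow-list is denied, so a vendor address reaching the customer database, or a portal host pivoting toward it, shows up as a violation.

```python
"""Zone-based allow-list check for vendor network access.

Added example, not part of the original post. The zones, addresses,
ports and flow records below are all constructed for illustration and
do not describe Target's or any vendor's real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical zone layout (assumption): the contractor's remote access
# terminates in its own segment and is allowed to reach only the billing /
# project-management portal, never the segment holding POS and customer data.
ZONES = {
    "vendor_remote": ipaddress.ip_network("198.51.100.0/24"),  # contractor VPN pool
    "vendor_portal": ipaddress.ip_network("10.10.0.0/24"),     # e-billing, contracts, project mgmt
    "corporate":     ipaddress.ip_network("10.20.0.0/16"),     # internal staff and apps
    "cardholder":    ipaddress.ip_network("10.30.0.0/16"),     # POS and customer database
}

# Explicit allow-list of (source zone, destination zone, destination port).
# Anything not listed is denied, which is the "isolate the customer database"
# option from the text expressed as a rule set.
ALLOWED = {
    ("vendor_remote", "vendor_portal", 443),
    ("corporate", "vendor_portal", 443),
    ("corporate", "cardholder", 5432),  # hypothetical DB port used by in-house apps only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it matches no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse a constructed key=value flow record such as
    'src=198.51.100.7 dst=10.10.0.5 dport=443 proto=tcp'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])


def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one flow under the zone allow-list."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return "deny"  # unclassified addresses get no implicit trust
    if src_zone == dst_zone:
        return "allow"  # intra-zone traffic is out of scope for this check
    return "allow" if (src_zone, dst_zone, flow.dport) in ALLOWED else "deny"


def audit(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every record through the policy; return (record, src_zone, dst_zone)
    for each flow the allow-list would have blocked."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if decide(flow) == "deny":
            violations.append((line, zone_of(flow.src), zone_of(flow.dst)))
    return violations


# Constructed sample flow records (not real log data).
SAMPLE_FLOWS = [
    "src=198.51.100.7 dst=10.10.0.5 dport=443 proto=tcp",   # vendor -> portal: expected
    "src=198.51.100.7 dst=10.30.4.12 dport=445 proto=tcp",  # vendor -> cardholder: must be blocked
    "src=10.10.0.5 dst=10.30.4.12 dport=5432 proto=tcp",    # portal host pivoting to DB: must be blocked
    "src=10.20.1.9 dst=10.30.4.12 dport=5432 proto=tcp",    # in-house app -> DB: expected
]

if __name__ == "__main__":
    for record, src_zone, dst_zone in audit(SAMPLE_FLOWS):
        print(f"DENY {src_zone} -> {dst_zone}: {record}")
```

The same allow-list can be used two ways: as the specification a firewall between the segments is configured from, and as a detection rule run over actual flow logs to confirm the firewall is doing what the specification says. The second use is the "review" step from the list above applied to Target's own side of the connection rather than the vendor's.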

I'm sure there are many more things Target could have, should have, done, but I am not an IT maven. Had I been part of Target's risk management operation, I would have consulted with my IT and security Subject Matter Experts (SMEs).

Failing to ask the "What if" questions has taken a toll on both Target's financial bottom line and on its reputation.

It could have been avoided if only someone had asked "What if?"
