Question
1. Question Thread #1A: What do you think is meant by “Controls”? The author of this article describing the Target data breach is arguing that different controls could have prevented this bad event for Target. Before we can agree or disagree with the author’s premise, let me ask you: What do you think the author means by the term “controls” in the Target situation?
2. Question 1B: Threats demonstrated by the Target data breach. In describing the attack vectors of the Target data breach, what kinds of different threats to an information system is the author telling us about? (You may want to see pages 12-17 of the Target article.)
3. Question Thread #1C: The “ilities” at Target. Forgetting about controls, IT security and threats for a moment, let’s just consider Target’s information systems infrastructure (see p. 175) as a mass retailer. For Target’s IT, which of the “ilities” (see p. 180-185) is the most important for the agility of its IT infrastructure? Which of these “ilities” is least significant?
4. Thread #2A: Realism of recommendations for Target. Given what we have discussed about which are the critical “ilities” that underlie the overall agility of Target’s IT infrastructure, can you tell me which of the author’s recommendations (see p. 18-24 in the article) are realistic for a company like Target? In order to help you out, let me present one example of a very useful and realistic recommendation, along with one that is not: “Software is inventoried and white listed on POS machines.” This recommendation for whitelisting (as described in more detail on page 11) is quite realistic; moreover, by restricting the number and types of applications that are allowed to be run on the Point-of-Sale hardware (i.e. the cash registers in the store), this would only increase the reliability and performance of these devices as well. On the opposite end of the spectrum we have: “Separation of duties would have prevented insiders from having end-to-end system knowledge or access.” For an organization that needs to have an IT infrastructure that “supports change” as much as Target does (this is the textbook definition of agility), it is hard to imagine a worse recommendation than to diminish the degree to which insiders at Target have end-to-end knowledge of business and IT processes.
5. Thread 2B: Comparison with Trinity. In a general sense, how does the apparent success of implementing controls at Trinity compare to what was described at Target? Of course, this comparison may be difficult since the Trinity case addresses financial and process controls somewhat enabled by information technology, whereas the Target case concerns the security of financial (i.e. credit card) data. But in a general sense you should be able to draw some conclusions.
Step by Step Solution
Step: 1
1. In this particular instance, I believe that the author is referring to the various security measures that Target had in place to protect their customers' data. This could include things like firewall...