
Auditing: A Risk Based-Approach to Conducting a Quality Audit
10th Edition
ISBN: 9781305080577
Author: Karla M Johnstone, Audrey A. Gramling, Larry E. Rittenberg
Publisher: Karla M Johnstone, Audrey A. Gramling, Larry E. Rittenberg
Chapter 9: Auditing The Revenue Cycle
Section: Chapter Questions
Problem 24MCQ
Question

Case Study A Scenario

A major retailer asked the IS auditor to review their readiness for complying with credit card company requirements for protecting cardholder information. The IS auditor subsequently learned the following information. The retailer uses wireless point-of-sale registers that connect to application servers located at each store. These registers use wired equivalent protection (WEP) encryption.

The application server, usually located in the middle of the store’s customer service area, forwards all sales data over a frame relay network to database servers located at the retailer’s corporate headquarters and, using strong encryption over an Internet virtual private network (VPN), to the credit card processor for approval of the sale.

Corporate databases are located on a protected screened subset of the corporate local area network. Additionally, weekly aggregate sales data by product line is copied from the corporate databases to magnetic media and mailed to a third party for analysis of buying patterns. It was noted that the retailer’s database software has not been patched in over two years. This is because vendor support for the database package was dropped due to management’s plans to eventually upgrade to a new ERP system.

REQUIRED: Choose and Explain Briefly

1. Which of the following would present the MOST significant risk to the retailer?

A. Wireless point-of-sale registers use WEP encryption.

B. Database patches are severely out-of-date.

C. Credit cardholder information is sent over the Internet.

D. Aggregate sales data are mailed to a third party.

2. Based on the case study, which of the following controls would be the MOST important to implement?

A. Store application servers should be located in a secure area.

B. Point-of-sale registers should use two-factor authentication.

C. Wireless access points should use MAC address filtering.

D. Aggregate sales data sent offsite should be encrypted.
