Equifax Case Study Report



University of Wisconsin, Stout




Information Systems


Feb 20, 2024





Uploaded by KidArt9882 on coursehero.com

1. Do you think Equifax executed an incident response effort that aligns with the incident response process discussed in lesson 5?

   - No. I think Equifax failed in the very first stage of the process, preparation. They failed to upscale and prepare their IT after their rapid growth period from 2005-2017. Because of this, Equifax accrued a massive amount of tech debt, which indicates the lack of preparation of Equifax's IT infrastructure and teams. They also failed to adequately prepare for the public's response to the incident. This is evident in the failures of the call center and website they set up to help affected customers. Equifax knew the scale of people affected by the incident, and yet they failed to prepare call center workers and web servers for the amount of network traffic they would receive.

2. Given that resources are almost always constrained, what improvement to the IT or security environment would you choose to implement first and why?

   - I would immediately start working on the tech debt that has been accrued. As seen in this case study, tech debt can be the root cause of a breach. Addressing tech debt can also be the cheapest option to improve security for an organization. Typically, a company already has what it needs to reduce tech debt: it already has the manpower, and most tech debt pertains to misconfigured software that has already been bought and implemented. Thus, since tackling tech debt is usually the cheapest and sometimes also the most impactful change a company can make, it is the first thing I would try to implement after an incident.

3. In the U.S. House of Representatives oversight report, there is a good discussion on the reporting relationship of the Chief Information Security Officer. At the time of the incident the CISO reported to the Chief Legal Counsel. In the report, it is stated repeatedly that a better structure would be to have the CISO report to the Chief Information Officer. The Equifax CISO now reports to the CEO. Which reporting structure do you feel would be best from a cyber incident response perspective?

   - I follow the same philosophy as the report, in that the best approach is for the CISO to report to the CIO. I say this because the CIO has the baseline understanding and comprehension behind the issues the CISO will be bringing to them. The CIO has some kind of history or background knowledge in IT that enables them to better understand the issues the CISO is facing, whereas a CEO may not have that same understanding and thus may not fully comprehend the issue. In essence, I think the CIO is better equipped to receive reports from the CISO than the CEO.