Vincent Cooper Cyb 260 Module Fourt Privacy Laws and Compliance Controls (1)
4-3 Activity: Privacy Laws & Compliance Controls
Vincent K. Cooper
Department of Computer Science, Southern New Hampshire University
CYB-260-R3460 Legal and Human Factors of Cyb
February 8th, 2024

1. Summarize:
On April 15th, 2015, the OPM discovered that millions of background checks containing very sensitive data had been compromised. The data was in the form of SF-86 forms, which hold the background check information. Even biometric data was compromised, which made services relying on that form of security unsafe. Although the data was stolen, it is said that it has not been used since the breach occurred. The breach was originally discovered by security engineer Brendan Saulsbury, who was decrypting Secure Sockets Layer (SSL) traffic moving through the OPM's private network. What alarmed him was outbound traffic that was not normally there; this was the first sign that the OPM's network had been compromised. In 2013, a cyber attack took place that began the chain of events leading to the 2015 attack: the hackers obtained blueprints of the OPM's network, which gave them details on how it was set up and secured. The OPM decided to monitor this attack rather than act on it, before deciding in May of 2014 to do a complete system reset that was supposed to purge the hackers from the network. That same month, another group used login credentials stolen from a key point obtained in the previous group's intrusion into the OPM network. With these credentials they were able to create a 'back door' into the network, which effectively made them undetectable when logging into and accessing it. The OPM had no clue until April 15th, 2015. Because the network infrastructure focused on preventative measures rather than also on security solutions that could act on a compromise once it had happened, the network was compromised by these hackers for possibly over a year without their knowledge.

2. Privacy Laws:
After carefully reviewing each privacy law from the list, I decided that both the E-Government Act of 2002 and the Federal Information Security Management Act (FISMA) of 2002 relate most closely to the scenario. The E-Government Act was enacted to improve the flow of electronic government processes by electing a Federal Chief Information Officer from the Office of Management and Budget. Basically, its purpose is to let federal agencies take advantage of how much faster and more efficient government processes are with the use of computers and networks, including interactions with citizens and other government entities. Background checks would fall under this act. All federal agencies must conduct a privacy impact assessment (PIA) for any new or greatly modified technology that maintains, collects, or disseminates information deemed personally identifiable; this also applies to new pieces of data. I believe this act relates to the scenario because the OPM would have had to follow this law, and if they had followed the proper guidelines provided by the Office of Management and Budget (OMB) on conducting a privacy impact assessment, things could have been caught much earlier. FISMA was enacted to improve the security and privacy of sensitive data located within the Federal Government's computer systems. The act also requires the creation and use of computer security designs and plans, which in turn require training for the users and owners of these systems. I believe this act is relevant to this scenario because the law would apply to the OPM, since they were tasked with keeping sensitive data safe and failed to do so. To be more specific, instead of building a security infrastructure that could also act swiftly and efficiently when determining there was a compromise of the sensitive data, their network infrastructure focused on preventative measures. They were also aware of previous compromises and chose measures other than combing through the network, identifying compromises, and remediating them while also patching the infrastructure to prevent the same or a similar cyber attack from happening. They assumed the problem was over when they decided to do a complete system reset rather than diagnosing the compromises to begin with. This was clearly neglect on OPM's behalf, and it is evident they did not properly follow the FISMA guidelines provided by the National Institute of Standards and Technology (NIST).

3. Jurisdiction:
The Director of the U.S. Office of Personnel Management (OPM) is responsible for following FISMA guidelines and laws and for ensuring the law is applied within OPM's operations. The Director is also responsible for following the guidelines provided by OMB in relation to the E-Government Act, for obtaining yearly reviews of the network infrastructure's security, and for making sure it stays up to date with current guidelines as they change in an attempt to keep up with the many new ways hackers are finding to compromise the network and the sensitive data it holds.

4. Law(s) requiring OPM to report their breach:
The Security Breach Notification Law, which exists in all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands, requires private businesses to notify people when their personally identifiable information is involved in a data breach. In most states, this law also requires government entities to notify. FISMA also requires the reporting of security breaches. Since the Security Breach Notification Law differs for each state and territory, I will use an example. In California, if the security breach requires notice to be sent to more than 500 residents, a copy of the security breach notification, excluding any personally identifiable information, must be sent electronically to the Attorney General. The people whose information has been compromised must be notified as soon as possible. If it is determined that notification would impede a law enforcement investigation, the notice should be sent as soon as the investigation deems it appropriate. Some states require 45 days while others require 60. Some states do not even require notification unless it is believed that the information will be used. HIPAA requires the individual(s) to be notified within 60 days. FISMA requires this notification to be sent to Congress within a week.

5. CIS Controls:
Data Protection establishes protocols and measures to identify, classify, safeguard, store, and securely dispose of data. Monitoring this control would have helped minimize the breach, because the data would have been much more difficult to exploit if an extra layer of protection (such as strong encryption) had been applied to it. Continuous Vulnerability Management requires the creation of a strategy to consistently evaluate and monitor vulnerabilities across all organizational resources within the infrastructure. The purpose of this control is to remediate vulnerabilities and reduce the window in which potential hackers can exploit them. This control would have made it possible for them to catch the exploits in time, before serious damage such as the data breach was done. Boundary Defense has the primary objective of guaranteeing that access points to the network are distinctly established and monitored. This control would have made it possible for them to quickly and efficiently discover the hackers' entry points into the network, and it could possibly have made it impossible for them to create the backdoor in the first place. Malware Defenses is a control responsible for safeguarding enterprise assets by proactively preventing or regulating the installation, dissemination, and execution of harmful applications, code, and scripts. If utilized by OPM, the installation of the remote access trojans by the hackers could have been proactively stopped or quickly caught.
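The outbound traffic "that wasn't normally there" which tipped off Saulsbury, and the monitoring of network access points that Boundary Defense calls for, can be illustrated with a baseline-and-compare check over egress flow records. This is an added example, not part of the activity or of any OPM tooling; the flow records, addresses and field names (ts, src, dst, bytes_out) are constructed for illustration.

```python
# Added example (not from the activity): baseline-and-compare check for outbound
# traffic "that wasn't normally there". Flow records and field names are constructed.
from collections import defaultdict

# Constructed "normal" egress flows from the internal network.
BASELINE = [
    {"ts": "2015-03-01T09:00", "src": "10.1.1.20", "dst": "198.51.100.10", "bytes_out": 12000},
    {"ts": "2015-03-01T09:05", "src": "10.1.1.20", "dst": "198.51.100.11", "bytes_out": 8000},
    {"ts": "2015-03-02T11:00", "src": "10.1.1.31", "dst": "198.51.100.12", "bytes_out": 4000},
]

# Constructed flows from a later window: one new destination and one oversized transfer.
NEW_WINDOW = [
    {"ts": "2015-04-14T22:10", "src": "10.1.1.20", "dst": "198.51.100.10", "bytes_out": 11000},
    {"ts": "2015-04-14T23:30", "src": "10.1.1.20", "dst": "203.0.113.77", "bytes_out": 9000},
    {"ts": "2015-04-15T01:00", "src": "10.1.1.31", "dst": "198.51.100.12", "bytes_out": 250000},
]


def build_baseline(flows):
    """Per source host: destinations seen and the largest single transfer."""
    dests = defaultdict(set)
    max_bytes = defaultdict(int)
    for f in flows:
        dests[f["src"]].add(f["dst"])
        max_bytes[f["src"]] = max(max_bytes[f["src"]], f["bytes_out"])
    return dests, max_bytes


def find_anomalies(baseline, flows, volume_factor=5):
    """Return (flow, reason) pairs for egress that deviates from the baseline:
    a source host never seen, a destination the host never contacted, or a
    transfer larger than volume_factor times the host's largest historical one."""
    dests, max_bytes = baseline
    findings = []
    for f in flows:
        src = f["src"]
        if src not in dests:
            findings.append((f, "unknown source host"))
        elif f["dst"] not in dests[src]:
            findings.append((f, "new external destination"))
        elif f["bytes_out"] > volume_factor * max_bytes[src]:
            findings.append((f, "outbound volume above baseline"))
    return findings


if __name__ == "__main__":
    for flow, reason in find_anomalies(build_baseline(BASELINE), NEW_WINDOW):
        print(f"{flow['ts']} {flow['src']} -> {flow['dst']}: {reason}")
```

In practice the baseline would be rebuilt from weeks of flow logs and the findings routed to an analyst, but the two checks shown are the core of what a monitored boundary gives a defender that pure prevention does not.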