4-3 Activity - Privacy Laws and Compliance Controls
4-3 Activity: Privacy Laws and Compliance Controls
Chris Lawton
Southern New Hampshire University
CYB 260: Legal and Human Factors of Cybersecurity
Prof. Aaron Dozier
September 24, 2023
Summary
In 2015 it was announced that a breach had occurred at the U.S. Office of Personnel Management (OPM). It was discovered by a security engineer who was in the process of decrypting a portion of the agency's Secure Sockets Layer (SSL) traffic. During that work, they noticed outbound traffic that should not have been there, and it was then that they discovered the network had been compromised. The malware installed on the network was used to exfiltrate millions of SF-86 forms, the forms used to gather sensitive information on personnel applying for a security clearance. Attackers also got away with millions of people's fingerprints.
The breach occurred because OPM neglected to take proper action after a previous attack, and because of key faults within OPM's network infrastructure. The network had previously been attacked in 2013, and during that attack the hackers gained access to blueprints of OPM's network architecture. After that attack, security should have been tightened with a more layered approach: multi-factor authentication, more routine system log audits, and a managed detection and response solution. Some of these measures were neglected, which highlights the key faults within the network infrastructure. The network architecture focused on perimeter defense rather than on the security solutions that were available. The agency's assistant inspector general for audits even went on record during the hearing to characterize OPM's cybersecurity as having a "long history of systemic failures to properly manage its IT infrastructure."
Privacy Laws
There are two privacy laws that I believe relate directly to the OPM breach. The first is the Federal Information Security Management Act (FISMA). This act was put in place to reduce the risk of a breach that could expose federal information and data. The National Institute of Standards and Technology (NIST) provides the key security standards and guidelines that must be followed to stay compliant with FISMA. Had the OPM network security team followed those guidelines and stayed compliant with the standards set forth, their risk of a breach would have been minimized.
The second law that I believe relates to the OPM breach is the Health Insurance Portability and Accountability Act (HIPAA). While OPM is not a health insurance company, the SF-86 forms it stores contain sensitive Protected Health Information (PHI), such as previously reported substance abuse and any psychiatric care that may have been received. Because the breach exposed millions of SF-86 forms, OPM had clearly not taken proper measures to secure this sensitive PHI, so it was in direct violation of HIPAA.
Jurisdiction
Under FISMA, the head of OPM is responsible for complying with the standards set forth by NIST in order to stay compliant with the law. It is their responsibility to ensure that proper measures are taken to protect the security and privacy of the data kept within their network. It is also their responsibility to conduct annual security reviews to ensure that all security measures are up to date, since attacks keep growing and hackers find new ways to exploit a system to gain access to sensitive information. Next, under HIPAA, responsibility for compliance lies with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. While it does not have direct jurisdiction over OPM, it can report HIPAA violations that occur to Congress.
Reporting the Breach
There are a few regulations an organization must follow when reporting a breach of its systems. As outlined in FISMA, all major security breaches are required to be reported to Congress within 7 days of the breach. OPM was also required to notify the approximately four million individuals whose PII was compromised within 60 days of the breach. A breach response team is then formed to help mitigate further data loss, to outline the applicable privacy compliance documentation, and to ensure records are not duplicated by sharing information across the agency. This response team also helps to outline the lessons learned.
CIS Controls
There are four CIS Controls I would like to outline that could have helped minimize the OPM breach.
1. Continuous Vulnerability Management: this would have helped by continuously searching for vulnerabilities within the system to ensure they were fixed before an attack could occur.
2. Malware Defenses: this could have helped prevent PlugX, a remote access trojan, had malware defenses been deployed within the network to monitor and scan for malware.
3. Boundary Defense: this could have helped through the use of IDS monitoring software to notify system admins of unusual data packet activity. The system admins would then be able to respond much more quickly to minimize damage.
4. Data Protection: this control is straightforward and should be a must-use control. It states that whatever means are necessary must be used to ensure data is protected, for example encryption with strong keys. It is much harder for an attacker to exploit data that is properly encrypted.