4-3 Activity - Privacy Laws and Compliance Controls

Chris Lawton
Southern New Hampshire University
CYB 260: Legal and Human Factors of Cybersecurity
Prof. Aaron Dozier
September 24, 2023
Summary

In 2015 it was announced that a breach had occurred at the U.S. Office of Personnel Management (OPM). It was discovered by a security engineer who was in the process of decrypting a portion of the Secure Sockets Layer (SSL) traffic. During the process, they noticed outbound traffic that should not have been there, and it was then that they discovered the network had been compromised. The malware installed on the network was used to steal millions of SF-86 forms, the forms used to gather sensitive information on personnel applying for a security clearance. Attackers were also able to get away with millions of people's fingerprints.

The breach occurred because proper action was not taken after a previous attack, and because of some key faults within OPM's network infrastructure. The network had previously been attacked in 2013, and during that attack the hackers gained access to blueprints of OPM's network architecture. After that attack, security should have been tightened with a more layered approach, such as multi-factor authentication, more routine system log audits, and a managed detection and response solution. Some of these measures were neglected, which highlights the key faults within the network infrastructure: the architecture focused on perimeter defense and did not make use of available security solutions. The agency's assistant inspector general for audits even went on record during the hearing to characterize OPM's cybersecurity as having a "long history of systemic failures to properly manage its IT infrastructure."

Privacy Laws
There are two privacy laws that I believe relate directly to the OPM breach. The first is the Federal Information Security Management Act (FISMA). This act was put in place to reduce the risk of a breach that could expose federal information and data. The National Institute of Standards and Technology (NIST) provides the key security standards and guidelines required to stay compliant with FISMA. Had the OPM network security team followed those guidelines and stayed compliant with the standards set forth, their risk of a breach would have been minimized.

The second law that I believe relates to the OPM breach is the Health Insurance Portability and Accountability Act (HIPAA). While OPM is not a health insurance company, the SF-86 forms it stores contain sensitive Protected Health Information (PHI), such as past reported substance abuse and psychiatric care that may have been received. Because the breach exposed millions of SF-86 forms, OPM did not take proper measures to secure this sensitive PHI, so it was in direct violation of HIPAA.

Jurisdiction

Under FISMA, the head of OPM is responsible for complying with the standards set forth by NIST in order to stay compliant with FISMA. It is their responsibility to ensure proper measures are taken so that the security and privacy of the data kept within their network is maintained. It is also their responsibility to conduct annual security reviews so that all security measures stay up to date as attacks evolve and hackers find new ways to exploit a system and gain access to sensitive information. Next, under HIPAA, the responsibility for compliance lies with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. While it does not have direct jurisdiction over OPM as an agency, it can report HIPAA violations that occur to Congress.

Reporting the Breach

There are a few regulations an organization must follow when reporting a breach of its systems. As outlined in FISMA, all major security breaches are required to be reported to Congress within 7 days of the breach. OPM was also required to notify the approximately four million individuals whose PII was compromised within 60 days of the breach. A breach response team is then formed to help mitigate further data loss, outline the applicable privacy compliance documentation, and ensure records are not duplicated by sharing information across the agency. This response team also helps to outline the lessons learned.

CIS Controls

There are four CIS Controls I would like to outline that could have helped minimize the OPM breaches.

1. Continuous Vulnerability Management: this would have helped by continuously searching for vulnerabilities within the system so that they were fixed before an attack could occur.
2. Malware Defenses: this could have helped prevent PlugX, a remote access trojan, by being deployed within the network to monitor and scan for malware.
3. Boundary Defense: this could have helped through the use of IDS monitoring software to notify system admins of unusual data packet activity. The system admins would then be able to respond much more quickly to minimize damage.
4. Data Protection: this control is straightforward and should be a must-use control. It states that data must be protected by any means necessary. This can be done by encryption with strong keys; it is much harder for an attacker to exploit data that is encrypted properly.
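The following is an added example, not part of the original assignment and not any real OPM configuration, that illustrates the kind of boundary-defense check described in control 3 above and the way the breach in the Summary was first noticed (outbound traffic that should not have been there). It runs a simple egress policy over a few constructed flow records: internal hosts are expected to reach the outside only through an approved proxy and resolver, so any direct outbound connection elsewhere, or an unusually large outbound transfer, produces a finding for the system admins to review. The internal address range, the proxy and resolver addresses, the byte threshold and the sample records are all assumptions.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed policy (assumptions, not OPM's real configuration): the address
# space that counts as "inside", and the only outside-facing services an
# internal host may reach directly. Everything else must go through the proxy.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_EGRESS = {
    ("10.0.0.5", 3128),   # hypothetical web proxy
    ("10.0.0.53", 53),    # hypothetical DNS resolver that forwards outside
}
# Constructed threshold: a single flow sending more than this many bytes out
# is unusual enough to be worth a look.
LARGE_TRANSFER_BYTES = 50_000_000


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of our own (assumed) networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form ts,src,dst,dport,bytes_out."""
    ts, src, dst, dport, bytes_out = line.strip().split(",")
    return Flow(ts, src, dst, int(dport), int(bytes_out))


def check_flow(flow: Flow) -> list[str]:
    """Return the reasons a flow should be alerted on (empty if it looks normal)."""
    reasons: list[str] = []
    if not is_internal(flow.src):
        return reasons                      # only outbound traffic from inside is in scope
    approved = (flow.dst, flow.dport) in APPROVED_EGRESS
    leaves_network = approved or not is_internal(flow.dst)
    if not leaves_network:
        return reasons                      # internal-to-internal: not a boundary event
    if not approved:
        reasons.append(f"direct outbound connection to {flow.dst}:{flow.dport} bypasses the proxy")
    if flow.bytes_out > LARGE_TRANSFER_BYTES:
        reasons.append(f"large outbound transfer of {flow.bytes_out} bytes")
    return reasons


def scan(lines: list[str]) -> list[tuple[Flow, list[str]]]:
    """Run check_flow over every record and keep only the flows with findings."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        reasons = check_flow(flow)
        if reasons:
            alerts.append((flow, reasons))
    return alerts


def alerts_per_host(alerts: list[tuple[Flow, list[str]]]) -> dict[str, int]:
    """Count findings per internal source host, so admins know which machines to look at first."""
    return dict(Counter(flow.src for flow, _ in alerts))


# Constructed sample records, not real telemetry: ts,src,dst,dport,bytes_out
SAMPLE_FLOWS = [
    "2023-09-24T02:10:01,10.1.4.22,10.0.0.5,3128,18200",        # normal browsing via the proxy
    "2023-09-24T02:10:03,10.1.4.22,10.0.0.53,53,120",           # normal DNS lookup
    "2023-09-24T02:10:09,10.1.4.22,10.1.9.40,445,90000",        # internal file share, out of scope
    "2023-09-24T02:11:40,10.1.4.22,203.0.113.17,443,71000000",  # direct to an unknown outside host, large
    "2023-09-24T02:12:05,10.1.7.8,203.0.113.17,443,4200",       # direct to an unknown outside host
    "2023-09-24T02:12:30,10.1.7.8,10.0.0.5,3128,64000000",      # large upload, but through the proxy
]

if __name__ == "__main__":
    found = scan(SAMPLE_FLOWS)
    for flow, reasons in found:
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}: " + "; ".join(reasons))
    print("findings per host:", alerts_per_host(found))
```

Against the constructed records the scan reports three flows: the 71 MB direct connection (two reasons), the small direct connection, and the 64 MB upload through the proxy (the volume check still applies to approved egress, since an exfiltration over the sanctioned path is the case a perimeter-only design misses). In practice the allowlist and threshold would be derived from a baseline of normal traffic rather than hard-coded.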