Assignment Task: Privacy Laws and Compliance Controls
Overview
A major security breach of the U.S. Office of Personnel Management (OPM) exposed a large amount of personally identifiable information (PII) of federal and state employees. The effects of this breach are still being explored, and the full extent of the damage it caused is unknown. This breach has become an important learning experience for cybersecurity professionals. A crucial step in developing an adversarial mindset is to examine laws intended to provide controls and minimize data breaches. This module's resources discuss the steps that can be taken to minimize the possibility of a data breach.
The Center for Internet Security (CIS) developed a simplified set of best practices to help organizations strengthen their cybersecurity. The CIS Critical Security Controls are standards that organizations can use to evaluate their compliance with industry regulations and privacy laws.
You have been preparing for this assignment by summarizing privacy laws and determining who is responsible for ensuring an organization's compliance with the law. You must complete this assignment in your own words. Express your own ideas about how the laws and controls can be applied to this breach. It is a security analyst's responsibility to explain breaches and the controls used to mitigate issues.
The privacy laws you summarized in previous assignments and the CIS Critical Security Controls you learned about in this module are listed below. Use both to complete this activity.
Privacy Laws:
- Americans With Disabilities Act, Section 508
- Cable Communications Policy Act (1984)
- Census Confidentiality Act
- Children's Internet Protection Act (CIPA)
- Children's Online Privacy Protection Act (COPPA)
- Computer Security Act
- Driver's Privacy Protection Act (1994)
- E-Government Act (2002)
- Electronic Communications Privacy Act (1986)
- Federal Information Security Management Act (FISMA)
- Freedom of Information Act (1966)
- Gramm-Leach-Bliley Act
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health (HITECH) Act
- Mail Privacy Statute (1971)
- Payment Card Industry Standards
- Privacy Act (1974)
- Red Flags Rule
- Sarbanes-Oxley Act
- State Data Breach Notification Laws
- U.S. Constitution
- USA Patriot Act
- Wiretap Act (1968, Amended)
CIS Controls:
1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protections
10. Malware Defenses
11. Data Recovery
12. Network Infrastructure Management
13. Network Monitoring and Defense
14. Security Awareness and Skills Training
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing
Prompt:
Before you begin working on this assignment, review the CIS Controls website and this module's resources about the OPM data breach. Then address the following critical elements:
I. Briefly summarize (in 1 to 2 paragraphs) the major issues with the OPM breach and how it occurred.
II. Select two of the privacy laws provided above and describe how they relate to the OPM breach.
III. Determine to what extent jurisdiction plays a role in the application of your selected laws.
IV. Identify which law or laws would have required OPM to report their breach and the steps the organization needs to take to report the issues.
V. Select four of the CIS controls provided above that could have been monitored to help minimize the possibility of the breach. Explain why monitoring these controls would have helped minimize the breach.
What to Submit:
Your submission should be 2 to 4 pages in length and should use double spacing, 12-point Times New Roman font, and one-inch margins. Any sources should be cited according to APA style.