CYB 260 Module Four Activity Guidelines and Rubric
Privacy Laws and Compliance Controls

Overview

A major security breach within the federal government is the Office of Personnel Management (OPM) data breach, which exposed a large amount of personally identifiable information (PII) belonging to current and former federal employees, contractors, and the people named in their background investigations. The effects of this breach are still being explored, and its full extent is still not known. The breach has become an important learning experience. Examining the laws that prescribe controls to minimize the possibility of a data breach is a crucial part of developing an adversarial mindset and will help you respond to future data breaches.

There are numerous articles and research papers on the OPM breach, but the article provided in the prompt explores the breach from the employee perspective and discusses the steps that could have been taken to minimize the possibility of a breach.

The critical controls defined by the Center for Internet Security (CIS) are used as guidelines for processes that an organization can incorporate into its data security program. The controls are used to determine compliance with a standard adopted by the organization. They are meant to be an adaptive tool that allows an organization to evaluate its compliance against a known risk-mitigation level.

You have been preparing for this assignment by summarizing privacy laws and determining who is responsible for ensuring compliance with each law within an organization. It is important that you complete this assignment in your own words. Express your own ideas on how the laws and controls can be applied to this breach. It is the responsibility of a security analyst to be able to explain breaches and the controls used to mitigate the underlying issues. Listed below are the privacy laws you are familiar with and the critical controls you will be learning about to help you complete this activity.

Privacy Laws

Americans With Disabilities Act, Section 508
Cable Communications Policy Act (1984)
Census Confidentiality Act
Children's Internet Protection Act (CIPA)
Children's Online Privacy Protection Act (COPPA)
Computer Security Act
Driver's Privacy Protection Act (1994)
E-Government Act (2002)
Electronic Communications Privacy Act (1986)
Federal Information Security Management Act (FISMA)
Freedom of Information Act (1966)
Gramm-Leach-Bliley Act
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health (HITECH) Act
Mail Privacy Statute (1971)
Payment Card Industry Standards
Privacy Act (1974)
Red Flags Rule
Sarbanes-Oxley Act
State Data Breach Notification Laws
U.S. Constitution
USA Patriot Act
Wiretap Act (1968, Amended)

CIS Controls

1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

Prompt

Before you begin working on this assignment, read the article Inside the Cyberattack That Shocked the US Government and review the CIS Controls website. Then address the following:

I. Briefly summarize (in one to two paragraphs) the major issues with the OPM breach and how it occurred.
II. Select two of the privacy laws provided above and describe how they relate to the OPM breach.
III. Determine to what extent jurisdiction plays a role in the application of your selected laws.
IV. Identify which law or laws would have required OPM to report the breach, and the steps the organization needs to take to report the issues.
V. Select four of the CIS controls provided above that could have been monitored to help minimize the possibility of the breach. Explain why monitoring these controls would have helped minimize the breach.

Article: https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/#start-of-content
CIS Controls: https://www.cisecurity.org/controls/

Rubric

Guidelines for Submission: Your submission should be 2 to 4 pages in length and should use double spacing, 12-point Times New Roman font, and one-inch margins. Any sources should be cited according to APA style. Use a file name that includes the course code, the assignment number, and your name, for example, CYB_100_Project_One_Neo_Anderson.docx.

Critical Element: Summarize (Value: 18%)
Proficient (100%): Briefly summarizes the major issues with the OPM breach and how it occurred
Needs Improvement (70%): Addresses "Proficient" criteria, but there are gaps in clarity, logic, or detail
Not Evident (0%): Does not address critical element, or response is irrelevant

Critical Element: Privacy Laws (Value: 18%)
Proficient (100%): Selects two privacy laws and describes how they relate to the OPM breach
Needs Improvement (70%): Addresses "Proficient" criteria, but there are gaps in clarity, logic, or detail
Not Evident (0%): Does not address critical element, or response is irrelevant

Critical Element: Jurisdiction (Value: 18%)
Proficient (100%): Determines to what extent jurisdiction plays a role in the application of the selected laws
Needs Improvement (70%): Addresses "Proficient" criteria, but there are gaps in clarity, logic, or detail
Not Evident (0%): Does not address critical element, or response is irrelevant

Critical Element: Report (Value: 18%)
Proficient (100%): Identifies which law or laws would have required OPM to report the breach, and the steps the organization needs to take to report the issues
Needs Improvement (70%): Addresses "Proficient" criteria, but there are gaps in clarity, logic, or detail
Not Evident (0%): Does not address critical element, or response is irrelevant

Critical Element: CIS Controls (Value: 18%)
Proficient (100%): Selects four CIS controls that could have been monitored to help minimize the possibility of the breach and explains why monitoring these controls would have helped
Needs Improvement (70%): Addresses "Proficient" criteria, but there are gaps in clarity, logic, or detail
Not Evident (0%): Does not address critical element, or response is irrelevant

Critical Element: Articulation of Response (Value: 10%)
Proficient (100%): Submission is free of errors related to grammar, spelling, and organization and is presented in a professional and easy-to-read format
Needs Improvement (70%): Submission has some errors related to grammar, spelling, or organization that negatively impact readability and articulation of main ideas
Not Evident (0%): Submission has critical errors related to grammar, spelling, or organization that prevent understanding of ideas

Total: 100%