Uploaded byLizbethQuinonez813
DOCX, PDF23 views

Identity Theft ResponseYou have successfully presented an expa

The CEO has tasked you with developing an identity theft response plan for your financial organization. This plan will outline procedures for responding to potential cyberattacks involving theft or compromise of customers' personally identifiable information (PII). You will need to consider responses to both internal incidents, like a rogue employee accessing records, and external incidents, such as a hacker breaching systems. The plan will need to address regulatory compliance, communication with leadership and authorities, and recovery of operations should PII be stolen. It will also help the organization avoid damages to its reputation and legal liability in the event of an identity theft incident.

Embed presentation

Download to read offline
Identity Theft Response You have successfully presented an expanded Mobile Device Management Policy, which was approved by the CEO. He now wants you to work on a response plan for identity theft, which you proposed a few weeks earlier as part of a series of four cybersecurity projects. The CEO says to you, "The Incident Response Plan will be our company's action plan to recover should the 'worst' occur. In our case, the 'worst' would be a breach of the company's security that could occur through the theft of customers' personally identifiable information, possibly through an individual's mobile device. Such a breach could compromise the integrity of the financial institution's data." The CEO continues: “It is your responsibility to be fully prepared, and I want you to ask your team some ‘What if’ questions.” “Specifically, I want you to ask: What if our customer information system is compromised internally by a misguided employee? What do we do? And, What if the system is breached by an external hacker and all our customer records are exfiltrated and/or deleted? How would we respond?” You know that any stolen identity might be that of an employee and/or the identities within the customer information module, which would affect a large number of accounts . Either way, even the slightest breach would be serious, and not having an approved, executable plan of action would only compound the problem. Any lack of regulatory compliance by the organization could also be brought to light. The CEO closes by saying, “A comprehensive plan for identity theft response is mandatory, and it will receive a lot of scrutiny from senior leadership. Everyone in the company realizes it is a critical component of our success and continued operation. I’m counting on you to do it well.”
Identity theft is becoming more common as technology continues to advance exponentially. Mobile devices, applications, and email make it more convenient for individuals to access records and financial accounts, but also increase the risk of identity theft. As the CISO, you will be drafting an incident response plan to address identity theft for your financial organization. Identity Theft Response is the second of four sequential projects in this course. The final plan will be about 10-12 pages in length. There are 16 steps in this project and it should take about 14 days to complete. Begin with Step 1, where you will identify types of cyberattacks in which personally identifiable information could be vulnerable.Competencies Your work will be evaluated using the competencies listed below. · 1.3: Provide sufficient, correctly cited support that substantiates the writer's ideas. · 2.2: Locate and access sufficient information to investigate the issue or problem. · 8.4: Design an enterprise cybersecurity incident response plan. Project 2: Identity Theft Response Step 1: Identify Potential PII Attacks Since this project will require an enterprise cybersecurity incident response plan with considerations specifically to identity theft, types of attacks must be identified. In a table or spreadsheet, identify the types of attacks that could result in denial of access to or theft of PII (personally identifiable information). Consider both internal and external incidents and those associated with employees and/or customers. Submit your list of potential PII attacks for feedback from your CIO (course instructor). Submission for Project 2: Potential PII Cyber Incident ListIncident Response Plan
Print Computer security incident response has become an important component of information technology (IT) programs. An incident is defined as "a security event that compromises the integrity, confidentiality, or availability of an information asset" (Gordon, 2015). Any organization in the business of handling personally identifiable information (PII) should establish an incident response capability. That capability, which requires planning and resources, should consider the following guidelines (Cichonski et al., 2012): · creating an incident response policy and plan · developing procedures for performing incident handling and reporting · setting guidelines for communicating with outside parties regarding incidents · selecting a team structure and staffing model · establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g., human resources and legal department) and external (e.g., law enforcement agencies) · determining what services the incident response team should provide · staffing and training the incident response team The National Institute of Standards and Technology's (NIST) Computer Security Incident Handling Guide notes the importance of continually monitoring for attacks and establishing procedures for prioritizing incidents, as well as instituting methods of collecting, analyzing, and reporting data (Cichonski et al., 2012). References Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Special publication 800-61, revision 2: Computer security incident handling guide: National Institute of Standards and Technology.
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.8 00-61r2.pdf Gordon, A. (Ed.) (2015). Official (ISC)2 guide to the CISSP CBK (4th ed.). CRC Press.Resources · Draft National Cyber Incident Response Plan · Cyber Incident Response: Bridging the Gap Between Cybersecurity and Emergency Management · National CSIRTs and Their Role in Computer Security Incident Response · Data Breach Response: A Guide for Business · Cybersecurity Incident Reports · Incident Response Theft of PII (Personally Identifiable Information) Print The importance of personally identifiable information (PII), and the need for its security, can be illustrated with a typical trip to a doctor's office. When the doctor comes to see you in the examination room, he or she may have a handheld computer that includes your personal medical data. And if the doctor's computer is linked to a health care organization or a hospital's mainframe, any physician from within the organization may access that information at any time. While this ability to access information from anywhere in a timeless fashion may be an advantage, it also has its shortcomings. If there is a breach, important information could be lost or used for nefarious purposes, and the cost to an organization can be significant, both personally and financially. In June 2015, the federal Office of Personnel Management (OPM) was hacked, and a large amount of PII, including Social Security numbers from people and relatives of those who applied for a government background investigation, was taken. Fingerprints from the database were also compromised, as well as usernames and passwords (OPM, 2016). OPM said that 21.5 million Social Security numbers were taken. The breach sparked a class-action lawsuit from the American Federation of Government Employees against the federal
government. The union was seeking $1 billion in damages (Hopkins, 2015). PII is defined by the federal government as "any information about an individual maintained by an agency, including (GAO, 2008): 1. any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and 2. any other information that is linked or linkable to an individual," such as medical, educational, financial, and employment information. The list of possible PII is extensive, and the examples below are just a representation of information that could be considered PII (McCallister et al., 2010): 1. name (e.g., full name, maiden name, mother's maiden name, alias) 2. personal identification number, such as Social Security number, passport number, driver's license number, taxpayer identification number, patient identification number, and financial account or credit card number 3. address information, such as street address or email address 4. asset information, such as an Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific identifier that consistently links to a particular person or well-defined group 5. telephone numbers, including mobile, business, and personal numbers 6. personal characteristics, including photographs, x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry) 7. information identifying property, such as vehicle registration number or title number and related information 8. information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators,
employment information, medical information, education information, financial information) Any organization that handles PII should have mechanisms to identity and protect the PII of its clients. Privacy threshold analyses (PTAs) are one of the most widely used PII protections for organizations. PTAs are simple questionnaires that are completed by the system owner in collaboration with the data owner, and are usually submitted to an organization's privacy office for review and approval (McCallister et al., 2010). PTAs are used to determine if a system contains PII. In the federal government, they are used to determine whether a Privacy Impact Assessment (PIA) or a System of Records Notice (SORN) is required, and if any other privacy requirements apply to the information system (McCallister et al., 2010). The Department of Homeland Security (DHS) also has its own PIA, which is required under the E-Government Act of 2002 and the Homeland Security Act of 2002. Under this policy, a PIA is required when developing or procuring a new program or system or revising an existing program or system dealing with PII, for budget submissions affecting PII, with pilot tests affecting PII, and when issuing rules involving PII (DHS, 2012). Federal guidelines also specify three levels of potential impact—low, medium, and high—in case of a security breach, defined as a loss of confidentiality, integrity, or availability (NIST, 2004). Details are found in the Federal Information Processing Standards (FIPS) Publication 199: Standards for Security Categorization of Federal Information and Information Systems. The differences between each level are based on the type of adverse effects: limited, serious, or severe. A limited adverse effect would result in minor damage to operations, assets, minor financial loss or minor harm to people. A serious adverse effect is when damages to operations, assets, finances, or injury to people are "significant," and a severe adverse effect is defined as "catastrophic" with loss of life or
severe injuries (NIST, 2004). Breach of clients' PII is not something to take lightly. Every report incident of a breach of PII should be treated as a potential disaster for an organization's reputation in the marketplace. References Department of Homeland Security. (2012). Privacy threshold analysis. https://www.dhs.gov/xlibrary/assets/privacy/privacy_pta_templa te.pdf Government Accountability Office (GAO). (2008, May). Privacy: Alternatives exist for enhancing protection of personally identifiable information. http://www.gao.gov/new.items/d08536.pdf. Hopkins, C. (2015, June 30). OPM hit by $1 billion class-action suit following personnel hack. https://www.dailydot.com/layer8/opm-hack-lawsuit/ McCallister, E., Grance, T., & Scarfone, K. (2010). Special publication 800-122: Guide to protecting the confidentiality of personally identifiable information (PII). National Institute of Standards and Technology (NIST). http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublicati o n800-122.pdf National Institute of Standards and Technology (NIST). (2004). Federal Information Processing Standards (FIPS) publication 199: Standards for security categorization of federal information and information systems. http://csrc.nist.gov/publications/fips/fips199/FIPS- PUB-199-final.pdf OPM.gov. (2016). What happened. https://www.opm.gov/cybersecurity/cybersecurity- incidents/Resources · Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) · Handbook for Safeguarding Sensitive Personally Identifiable
Information

More Related Content

PDF
INFORMATION SECURITY STUDY REGARDING PII
by- Mark - Fullbright
 
PDF
Incident Response
byMichaelRodriguesdosS1
 
PDF
Does Your Organization Have A Privacy Incident Response Plan?
bybdana68
 
PDF
A REVIEW OF CYBERSECURITY AS AN EFFECTIVE TOOL FOR FIGHTING IDENTITY THEFT AC...
byIJCI JOURNAL
 
DOCX
Incident ResponseAs a security professional, you will.docx
byMARRY7
 
PDF
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
byIJNSA Journal
 
PDF
Ijnsa050201
byIJNSA Journal
 
PDF
Beyond Tech using PIAs 2011
bycandy_alexander
 
INFORMATION SECURITY STUDY REGARDING PII
by- Mark - Fullbright
 
Incident Response
byMichaelRodriguesdosS1
 
Does Your Organization Have A Privacy Incident Response Plan?
bybdana68
 
A REVIEW OF CYBERSECURITY AS AN EFFECTIVE TOOL FOR FIGHTING IDENTITY THEFT AC...
byIJCI JOURNAL
 
Incident ResponseAs a security professional, you will.docx
byMARRY7
 
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
byIJNSA Journal
 
Ijnsa050201
byIJNSA Journal
 
Beyond Tech using PIAs 2011
bycandy_alexander
 

Similar to Identity Theft ResponseYou have successfully presented an expa

PDF
Cybersecurity Issues and Challenges
byTam Nguyen
 
PDF
Managing Personally Identifiable Information (PII)
byKP Naidu
 
DOCX
Running Head SECURITY AWARENESSSecurity Awareness .docx
bytoltonkendal
 
PDF
INFORMATION SECURITY: THREATS AND SOLUTIONS.
byNi
 
PDF
QuestionConsider the Citibank incident in 2005 where more than 3.9.pdf
byinfomalad
 
PDF
4. Define communication security, information security, network secu.pdf
byarvindarora20042013
 
PDF
Responding to a Company-Wide PII Data Breach
byCBIZ, Inc.
 
PDF
Data Breach Response Checklist
by- Mark - Fullbright
 
DOCX
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
bysleeperharwell
 
DOCX
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
bymccormicknadine86
 
DOCX
Data Breach Research Plan 72415 FINAL
byJoseph White MPA CPM
 
DOCX
CST 610 Effective Communication/tutorialrank.com
byjonhson198
 
DOCX
CYB 610 Effective Communication/tutorialrank.com
byjonhson199
 
DOCX
The uniqueness of the text61.5SHOW ALL MATCHESPage addre.docx
byarnoldmeredith47041
 
DOC
Cst 610 Education is Power/newtonhelp.com
byamaranthbeg73
 
DOC
Cst 610 Motivated Minds/newtonhelp.com
byamaranthbeg53
 
DOC
Cst 610 Your world/newtonhelp.com
byamaranthbeg93
 
PPTX
Information Security
bysteffiann88
 
PPT
Session4807.ppt
bytalkaton
 
PPT
Harshit security
byHarshitGupta435
 
Cybersecurity Issues and Challenges
byTam Nguyen
 
Managing Personally Identifiable Information (PII)
byKP Naidu
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
bytoltonkendal
 
INFORMATION SECURITY: THREATS AND SOLUTIONS.
byNi
 
QuestionConsider the Citibank incident in 2005 where more than 3.9.pdf
byinfomalad
 
4. Define communication security, information security, network secu.pdf
byarvindarora20042013
 
Responding to a Company-Wide PII Data Breach
byCBIZ, Inc.
 
Data Breach Response Checklist
by- Mark - Fullbright
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
bysleeperharwell
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
bymccormicknadine86
 
Data Breach Research Plan 72415 FINAL
byJoseph White MPA CPM
 
CST 610 Effective Communication/tutorialrank.com
byjonhson198
 
CYB 610 Effective Communication/tutorialrank.com
byjonhson199
 
The uniqueness of the text61.5SHOW ALL MATCHESPage addre.docx
byarnoldmeredith47041
 
Cst 610 Education is Power/newtonhelp.com
byamaranthbeg73
 
Cst 610 Motivated Minds/newtonhelp.com
byamaranthbeg53
 
Cst 610 Your world/newtonhelp.com
byamaranthbeg93
 
Information Security
bysteffiann88
 
Session4807.ppt
bytalkaton
 
Harshit security
byHarshitGupta435
 

More from LizbethQuinonez813

DOCX
Industry CompetitionChapter Outline3-1 Industry Life Cyc
byLizbethQuinonez813
 
DOCX
Inferential AnalysisChapter 20NUR 6812Nursing Research
byLizbethQuinonez813
 
DOCX
In this lab, you will observe the time progression of industrializat.docx
byLizbethQuinonez813
 
DOCX
Individual Focused Learning for Better Memory Retention Through
byLizbethQuinonez813
 
DOCX
In this module, we examined crimes against persons, crimes against p.docx
byLizbethQuinonez813
 
DOCX
Infectious diseases projectThis project is PowerPoint, or a pa
byLizbethQuinonez813
 
DOCX
Individual DifferencesSelf-Awareness and Working wit
byLizbethQuinonez813
 
DOCX
Individual Project You are a business analyst in a publicly-tr
byLizbethQuinonez813
 
DOCX
Infectious DiseasesNameCourseInstructorDateIntrodu
byLizbethQuinonez813
 
DOCX
Infancy to Early Childhood Case AnalysisPart IFor this di
byLizbethQuinonez813
 
DOCX
In this course, we have introduced and assessed many noteworthy figu.docx
byLizbethQuinonez813
 
DOCX
In this module we have discussed an organizations design and how it.docx
byLizbethQuinonez813
 
DOCX
In this discussion, please address the followingDiscuss how oft.docx
byLizbethQuinonez813
 
DOCX
In this Assignment, you will focus on Adaptive Leadership from a.docx
byLizbethQuinonez813
 
DOCX
In this module, we explore how sexual identity impacts the nature of.docx
byLizbethQuinonez813
 
DOCX
In this Reflection Activity, you will be asked to think and write ab.docx
byLizbethQuinonez813
 
DOCX
In this lab, you will gather data about CO2 emissions using the .docx
byLizbethQuinonez813
 
DOCX
In this reflection, introduce your professor to your project. Speak .docx
byLizbethQuinonez813
 
DOCX
In this five-page essay, your task is to consider how Enlightenment .docx
byLizbethQuinonez813
 
DOCX
In this module, we have studied Cultural Imperialism and Americaniza.docx
byLizbethQuinonez813
 
Industry CompetitionChapter Outline3-1 Industry Life Cyc
byLizbethQuinonez813
 
Inferential AnalysisChapter 20NUR 6812Nursing Research
byLizbethQuinonez813
 
In this lab, you will observe the time progression of industrializat.docx
byLizbethQuinonez813
 
Individual Focused Learning for Better Memory Retention Through
byLizbethQuinonez813
 
In this module, we examined crimes against persons, crimes against p.docx
byLizbethQuinonez813
 
Infectious diseases projectThis project is PowerPoint, or a pa
byLizbethQuinonez813
 
Individual DifferencesSelf-Awareness and Working wit
byLizbethQuinonez813
 
Individual Project You are a business analyst in a publicly-tr
byLizbethQuinonez813
 
Infectious DiseasesNameCourseInstructorDateIntrodu
byLizbethQuinonez813
 
Infancy to Early Childhood Case AnalysisPart IFor this di
byLizbethQuinonez813
 
In this course, we have introduced and assessed many noteworthy figu.docx
byLizbethQuinonez813
 
In this module we have discussed an organizations design and how it.docx
byLizbethQuinonez813
 
In this discussion, please address the followingDiscuss how oft.docx
byLizbethQuinonez813
 
In this Assignment, you will focus on Adaptive Leadership from a.docx
byLizbethQuinonez813
 
In this module, we explore how sexual identity impacts the nature of.docx
byLizbethQuinonez813
 
In this Reflection Activity, you will be asked to think and write ab.docx
byLizbethQuinonez813
 
In this lab, you will gather data about CO2 emissions using the .docx
byLizbethQuinonez813
 
In this reflection, introduce your professor to your project. Speak .docx
byLizbethQuinonez813
 
In this five-page essay, your task is to consider how Enlightenment .docx
byLizbethQuinonez813
 
In this module, we have studied Cultural Imperialism and Americaniza.docx
byLizbethQuinonez813
 

Recently uploaded

PDF
Risk Management and Regulatory Compliance - by Ms. Oceana Wong
byagenticroom
 
PDF
AI Chatbots and Prompt Engineering - by Ms. Oceana Wong
byagenticroom
 
PPTX
How to create a lead from a business card in odoo19
byCeline George
 
PDF
Deep Research and Analysis - by Ms. Oceana Wong
byagenticroom
 
PDF
AI Workflows and Workflow Rhetoric - by Ms. Oceana Wong
byagenticroom
 
PDF
Cattolica University - Lab Generative and Agentic AI - Mario Bencivinni
byMario Bencivinni
 
PPTX
LYMPHATIC SYSTEM.pptx it includes lymph, lymph nodes, bone marrow, spleen
byReena Yadav
 
PPTX
How to Manage Incoming Shipment in 2 Steps in Odoo 18 Inventory
byCeline George
 
PDF
1. Doing Academic Research: Problems and Issues, 2. Academic Research Writing...
byProf. Vinod Kumar Kanvaria
 
PDF
the dynasty history of Chahmanas Early Medieval India
byPrachiSontakke5
 
PDF
Rigor, ethics, wellbeing and resilience in the biomedical doctoral journey
byYannis
 
PPTX
SP C PROGRAMMING BASIC CONCEPTS WITH SAMPLE CODE.pptx
byspunithasrit
 
PPTX
How to Enter Opening Stock in Odoo 18 Inventory
byCeline George
 
PDF
Photoperiod Classification of Vegetable Plants.pdf
bybisensharad
 
PDF
Plant propagation_Macro & Micro_Horticulture.pdf
bybisensharad
 
PPTX
Introduction to Beauty Care and Wellness Services.pptx-day fcs 3rd quarter tl...
byLourdesDamasco
 
PPTX
Prelims - History and Geography Quiz - Around the World in 80 Questions - IITK
byAditya Padhi
 
PPTX
What are the Dark mode in Odoo 18.2 Pos _odoo 19
byCeline George
 
PPTX
DEVELOPMENTL BIOLOGY hormonal control of metamorphosis.
byKajal Kashyap
 
PPTX
Structure and Functions of Cell (Unit I)
byPranaliChandurkar2
 
Risk Management and Regulatory Compliance - by Ms. Oceana Wong
byagenticroom
 
AI Chatbots and Prompt Engineering - by Ms. Oceana Wong
byagenticroom
 
How to create a lead from a business card in odoo19
byCeline George
 
Deep Research and Analysis - by Ms. Oceana Wong
byagenticroom
 
AI Workflows and Workflow Rhetoric - by Ms. Oceana Wong
byagenticroom
 
Cattolica University - Lab Generative and Agentic AI - Mario Bencivinni
byMario Bencivinni
 
LYMPHATIC SYSTEM.pptx it includes lymph, lymph nodes, bone marrow, spleen
byReena Yadav
 
How to Manage Incoming Shipment in 2 Steps in Odoo 18 Inventory
byCeline George
 
1. Doing Academic Research: Problems and Issues, 2. Academic Research Writing...
byProf. Vinod Kumar Kanvaria
 
the dynasty history of Chahmanas Early Medieval India
byPrachiSontakke5
 
Rigor, ethics, wellbeing and resilience in the biomedical doctoral journey
byYannis
 
SP C PROGRAMMING BASIC CONCEPTS WITH SAMPLE CODE.pptx
byspunithasrit
 
How to Enter Opening Stock in Odoo 18 Inventory
byCeline George
 
Photoperiod Classification of Vegetable Plants.pdf
bybisensharad
 
Plant propagation_Macro & Micro_Horticulture.pdf
bybisensharad
 
Introduction to Beauty Care and Wellness Services.pptx-day fcs 3rd quarter tl...
byLourdesDamasco
 
Prelims - History and Geography Quiz - Around the World in 80 Questions - IITK
byAditya Padhi
 
What are the Dark mode in Odoo 18.2 Pos _odoo 19
byCeline George
 
DEVELOPMENTL BIOLOGY hormonal control of metamorphosis.
byKajal Kashyap
 
Structure and Functions of Cell (Unit I)
byPranaliChandurkar2
 

Identity Theft ResponseYou have successfully presented an expa

  • 1.
    Identity Theft Response Youhave successfully presented an expanded Mobile Device Management Policy, which was approved by the CEO. He now wants you to work on a response plan for identity theft, which you proposed a few weeks earlier as part of a series of four cybersecurity projects. The CEO says to you, "The Incident Response Plan will be our company's action plan to recover should the 'worst' occur. In our case, the 'worst' would be a breach of the company's security that could occur through the theft of customers' personally identifiable information, possibly through an individual's mobile device. Such a breach could compromise the integrity of the financial institution's data." The CEO continues: “It is your responsibility to be fully prepared, and I want you to ask your team some ‘What if’ questions.” “Specifically, I want you to ask: What if our customer information system is compromised internally by a misguided employee? What do we do? And, What if the system is breached by an external hacker and all our customer records are exfiltrated and/or deleted? How would we respond?” You know that any stolen identity might be that of an employee and/or the identities within the customer information module, which would affect a large number of accounts . Either way, even the slightest breach would be serious, and not having an approved, executable plan of action would only compound the problem. Any lack of regulatory compliance by the organization could also be brought to light. The CEO closes by saying, “A comprehensive plan for identity theft response is mandatory, and it will receive a lot of scrutiny from senior leadership. Everyone in the company realizes it is a critical component of our success and continued operation. I’m counting on you to do it well.”
  • 2.
    Identity theft isbecoming more common as technology continues to advance exponentially. Mobile devices, applications, and email make it more convenient for individuals to access records and financial accounts, but also increase the risk of identity theft. As the CISO, you will be drafting an incident response plan to address identity theft for your financial organization. Identity Theft Response is the second of four sequential projects in this course. The final plan will be about 10-12 pages in length. There are 16 steps in this project and it should take about 14 days to complete. Begin with Step 1, where you will identify types of cyberattacks in which personally identifiable information could be vulnerable.Competencies Your work will be evaluated using the competencies listed below. · 1.3: Provide sufficient, correctly cited support that substantiates the writer's ideas. · 2.2: Locate and access sufficient information to investigate the issue or problem. · 8.4: Design an enterprise cybersecurity incident response plan. Project 2: Identity Theft Response Step 1: Identify Potential PII Attacks Since this project will require an enterprise cybersecurity incident response plan with considerations specifically to identity theft, types of attacks must be identified. In a table or spreadsheet, identify the types of attacks that could result in denial of access to or theft of PII (personally identifiable information). Consider both internal and external incidents and those associated with employees and/or customers. Submit your list of potential PII attacks for feedback from your CIO (course instructor). Submission for Project 2: Potential PII Cyber Incident ListIncident Response Plan
  • 3.
    Print Computer security incidentresponse has become an important component of information technology (IT) programs. An incident is defined as "a security event that compromises the integrity, confidentiality, or availability of an information asset" (Gordon, 2015). Any organization in the business of handling personally identifiable information (PII) should establish an incident response capability. That capability, which requires planning and resources, should consider the following guidelines (Cichonski et al., 2012): · creating an incident response policy and plan · developing procedures for performing incident handling and reporting · setting guidelines for communicating with outside parties regarding incidents · selecting a team structure and staffing model · establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g., human resources and legal department) and external (e.g., law enforcement agencies) · determining what services the incident response team should provide · staffing and training the incident response team The National Institute of Standards and Technology's (NIST) Computer Security Incident Handling Guide notes the importance of continually monitoring for attacks and establishing procedures for prioritizing incidents, as well as instituting methods of collecting, analyzing, and reporting data (Cichonski et al., 2012). References Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Special publication 800-61, revision 2: Computer security incident handling guide: National Institute of Standards and Technology.
  • 4.
    http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.8 00-61r2.pdf Gordon, A. (Ed.)(2015). Official (ISC)2 guide to the CISSP CBK (4th ed.). CRC Press.Resources · Draft National Cyber Incident Response Plan · Cyber Incident Response: Bridging the Gap Between Cybersecurity and Emergency Management · National CSIRTs and Their Role in Computer Security Incident Response · Data Breach Response: A Guide for Business · Cybersecurity Incident Reports · Incident Response Theft of PII (Personally Identifiable Information) Print The importance of personally identifiable information (PII), and the need for its security, can be illustrated with a typical trip to a doctor's office. When the doctor comes to see you in the examination room, he or she may have a handheld computer that includes your personal medical data. And if the doctor's computer is linked to a health care organization or a hospital's mainframe, any physician from within the organization may access that information at any time. While this ability to access information from anywhere in a timeless fashion may be an advantage, it also has its shortcomings. If there is a breach, important information could be lost or used for nefarious purposes, and the cost to an organization can be significant, both personally and financially. In June 2015, the federal Office of Personnel Management (OPM) was hacked, and a large amount of PII, including Social Security numbers from people and relatives of those who applied for a government background investigation, was taken. Fingerprints from the database were also compromised, as well as usernames and passwords (OPM, 2016). OPM said that 21.5 million Social Security numbers were taken. The breach sparked a class-action lawsuit from the American Federation of Government Employees against the federal
  • 5.
    government. The unionwas seeking $1 billion in damages (Hopkins, 2015). PII is defined by the federal government as "any information about an individual maintained by an agency, including (GAO, 2008): 1. any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and 2. any other information that is linked or linkable to an individual," such as medical, educational, financial, and employment information. The list of possible PII is extensive, and the examples below are just a representation of information that could be considered PII (McCallister et al., 2010): 1. name (e.g., full name, maiden name, mother's maiden name, alias) 2. personal identification number, such as Social Security number, passport number, driver's license number, taxpayer identification number, patient identification number, and financial account or credit card number 3. address information, such as street address or email address 4. asset information, such as an Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific identifier that consistently links to a particular person or well-defined group 5. telephone numbers, including mobile, business, and personal numbers 6. personal characteristics, including photographs, x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry) 7. information identifying property, such as vehicle registration number or title number and related information 8. information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators,
  • 6.
    employment information, medicalinformation, education information, financial information) Any organization that handles PII should have mechanisms to identity and protect the PII of its clients. Privacy threshold analyses (PTAs) are one of the most widely used PII protections for organizations. PTAs are simple questionnaires that are completed by the system owner in collaboration with the data owner, and are usually submitted to an organization's privacy office for review and approval (McCallister et al., 2010). PTAs are used to determine if a system contains PII. In the federal government, they are used to determine whether a Privacy Impact Assessment (PIA) or a System of Records Notice (SORN) is required, and if any other privacy requirements apply to the information system (McCallister et al., 2010). The Department of Homeland Security (DHS) also has its own PIA, which is required under the E-Government Act of 2002 and the Homeland Security Act of 2002. Under this policy, a PIA is required when developing or procuring a new program or system or revising an existing program or system dealing with PII, for budget submissions affecting PII, with pilot tests affecting PII, and when issuing rules involving PII (DHS, 2012). Federal guidelines also specify three levels of potential impact—low, medium, and high—in case of a security breach, defined as a loss of confidentiality, integrity, or availability (NIST, 2004). Details are found in the Federal Information Processing Standards (FIPS) Publication 199: Standards for Security Categorization of Federal Information and Information Systems. The differences between each level are based on the type of adverse effects: limited, serious, or severe. A limited adverse effect would result in minor damage to operations, assets, minor financial loss or minor harm to people. A serious adverse effect is when damages to operations, assets, finances, or injury to people are "significant," and a severe adverse effect is defined as "catastrophic" with loss of life or
  • 7.
    severe injuries (NIST,2004). Breach of clients' PII is not something to take lightly. Every report incident of a breach of PII should be treated as a potential disaster for an organization's reputation in the marketplace. References Department of Homeland Security. (2012). Privacy threshold analysis. https://www.dhs.gov/xlibrary/assets/privacy/privacy_pta_templa te.pdf Government Accountability Office (GAO). (2008, May). Privacy: Alternatives exist for enhancing protection of personally identifiable information. http://www.gao.gov/new.items/d08536.pdf. Hopkins, C. (2015, June 30). OPM hit by $1 billion class-action suit following personnel hack. https://www.dailydot.com/layer8/opm-hack-lawsuit/ McCallister, E., Grance, T., & Scarfone, K. (2010). Special publication 800-122: Guide to protecting the confidentiality of personally identifiable information (PII). National Institute of Standards and Technology (NIST). http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublicati o n800-122.pdf National Institute of Standards and Technology (NIST). (2004). Federal Information Processing Standards (FIPS) publication 199: Standards for security categorization of federal information and information systems. http://csrc.nist.gov/publications/fips/fips199/FIPS- PUB-199-final.pdf OPM.gov. (2016). What happened. https://www.opm.gov/cybersecurity/cybersecurity- incidents/Resources · Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) · Handbook for Safeguarding Sensitive Personally Identifiable
  • 8.