A major security breach that happened within the federal government is the Office of Personnel Management (OPM) data breach, which exposed a large amount of personally identifiable information (PII) of federal and state employees. The effects of this breach are still being explored, and the full extent is still not known. This breach has become an important learning experience. Examining laws that suggest controls to minimize the possibility of data breaches is a crucial part of developing an adversarial mindset and will help with future instances of data breaches. There are numerous articles and research papers on the OPM breach, but the article provided in the prompt explores the breach from the employee perspective and discusses the steps that could have been used to help minimize the possibility of a data breach.
The critical controls defined by the Center for Internet Security (CIS) are used as guidelines for processes that a company can incorporate for data security. The controls are used to determine compliance to a standard put forth by the organization. They are meant to be used as an adaptive tool that will allow an organization to evaluate compliance to a known risk-mitigation level.
You have been preparing for this assignment by summarizing privacy laws and determining who is responsible for ensuring compliance to the law within an organization. It is important that you complete this assignment in your own words. Express your own ideas on how the laws and controls can be applied to this breach. It is the responsibility of a security analyst to be able to explain breaches and the controls used to mitigate issues.
Listed below are the privacy laws you are familiar with and the critical controls you will be learning about to help you complete this activity.
Americans With Disabilities Act, Section 508
Cable Communications Policy Act (1984)
Census Confidentiality Act
Children’s Internet Protection Act (CIPA)
Children’s Online Privacy Protection Act (COPPA)
Computer Security Act
Driver’s Privacy Protection Act (1994)
E-Government Act (2002)
Electronic Communications Privacy Act (1986)
Federal Information Security Management Act (FISMA)
Freedom of Information Act (1966)
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health (HITECH) Act
Mail Privacy Statute (1971)
Payment Card Industry Standards
Privacy Act (1974)
Red Flags Rule
State Data Breach Notification Laws
USA Patriot Act
Wiretap Act (1968, Amended)
Inventory and Control of Hardware Assets
Inventory and Control of Software Assets
Continuous Vulnerability Management
Controlled Use of Administrative Privileges
Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Maintenance, Monitoring, and Analysis of Audit Logs
Email and Web Browser Protections
Limitation and Control of Network Ports, Protocols, and Services
Data Recovery Capabilities
Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Controlled Access Based on the Need to Know
Wireless Access Control
Account Monitoring and Control
Implement a Security Awareness and Training Program
Application Software Security
Incident Response and Management
Penetration Tests and Red Team Exercises
Before you begin working on this assignment, read the article Inside the Cyberattack That Shocked the US Government and review the CIS Controls website. Then address the following:
Briefly summarize (in one to two paragraphs) the major issues with the OPM breach and how it occurred.
Select two of the privacy laws provided above and describe how they relate to the OPM breach.
Determine to what extent jurisdiction plays a role in the application of your selected laws.
Identify which law or laws would have required OPM to report their breach, and the steps the organization needs to take to report the issues.
Select four of the CIS controls provided above that could have been monitored to help minimize the possibility of the breach. Explain why monitoring these controls would have helped minimize the breach.
Your submission should be 2 to 4 pages in length and should use double spacing, 12-point Times New Roman font, and one-inch margins. Any sources should be cited according to APA style.
**Please use both as resources**