The CEO has tasked you with developing an identity theft response plan for your financial organization. This plan will outline procedures for responding to potential cyberattacks involving theft or compromise of customers' personally identifiable information (PII). You will need to consider responses to both internal incidents, like a rogue employee accessing records, and external incidents, such as a hacker breaching systems. The plan will need to address regulatory compliance, communication with leadership and authorities, and recovery of operations should PII be stolen. It will also help the organization avoid damages to its reputation and legal liability in the event of an identity theft incident.
Identity Theft Response
You have successfully presented an expanded Mobile Device
Management Policy, which was approved by the CEO. He now
wants you to work on a response plan for identity theft, which
you proposed a few weeks earlier as part of a series of four
cybersecurity projects.
The CEO says to you, "The Incident Response Plan will be our
company's action plan to recover should the 'worst' occur. In
our case, the 'worst' would be a breach of the company's
security that could occur through the theft of customers'
personally identifiable information, possibly through an
individual's mobile device. Such a breach could compromise the
integrity of the financial institution's data."
The CEO continues: “It is your responsibility to be fully
prepared, and I want you to ask your team some ‘What if’
questions.”
“Specifically, I want you to ask: What if our customer
information system is compromised internally by a misguided
employee? What do we do? And what if the system is breached
by an external hacker and all our customer records are
exfiltrated and/or deleted? How would we respond?”
You know that any stolen identity might be that of an employee
and/or the identities within the customer information module,
which would affect a large number of accounts. Either way,
even the slightest breach would be serious, and not having an
approved, executable plan of action would only compound the
problem. Any lack of regulatory compliance by the organization
could also be brought to light.
The CEO closes by saying, “A comprehensive plan for identity
theft response is mandatory, and it will receive a lot of scrutiny
from senior leadership. Everyone in the company realizes it is a
critical component of our success and continued operation. I’m
counting on you to do it well.”
Identity theft is becoming more common as technology
continues to advance exponentially. Mobile devices,
applications, and email make it more convenient for individuals
to access records and financial accounts, but also increase the
risk of identity theft.
As the CISO, you will be drafting an incident response plan to
address identity theft for your financial organization.
Identity Theft Response is the second of four sequential projects
in this course. The final plan will be about 10-12 pages in
length. There are 16 steps in this project and it should take
about 14 days to complete. Begin with Step 1, where you will
identify types of cyberattacks in which personally identifiable
information could be vulnerable.
Competencies
Your work will be evaluated using the competencies listed
below.
· 1.3: Provide sufficient, correctly cited support that
substantiates the writer's ideas.
· 2.2: Locate and access sufficient information to investigate the
issue or problem.
· 8.4: Design an enterprise cybersecurity incident response plan.
Project 2: Identity Theft Response
Step 1: Identify Potential PII Attacks
Since this project requires an enterprise cybersecurity incident
response plan with considerations specific to identity theft, the
types of attacks that threaten PII must first be identified.
In a table or spreadsheet, identify the types of attacks that could
result in denial of access to or theft of PII (personally
identifiable information). Consider both internal and external
incidents and those associated with employees and/or
customers. Submit your list of potential PII attacks for feedback
from your CIO (course instructor).
Submission for Project 2: Potential PII Cyber Incident List
Incident Response Plan
Computer security incident response has become an important
component of information technology (IT) programs. An
incident is defined as "a security event that compromises the
integrity, confidentiality, or availability of an information
asset" (Gordon, 2015).
Any organization in the business of handling personally
identifiable information (PII) should establish an incident
response capability. That capability, which requires planning
and resources, should consider the following guidelines
(Cichonski et al., 2012):
· creating an incident response policy and plan
· developing procedures for performing incident handling and
reporting
· setting guidelines for communicating with outside parties
regarding incidents
· selecting a team structure and staffing model
· establishing relationships and lines of communication between
the incident response team and other groups, both internal (e.g.,
human resources and legal department) and external (e.g., law
enforcement agencies)
· determining what services the incident response team should
provide
· staffing and training the incident response team
The National Institute of Standards and Technology's
(NIST) Computer Security Incident Handling Guide notes the
importance of continually monitoring for attacks and
establishing procedures for prioritizing incidents, as well as
instituting methods of collecting, analyzing, and reporting data
(Cichonski et al., 2012).
References
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012).
Special Publication 800-61, Revision 2: Computer security
incident handling guide. National Institute of Standards and
Technology.
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Gordon, A. (Ed.). (2015). Official (ISC)2 guide to the CISSP
CBK (4th ed.). CRC Press.
Resources
· Draft National Cyber Incident Response Plan
· Cyber Incident Response: Bridging the Gap Between
Cybersecurity and Emergency Management
· National CSIRTs and Their Role in Computer Security
Incident Response
· Data Breach Response: A Guide for Business
· Cybersecurity Incident Reports
· Incident Response
Theft of PII (Personally Identifiable Information)
The importance of personally identifiable information (PII), and
the need for its security, can be illustrated with a typical trip to
a doctor's office. When the doctor comes to see you in the
examination room, he or she may have a handheld computer that
includes your personal medical data. And if the doctor's
computer is linked to a health care organization or a hospital's
mainframe, any physician from within the organization may
access that information at any time.
While the ability to access information from anywhere at any
time may be an advantage, it also has its shortcomings. If there
is a breach, important information could be lost or used for
nefarious purposes, and the cost can be significant, both to the
individuals affected and to the organization financially.
In June 2015, the federal Office of Personnel Management
(OPM) was hacked, and a large amount of PII was taken,
including the Social Security numbers of people who applied for
a government background investigation and of their relatives.
Fingerprints from the database were also compromised, as well
as usernames and passwords (OPM, 2016). OPM said that 21.5
million Social Security numbers were taken.
The breach sparked a class-action lawsuit from the American
Federation of Government Employees against the federal
government. The union was seeking $1 billion in damages
(Hopkins, 2015).
PII is defined by the federal government as "any information
about an individual maintained by an agency, including (GAO,
2008):
1. any information that can be used to distinguish or trace an
individual's identity, such as name, social security number, date
and place of birth, mother's maiden name, or biometric records;
and
2. any other information that is linked or linkable to an
individual," such as medical, educational, financial, and
employment information.
The list of possible PII is extensive, and the examples below are
just a representation of information that could be considered PII
(McCallister et al., 2010):
1. name (e.g., full name, maiden name, mother's maiden name,
alias)
2. personal identification number, such as Social Security
number, passport number, driver's license number, taxpayer
identification number, patient identification number, and
financial account or credit card number
3. address information, such as street address or email address
4. asset information, such as an Internet Protocol (IP) or Media
Access Control (MAC) address or other host-specific identifier
that consistently links to a particular person or well-defined
group
5. telephone numbers, including mobile, business, and personal
numbers
6. personal characteristics, including photographs, x-rays,
fingerprints, or other biometric image or template data (e.g.,
retina scan, voice signature, facial geometry)
7. information identifying property, such as vehicle registration
number or title number and related information
8. information about an individual that is linked or linkable to
one of the above (e.g., date of birth, place of birth, race,
religion, weight, activities, geographical indicators,
employment information, medical information, education
information, financial information)
Any organization that handles PII should have mechanisms to
identify and protect the PII of its clients. Privacy threshold
analyses (PTAs) are one of the most widely used PII protections
for organizations. PTAs are simple questionnaires that are
completed by the system owner in collaboration with the data
owner, and are usually submitted to an organization's privacy
office for review and approval (McCallister et al., 2010).
PTAs are used to determine if a system contains PII. In the
federal government, they are used to determine whether a
Privacy Impact Assessment (PIA) or a System of Records
Notice (SORN) is required, and if any other privacy
requirements apply to the information system (McCallister et
al., 2010).
The Department of Homeland Security (DHS) also has its own
PIA, which is required under the E-Government Act of 2002 and
the Homeland Security Act of 2002. Under this policy, a PIA is
required when developing or procuring a new program or
system or revising an existing program or system dealing with
PII, for budget submissions affecting PII, with pilot tests
affecting PII, and when issuing rules involving PII (DHS,
2012).
Federal guidelines also specify three levels of potential
impact—low, medium, and high—in case of a security breach,
defined as a loss of confidentiality, integrity, or availability
(NIST, 2004). Details are found in the Federal Information
Processing Standards (FIPS) Publication 199: Standards for
Security Categorization of Federal Information and Information
Systems. The differences between each level are based on the
type of adverse effects: limited, serious, or severe.
A limited adverse effect would result in minor damage to
operations or assets, minor financial loss, or minor harm to
individuals. A serious adverse effect is one in which damage to
operations, assets, or finances, or injury to individuals, is
"significant," and a severe adverse effect is defined as
"catastrophic," involving loss of life or severe injuries (NIST, 2004).
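As an added example (not part of the course materials), the following Python script performs a PTA-style check over constructed sample records: it inventories which of the SP 800-122 PII categories listed above are present, decides whether a PIA review is triggered, and assigns one of the three impact levels. The regular expressions, the column names treated as "linked or linkable," and the mapping of categories to impact levels are assumptions made for this illustration, not rules taken from FIPS 199 or SP 800-122.

```python
import re

# Pattern-shaped identifiers from the SP 800-122 PII list quoted above; names and
# street addresses are free text, so those are caught by field name instead.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[ -.]\d{3}[ -.]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "dob": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
}
# Assumed column names whose contents are "linked or linkable" to a person.
LINKED_FIELDS = {"full_name", "maiden_name", "street_address", "employer", "diagnosis"}
# Assumed heuristic tiering; the page names the three levels, not this mapping.
HIGH_IMPACT = {"ssn", "credit_card"}


def find_pii(record):
    """Return the set of PII categories found in one record (a dict)."""
    found = set()
    for field, value in record.items():
        text = str(value)
        if field.lower() in LINKED_FIELDS and text.strip():
            found.add("linked_" + field.lower())
        for category, pattern in PII_PATTERNS.items():
            if pattern.search(text):
                found.add(category)
    return found


def threshold_analysis(records):
    """PTA-style verdict: does the system hold PII, which kinds, and at what level?"""
    categories = set()
    for record in records:
        categories |= find_pii(record)
    if not categories:
        return {"contains_pii": False, "categories": set(), "impact": None, "pia_required": False}
    impact = "high" if categories & HIGH_IMPACT else "medium"
    return {"contains_pii": True, "categories": categories, "impact": impact, "pia_required": True}


# Constructed sample records (not real customer data).
SAMPLE_RECORDS = [
    {"full_name": "Jane Q. Customer", "ssn": "123-45-6789", "email": "jane@example.com",
     "phone": "410-555-0134", "card": "4111 1111 1111 1111", "last_login_ip": "203.0.113.7"},
    {"full_name": "John Example", "dob": "1984-07-21", "device_mac": "00:1A:2B:3C:4D:5E",
     "employer": "Example Bank"},
]

if __name__ == "__main__":
    verdict = threshold_analysis(SAMPLE_RECORDS)
    print(f"contains PII: {verdict['contains_pii']}, impact: {verdict['impact']}")
    print("categories:", ", ".join(sorted(verdict["categories"])))
```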
A breach of clients' PII is not something to take lightly. Every
reported incident of a breach of PII should be treated as a
potential disaster for an organization's reputation in the
marketplace.
References
Department of Homeland Security. (2012). Privacy threshold
analysis.
https://www.dhs.gov/xlibrary/assets/privacy/privacy_pta_template.pdf
Government Accountability Office (GAO). (2008, May).
Privacy: Alternatives exist for enhancing protection of
personally identifiable information.
http://www.gao.gov/new.items/d08536.pdf
Hopkins, C. (2015, June 30). OPM hit by $1 billion class-action
suit following personnel hack.
https://www.dailydot.com/layer8/opm-hack-lawsuit/
McCallister, E., Grance, T., & Scarfone, K. (2010). Special
Publication 800-122: Guide to protecting the confidentiality of
personally identifiable information (PII). National Institute of
Standards and Technology (NIST).
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf
National Institute of Standards and Technology (NIST). (2004).
Federal Information Processing Standards (FIPS) Publication
199: Standards for security categorization of federal
information and information systems.
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
OPM.gov. (2016). What happened.
https://www.opm.gov/cybersecurity/cybersecurity-incidents/
Resources
· Guide to Protecting the Confidentiality of Personally
Identifiable Information (PII)
· Handbook for Safeguarding Sensitive Personally Identifiable