Assignment 1: Privacy, Laws, and Security Measures

Assignment 1: Privacy, Laws, and Security Measures

Terri Cooks
Dr. Randy Arvay, CISSP, PMP
Strayer University
April 24, 2015

Assignment 1: Privacy, Laws, and Security Measures

When looking at any organization today major privacy issues are a big problem with data
breaches being at the top of the list. As stated in an article on the IT Business Edge website,
Data breaches, cloud computing, location-based services and regulatory changes will force
virtually all organizations to review, and at least half of all organizations to also revise, their
current privacy policies before year-end 2012, according to Gartner, Inc. These issues will
dominate the privacy officers agenda for the next two years. In 2010, organizations saw new
threats to personal data and privacy, while budgets for privacy protection remained under
pressure, said Carsten Casper, research director at Gartner. Throughout 2011 and 2012, privacy
programs will remain chronically underfunded, requiring privacy officers to build and maintain
strong relationships with corporate counsel, lines of business, HR, IT security, IT operations and
application development teams. An established relationship with regulatory authorities and the
privacy advocacy community will also be an advantage to them. (2015, ItBusinessEdge.com)
To analyze the major privacy issues that are described in the section above and compare
to any other businesses that are facing potential privacy risks first is the point out the privacy
issue in which was a data breach. When a data breach occurs a lot of information becomes at
risk. As stated in an article on Tech Target by Margaret Rouse, A data breach is an incident in
which sensitive, protected or confidential data has potentially been viewed, stolen or used by an
individual unauthorized to do so. Data breaches may involve personal health information (PHI),
personally identifiable information (PII), trade secrets or intellectual property. The most common
concept of a data breach is an attacker hacking into a corporate network to steal sensitive data.
However, not all data breaches are so dramatic. If an unauthorized hospital employee views a

Assignment 1: Privacy, Laws, and Security Measures

patient's health information on a computer screen over the shoulder of an authorized employee
that also constitutes a data breach. (2015, M Rouse)

When looking at the strict risks and applicable laws that govern the privacy risk first you
have to look at the federal and state regulatory framework. As stated in an article written by A
strict federal and state regulatory framework that is aggressively enforced, coupled with the everincreasing challenges that new technology imposes, requires that financial institutions dedicate
substantial resources at all levels of their organizations to mitigate these risks. A robust privacy
and information security risk management program must deal with these challenges holistically
to ensure that when not if a privacy or information security incident occurs, the negative
impacts of it are minimized and promptly remediated.
The key for financial institutions is to understand that privacy and information security
risk management is everyones business, from the CEO to the mailroom clerk. Financial
institutions must know the applicable laws and regulations; identify the privacy and information
security risks that they face; implement and reinforce policies, procedures and practices with all
employees and agents; establish adequate corporate governance; and ensure that accountability
permeates the organization.
There are several separate sets of laws and regulations that govern how financial
institutions manage privacy and information security risks. These include federal and state
privacy laws, the NAIC Model Regulation Act on privacy, state insurance departments
safeguarding of customer information rules, and state information security breach laws. In
addition, Massachusetts issued its landmark data security law back in 2010. (2013, B Loutrel)

Assignment 1: Privacy, Laws, and Security Measures

All of the security measures that the organization needs to implement to mitigate the risks
should be in place no matter the size of the company in question. When assessing and migrating
the risks look at the impact and the risk levels. As stated In the Guide to Developing a Cyber
Security and Risk Mitigation Plan, A careful risk assessment considers both the likelihood of a
successful attack and its impact on the organizations mission and goals. When assessing the
level of security protection required for smart grid assets, NIST guidance is to consider only the
potential impact of exposed, compromised, or lost data or operations. Furthermore, the most
valuable part of a systemthe high-water markdetermines the impact level of the system
itself. For example, consider a system that is not critical to smart grid operations: The potential
impact of a loss of integrity or availability for each asset is low. Therefore, the systems assessed
impact levels for these two security goals are both low. In addition, most of the data stored, used,
or transmitted by the system is not sensitive; these cyber assets have a low potential impact from
a loss of confidentiality. However, if a single system data set contains PII, that asset has a high
level of potential impact from a loss of confidentiality. Therefore, the confidentiality impact level
is high for the entire system. In turn, the overall impact level of the systemconsidering all three
security goalsis high. The entire system requires a high level of security protection. The risk
level, or its severity, is a combination of assessed likelihood and assessed impact. Although the
likelihood of loss does not affect the level of protection the system requires, it usually plays a
role in prioritizing security efforts. Among systems with high impact ratings, those with
significant threats and vulnerabilities might currently carry the highest risk to the organization
and receive high priority for remediation. Finally, the nature of an impact affects the level of risk
the organization is willing to assume. Not all high impact ratings are equal. Impacts could be
ranked as follows: Safety: Causing risk to life and limb. Outage: Leading to improper

Assignment 1: Privacy, Laws, and Security Measures

operation of a power system device, possibly resulting in a consumer outage. Privacy:
Disclosing private data, such as social security or credit card numbers. Monetary: Leading to
increased tangible costs to the utility. (Copyright 2011, National Rural Electric Cooperative
Association)

Assignment 1: Privacy, Laws, and Security Measures

References

It Business Edge.com 2015 Top Five Privacy Issues Organizations Must Tackle
http://www.itbusinessedge.com/slideshows/show.aspx?c=91946

Loutrel B 2013 How to manage privacy and information security risk Life
Health Pro
http://www.lifehealthpro.com/2013/06/12/how-to-manage-privacy-and-information-security-ris?
t=life-practice-management
National Rural Electric Cooperative Association, Copyright 2011 Guide to Developing a Cyber
Security and Risk Mitigation Plan
https://www.smartgrid.gov/sites/default/files/doc/files/CyberSecurityGuideforanElectricCooperat
iveV11-2%5B1%5D.pdf
Rouse M, 2015 Data Breach Tech
Target

http://searchsecurity.techtarget.com/definition/data-breach