Cyberlaw, Regulations, and Compliance

Task 1

Introduction: Due to policy changes, personnel changes, system changes, and audits, it is often necessary to review and revise information security policies. Information security professionals are responsible for ensuring that policies are in line with current industry standards.

Scenario: Heart-Healthy Insurance Information Security Policy

You are the manager of the information security analyst team for a large health insurance company. Your supervisor has asked you to review the company's information security policy and recommend changes. The intent of this review is to ensure that the policy complies with current regulatory requirements, obtains the benefits of industry-specific standards, uses a recognized framework, is relevant to your company, and meets the requirements of all applicable regulations and standards. The outcome of the review should be recommended modifications that bring the policy into alignment with the relevant regulatory requirements.

The policy is a large document that addresses confidentiality, integrity, and availability across the electronic information systems the company uses. Among the services the company provides are patient-history evaluations for chronic-illness indicators, insurance rate underwriting, paying claims to healthcare providers, accepting premium payments from employers, and accepting copayments from claimants. In addition to regulatory requirements, the U.S. Department of Health and Human Services (HHS) has set national standards for the identification of employers, providers, transactions, procedure codes, and place-of-service codes.

The company holds information that is protected by regulatory requirements: individual privacy information, personal health information, financial information, and credit information. Information about employees and patients, also known as demographics, contains personally identifiable information (PII), which is covered under U.S. federal privacy laws. Health information that is personally identifiable, known as protected health information (PHI), must be protected under HIPAA and HITECH. Because the company is an insurance company, the government classifies it as a financial institution, so it must also comply with the GLBA. The company accepts credit cards for premiums and deductibles and consequently must be PCI DSS compliant.

Of greatest concern to your supervisor are the sections of the policy that stipulate how a new user is provided access to information systems and the password requirements for those systems.

Task:

A. Develop new policy statements with two modifications for each of the following sections of the attached "Heart-Healthy Insurance Information Security Policy":
1. New Users
2. Password Requirements
B. Justify each of your modifications in parts A1 and A2 based on specific current industry standards that are applicable to the case study.
C. When you use sources, include all in-text citations and references in APA format.

Task 1 – Policy Statements (guidance)

For the given scenario, develop or revise two policy statements (new users and password requirements). Justify each policy on the basis of current federal information security laws and regulations or U.S. federal regulatory requirements (e.g., HIPAA, HITECH, U.S. federal privacy laws, the Gramm-Leach-Bliley Act (GLBA)). PCI DSS also applies to the company, but it is a contractual industry standard rather than a federal law, so cite it as a standard and not as a regulation. Each policy, and the recommendations you make within it, should be tied to a specific U.S. regulatory requirement (U.S. law).

Task 2

Introduction: As an information security professional, you are responsible for ensuring that preventive information security controls are in place.
Such controls include implementing organizational and security policies, processes, and other preventive security measures.

Scenario: During a routine audit of an electronic health record (EHR) system, a major healthcare provider discovered three undocumented accounts that appear to have access to the entire clinical and financial health record within the system. Further investigation revealed that these accounts were accessing records around the clock via remote access to the healthcare system's network. Three remote-access accounts appear to have been set up at least six months before the creation date of the first of the three accounts in the EHR. The EHR accounts were originally established as standard user accounts approximately two months ago and were escalated to full access over the course of two weeks. System controls are verified to be in effect that limit each account to no more than 300 records per day. Over the past two months, it is estimated that more than 37,000 but no more than 50,000 records could have been accessed. Reports are being run to determine which patient records were accessed, but the reports will take more than two weeks to identify the record identification numbers and then longer than 60 days to compile the associated names and addresses. An audit of other systems that contain sensitive information revealed no other unauthorized access. Audit files that would normally identify the creator of the accounts overwrite themselves after two weeks in both the remote-access systems and the EHR, so the evidence of who created the accounts no longer exists. No one in senior management has any reason to suspect that it was an inside job, but given the short log retention period there is no way to rule that possibility out either.

Task:

A. Describe three of the security faults in this scenario that caused a security breach.
B. After researching national and international standards, create three policy statements that apply to the entire organization, comply with a national or international standard, and might have prevented the security breaches identified in part A.
1. Justify how each organizational policy statement in part B complies with a specific nationally or internationally recognized standard (e.g., ISO/IEC, NIST) and could plausibly be enforced at the company.
Note: The policy statements should match the baseline requirements of the standards for organizational compliance.
C. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.

Task 2 (guidance)

For the given scenario, develop three policy statements that would have prevented the security breach. Justify the policies on the basis of national or international standards (e.g., NIST, ISO), NOT HIPAA.

Task 3

Introduction: In this task you will respond to a hypothetical business arrangement in which you have been asked to review an initial draft of a service level agreement (SLA) between your company, Finman Account Management, and two other companies, Datanal and Minertek. Based on your recommended modifications, Finman will propose a final agreement.

Task:

A. Recommend changes (modifications, insertions, or deletions) to the attached "Service Level Agreement" to better protect Finman's data and intellectual property.
1. Justify how your recommendations will limit the use, sharing, retention, and destruction of Finman's corporate data by Datanal and Minertek.
2. Justify how your recommendations will ensure that Finman's property, patents, copyrights, and other proprietary rights are protected.

Task 4

Scenario: You are the chief information security officer (CISO) for VL Bank as depicted in the attached "VL Bank Case Study." Examine the body of evidence that your information security analysts have collected and consider the following:
• Who is affected?
• What happened?
• Where have the events occurred?
• How will you resolve the cybercrime?
• How did this happen?

Task:

A. Develop a report (suggested length of 3–5 pages) for VL Bank senior management regarding the cybercrime in the attached "VL Bank Case Study" in which you do the following:
1. Discuss how two laws or regulations apply to the case study.
a. Discuss how VL Bank will work within the parameters of the appropriate legal jurisdictions with specific law enforcement bodies to resolve the situation.
b. Discuss the legal considerations for preparing the digital evidence VL Bank will need to provide to law enforcement and attorneys.
c. Explain what coordination should take place between the CISO and VL Bank's lawyer.
2. Discuss how this cybercrime could affect VL Bank's enterprise continuity.
a. Explain how VL Bank could use technology to prevent the cybercrime in the case scenario.
3. Discuss information security and assurance controls that could mitigate future attacks of this kind at VL Bank.
a. Explain how these controls align with regulatory requirements and standards.

VL Bank Case Study

You are the chief information security officer (CISO) for VL Bank, based in Atlanta, Georgia. Recently, a highly sophisticated and cleverly orchestrated crime was brought to your attention by the information security analysts in your department and by a growing number of business customers. Your company's commercial customers use a digital-certificate multifactor authentication process to access the wire transfer, cash management, deposit operations, and account management applications common to all business customers. The problem is that several customers have reported that new user accounts have been set up under their names without their authorization, and that these accounts are initiating multiple fund transfers of $10,000 each. The wire transfers are being sent to various other bank accounts across the United States. As of today, the fraudulent transfers total more than $290,000.

The bank's affected customers are calling to get answers and reclaim lost funds. Your supervisor is demanding answers from you as well. The bank's general counsel is preparing for litigation threats from the affected customers. This could be a business nightmare, especially if you fail to resolve the situation quickly. After further analysis, you learn some additional information about the case:
1. The $10,000 individual transfers are going to several U.S. bank accounts of individuals before being automatically transferred on to several international bank accounts located in Romania, Thailand, Moldavia, and China.
2. The bank's affected customers all used computers infected with keystroke-logging malware that collected usernames, passwords, account numbers, personal identification numbers, URLs, and digital certificates. These computers did not have anti-virus or other security software installed.
3. The bank's customers frequently experience spear-phishing attacks: fake e-mails that resemble normal business e-mail messages to customers but carry the keystroke-logging malware.
4. The bank's systems have not been breached, and no customer data has been stolen except from the few business customers whose own business computers were compromised.
5. The U.S. banks that received the fraudulent funds transfers are located in four other U.S. states in addition to VL Bank in Georgia: Bank A in California, Bank B in New York, Bank C in Texas, and Bank D in Florida.
6. VL Bank's account manager responsible for the affected customers has access to copies of the digital certificates used by the customers as well as account access.

A1. Laws or Regulations: Identify two laws that apply to the case and discuss how each applies.

A1a. Legal jurisdiction: This case involves several other countries. Students may discuss the international nature of the incident and describe how the U.S.
will work with and through international organizations to investigate the cybercrime. What might they do to build a case against the culprits, such as tracing e-mails and interviewing customers? The case also involves several states, so local, state, and federal law enforcement bodies may also come into play (national and international).

A1b. Legal considerations: Discuss the acquisition of evidence, record keeping, the handling of evidence, and evidence protection. Include the legal considerations for digital evidence: how digital evidence should be properly handled (for example, working from forensic images rather than the original customer machines, recording cryptographic hashes to demonstrate integrity, and keeping a documented chain of custody), and what could happen in the courtroom if it is not handled appropriately.

A1c. Coordination: Consider the responsibilities of the CISO. The discussion should include ideas for coordination between the CISO and the attorney to help law enforcement make a case. How could they develop a framework for coordinating the digital evidence? Think of the steps the CISO and attorney may take to assist in coordinating the evidence.

A2. Cybercrime effects: Consider the meaning of the term business continuity and discuss the possible repercussions to the bank as a result of the cybercrime. Business continuity (BC) is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. Explain what could happen in technical terms and in practical terms, and how this event would impact the bank. Technical: system crashes, downtime to restore data, etc. Practical: damage to corporate reputation, financial loss, etc. You may also want to explain how the crime would impact each part of the CIA triad.

A2a. Technology: Identify a specific technology that would help the bank mitigate the cybercrime's effects on its daily operations. One technology is sufficient. Explain in detail how it could have mitigated or stopped this crime from occurring. Note that in the case study the customers' digital certificates were files on the same computers the keystroke logger infected, which is why the "multifactor" login could be replayed by the attacker; a second factor that cannot be copied off the endpoint (for example a hardware token or smart card that signs on the device itself), or out-of-band confirmation of each transfer with a known contact, addresses this fault directly.

A3. Controls: Describe information security controls that could prevent future attacks. These controls should come from standards, frameworks, or laws. Name the control and explain which security fault in the scenario it would have prevented. Three controls are sufficient; they may come from several standards, frameworks, or laws or from only one. For each control, say what it would have mitigated or stopped in the scenario, with a short explanation of how.

A3a. Alignment: Identify the specific regulatory requirements and standards that align with the controls you identified in A3, and describe how they relate to those controls and to a potential cybercrime. In other words, name the control again and state which standard, framework, or law it comes from, in the form: "Control XX complies with guidance from [source] section [xxx], which states [xxx]."
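As an added example for the Task 4 case study (this is not part of the assignment or of the VL Bank case materials), the following Python sketch shows the kind of transaction-monitoring control a candidate might name under A2a or A3: rules that would have held the fraudulent wires in the scenario because they came from a freshly created login, went to beneficiaries the customer had never paid, and repeated the same $10,000 amount in quick succession. The customer, login and beneficiary identifiers, the thresholds, and the sample transfers are all constructed assumptions, not data from the case.

```python
"""Transaction-monitoring rules illustrating the Task 4 scenario.

Added example; not part of the assignment or the VL Bank case study.
Names, thresholds and sample records are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class User:
    customer_id: str   # the commercial customer the login belongs to
    user_id: str       # an online-banking login under that customer
    created: datetime  # when the login was provisioned


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    customer_id: str
    user_id: str
    amount: float
    beneficiary: str   # hypothetical receiving-account identifier


# Tunable rule parameters (assumed values, not from the case study).
NEW_USER_WINDOW = timedelta(days=7)   # logins younger than this are "new"
ROUND_AMOUNT = 10_000.0               # the repeated amount seen in the case
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_LIMIT = 2                    # > this many round transfers per window


def score_transfers(users, transfers, known_beneficiaries):
    """Return [(transfer, [reason, ...])] for every transfer that trips a rule.

    UNKNOWN_USER    login not in the customer's provisioned user list
    NEW_USER        login provisioned within NEW_USER_WINDOW of the transfer
    NEW_BENEFICIARY customer has never paid this account before
    VELOCITY        more than VELOCITY_LIMIT transfers of exactly ROUND_AMOUNT
                    within VELOCITY_WINDOW for one customer
    A beneficiary is deliberately NOT marked known after the first transfer:
    trust must come from out-of-band confirmation, not from prior payment.
    """
    users_by_key = {(u.customer_id, u.user_id): u for u in users}
    known = set(known_beneficiaries)
    recent_round = defaultdict(list)  # customer_id -> timestamps of round transfers
    alerts = []
    for t in sorted(transfers, key=lambda x: x.ts):
        reasons = []
        user = users_by_key.get((t.customer_id, t.user_id))
        if user is None:
            reasons.append("UNKNOWN_USER")
        elif t.ts - user.created <= NEW_USER_WINDOW:
            reasons.append("NEW_USER")
        if (t.customer_id, t.beneficiary) not in known:
            reasons.append("NEW_BENEFICIARY")
        if t.amount == ROUND_AMOUNT:
            window = [ts for ts in recent_round[t.customer_id]
                      if t.ts - ts <= VELOCITY_WINDOW]
            window.append(t.ts)
            recent_round[t.customer_id] = window
            if len(window) > VELOCITY_LIMIT:
                reasons.append("VELOCITY")
        if reasons:
            alerts.append((t, reasons))
    return alerts


def decide(reasons):
    """HOLD = release only after out-of-band confirmation with a known contact;
    REVIEW = analyst queue; RELEASE = no rule hit."""
    if "UNKNOWN_USER" in reasons or "NEW_USER" in reasons:
        return "HOLD"
    if "VELOCITY" in reasons and "NEW_BENEFICIARY" in reasons:
        return "HOLD"
    return "REVIEW" if reasons else "RELEASE"


def total_exposure(alerts):
    """Sum of amounts on held transfers: the loss these rules would have stopped."""
    return sum(t.amount for t, reasons in alerts if decide(reasons) == "HOLD")


# Constructed sample data (assumptions, not case data).
SAMPLE_USERS = [
    User("ACME", "acme-jane", datetime(2022, 5, 1, 9, 0)),      # long-standing login
    User("ACME", "acme-admin2", datetime(2024, 3, 1, 23, 40)),  # created by the attacker
]
KNOWN_BENEFICIARIES = [("ACME", "SUPPLIER-77")]
SAMPLE_TRANSFERS = [
    Transfer(datetime(2024, 3, 2, 10, 0), "ACME", "acme-admin2", 10_000.0, "BANK-A-0001"),
    Transfer(datetime(2024, 3, 2, 10, 5), "ACME", "acme-admin2", 10_000.0, "BANK-B-0002"),
    Transfer(datetime(2024, 3, 2, 10, 9), "ACME", "acme-admin2", 10_000.0, "BANK-C-0003"),
    Transfer(datetime(2024, 3, 2, 14, 0), "ACME", "acme-jane", 4_250.75, "SUPPLIER-77"),
]

if __name__ == "__main__":
    hits = score_transfers(SAMPLE_USERS, SAMPLE_TRANSFERS, KNOWN_BENEFICIARIES)
    for t, reasons in hits:
        print(f"{t.ts:%Y-%m-%d %H:%M} {t.user_id:12} {t.amount:>10,.2f} "
              f"-> {t.beneficiary:12} {decide(reasons):7} {','.join(reasons)}")
    print(f"held: ${total_exposure(hits):,.2f}")
```

On the sample data the three attacker transfers are held (the legitimate payment to a known supplier passes), so none of the $30,000 leaves the bank before a known contact at the customer confirms the new login and beneficiaries. The design point is that none of the rules depend on the stolen credentials being detectable: the keylogger gave the attacker a valid password and certificate, so the control has to key on behaviour the attacker cannot copy from the endpoint.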