
Urie L. Reed

Potential PII Cyber Incident List

Dr. Roger Ward

CMP 640 Cyber Security Program Development

University of Maryland Global Campus

Project 2: Identity Theft Response

The table below lists the forms of attack that can lead to the theft of, or denial of access to, personally identifiable information (PII). It covers both internal and external incidents, including those involving our employees and/or customers.

The financial sector is governed by a number of essential standards and rules. One of the most important is the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to disclose to their clients their information-sharing policies and procedures, as well as the safeguards they have in place to protect sensitive data. The Sarbanes-Oxley Act (SOX) is another law; it mandates the secure storage and administration of corporate-facing electronic financial records, as well as the monitoring, logging, and auditing of specific activities (Wyre & Lacey, 2020). The Data Security and Breach Notification Act (DSBNA), enacted in 2017, is the final regulation discussed in this study. It mandates that companies report security breaches within 30 days of their discovery. Companies that actively cover up breaches or delay notification face harsh fines.

There are also a number of state-level regulations and norms. The California Consumer Privacy Act (CCPA) established consumer privacy rights and required businesses operating in California to make structural improvements to their privacy procedures. Another key state regulation is the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, a set of requirements that the NYDFS imposes on all financial institutions based in New York.

One important international compliance regulation is the European Union's General Data Protection Regulation (GDPR), the principal comprehensive international regulation governing privacy and PII breaches. GDPR imposes severe penalties for non-compliance or data breaches (McNally, 2012). Because these regulations and standards set requirements for the protection of PII, they apply to every attack vector listed in the table.

| Type of Attack | Description | Federal Government Policy Standards |
|---|---|---|
| Physical Attacks | Theft of sensitive hard-copy PII from a facility is one example of this type of attack. It can also involve breaking into a facility and connecting unauthorized equipment that enables the theft of personal information. | GLBA, SOX, PCI DSS, DSBNA, GDPR, CCPA, NYDFS |
| Ransomware | This type of attack uses malicious software to block access to a company's systems or data until a payment is made. The software only denies access to the information; it does not by itself compromise its integrity or confidentiality. | GLBA, SOX, PCI DSS, DSBNA, GDPR, CCPA, NYDFS |
| Insider Threat | This type of attack is a security breach from within the company that allows PII to be stolen or access to it to be denied. Insiders are frequently disgruntled or bribed to steal PII, implant harmful hardware, smuggle out devices containing PII, or give physical but unauthorized access to someone else who carries out the attack. Emotional, opportunistic, calculating, or terror-related motivations are all common. | GLBA, SOX, PCI DSS, DSBNA, GDPR, CCPA, NYDFS |
| Phishing | This type of attack occurs when an employee of the organization receives an e-mail that appears legitimate but is actually sent by someone seeking to manipulate that employee into giving access to PII (Lininger & Vines, 2008). | GLBA, SOX, PCI DSS, DSBNA, GDPR, CCPA, NYDFS |
| SQL Injection | This attack occurs when untrusted input from a client is built into a SQL query that the server sends to the database, so that attacker-supplied text is executed as part of the query. It can allow the attacker to gain access and perform operations such as editing or deleting data, or issuing commands with administrator privileges. It can both deny access to PII and enable its theft. | GLBA, SOX, PCI DSS, DSBNA, GDPR, CCPA, NYDFS |
| Denial of Service (DoS) | This type of attack seeks to limit the use of a system or service, thereby denying access to PII. A DoS can occur when a malicious request is sent to a system with the intent of crashing it. It can also occur when a large number of legitimate requests are sent to a system in an attempt to overwhelm it. Depending on the volume of data sent, the system may crash or be unable to process valid requests (McNally, 2012), which prevents access to PII. | GLBA, SOX, PCI DSS, DSBNA, GDPR, CCPA, NYDFS |
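The SQL injection row above describes the mechanism in words; the following added example (not part of the original paper) shows it concretely and the standard mitigation beside it. It builds an in-memory SQLite table of constructed, fictitious customer PII, runs the same lookup two ways, and adds a small audit check that a defender could use to flag a single-user lookup that returns more rows than it should. The table name, column names, and sample values are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data: the names and SSN-like values are made up for this example.
SAMPLE_ROWS = [
    ("alice", "Alice Adams", "111-11-1111"),
    ("bob", "Bob Brown", "222-22-2222"),
    ("carol", "Carol Clark", "333-33-3333"),
]


def make_db():
    """Create an in-memory database holding the constructed PII rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, full_name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately unsafe: client input is concatenated into the query text.

    The database cannot tell where the developer's query ends and the
    user-supplied value begins, so quote characters in the input change the
    meaning of the WHERE clause. This is the defect the table row describes.
    """
    sql = (
        "SELECT username, full_name, ssn FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Mitigation: the value is passed separately from the query text.

    The driver binds it as data only, so it can never be parsed as SQL.
    """
    sql = "SELECT username, full_name, ssn FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def audit_single_user_lookup(rows):
    """Defensive check: a lookup keyed on one username should return at most
    one row. More than that indicates the query did not behave as intended
    and is worth logging and investigating."""
    return len(rows) <= 1


def demo():
    """Run both lookups with a benign value and with an input containing a
    quote, and report how many PII rows each returns."""
    conn = make_db()
    benign = "alice"
    # Input with an embedded quote, the kind of malformed value input
    # validation and parameterization are meant to neutralize.
    quoted = "x' OR '1'='1"
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_quoted": len(lookup_vulnerable(conn, quoted)),
        "parameterized_benign": len(lookup_parameterized(conn, benign)),
        "parameterized_quoted": len(lookup_parameterized(conn, quoted)),
        "vulnerable_quoted_passes_audit": audit_single_user_lookup(
            lookup_vulnerable(conn, quoted)
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the concatenated query, the quoted input turns the WHERE clause into a condition that is always true, so every PII row comes back and the audit check fails; with the parameterized query the same input is simply a username that matches nothing. The point for an incident-response plan is that parameterized queries remove the vulnerability at the source, while a row-count audit on sensitive lookups gives detection coverage if legacy code is still in place.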

References

Lininger, R., & Vines, R. D. (2008). Phishing: Cutting the identity theft line. John Wiley & Sons.

McNally, M. (2012). Identity theft in today's world. ABC-CLIO.

Wyre, M., & Lacey, D. (2020). The identity theft response system. doi:10.52922/ti04299