Identity Theft Response
You have successfully presented an expanded Mobile Device Management Policy, which was approved by the CEO. He now wants you to work on a response plan for identity theft, which you proposed a few weeks earlier as part of a series of four cybersecurity projects.
The CEO says to you, “The Incident Response Plan will be our company’s action plan to recover should the ‘worst’ occur. In our case, the ‘worst’ would be a breach of the company’s security that could occur through the theft of customers’ personally identifiable information, possibly through an individual’s mobile device. Such a breach could compromise the integrity of the financial institution’s data.”
The CEO continues: “It is your responsibility to be fully prepared, and I want you to ask your team some ‘What if’ questions.”
“Specifically, I want you to ask: What if our customer information system is compromised internally by a misguided employee? What do we do? And, What if the system is breached by an external hacker and all our customer records are exfiltrated and/or deleted? How would we respond?”
You know that any stolen identity might be that of an employee and/or the identities within the customer information module, which would affect a large number of accounts. Either way, even the slightest breach would be serious, and not having an approved, executable plan of action would only compound the problem. Any lack of regulatory compliance by the organization could also be brought to light.
The CEO closes by saying, “A comprehensive plan for identity theft response is mandatory, and it will receive a lot of scrutiny from senior leadership. Everyone in the company realizes it is a critical component of our success and continued operation. I’m counting on you to do it well.”
Identity theft is becoming more common as technology continues to advance exponentially. Mobile devices, applications, and email make it more convenient for individuals to access records and financial accounts, but also increase the risk of identity theft.
As the CISO, you will be drafting an incident response plan to address identity theft for your financial organization.
Identity Theft Response is the second of four sequential projects in this course. The final plan will be about 10-12 pages in length. There are 16 steps in this project, and it should take about 14 days to complete. Begin with Step 1, where you will identify types of cyberattacks in which personally identifiable information could be vulnerable.
Your work will be evaluated using the competencies listed below.
· 1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.
· 2.2: Locate and access sufficient information to investigate the issue or problem.
· 8.4: Design an enterprise cybersecurity incident response plan.
Project 2: Identity Theft Response
Step 1: Identify Potential PII Attacks
Since this project will require an enterprise cybersecurity incident response plan with specific consideration of identity theft, the types of attacks must first be identified. In a table or spreadsheet, identify the types of attacks that could result in denial of access to or theft of PII (personally identifiable information). Consider both internal and external incidents, and those associated with employees and/or customers. Submit your list of potential PII attacks for feedback from your CIO (course instructor).
Submission for Project 2: Potential PII Cyber Incident List
Incident Response Plan
Computer security incident response has become an important component of information technology (IT) programs. An incident is defined as “a security event that compromises the integrity, confidentiality, or availability of an information asset” (Gordon, 2015).
Any organization in the business of handling personally identifiable information (PII) should establish an incident response capability. That capability, which requires planning and resources, should consider the following guidelines (Cichonski et al., 2012):
· creating an incident response policy and plan
· developing procedures for performing incident handling and reporting
· setting guidelines for communicating with outside parties regarding incidents
· selecting a team structure and staffing model
· establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g., human resources and legal department) and external (e.g., law enforcement agencies)
· determining what services the incident response team should provide
· staffing and training the incident response team
The National Institute of Standards and Technology’s (NIST) Computer Security Incident Handling Guide notes the importance of continually monitoring for attacks and establishing procedures for prioritizing incidents, as well as instituting methods of collecting, analyzing, and reporting data (Cichonski et al., 2012).
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Special publication 800-61, revision 2: Computer security incident handling guide. National Institute of Standards and Technology. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Gordon, A. (Ed.) (2015). Official (ISC)2 guide to the CISSP CBK (4th ed.). CRC Press.
Theft of PII (Personally Identifiable Information)
The importance of personally identifiable information (PII), and the need for its security, can be illustrated with a typical trip to a doctor’s office. When the doctor comes to see you in the examination room, he or she may have a handheld computer that includes your personal medical data. And if the doctor’s computer is linked to a health care organization or a hospital’s mainframe, any physician from within the organization may access that information at any time.
While this ability to access information from anywhere at any time may be an advantage, it also has its shortcomings. If there is a breach, important information could be lost or used for nefarious purposes, and the cost to an organization can be significant, both personally and financially.
In June 2015, the federal Office of Personnel Management (OPM) was hacked, and a large amount of PII, including Social Security numbers from people and relatives of those who applied for a government background investigation, was taken. Fingerprints from the database were also compromised, as well as usernames and passwords (OPM, 2016). OPM said that 21.5 million Social Security numbers were taken.
The breach sparked a class-action lawsuit from the American Federation of Government Employees against the federal government. The union was seeking $1 billion in damages (Hopkins, 2015).
PII is defined by the federal government as “any information about an individual maintained by an agency, including (GAO, 2008):
1. any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and
2. any other information that is linked or linkable to an individual,” such as medical, educational, financial, and employment information.
The list of possible PII is extensive, and the examples below are just a representation of information that could be considered PII (McCallister et al., 2010):
1. name (e.g., full name, maiden name, mother’s maiden name, alias)
2. personal identification number, such as Social Security number, passport number, driver’s license number, taxpayer identification number, patient identification number, and financial account or credit card number
3. address information, such as street address or email address
4. asset information, such as an Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific identifier that consistently links to a particular person or well-defined group
5. telephone numbers, including mobile, business, and personal numbers
6. personal characteristics, including photographs, x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry)
7. information identifying property, such as vehicle registration number or title number and related information
8. information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information)
Any organization that handles PII should have mechanisms to identify and protect the PII of its clients. Privacy threshold analyses (PTAs) are one of the most widely used PII protections for organizations. PTAs are simple questionnaires that are completed by the system owner in collaboration with the data owner, and are usually submitted to an organization’s privacy office for review and approval (McCallister et al., 2010).
PTAs are used to determine if a system contains PII. In the federal government, they are used to determine whether a Privacy Impact Assessment (PIA) or a System of Records Notice (SORN) is required, and if any other privacy requirements apply to the information system (McCallister et al., 2010).
The Department of Homeland Security (DHS) also has its own PIA, which is required under the E-Government Act of 2002 and the Homeland Security Act of 2002. Under this policy, a PIA is required when developing or procuring a new program or system or revising an existing program or system dealing with PII, for budget submissions affecting PII, with pilot tests affecting PII, and when issuing rules involving PII (DHS, 2012).
Federal guidelines also specify three levels of potential impact—low, medium, and high—in case of a security breach, defined as a loss of confidentiality, integrity, or availability (NIST, 2004). Details are found in the Federal Information Processing Standards (FIPS) Publication 199: Standards for Security Categorization of Federal Information and Information Systems. The differences between each level are based on the type of adverse effects: limited, serious, or severe.
A limited adverse effect would result in minor damage to operations or assets, minor financial loss, or minor harm to individuals. A serious adverse effect is one in which the damage to operations, assets, or finances, or the injury to people, is “significant,” and a severe adverse effect is defined as “catastrophic,” involving loss of life or severe injuries (NIST, 2004).
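As an added example (not part of the course materials), the following Python script scans a constructed sample of exported customer records for a few of the PII kinds listed above (Social Security number, email address, telephone number, IP address, MAC address), counts how many records expose each kind, and rolls the result up to a FIPS 199 style high-water-mark confidentiality impact. The per-kind impact ratings and the sample records are assumptions made for this example, not values from the standard.

```python
import re
from collections import Counter

# Patterns for a few PII kinds from the SP 800-122 list above (constructed for this example; not exhaustive).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
}

# Assumed confidentiality impact per PII kind on the FIPS 199 scale (low/moderate/high).
# These ratings are an assumption for this example; a real plan sets them through the organization's PIA.
IMPACT = {"ssn": "high", "email": "low", "phone": "low", "ipv4": "moderate", "mac": "moderate"}
RANK = {"low": 0, "moderate": 1, "high": 2}

# Constructed sample of exported customer records, as a responder might receive them from the data owner.
SAMPLE_EXPORT = [
    "cust=1001 name=A. Example ssn=123-45-6789 email=a.example@example.com",
    "cust=1002 name=B. Example phone=555-123-4567 last_ip=198.51.100.7",
    "cust=1003 name=C. Example device_mac=00:1A:2B:3C:4D:5E",
    "cust=1004 name=D. Example note=no sensitive fields",
]


def classify_record(line):
    """Return the set of PII kinds present in one record line."""
    return {kind for kind, rx in PII_PATTERNS.items() if rx.search(line)}


def assess_breach(lines):
    """Count affected records per PII kind and apply the FIPS 199 high-water mark.

    The overall confidentiality impact is the highest impact of any PII kind
    found. Records with no recognised PII contribute nothing, and a data set
    with no PII at all is reported at the FIPS 199 floor of 'low'.
    """
    counts = Counter()
    for line in lines:
        counts.update(classify_record(line))
    level = max((IMPACT[k] for k in counts), key=RANK.__getitem__, default="low")
    return dict(counts), level


if __name__ == "__main__":
    counts, level = assess_breach(SAMPLE_EXPORT)
    print("records per PII kind:", counts)
    print("high-water-mark confidentiality impact:", level)
```

The per-kind counts give the responder the scope figures (how many customer records, and which identifiers) that the notification and regulatory steps of the plan depend on.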
A breach of clients’ PII is not something to take lightly. Every reported incident involving a breach of PII should be treated as a potential disaster for an organization’s reputation in the marketplace.
Department of Homeland Security. (2012). Privacy threshold analysis. https://www.dhs.gov/xlibrary/assets/privacy/privacy_pta_template.pdf
Government Accountability Office (GAO). (2008, May). Privacy: Alternatives exist for enhancing protection of personally identifiable information. http://www.gao.gov/new.items/d08536.pdf
Hopkins, C. (2015, June 30). OPM hit by $1 billion class-action suit following personnel hack. The Daily Dot. https://www.dailydot.com/layer8/opm-hack-lawsuit/
McCallister, E., Grance, T., & Scarfone, K. (2010). Special publication 800-122: Guide to protecting the confidentiality of personally identifiable information (PII). National Institute of Standards and Technology (NIST). http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf
National Institute of Standards and Technology (NIST). (2004). Federal Information Processing Standards (FIPS) publication 199: Standards for security categorization of federal information and information systems. http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
OPM.gov. (2016). What happened. https://www.opm.gov/cybersecurity/cybersecurity-incidents/