MCyber_Chap22N23

The Gramm-Leach-Bliley Act (GLBA) is a piece of legislation that mainly affects the financial industry.

However, a portion of that legislation also provides opt-out provisions for individuals, putting them in control of how the information they share with an organization during a business transaction is used.

The GLBA restricts information sharing with third party organizations.

IT security governance determines who is authorized to make decisions about cybersecurity risks within an organization.

It demonstrates accountability and provides oversight to ensure that any risks are adequately mitigated and that security strategies are aligned with the organization’s business objectives and are compliant with regulations.

An organization should implement measures to manage user threats, including:
1) Conduct security awareness training to prevent employees from falling victim to phishing scams.

2) Enabling content filtering to permit or deny specific domains in accordance with acceptable use policies.

3) Disabling internal CD drives and USB ports.

4) Enabling automatic antimalware scans for inserted media drives, files, and email attachments.

5) Allocating write and delete permissions to the data owner only.

Enacted in 1986 as an amendment to the Comprehensive Crime Control Act of 1984, CFAA prohibits unauthorized access to computer systems.

Knowingly accessing a government computer without permission or accessing any computer used in or affecting interstate or foreign commerce is a criminal offense. The Act also criminalizes the trafficking of passwords or similar access information, as well as knowingly transmitting a program, code or a command that results in damage.

Organizations with significant resources and cybersecurity expertise run penetration tests and red team exercises (simulated attack exercises) to gauge the security capabilities of an organization.

The Center for Internet Security (CIS) developed a set of critical security controls to help organizations with different levels of resources and expertise at their disposal to improve their cyber defenses.

The National Institute of Standards and Technologies (NIST) created the National Cybersecurity Workforce Framework to support organizations seeking cybersecurity professionals. The framework organizes cybersecurity work into seven categories:

1) Operate and maintain – Provides the support, administration and maintenance required to ensure effective and efficient IT system performance and security.

2) Protect and defend – Identifies, analyzes, and mitigates threats to internal systems and networks.

3) Investigate – Investigates cybersecurity events and/or cyber-attacks involving IT resources.

4) Collect and operate – Provides specialized denial and deception operations and collection of cybersecurity information.

5) Analyze – Performs highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.

6) Oversee and govern – Provides leadership, management, direction or development and advocacy so an organization may effectively conduct cybersecurity work.

7) Securely provision – Conceptualizes, designs, procures or builds secure IT systems.

Family Education Records and Privacy Act (FERPA) is an US federal law that governs the access to education records.

Under the law, parents must approve the disclosure of a student’s educational information to public entities prior to the actual disclosure. When a student turns 18 years old, or enters a postsecondary institution at any age, their rights under FERPA transfer from the parents to the student.

Employees in an organization are typically granted access to the data and information that they need to do their job.

The U.S. government uses the “need to know” principle in its access control models.

The Cloud Security Alliance (CSA) provides security guidance to any organization that uses cloud computing or wants to assess the overall security risk of a cloud provider.