A major security breach within the federal government is the Office of Personnel Management (OPM) data breach, which exposed a large amount of
personally identifiable information (PII) belonging to current and former federal employees, contractors, and others who had undergone federal
background investigations. The effects of this breach are still being assessed, and its full extent is not yet known. The breach has become an important
learning experience. Examining the laws that require protection of this data, and the controls that reduce the likelihood of a breach, is a crucial part of
developing an adversarial mindset and will help in responding to future breaches.
There are numerous articles and research papers on the OPM breach, but the article provided in this prompt explores the breach from the perspective of the
employees involved and discusses the steps that could have been taken to help minimize the possibility of a breach.
The Critical Security Controls defined by the Center for Internet Security (CIS) are guidelines for the processes a company can adopt to protect its data. The
controls are used to measure an organization's compliance with a standard the organization has adopted. They are meant to be an adaptable tool that lets an
organization evaluate how well it meets a known level of risk mitigation.
You have been preparing for this assignment by summarizing privacy laws and determining who within an organization is responsible for ensuring compliance
with each law. It is important that you complete this assignment in your own words. Express your own ideas on how the laws and controls apply to this
breach. A security analyst must be able to explain breaches and the controls used to mitigate them.
Before you begin working on this assignment, read the Wired article Inside the Cyberattack That Shocked the US Government and review the CIS Controls website.
Then address the following:
I. Briefly summarize (in one to two paragraphs) the major issues with the OPM breach and how it occurred.
II. Select two of the privacy laws provided above and describe how they relate to the OPM breach.
III. Determine to what extent jurisdiction plays a role in the application of your selected laws.
IV. Identify which law or laws would have required OPM to report its breach, and the steps the organization needs to take to report the breach.
V. Select four of the CIS controls provided above that could have been monitored to help minimize the possibility of the breach. Explain why monitoring
these controls would have reduced the likelihood or impact of the breach.