Security Measures Paper

You have just been hired as the security administrator of a major organization that was recently breached by a social engineer. After a thorough analysis of the network security, you have determined that there was no security plan in place and no standard operating procedures for e-mail, acceptable use, physical security, and incident response. The assignment requires the student to use the case and legal concepts from the textbook, research the legal aspects of the case on websites such as FindLaw.com, research the parties and circumstances of the case itself, and incorporate an audio-visual element as part of the case analysis. The result should be substantive and address all aspects of the assignment, and should be informative and engaging when shared with other students in a participatory environment.

Please type a three to five page (800 to 1,200 word) paper using APA style, explaining your recommendations and why you think that they are necessary.

Use transition words, a thesis statement, an introduction, a body, a conclusion, and a reference page with at least two references. Use double-spaced, 12-point Arial font.

Cyber Security Legal Aspects
Student Name
Institute:

Cyber Security Legal Aspects
Companies need expert advice on internal security procedures. Monitoring daily operations for cyber security issues is very important in an organization, especially for detecting security vulnerabilities. Information technology systems hold valuable and sensitive information, and protecting that data, whether virtual or in other forms, is a core responsibility. Many organizations lack basic security protocols such as standard operating procedures, physical security controls, and an incident response plan, and this gap has become a legal issue as cyber-attacks increase in frequency and severity (Srinivas, Das, and Kumar, 2019). There are laws and compliance standards that address cybersecurity. Cybercrime laws focus on both the victim of a cyber-attack and the attacker. Some of the laws concerning cybersecurity include the federal Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and other computer hacking laws.
In addition, the Federal Trade Commission (FTC) and the Cybersecurity Information Sharing Act (CISA) of 2015 push organizations toward security requirements such as monitoring network traffic and operating defensive measures to protect the company. CISA authorizes organizations to monitor their own information systems and communication channels, to operate defensive measures, and to share information about cyber-attacks and cyber threats with the federal government so that they can receive assistance; the FTC, for its part, has brought enforcement actions against companies whose security practices were unreasonable. United States cybersecurity laws thus ensure that commercial organizations have measures for monitoring, detecting, preventing, and responding to a cybersecurity issue (Wall, Lowry, and Barlow, 2015). Data breach laws also govern organizations, especially in the maintenance of information privacy and confidentiality. Regulated companies should have security measures and a security compliance framework, such as the NIST Cybersecurity Framework, which allows organizations to identify, assess, design, and implement policies and controls (Wall, Lowry, and Barlow, 2015). Different states have their own laws that apply to organizations and require security measures, such as the New York SHIELD Act and the Massachusetts data security regulations.
Additionally, cybersecurity is a very important aspect of an organization's operations, and protecting itself from cybersecurity issues is a legal obligation. The organization should implement the right technology to handle external threats and vulnerabilities; it should have security policies, practices, and procedures in place that govern employees; and it should have a strategy for responding to a data breach, including an incident response protocol (Srinivas, Das, and Kumar, 2019). An incident response strategy assists in dealing with the legal issues brought about by a cyber-attack, as well as its reputational and technical impacts. Because privacy is a major issue, organizations should focus on developing security measures that protect the confidentiality of information in the organization, including individuals' personal information.
The organization's directors and officers owe shareholders and other affected parties a duty of care and a fiduciary duty under state law and the legal requirements specific to the organization (Wall, Lowry, and Barlow, 2015). The organization should be fully informed about cybersecurity; for instance, the board and officers should be well informed about cybersecurity issues and the ways to address them (Srinivas, Das, and Kumar, 2019). Failure to exercise cyber security practices and protocols may expose the organization to a derivative action for breach of fiduciary duty. An organization can be held liable for failing to have security measures in place, failing to investigate an incident, and providing misleading statements, and it can be subjected to fines proportional to the damage caused by a data breach. For instance, following the Yahoo data breach, the derivative action against the company's officers and board settled for twenty-nine million dollars, and the Securities and Exchange Commission separately imposed a thirty-five million dollar penalty for the company's delayed disclosure of the breach (Wall, Lowry, and Barlow, 2015).
Furthermore, the organization must have a chief information security officer (CISO), a documented policy and response plan, and a program of regular cybersecurity vulnerability assessments. The organization should also assess third-party vendors through a vulnerability assessment plan or a penetration test. For instance, New York's financial services regulations call for bi-annual vulnerability assessments and annual penetration testing (Sullivan, and Maniff, 2016). More generally, the law calls for a security program that protects the organization against internal and external risks to the security, integrity, and confidentiality of its information.
The Securities and Exchange Commission requires public companies to put security measures in place, such as an incident response plan, a risk assessment plan, and penetration testing. In case of an incident, the organization should disclose information about the cybersecurity incident. Reporting and disclosure can be made to affected third-party vendors and to the government. Under the breach notification statutes, the organization must send a notification to the affected parties (Sullivan, and Maniff, 2016). The affected parties include those whose personal information has been compromised by the incident. The personal information covered by these statutes includes account numbers, social security numbers, credit card numbers, access codes, driver's license numbers, identification numbers, and security codes (Wall, Lowry, and Barlow, 2015). Additionally, the data breach notification statutes require that a security notice stating the number of affected persons be sent to the relevant state agency. Deadlines vary by state, but notification within thirty days of discovering the breach is a common regulatory requirement.

References
Buccafurri, F., Fotia, L., Furfaro, A., Garro, A., Giacalone, M., & Tundis, A. (2015, September). An analytical processing approach to supporting cyber security compliance assessment. In Proceedings of the 8th International Conference on Security of Information and Networks (pp. 46-53).
Rishikof, H., & Sullivan, C. (2017). Legal and compliance. In The Cyber Risk Handbook: Creating and Measuring Effective Cybersecurity Capabilities (pp. 255-270).
Srinivas, J., Das, A. K., & Kumar, N. (2019). Government regulations in cyber security: Framework, standards and recommendations. Future Generation Computer Systems, 92, 178-188.
Sullivan, R. J., & Maniff, J. L. (2016). Data breach notification laws. Economic Review, 101(1).
Wall, J., Lowry, P. B., & Barlow, J. B. (2015). Organizational violations of externally governed privacy and security rules: Explaining and predicting selective violations under conditions of strain and excess. Journal of the Association for Information Systems, 17(1), 39-76.
