CYBERLAW
Competency 423.1.5: Regulatory Requirements and Standards - The graduate ensures alignment of regulatory requirements and standards with appropriate information security and assurance controls for organizations that process or hold privacy, financial, or medical information electronically.
Introduction:
Due to policy changes, personnel changes, systems changes, and audits, it is often necessary to review and revise information security policies. Information security professionals are responsible for ensuring that policies are in line with current industry standards.
Task:
A. Develop new policy statements with two modifications for each of the following sections of the attached “Heart-Healthy Insurance Information Security Policy”:
1. New Users
2. Password Requirements
B. Justify each of your modifications in parts A1 and A2 based on specific current industry standards that are applicable to the case study.
C. When you use sources, include all in-text citations and references in APA format.
Note: For definitions of terms commonly used in the rubric, see the Rubric Terms web link included in the Evaluation Procedures section.
Note: When using sources to support ideas and elements in an assessment, the submission MUST include APA formatted in-text citations with a corresponding reference list for any direct quotes or paraphrasing. It is not necessary to list sources that were consulted if they have not been quoted or paraphrased in the text of the assessment.
Note: No more than a combined total of 30% of a submission can be directly quoted or closely paraphrased from outside sources, even if cited correctly. For tips on using APA style, please refer to the APA Handout web link included in the APA Guidelines section.
Heart-Healthy Insurance Information Security Policy
You are the manager of the information security analyst team for a large health insurance company. Your supervisor has asked you to review and provide recommendations for changes to the company’s information security policy. The intent of this review is to ensure that the policy complies with current regulatory requirements, obtains the benefits of industry-specific standards, utilizes a recognized framework, is relevant for your company, and meets the requirements of all relevant regulations and standards. The review’s outcome should be to recommend modifications to the policy to ensure alignment with relevant regulatory requirements.
The policy is a large document that discusses confidentiality, integrity, and availability across the spectrum of the electronic information systems that your company utilizes. Among the services that your company provides are patient-history evaluations for chronic illness indicators, insurance rate underwriting, paying claims to healthcare providers, accepting premium payments from employers, and accepting copayments from claimants. In addition to regulatory requirements, the U.S. Department of Health and Human Services (HHS) has set some national standards for identification of employers, providers, transactions, procedure codes, and place of service codes.
The company you work for holds information that is protected by regulatory requirements. This information includes individual privacy information, personal health information, financial information, and credit information. Information about employees and patients, also known as demographics, contains personally identifiable information, which is covered under the U.S. Federal Privacy Laws. Health information that is personally identifiable, also known as PHI, is required to be protected under HIPAA and HITECH. Because the company is an insurance company, the government classifies it as a financial institution, and it is therefore required to comply with the GLBA. Also, the company takes credit cards to pay for premiums and deductibles and consequently must be PCI-DSS compliant.
Of greatest concern to your supervisor are the sections of the policy that stipulate how a new user is provided access to information systems and the password requirements for those systems.
New Users
The current new user section of the policy states:
“New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator level access.”
Password Requirements
The current password requirements section of the policy states:
“Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset.”
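The quoted password rules as a reference model, added here as an example; it is not part of the assignment or of the Heart-Healthy policy. The salted PBKDF2 hashing, the in-memory Account record and the injected clock are assumptions of the demonstration; the rules themselves (eight characters, mixed case, six-password history, lockout after more than three failures for at least 15 minutes) are taken from the quoted text so that each one, including the fourth-failure lockout and the history window, can be checked on its own.

```python
"""Reference model of the password rules quoted in the Heart-Healthy policy."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

# Constants taken from the quoted policy text.
MIN_LENGTH = 8
HISTORY_DEPTH = 6
MAX_FAILED_ATTEMPTS = 3           # "more than three times": the 4th failure locks
LOCKOUT_SECONDS = 15 * 60         # "at least 15 minutes"
PBKDF2_ITERATIONS = 100_000       # assumption: the policy names no hash scheme


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the reuse history holds no recoverable plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


@dataclass
class Account:
    """Constructed in-memory account record (assumption, not from the policy)."""
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)   # oldest first
    failed_attempts: int = 0
    locked_until: float = 0.0                             # epoch seconds


def complexity_errors(password: str) -> List[str]:
    """Return every violated complexity rule so the user sees all of them.

    The quoted policy requires only length and letter-case mixing; it has
    no digit or symbol rule, so none is enforced here.
    """
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    return errors


def set_password(acct: Account, new_password: str) -> Optional[str]:
    """Apply the complexity and six-password history rules.

    Returns None on success, otherwise the reason the reset was refused.
    The current password is the most recent history entry, so it counts as
    one of the six that may not be reused.
    """
    errors = complexity_errors(new_password)
    if errors:
        return "; ".join(errors)
    digest = _hash(new_password, acct.salt)
    recent = acct.history[-HISTORY_DEPTH:]
    if any(hmac.compare_digest(digest, old) for old in recent):
        return "matches one of the previous %d passwords" % HISTORY_DEPTH
    acct.history.append(digest)
    del acct.history[:-HISTORY_DEPTH]   # keep only the six that matter
    return None


def authenticate(acct: Account, password: str, now: float) -> str:
    """Return 'ok', 'denied' or 'locked'; `now` is injected for testing."""
    if now < acct.locked_until:
        return "locked"
    current = acct.history[-1] if acct.history else None
    if current is not None and hmac.compare_digest(_hash(password, acct.salt), current):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts > MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0
    return "denied"


if __name__ == "__main__":
    import time
    demo = Account("demo")
    print(set_password(demo, "short"))              # complexity failures listed
    print(set_password(demo, "Seasonal1"))          # None: accepted
    print(set_password(demo, "Seasonal1"))          # refused: reuse of current
    for _ in range(4):
        print(authenticate(demo, "wrong-guess", time.time()))
    print(authenticate(demo, "Seasonal1", time.time()))   # locked for 15 minutes
```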
TFT Task 1 Rubric (Score/Level: 0.00, 1.00, 2.00)

Articulation of Response (clarity, organization, mechanics)
0.00: The candidate provides unsatisfactory articulation of response.
1.00: The candidate provides weak articulation of response.
2.00: The candidate provides adequate articulation of response.

A1. New-User Section
0.00: The candidate does not provide a new policy statement with 2 modifications for the New Users section of the attached “Heart-Healthy Insurance Information Security Policy.”
1.00: The candidate provides a new policy statement with 1 modification for the New Users section of the attached “Heart-Healthy Insurance Information Security Policy.”
2.00: The candidate provides a new policy statement with 2 modifications for the New Users section of the attached “Heart-Healthy Insurance Information Security Policy.”

A2. Password Requirements Section
0.00: The candidate does not provide a new policy statement with 2 modifications for the Password Requirements section of the attached “Heart-Healthy Insurance Information Security Policy.”
1.00: The candidate provides a new policy statement with 1 modification for the Password Requirements section of the attached “Heart-Healthy Insurance Information Security Policy.”
2.00: The candidate provides a new policy statement with 2 modifications for the Password Requirements section of the attached “Heart-Healthy Insurance Information Security Policy.”

B. Justification
0.00: The candidate does not provide a logical justification of each of the modifications in parts A1 and A2 based on specific current industry standards that are applicable to the case study.
1.00: The candidate provides a logical justification, with insufficient support, of each of the modifications in parts A1 and A2 based on specific current industry standards that are applicable to the case study.
2.00: The candidate provides a logical justification, with sufficient support, of each of the modifications in parts A1 and A2 based on specific current industry standards that are applicable to the case study.

C. Sources
0.00: When the candidate uses sources, the candidate does not provide in-text citations and references for each source used.
1.00: When the candidate uses sources, the candidate provides appropriate in-text citations and references with major deviations from APA style.
2.00: When the candidate uses sources, the candidate provides appropriate in-text citations and references accurately or with only minor deviations from APA style, OR the candidate does not use sources.
SUBDOMAIN 423.1 - CYBERLAW
Competency 423.1.1: Standards and Legal Issues - The graduate develops a legal analysis addressing legal issues, standards, policies, legislation, and governance related to cybercrimes for enterprise systems.
Introduction:
As an information security professional, you are responsible for ensuring preventive information security controls are in place. Such controls include implementing organizational and security policies, processes, and other forms of preventive security measures.
Scenario:
During a routine audit of an electronic health record (EHR) system, a major healthcare provider discovered three undocumented accounts that appear to have access to the entire clinical and financial health record within the system. Further investigation revealed that these accounts were accessing records around the clock via remote access to the healthcare system’s network. Three remote access accounts appear to have been set up at least six months prior to the creation date of the first account in the EHR. Additionally, the accounts in the EHR were originally established as standard user accounts approximately two months ago and escalated to full access over the course of two weeks.
System controls are verified to be in effect that limit access for each account to no more than 300 records per day. Over the course of the past two months, it is estimated that more than 37,000 but no more than 50,000 records could have been accessed. Reports are being run to determine which patient accounts were accessed, but the reports will take more than two weeks to identify the record identification numbers and then longer than 60 days to compile the usernames and addresses. An audit of other systems that contain sensitive information revealed no other unauthorized access.
Audit files that would normally identify the creator of the accounts overwrite themselves after two weeks in the systems that provide remote access and the EHR. No one in senior management has any reason to suspect that it was an inside job, but based on the short duration of log retention there is no way to eliminate that possibility either.
Task:
Create a legal analysis by doing the following:
A. Create three organizational policy statements that may have prevented the security breach.
1. Justify each organizational policy statement based on a nationally or internationally recognized standard (e.g., ISO/IEC, NIST).
B. When you use sources, include all in-text citations and references in APA format.
Note: When bulleted points are present in the task prompt, the level of detail or support called for in the rubric refers to those bulleted points.
Note: For definitions of terms commonly used in the rubric, see the Rubric Terms web link included in the Evaluation Procedures section.
Note: When using sources to support ideas and elements in a paper or project, the submission MUST include APA formatted in-text citations with a corresponding reference list for any direct quotes or paraphrasing. It is not necessary to list sources that were consulted if they have not been quoted or paraphrased in the text of the paper or project.
Note: No more than a combined total of 30% of a submission can be directly quoted or closely paraphrased from sources, even if cited correctly. For tips on using APA style, please refer to the APA Handout web link included in the General Instructions section.
TFT Task 2 Rubric (Score/Level: 0.00, 1.00, 2.00)

Articulation of Response (clarity, organization, mechanics)
0.00: The candidate provides unsatisfactory articulation of response.
1.00: The candidate provides weak articulation of response.
2.00: The candidate provides adequate articulation of response.

A. Policy Statements
0.00: The candidate does not provide 3 organizational policy statements that may have prevented the security breach.
1.00: The candidate provides, with insufficient detail, 3 organizational policy statements that may have prevented the security breach.
2.00: The candidate provides, with sufficient detail, 3 organizational policy statements that may have prevented the security breach.

A1. Justification
0.00: The candidate does not provide a logical justification of each organizational policy statement based on a nationally or internationally recognized standard.
1.00: The candidate provides a logical justification, with insufficient support, of each organizational policy statement based on a nationally or internationally recognized standard.
2.00: The candidate provides a logical justification, with sufficient support, of each organizational policy statement based on a nationally or internationally recognized standard.

B. Sources
0.00: When the candidate uses sources, the candidate does not provide in-text citations and references for each source used.
1.00: When the candidate uses sources, the candidate provides appropriate in-text citations and references with major deviations from APA style.
2.00: When the candidate uses sources, the candidate provides appropriate in-text citations and references accurately or with only minor deviations from APA style, OR the candidate does not use sources.
SUBDOMAIN 423.1 - CYBERLAW
Competency 423.1.4: Cyber Agreements - The graduate explains the underlying principles governing e-commerce third-party vendor agreements and translates them into practical recommendations for the implementation of such agreements.
Introduction:
For this task you will respond to a hypothetical business arrangement where you have been asked to review an initial draft of a service level agreement (SLA) between your company, Finman Account Management, and two other companies, Datanal and Minertek. Based on your recommendations for modifications, Finman will propose a final agreement.
Task:
A. Recommend changes (i.e., modifications, insertions, or deletions) to the attached “Service Level Agreement” to better protect Finman’s data and intellectual property.
1. Justify how your recommendations will limit use, sharing, retention, and destruction of Finman’s corporate data by Datanal and Minertek.
2. Justify how your recommendations will assure that Finman’s property, patents, copyrights, and other proprietary rights are protected.
B. When you use sources, include all in-text citations and references in APA format.
Note: When bulleted points are present in the task prompt, the level of detail or support called for in the rubric refers to those bulleted points.
Note: For definitions of terms commonly used in the rubric, see the Rubric Terms web link included in the Evaluation Procedures section.
Note: When using sources to support ideas and elements in a paper or project, the submission MUST include APA formatted in-text citations with a corresponding reference list for any direct quotes or paraphrasing. It is not necessary to list sources that were consulted if they have not been quoted or paraphrased in the text of the paper or project.
Note: No more than a combined total of 30% of a submission can be directly quoted or closely paraphrased from sources, even if cited correctly. For tips on using APA style, please refer to the APA Handout web link included in the General Instructions section.
A Service Level Agreement for Provision of Specified IT Services Between Finman Account Management, LLC, Datanal, Inc., and Minertek, Inc.
1. Period of Service
The service level agreement (SLA) is for a period of three years, commencing on July 1, 2011, and concluding on June 30, 2014, with provision for renewal and extension upon agreement of all parties and contingent upon satisfactory fulfillment of specified services, as determined by semiannual review.
2. Parties to the Agreement
Finman Account Management, LLC, employs more than 9,000 professional staff in 70 offices located in 20 countries and realizes gross income of nearly $4 billion annually. Finman provides a range of business management services and takes particular pride in staying abreast of information technologies, trends, and applications—particularly those that help control costs, eliminate overlap, and enhance efficiency and productivity.
With more than 50 years’ experience in business management, Finman has gained a broad and deep understanding of its own and its customers’ resources, needs, and growth potential, particularly in the present rapidly evolving and expanding IT environment. After meticulous review, Finman has determined that with the assistance of the above-named firms, Finman will be positioned to significantly improve and expand its services to its existing customers and compete more effectively nationally and internationally.
Datanal, Inc., was established by five IT entrepreneur colleagues in 2002. It enjoys a reputation for outstanding performance and presently employs some 350 IT specialists, most with proven skill in analyzing, organizing, and managing large, diversified streams of data and databases in logical, systematic form, transparently and effectively bridging present artificial separations. By enabling customers to assimilate a consistently large influx of new data while simultaneously drawing from previously unrealized complementary database resources, Datanal enables its customers to perform more effectively in a highly competitive economy. Datanal works toward a unified IT management plan across an entire organization—even across separate departments and divisions.
Minertek, Inc., begun by two federal laboratory computer scientists in 2005, has built a team of more than 200 skilled software developers with particular interest and proficiency in designing and creating innovative and effective data mining programs and applications for research and business. Minertek previously teamed up with Datanal to provide more cost-effective software and data management approaches for payroll and tax services, enabling customers to reduce or eliminate duplicate, parallel systems and achieve economies of scale.
Datanal and Minertek’s combined expertise will enable Finman to significantly advance beyond its traditional yet highly respected services. Finman expects to expand its services to existing customers by 5 to 10% over the first year of the SLA, increasing its market share by more than $1 million in the succeeding year, with proportionate increases in subsequent years.
3. Background and Rationale
In recent years Finman and its customers have devoted time and resources to anticipate IT trends and applications that have a transforming effect on their companies and operations, presenting them with sometimes difficult short-term choices and radically different strategies for the future. The IT challenges have been paramount, effecting structural and operational change in government, academic and research institutions, healthcare and emergency services, banking and finance, manufacturing, transportation, and all service providers.
Finman views this SLA as a groundbreaking venture to harness the diverse array of IT-borne customer demands and opportunities that cannot be met by adhering to traditional paradigms. Finman’s objectives in the SLA are to compete more effectively in a highly competitive industry by offering its customers a unified IT management plan across an entire organization or even, if the customer wishes, across separate departments and divisions. Datanal, utilizing sophisticated data-mining software developed by Minertek, will recognize and integrate common IT characteristics from disparate operations, programs, procedures, and products—even those located in separate and unrelated service areas. This enables the customer to reduce or eliminate duplicate, parallel systems and to achieve economies of scale and open new opportunities.
4. Statement of Intent
As recognized by leading research and consulting firms with knowledgeable, skilled management, advanced state-of-the-art IT affords extraordinary opportunities for greater efficiencies, cost reduction, higher productivity, customer satisfaction, and profitability. Sophisticated IT applications realize their full potential with highly specialized technical knowledge and management skills readily available only in smaller firms focused primarily or exclusively on such applications.
Finman has determined that service level management (SLM) offers the most promising strategy for the firm, both near and long-term, and the present SLA is a significant part of that strategy.
5. Scope of the Work Effort
In the initial year, Finman, Datanal, and Minertek will each deploy, on a gradual basis, a force of 20–25 specialists together with attendant management and supervisory and support personnel in the United States, Europe, and Asia, to be increased as the effort expands to its full complement, perhaps three times that number.
Datanal and Minertek have proffered specific information to show that they have in their present employ a cadre of skilled and experienced technical experts prepared and available to take on the required responsibilities. The firms attest that together they have on hand and available all IT hardware and software required to undertake and carry out this work effort.
Within two weeks of the signing of the SLA, Datanal and Minertek will present to Finman’s account manager a detailed plan for the conduct of this effort, based upon and incorporating plans and proposals for the work effort, as agreed upon in a series of preliminary meetings over more than six months.
In 30–90 days from the signing of this SLA, all parties will have data management systems, hardware, and software in place in at least 10 locations selected by Finman in the United States and abroad, according to the agreed-upon schedule and responsibilities, to begin inspection, collection, assortment, analysis, and assimilation of customer data, together with indications of common, similar, or analogous characteristics.
6. Non-Exclusivity
This agreement is non-exclusive.
7. Metrics
Throughout this work effort, progress will be gauged by specific, clearly defined metrics developed by all parties to the agreement, which are fully agreed upon and simple to understand and employ. Metrics will reflect specifically and in all aspects the principal, strategic objectives of the SLA for Finman and its customers, Datanal, and Minertek. Metrics will be designed to set clear and straightforward targets to determine performance. A helpful rule noted by CAST is that, “Software quality that cannot be measured cannot be managed.”
8. Quality
The success or failure of this work effort depends fundamentally on the quality of effort of each person involved, with careful attention to detail in defining specific tasks, establishing clear and fully agreed upon metrics, obtaining and preserving all relevant data intact, and analyzing data meticulously and creatively for its potential benefits and uses.
Those engaged in this work effort are expected to apply the full potential of their knowledge and creativity to its success.
9. Personal Conduct
Everyone associated with this work effort must adhere to the highest standards of professional conduct at all times, particularly in and around customers’ offices, cubicles, labs, and other work locations.
Every effort must be made by all persons associated with this effort to respect all employees and all property of Finman and its customers in particular. All involved in the work effort should take particular precautions to respect each person’s work space, papers, property, and privacy.
10. Deliverables and Feedback
Three months after the signing of the SLA, Datanal, with Minertek’s full input, will present to Finman a detailed review of the combined progress of the work effort to date. In particular, the review should indicate likely opportunities that appear to be emerging for Finman’s customers to realize significantly improved, potentially productive, and more cost-effective management services, which would afford these customers new business opportunities at reduced costs.
The report will discuss the specific feedback from Finman’s data-systems managers and customer-account managers on the perceived impact of the work effort. All reports should measure perceived progress against recognized and accepted historical performance data and specify actionable items. A few specific metrics are particularly valuable for decision making.
The report will present specific and objective feedback from Finman, Datanal, and Minertek employees on complaints received, including any interruption, loss, change, or corruption of data. Also, the report will, to the extent possible, provide an explanation for such interference.
At the six-month anniversary of the SLA, a complete and detailed review will be presented to the senior management at Finman, inviting and responding to questions from Finman management.
Subsequent progress reviews and fully detailed reviews will be presented alternately at three-month intervals.
All reports will be presented in hardbound copies and in personal presentations to Finman management.
11. Compensation
Compensation for this work effort will be agreed upon and set in advance at a fixed annual amount, payable by Finman in equal monthly installments on the first day of each month.
12. Termination of the Agreement
The SLA may be terminated immediately by Finman upon clear showing of non-performance or malfeasance.
TFT Task 3 Rubric (Score/Level: 0.00, 1.00, 2.00)

Articulation of Response (clarity, organization, mechanics)
0.00: The candidate provides unsatisfactory articulation of response.
1.00: The candidate provides weak articulation of response.
2.00: The candidate provides adequate articulation of response.

A. Recommendations
0.00: The candidate does not provide appropriate recommendations for changes to the attached “Service Level Agreement” to better protect Finman’s data and intellectual property.
1.00: The candidate provides appropriate recommendations, with insufficient detail, for changes to the attached “Service Level Agreement” to better protect Finman’s data and intellectual property.
2.00: The candidate provides appropriate recommendations, with sufficient detail, for changes to the attached “Service Level Agreement” to better protect Finman’s data and intellectual property.

A1. Justification: Data
0.00: The candidate does not provide a logical justification of how the recommendations will limit use, sharing, retention, and destruction of Finman’s corporate data by Datanal and Minertek.
1.00: The candidate provides a logical justification, with insufficient support, of how the recommendations will limit use, sharing, retention, and destruction of Finman’s corporate data by Datanal and Minertek.
2.00: The candidate provides a logical justification, with sufficient support, of how the recommendations will limit use, sharing, retention, and destruction of Finman’s corporate data by Datanal and Minertek.

A2. Justification: Rights
0.00: The candidate does not provide a logical justification of how the recommendations will assure that Finman’s property, patents, copyrights, and other proprietary rights are protected.
1.00: The candidate provides a logical justification, with insufficient support, of how the recommendations will assure that Finman’s property, patents, copyrights, and other proprietary rights are protected.
2.00: The candidate provides a logical justification, with sufficient support, of how the recommendations will assure that Finman’s property, patents, copyrights, and other proprietary rights are protected.

B. Sources
0.00: When the candidate uses sources, the candidate does not provide in-text citations and references for each source used.
1.00: When the candidate uses sources, the candidate provides appropriate in-text citations and references with major deviations from APA style.
2.00: When the candidate uses sources, the candidate provides appropriate in-text citations and references accurately or with only minor deviations from APA style, OR the candidate does not use sources.
DOMAIN 423.1 - CYBERLAW
Competency 423.1.3: Laws and Regulations of Cyberterrorism and Cybercrimes - The graduate evaluates the application of current laws and regulations in situations involving constitutional controversy and authority, deterring terrorism, ethical implications, or cybercrime.
Competency 423.1.5: Regulatory Requirements and Standards - The graduate ensures alignment of regulatory requirements and standards with appropriate information security and assurance controls for organizations that process or hold privacy, financial, or medical information electronically.
Competency 423.1.7: Cybercrimes - The graduate analyzes cybercrime scenarios to determine potential implications to enterprise continuity.
Scenario:
You are the chief information security officer (CISO) for VL Bank as depicted in the attached “VL Bank Case Study.” Examine the body of evidence that your information security analysts have collected and consider the following:
• Who is affected?
• What happened?
• Where have the events occurred?
• How will you resolve the cybercrime?
• How did this happen?
Task:
A. Develop a report (suggested length of 3–5 pages) for VL Bank senior management regarding the cybercrime from the attached “VL Bank Case Study” in which you do the following:
1. Discuss how two laws or regulations apply to the case study.
a. Discuss how VL Bank will work within the parameters of appropriate legal jurisdiction with specific bodies of law enforcement to resolve the situation.
b. Discuss legal considerations for preparing the digital evidence VL Bank will need to provide law enforcement and attorneys.
c. Explain what coordination should take place between the CISO and VL Bank’s lawyer.
2. Discuss how this cybercrime could affect VL Bank’s enterprise continuity.
a. Explain how VL Bank could use technology to prevent the cybercrime in the case scenario.
3. Discuss information security and assurance controls that could mitigate future attacks of this kind at VL Bank.
a. Explain how these controls align to regulatory requirements and standards.
B. When you use sources, include all in-text citations and references in APA format.
Note: When bulleted points are present in the task prompt, the level of detail or support called for in the rubric refers to those bulleted points.
Note: For definitions of terms commonly used in the rubric, see the Rubric Terms web link included in the Evaluation Procedures section.
Note: When using sources to support ideas and elements in a paper or project, the submission MUST include APA formatted in-text citations with a corresponding reference list for any direct quotes or paraphrasing. It is not necessary to list sources that were consulted if they have not been quoted or paraphrased in the text of the paper or project.
Note: No more than a combined total of 30% of a submission can be directly quoted or closely paraphrased from sources, even if cited correctly. For tips on using APA style, please refer to the APA Handout web link included in the General Instructions section.
VL Bank Case Study
You are the chief information security officer (CISO) for VL Bank, based in Atlanta, Georgia. Recently, a highly sophisticated and cleverly orchestrated crime was brought to your attention by the information security analysts in your department and by a growing number of business customers.
Your company’s commercial customers use a digital certificate multifactor authentication process to access the wire transfer, cash management, deposit operations, and account management applications common to all business customers. The problem is that several customers have reported that new user accounts have been set up under their names without their authorization, and these accounts are initiating several fund transfers of $10,000 each. The wire transfers are being sent to various other bank accounts across the United States. As of today, the fraudulent transfers total over $290,000.
The bank’s affected customers are calling to get answers and reclaim lost funds. Your supervisor is demanding answers from you as well. The bank’s general counsel is preparing for litigation threats from the affected customers. This could be a business nightmare, especially if you fail to resolve the situation quickly.
After further analysis, you learn some additional information about the case:
1. The $10,000 individual transfers are going to several U.S. bank accounts of individuals before being automatically transferred to several international bank accounts located in Romania, Thailand, Moldova, and China.
2. The bank’s affected customers all used computers infected with a keystroke-logging virus that collected usernames, passwords, account numbers, personal identification numbers, URL addresses, and digital certificates. These computers did not have anti-virus or security software installed.
3. The bank’s customers are frequently experiencing spear phishing attacks: fake e-mails that resemble normal business e-mail messages to customers but carry the keystroke-logging virus.
4. The bank’s systems have not been breached and no customer data has been stolen, except from the few business customers whose personal business computers were compromised.
5. The U.S. banks that received fraudulent funds transfers are located in four other U.S. states in addition to VL Bank in Georgia. They are Bank A in California, Bank B in New York, Bank C in Texas, and Bank D in Florida.
6. VL Bank’s account manager responsible for these affected customers has access to copies of the digital certificates used by the customers, as well as account access.
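The case study describes a recognizable transaction pattern: an unauthorized user account is created inside a commercial customer’s portal and, shortly afterwards, that user sends a burst of identical $10,000 wires to out-of-state beneficiaries. The following Python is an added illustration of how a bank’s fraud-monitoring layer could flag that pattern from its own portal audit log; it is not part of the case study or the assignment. The event schema, the customer and user names, the beneficiary labels, and the thresholds (a 7-day “new user” window, 3 or more identical amounts within 24 hours) are assumptions for the example, and the event log is constructed, not taken from the case.

```python
"""Detection heuristics for the VL Bank fraud pattern (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds; a real deployment would tune these against historical customer behaviour.
NEW_USER_WINDOW = timedelta(days=7)   # wires by a user account younger than this are suspicious
BURST_WINDOW = timedelta(hours=24)    # window for the "same amount repeated" rule
BURST_MIN_COUNT = 3                   # this many identical-amount wires in the window raises an alert


@dataclass(frozen=True)
class Event:
    ts: datetime
    customer: str       # commercial customer whose portal the action happened in
    actor: str          # user id that performed the action
    kind: str           # "user_created" or "wire"
    target: str = ""    # new user id for user_created; beneficiary bank for wire
    amount: float = 0.0 # wire amount in USD (0 for non-wire events)


@dataclass(frozen=True)
class Alert:
    customer: str
    rule: str
    detail: str


# Constructed sample audit log (hypothetical customers "acme" and "globex").
SAMPLE_EVENTS = [
    # Long-standing user at globex: created months earlier, ordinary wires.
    Event(datetime(2023, 6, 12, 14, 0), "globex", "globex.admin", "user_created", "globex.treasurer"),
    Event(datetime(2024, 3, 1, 10, 0), "globex", "globex.treasurer", "wire", "Vendor-GA", 10000.0),
    Event(datetime(2024, 3, 1, 11, 30), "globex", "globex.treasurer", "wire", "Vendor-GA", 4500.0),
    # acme: a new user appears and immediately wires $10,000 three times to three states.
    Event(datetime(2024, 3, 1, 9, 0), "acme", "acme.admin", "user_created", "acme.newuser1"),
    Event(datetime(2024, 3, 1, 9, 20), "acme", "acme.newuser1", "wire", "BankA-CA", 10000.0),
    Event(datetime(2024, 3, 1, 9, 35), "acme", "acme.newuser1", "wire", "BankB-NY", 10000.0),
    Event(datetime(2024, 3, 1, 9, 50), "acme", "acme.newuser1", "wire", "BankC-TX", 10000.0),
]


def find_new_user_wires(events):
    """Rule 1: a wire sent by a user whose account was created less than NEW_USER_WINDOW earlier."""
    created = {e.target: e.ts for e in events if e.kind == "user_created"}
    alerts = []
    for e in events:
        if e.kind != "wire":
            continue
        born = created.get(e.actor)
        if born is not None and timedelta(0) <= e.ts - born < NEW_USER_WINDOW:
            age_min = int((e.ts - born).total_seconds() // 60)
            alerts.append(Alert(e.customer, "new_user_wire",
                                f"{e.actor} created {age_min} min before wiring {e.amount:.2f} to {e.target}"))
    return alerts


def find_repeated_amount_bursts(events):
    """Rule 2: BURST_MIN_COUNT or more wires of one identical amount from one customer within BURST_WINDOW."""
    by_key = defaultdict(list)
    for e in events:
        if e.kind == "wire":
            by_key[(e.customer, e.amount)].append(e.ts)
    alerts = []
    for (customer, amount), stamps in by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_MIN_COUNT:
                alerts.append(Alert(customer, "repeated_amount",
                                    f"{end - start + 1} wires of {amount:.2f} within {BURST_WINDOW}"))
                break                           # one alert per (customer, amount)
    return alerts


def detect(events):
    """Run every rule and return the combined alert list."""
    return find_new_user_wires(events) + find_repeated_amount_bursts(events)


def flagged_customers(alerts):
    """Distinct customers that have at least one alert, sorted for stable output."""
    return sorted({a.customer for a in alerts})


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.customer}: {a.detail}")
```

Either rule on its own is noisy (legitimate staff turnover creates new users; payroll runs repeat amounts), so in practice the two signals would be combined with a hold-and-confirm step: a wire that trips both rules is queued for out-of-band confirmation with a known contact at the customer before release, which also defeats a stolen certificate and keylogged password because the attacker does not control that second channel.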
TFT Task 4 Rubric
Each criterion is scored at one of five levels (Score/Level): 0.00, 1.00, 2.00, 3.00 or 4.00.

Articulation of Response (clarity, organization, mechanics)
0.00: The candidate provides unsatisfactory articulation of response.
1.00: The candidate provides weak articulation of response.
2.00: The candidate provides limited articulation of response.
3.00: The candidate provides adequate articulation of response.
4.00: The candidate provides substantial articulation of response.

A1. Laws or Regulations
0.00: The candidate does not provide a logical discussion of how 2 laws or regulations apply to the case study.
1.00: The candidate provides a logical discussion, with no support, of how 2 laws or regulations apply to the case study.
2.00: The candidate provides a logical discussion, with limited support, of how 2 laws or regulations apply to the case study.
3.00: The candidate provides a logical discussion, with adequate support, of how 2 laws or regulations apply to the case study.
4.00: The candidate provides a logical discussion, with substantial support, of how 2 laws or regulations apply to the case study.

A1a. Legal Jurisdiction
0.00: The candidate does not provide a logical discussion of how VL Bank will work within the parameters of appropriate legal jurisdiction with specific bodies of law enforcement to resolve the situation.
1.00: The candidate provides a logical discussion, with no support, of how VL Bank will work within the parameters of appropriate legal jurisdiction with specific bodies of law enforcement to resolve the situation.
2.00: The candidate provides a logical discussion, with limited support, of how VL Bank will work within the parameters of appropriate legal jurisdiction with specific bodies of law enforcement to resolve the situation.
3.00: The candidate provides a logical discussion, with adequate support, of how VL Bank will work within the parameters of appropriate legal jurisdiction with specific bodies of law enforcement to resolve the situation.
4.00: The candidate provides a logical discussion, with substantial support, of how VL Bank will work within the parameters of appropriate legal jurisdiction with specific bodies of law enforcement to resolve the situation.

A1b. Legal Considerations
0.00: The candidate does not provide a logical discussion of legal considerations for preparing the digital evidence VL Bank will need to provide law enforcement and attorneys.
1.00: The candidate provides a logical discussion, with no support, of legal considerations for preparing the digital evidence VL Bank will need to provide law enforcement and attorneys.
2.00: The candidate provides a logical discussion, with limited support, of legal considerations for preparing the digital evidence VL Bank will need to provide law enforcement and attorneys.
3.00: The candidate provides a logical discussion, with adequate support, of legal considerations for preparing the digital evidence VL Bank will need to provide law enforcement and attorneys.
4.00: The candidate provides a logical discussion, with substantial support, of legal considerations for preparing the digital evidence VL Bank will need to provide law enforcement and attorneys.

A1c. Coordination
0.00: The candidate does not provide a logical explanation of what coordination should take place between the CISO and VL Bank’s lawyer.
1.00: The candidate provides a logical explanation, with no detail, of what coordination should take place between the CISO and VL Bank’s lawyer.
2.00: The candidate provides a logical explanation, with limited detail, of what coordination should take place between the CISO and VL Bank’s lawyer.
3.00: The candidate provides a logical explanation, with adequate detail, of what coordination should take place between the CISO and VL Bank’s lawyer.
4.00: The candidate provides a logical explanation, with substantial detail, of what coordination should take place between the CISO and VL Bank’s lawyer.

A2. Cybercrime Effects
0.00: The candidate does not provide a logical discussion of how the cybercrime could affect VL Bank’s enterprise continuity.
1.00: The candidate provides a logical discussion, with no support, of how the cybercrime could affect VL Bank’s enterprise continuity.
2.00: The candidate provides a logical discussion, with limited support, of how the cybercrime could affect VL Bank’s enterprise continuity.
3.00: The candidate provides a logical discussion, with adequate support, of how the cybercrime could affect VL Bank’s enterprise continuity.
4.00: The candidate provides a logical discussion, with substantial support, of how the cybercrime could affect VL Bank’s enterprise continuity.

A2a. Technology
0.00: The candidate does not provide a logical explanation of how VL Bank could use technology to prevent the cybercrime in the case scenario.
1.00: The candidate provides a logical explanation, with no support, of how VL Bank could use technology to prevent the cybercrime in the case scenario.
2.00: The candidate provides a logical explanation, with limited support, of how VL Bank could use technology to prevent the cybercrime in the case scenario.
3.00: The candidate provides a logical explanation, with adequate support, of how VL Bank could use technology to prevent the cybercrime in the case scenario.
4.00: The candidate provides a logical explanation, with substantial support, of how VL Bank could use technology to prevent the cybercrime in the case scenario.

A3. Controls
0.00: The candidate does not provide a logical discussion of information security and assurance controls that could mitigate future attacks of this kind at VL Bank.
1.00: The candidate provides a logical discussion, with no detail, of information security and assurance controls that could mitigate future attacks of this kind at VL Bank.
2.00: The candidate provides a logical discussion, with limited detail, of information security and assurance controls that could mitigate future attacks of this kind at VL Bank.
3.00: The candidate provides a logical discussion, with adequate detail, of information security and assurance controls that could mitigate future attacks of this kind at VL Bank.
4.00: The candidate provides a logical discussion, with substantial detail, of information security and assurance controls that could mitigate future attacks of this kind at VL Bank.

A3a. Alignment
0.00: The candidate does not provide a logical explanation of how the controls align to regulatory requirements and standards.
1.00: The candidate provides a logical explanation, with no support, of how the controls align to regulatory requirements and standards.
2.00: The candidate provides a logical explanation, with limited support, of how the controls align to regulatory requirements and standards.
3.00: The candidate provides a logical explanation, with adequate support, of how the controls align to regulatory requirements and standards.
4.00: The candidate provides a logical explanation, with substantial support, of how the controls align to regulatory requirements and standards.

B. Sources
0.00: When the candidate uses sources, the candidate does not provide in-text citations and references.
1.00: When the candidate uses sources, the candidate provides only some in-text citations and references.
2.00: When the candidate uses sources, the candidate provides appropriate in-text citations and references with major deviations from APA style.
3.00: When the candidate uses sources, the candidate provides appropriate in-text citations and references with minor deviations from APA style.
4.00: When the candidate uses sources, the candidate provides appropriate in-text citations and references with no readily detectable deviations from APA style, OR the candidate does not use sources.
Cyberlaw, regulations and compliance
Please only bid if you are familiar with this topic. The last few times, people just gave plagiarized info or were totally off topic. I have four assignments; some have attachments that need to be referred to, and each task has a grading scale that it needs to adhere to. So Task 1 will have a grading scale and will ask questions, and in that section of the paper you need to answer the question at the far side of the grading scale. Attached are the 4 assignments; please look them over before bidding. I need these in 3 days.