CIS 438 Assignment 1 Privacy Laws and Security Measures

You are an information security manager for a large retail sporting goods store. The CEO is concerned about the amount of information that is being collected and maintained within the organization. The sporting goods store does the following:
• Maintain an internal network and an intranet protected by a firewall
• Maintain a Web server in the DMZ that is protected by another firewall
• Accept credit card sales in the store and over the Web via e-Commerce transactions
• Maintain an email server for employee email communication and communication with other business partners and customers
• Maintain a wireless network within the store
• Use RFID for inventory and theft prevention
• Maintain a Facebook presence
• Provide health screening for high blood pressure, high cholesterol, and other potential health risks
Write a three- to five-page paper in which you:
1. Describe the major privacy issues facing organizations today.
2. Analyze the major privacy issues described above and compare that to the potential privacy risks facing the sporting goods store.
3. Explain the security risks and applicable laws that govern the privacy risk.
4. Describe the security measures that the organization needs to implement to mitigate the risks.

Discussion 3/1
For many years, we have encountered significant issues associated with PII being
compromised. Likewise, we have regulatory requirements and regulatory agencies
designed to protect our PII and financial data.
• Select one federal bank regulatory agency, and describe its control and
governance over the financial industry.

The National Credit Union Administration (NCUA) has jurisdiction over
federally chartered credit unions. These are identified by the word Federal in
the title of the credit union. Contact: National Credit Union Administration
The National Credit Union Administration (NCUA) is the independent federal
agency that regulates, charters and supervises federal credit unions. With the
backing of the full faith and credit of the U.S. Government, NCUA operates and
manages the National Credit Union Share Insurance Fund (NCUSIF), insuring
the deposits of more than 95 million account holders in all federal credit unions
and the overwhelming majority of state-chartered credit unions.
The Federal Credit Union Act (FCUA) is the source of authority for all federally
chartered credit unions and governs the coverage and terms of insured accounts
at all federally insured credit unions. It also determines the structure and duties
of NCUA. The Congress of the United States found the following, and embodied
the same in the Federal Credit Union Act of 1934 (most recent revision April
The Federal Reserve does not supervise or regulate credit unions. Federally
chartered credit unions are regulated by the National Credit Union
Administration, while state-chartered credit unions are regulated at the state
The Federal Reserve makes consumer protection rules (including rules that
implement the Truth in Lending, Home Mortgage Disclosure, and Equal Credit
Opportunity Acts) that all lenders, including credit unions, must follow. While
the Federal Reserve is responsible for writing these rules, enforcement is
handled by the NCUA for federally chartered credit unions and by the Federal
Trade Commission (FTC) and state regulators for state-chartered credit unions.
Like other financial institutions, credit unions are subject to a variety of other
laws and regulations that are enforced at both the state and federal levels.

• Suggest changes that need to take place, if any, given the continued incidents
that occur, to better mitigate the number of incidents associated with
compromised PII. Provide a rationale for your answer.

It doesn’t matter how many controls are in place and how many times an
organization is audited or fined, the human factor will always come into play.
Listed below are a few ways to mitigate incidents of compromised PII.
1. Stay informed on privacy policies and best practices – when you know, you can
2. Actively engage in protecting PII within business area – know the risks,
document the controls and implement the security requirements
3. Monitor adoption of privacy best practices within business area, and help staff
and management comply – education and more education
4. Periodically conduct Privacy Impact Assessments (PIA) or some type of audit
to ensure PII is protected – fix your problems before they become a big issue or
found by auditors.

Discussion 3/2
From the e-Activity, discuss how students’ educational information
is safeguarded. Decide if you believe that the safeguard methods
are sufficient, too stringent, or too lenient and support your

FERPA gives parents certain rights with respect to their children’s education
records. Generally, schools must have written permission from the parent or
eligible student in order to release any information from a student’s education
record. However, FERPA allows schools to disclose those records, without
consent, to the following parties or under the following conditions:
1. School officials with legitimate educational interest;
2. Other schools to which a student is transferring;
3. Specified officials for audit or evaluation purposes;
4. Appropriate parties in connection with financial aid to a student;
5. Organizations conducting certain studies for or on behalf of the school;
6. Accrediting organizations;
7. To comply with a judicial order or lawfully issued subpoena;
8. Appropriate officials in cases of health and safety emergencies; and
9. State and local authorities, within a juvenile justice system, pursuant to
specific State law.
Schools may disclose, without consent, “directory” information such as a
student’s name, address, telephone number, date and place of birth, honors and
awards, and dates of attendance. However, schools must tell parents and
eligible students about directory information and allow parents and eligible
students a reasonable amount of time to request that the school not disclose
directory information about them. Schools must notify parents and eligible
students annually of their rights under FERPA. The actual means of notification
(special letter, inclusion in a PTA bulletin, student handbook, or newspaper
article) is left to the discretion of each school.
FERPA generally prohibits the improper disclosure of personally identifiable
information derived from education records. Thus, information that an official
obtained through personal knowledge or observation, or has heard orally from
others, is not protected under FERPA. This remains applicable even if
education records exist which contain that information, unless the official had
an official role in making a determination that generated a protected education
With all that said, I think the safeguard methods are too lenient. The list of
parties who can have access to a student’s records without consent is too large.
Every year I do get the letter from the school about ‘directory’ information and I
respond ‘No’ to this request. I don’t want my child’s name, address, telephone
number, date and place of birth generally available. People intent on identity
theft don’t need much more information than that to steal your child’s identity.
Also, if a teacher overhears another teacher talking negatively about a student or
disclosing family information, health information, etc. about a student, that isn’t
protected under FERPA.

Discuss the similarities and the differences in how education
records are protected compared to how health information records
are protected.

The HIPAA Privacy Rule requires covered entities to protect individuals’ health
records and other identifiable health information by requiring appropriate
safeguards to protect privacy, and setting limits and conditions on the uses and
disclosures that may be made of such information without patient
authorization. The rule also gives patients rights over their health information,
including rights to examine and obtain a copy of their health records, and to
request corrections.
FERPA applies to educational agencies and institutions that receive funds
under any program administered by the U.S. Department of Education. This
includes virtually all public schools and school districts and most private and
public postsecondary institutions, including medical and other professional
Schools can disclose some information (called directory information) without
• Student’s name
• Address & telephone number
• Email address
• Date & place of birth
• Honors & awards
• Dates of attendance
Personal Health Information (which cannot be disclosed) includes:
• Street address
• Telephone & fax numbers
• Email address
• Social Security number
• Medical record numbers
• Full face photograph
Some overlap exists between what HIPAA defines as PHI and what FERPA
considers okay to disclose. Based on the research I did on this topic, I believe
there are more similarities in protecting student medical records than
differences. The big difference, in my opinion, is there is so much more in the
news about HIPAA than FERPA, so medical facilities may be more cautious
about ensuring patient information is protected than schools are.