What can your organization document and implement to help


Lab #1 - Assessment Worksheet

LAB #1: Creating an IT Infrastructure Asset List and Identifying Where Privacy Data Resides

Overview: In this lab, you created an IT asset/inventory checklist organized within the seven domains of a typical IT infrastructure, you performed an asset identification and classification exercise, you explained how a data classification standard is linked to customer privacy data and security controls, and you identified where privacy data resides and what security controls are needed to maintain compliance.

Lab Assessment Questions

1. What is the purpose of identifying IT assets and inventory?

2. What is the purpose of an asset classification?

3. Why might an organization's Web site classification be minor, but its e-commerce server be considered critical for your scenario?

4. Why would you classify customer privacy data and intellectual property assets as critical?

5. What are some examples of security controls for recent compliance law requirements?

6. How can a data classification standard help with asset classification?

7. Given the importance of a Master SQL database that houses customer privacy data and intellectual property assets, what security controls and security countermeasures can you apply to help protect these assets?

8. From a legal and liability perspective, what recommendations do you have for ensuring the confidentiality of customer privacy data throughout the Mock IT infrastructure?

9. What can your organization document and implement to help mitigate the risks, threats, and liabilities typically found in an IT infrastructure?

10. True or false: Organizations under recent compliance laws, such as HIPAA and the Gramm-Leach-Bliley Act (GLBA), are mandated to have documented IT security policies, standards, procedures, and guidelines.

11. Why is it important to identify where privacy data resides throughout your IT infrastructure?

Lab #2 - Assessment Worksheet

Case Study on U.S. Veterans Affairs and Loss of Privacy Information

Overview: In this lab, you reviewed a real-world case study that involved the loss of privacy information, and you analyzed what violations occurred, the implications of those violations, and the possible mitigation remedies that could prevent future violations.

Lab Assessment Questions & Answers

1. What is the difference between privacy law and information systems security? How are they related?

2. Was the employee justified in taking home official data? Why or why not?

3. What are the possible consequences associated with the data loss?

4. Regarding the loss of privacy data, was there any data containing protected health information (PHI), making this a Health Insurance Portability and Accountability Act (HIPAA) compliance violation?

5. What action can the agency take against the employee concerned?

6. Would the response of the agency have been different had the data theft occurred at work instead of happening at the employee's residence? Why or why not?

7. Why were the VA data analyst's two supervisors reprimanded and demoted by the VA secretary? Do you think this was justified? Why or why not?

8. What was violated in this data breach?

9. If the database had been encrypted because of VA policy, would this data loss issue even have been an issue? Why or why not?

10. What risk mitigation or security control recommendations would you suggest to prevent this from occurring again?

11. What information systems security and privacy security policies do you think would help mitigate this breach and loss of privacy data?

12. What or who was the weakest link in this chain of security and protection of privacy data?

13. If the VA had performed a security and information assurance audit for compliance, what could the VA do on an annual basis to help mitigate this type of loose policy conformance?

14. True or false: U.S. taxpayers ended up paying for this VA security breach, notifications, and post-mortem damage control.

15. Which organization in the U.S. federal government is responsible for performing audits on other U.S. federal government agencies? (Hint: It is also known as the "Congressional Watchdog.")
