Assignment:

Part 1: Complete the Executing the Response to a Cyberattack eLearning Module

So far, you have identified potential PII attacks and developed a set of PII solution and prevention alternatives. Before outlining a strategy for breach management, review Executing the Response to a Cyberattack. A response to cyberattack typically includes prevention measures, which you have already considered, but it also includes defense, detection, recovery, and response concerns. These areas should be developed with business considerations and subject to the advice of company leaders.

Now that you have become more familiar with an overview of how to execute a response to a cyberattack, proceed to the next step to outline a breach management strategy.

Part 2: Outline Breach Management Strategy

The next several steps will fit the alternatives into a breach management strategy. Strategic thinking can be challenging in a project environment. A "project" is work- and task-oriented, and it includes specific deliverables produced within a defined timeframe. Such projects have a limited budget and are developed to exact specifications. This project's charter is to present a strategic view of responding to a potential breach in the area of the system containing PII.

This section of the planning should explore areas other than cyber technology. It is about policies, required and recommended, that expand the project notes you have been creating to address corporate concerns outside of the technology realm, such as legal implications, reporting, etc.

Briefly outline, for use in the next few steps, a strategic approach in response to a breach allowing access to PII-customers and/or employees. Think of the policy aspects that will have to be addressed. You will continue to use the findings determined here and over the next few steps to produce a breach management strategy.

Breach management options will be considered in the next step.

Part 3: Determine Breach Management Options

Using the outline of the strategic approach developed in the previous step, determine both the technical and strategic options available in addressing a breach of PII. The eventual goal is to help senior management understand the level of effort required in an appropriate response to a breach. Take note of these options for future use.

Once complete, you will be ready to research legal issues in the next step.

Part 4: Research Breach Management Legal Issues

With breach management options identified in the last step, begin to research associated legal issues. Breach management in response to exfiltration of PII is well documented in a legal context. Multiple resources are available that address the issue. This section of your research and breach management strategy report should carefully identify all the concerns being raised in the courts surrounding previously documented cases.

The idea is to find evidence of court cases being litigated that are a result of a PII breach-not necessarily the outcomes of those legal proceedings. Identify the issues that your policy strategy should address and draft a discussion. This discussion will be used in a future report. After considering legal issues, move to the next step, which will be a look at cyber insurance.

Part 5: Research Breach Management Cyber Insurance Options

Redirect the research from legal issues in the last step to cyber insurance options in this step. As the number of PII breaches grows, so does the new industry of cyber insurance. Draft several paragraphs that state the options now available for this component of risk mitigation. Be sure to include what is covered by most readily available insurance policies, as well as what is not covered.

As an example: Is the institution covered for a customer PII breach if it is determined the breach was caused by an employee? The intent is not to make you a cyber insurance expert, but to offer senior leadership some of the strategic, big-picture options. This draft will be used in a future report.

In the next step, you will research the regulatory requirements of breach management.

Part 6: Research Breach Management Reporting and Other Requirements

Publicly traded enterprises and health care organizations are subject to governmental regulations and requirements where PII is concerned. In addition, some industries voluntarily impose standards upon their members. This is the section of the breach management strategy to address those issues.

What are the minimum reporting requirements applicable to financial institutions (in this case)? What standards are in place that must be met to prevent additional damage to the institution in the way of fines, warnings, or other sanctions as a result of noncompliance with regulations on reporting the breach?

Actual requirements for other industries could be similar, overlapping, or not, determined by the business sector, inclusion in critical infrastructure classification, and a number of other factors. The financial sector is our example for this project and not to be considered comprehensive or all-inclusive across all sectors.

In the next step, you will compile the report on breach management strategy.

Part 7: Compile the Breach Management Strategy Report

After considering the elements of breach management strategy over the last several steps, compile all drafts and revise into a complete five- to seven-page Breach Management Strategy that will present policies to senior leadership for the response to a PII breach.

You will need to include an overview of your strategic approach, options available, legal issues, cyber insurance, reporting and other requirements, and finally the proposal. Your proposal should identify issues/impacts with mitigation strategies, and include regulatory responses where they exist. Note how financial industry reporting requirements differ from health care or other industries.

Submit the Breach Management Strategy for feedback. This report will help complete your work on the final incident response plan.