Northern Virginia Community College Cybersecurity Strategy Essay

Abboznfgre961

Description

Write a paper in APA format. The attachment "paper 1 instructions" shows you how to write the paper. The first 7 pages are an example of what the final paper will look like. The assignment starts on page 8; there are 5 parts to it, but you only have to do part 3, which I highlighted in yellow on page 9. Here is part 3:

Part 3: Private Sector Organizations

  • Review the General Data Protection Regulation (GDPR) of the European Commission (EU). It includes many provisions and arguably strengthens data protection for individuals within the EU. It even includes the right to be forgotten. The United States does not have a similar regulation. There have only been a few regulations implemented related to US citizens' private data, which include medical and financial industries. Some argue implementing regulation such as GDPR in the United States would hinder innovation. They contend that the End User License Agreements (EULA) provide enough protections and allow the citizens to make the choice of what is and is not shared.
    • As a private sector organization, do you believe that an equivalent to GDPR should be implemented in the United States?
    • Please write as much as you can, and don't forget to add references.

Unformatted Attachment Preview

Cybersecurity Strategy, Law and Policy

Part 1: Cybersecurity Strategy

This section explores the different cybersecurity priorities and strategies of the European Union, the United States and NATO, the North Atlantic Treaty Organization. You will learn about US national security and cybersecurity policies, with specific regulations in health care, financial organizations, and federal agencies. For an international perspective, review the NATO Cooperative Cyber Defense Centre of Excellence efforts to support member nations with cyber defense initiatives.

What Is a National Cybersecurity Strategy?

A national cybersecurity strategy (NCSS) is a plan designed to improve the security and resilience of national infrastructure and services such as roads, bridges, tunnels, water supply, sewers, electrical grids, and telecommunications (ENISA, n.d.): "a high-level top-down approach to cybersecurity that establishes a range of national objectives and priorities that should be achieved in a specific timeframe." At least, that is how the European Union Agency for Network and Information Security (ENISA) defines it. So, what is the perspective of the United States? Well, that is complicated. Let's quickly review where the United States has been, and perhaps where it is going.

References

European Union Agency for Network and Information Security (ENISA). (n.d.). National cybersecurity strategies. Retrieved from https://www.enisa.europa.eu/topics/national-cyber-security-strategies

History of US Cybersecurity Strategy and Laws

On February 14, 2003, the Department of Homeland Security (DHS) released the National Strategy to Secure Cyberspace (DHS, 2003). This strategy was a subcomponent of the larger National Strategy for Homeland Security and was in response to the terrorist attacks of September 11, 2001. To summarize, it offers suggestions to the private sector, academia, and citizens for how to protect individual and organizational components that make up the informational, hardware, and software components that are operated via the internet. This document also introduces one of the first official uses of the term "cyberspace."

In January 2008, the president of the United States, George W. Bush, established the Comprehensive National Cybersecurity Initiative (CNCI). The initiative outlines US cybersecurity goals and spans multiple federal agencies including the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), and the National Security Agency (NSA) (DHS, 2003). The details of the CNCI were kept classified until the next president took office. In May 2009, the Obama administration declassified parts of the CNCI (Vijayan, 2010) and accepted the results. The next step was to strengthen the effort. In doing so, we learned that the goals of the initiative included (White House, 2017):

1. Establishing a front line of defense against network intrusion.
2. Defending the United States against the full spectrum of threats through counterintelligence.
3. Strengthening the future cybersecurity environment through education, coordination, and research.

In 2014, there were two national legislative efforts that were passed into law (Skeath, 2014):

1. The Cybersecurity Enhancement Act of 2014, which allows the National Institute of Standards and Technology (NIST) to facilitate the development of a private- and public-sector set of cybersecurity best practices for critical infrastructure.
2. The National Cybersecurity Protection Act of 2014, which codified the DHS's existing National Cybersecurity and Communication Integration Center (NCCIC). The intent of the NCCIC is to facilitate private- and public-sector sharing of information security threats, incident response, and technical assistance.

In 2015, the United States released its National Security Strategy, which discussed how cybersecurity would be addressed domestically and internationally. For example, the strategy claims that "we are working with the owners and operators of our Nation's critical cyber and physical infrastructure across every sector—financial, energy, transportation, health, information technology, and more – to decrease vulnerabilities and increase resilience" (White House, 2015). Also in 2015, the Department of Defense (DoD) released its Cyber Strategy. The DoD Cyber Strategy focuses on three primary missions (Department of Defense, 2015):

1. Defend DoD networks, systems, and information
2. Defend the US homeland and US national interests against cyberattacks of significant consequence
3. Provide cyber support to military operational and contingency plans

Source: US Department of Defense (n.d.). DoD's three primary cyber missions. In the public domain. Retrieved from http://archive.defense.gov/home/features/2015/0415_cyber-strategy/

Finally, and arguably most significant, the Cybersecurity Act of 2015 was signed into law. The reason why some argue this act was so significant was because it established a mechanism for cybersecurity information sharing among private-sector and federal government entities (Sullivan & Cromwell, 2015). In the context of its short history, this was a big year for cybersecurity strategy and legislation. In 2017, President Donald Trump signed a cybersecurity executive order that outlined three key priorities: (1) protecting federal networks, (2) updating antiquated and outdated systems, and (3) directing all department and agency heads to work together (White House, 2017). Also, the National Security Strategy of 2017 again touched on cybersecurity as a subcomponent of a larger national strategy (Sulmeyer, 2017).

References

Department of Defense. (2015). The Department of Defense cyber strategy. Retrieved from https://dod.defense.gov/News/Special-Reports/0415_Cyber-Strategy/
Department of Homeland Security (DHS). (2003). National strategy to secure cyberspace. Retrieved from https://www.dhs.gov/national-strategy-secure-cyberspace
Skeath, C. (2014, December 12). Congress passes five cybersecurity bills. Retrieved from https://www.insideprivacy.com/united-states/congress-passes-four-cybersecurity-bills/
Sullivan & Cromwell LLP. (2015, December 22). The Cybersecurity Act of 2015. Retrieved from https://www.sullcrom.com/siteFiles/Publications/SC_Publication_The_Cybersecurity_Act_of_2015.pdf
Sulmeyer, M. (2017, December 19). Cybersecurity in the 2017 National Security Strategy [Blog post]. Retrieved from https://www.lawfareblog.com/cybersecurity-2017-national-security-strategy
White House. (2007). The comprehensive national cybersecurity initiative. Retrieved from https://obamawhitehouse.archives.gov/node/233086
White House. (2015). National cybersecurity strategy. Retrieved from http://nssarchive.us/wp-content/uploads/2015/02/2015.pdf
White House. (2017). Presidential executive order on strengthening the cybersecurity of federal networks and critical infrastructure. Retrieved from https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/

Cybersecurity Strategy vs. Regulation

If the previous section is a bit confusing, or you're left wondering "so what does it all mean," you are not alone. In short, the United States has not been successful in establishing a comprehensive national cybersecurity strategy—at least as compared with the European Union, which features unified cybersecurity regulations for its members. However, some argue that private- and public-sector cybersecurity cooperation should be voluntary and not mandatory (Boulee et al., 2013). In fact, the United States has mandated regulation only in specific industries. Examples include:

1. Health Insurance Portability and Accountability Act (HIPAA)
2. Gramm-Leach-Bliley Act
3. Homeland Security Act/Federal Information Security Management Act

Those regulations mandate that health care organizations, financial institutions, and federal agencies protect their systems and the information in those systems. Outside of those exceptions, the executive and legislative branches of the United States government have sided with those that believe private- and public-sector cooperation for all other organizations and entities should be voluntary. There are pros and cons to this approach. Some contend that even with these regulations, there still have been many breaches, so the regulations have little effect. Some of the more prominent breaches include:

1. Anthem medical data breach: On February 4, 2015, the personal medical data of 78.8 million people was stolen over a period of weeks the month before the breach was discovered.
2. Equifax data breach: On September 7, 2017, the credit reporting agency Equifax announced that the personal and financial data of over 140 million people had been stolen in one of the largest breaches of data in history.
3. Office of Personnel Management (OPM) data breach: Between 2014 and 2015, two separate but linked cyberattacks exposed the personnel records of 21.5 million people, including those who had undergone background checks but may not have been current or former government employees.

References

Boulee, J-P., Davis, W. W., Kantner, R. W., McDonald, K. P., Metcalf, J. C., & Paez, M. F. (2013). The cybersecurity debate: Voluntary versus mandatory cooperation between the private sector and the federal government. Jones Day. Retrieved from https://www.lexology.com/library/detail.aspx?g=70a72c39-3168-45c3-9da6-5c4baadaf94b

What About the Rest of the World?

And what about the rest of the world? The NATO Cooperative Cyber Defense Centre of Excellence maintains a holistic repository of all NATO members' national cybersecurity strategies.

Ensuring GDPR Compliance

Portions of Ensuring GDPR Compliance are adapted from How Will the GDPR Impact Open Source Communities? by Robin Muilwijk from Opensource.com, available under a Creative Commons Attribution-ShareAlike 4.0 International license. UMUC has modified this work and it is available under the original license.

The European Union's GDPR regulations affect how organizations need to protect personal data on a global scale. The GDPR brings many changes, strengthening data protection and privacy of EU persons, compared to the previous directive, including the following requirements:

Explicit Consent

GDPR strengthens the requirements to seek consent. Users must give explicit consent using clear and plain language. It also makes it easier for users to withdraw consent. According to Article 4(11) of GDPR (European Commission, 2018), consent is: "any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed." Kaelin (2018) describes what this means, explaining that consent for the collection of personal information must be:

1. freely given—truly optional, with no penalty for declining data collection
2. specific and unambiguous—data controllers must clearly spell out the type of data to be processed, the reason for collection, who will be processing the data, when the processing will take place, and the expiration date of the agreement
3. informed—the request cannot be embedded inside another common statement, such as the terms of service or privacy policies
4. given with clear affirmative action—consent must be opt-in rather than opt-out.

Right to Access

EU persons get expanded rights by the GDPR. One of them is the right to ask an organization if, where, and which personal data is processed. Upon request, they should also be provided with a free copy of this data, and in an electronic format if the data subject (e.g., EU citizen) asks for it (Muilwijk, 2018).

Right to Be Forgotten

Another right EU citizens get through the GDPR is the "right to be forgotten," also known as data erasure. This means that, subject to certain limitations, the organization will have to erase an EU citizen's data, and possibly even stop any further processing, including by the organization's third parties. The above three changes imply that any platform's software will need to comply with certain aspects of the GDPR as well. It will need to have specific features such as obtaining and storing consent, extracting data and providing a copy in electronic format to a data subject, and finally the means to erase specific data about a data subject (Muilwijk, 2018).

Breach Notification

Under the GDPR, a data breach occurs whenever personal data is taken or stolen without the authorization of the data subject. Once discovered, you should notify your affected persons within 72 hours unless the personal data breach is unlikely to result "in a risk to the rights and freedoms of natural persons." This breach notification is mandatory under the GDPR (Muilwijk, 2018).

References

European Commission. (2018). 2018 reform of EU data protection rules. Retrieved from https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
Kaelin, M. (2018, April 12). Understand the GDPR guidelines for obtaining lawful consent to process data. Retrieved from https://www.techrepublic.com/article/gdpr-guidelines-for-obtaining-valid-and-lawful-consent-to-process-data/
Muilwijk, R. (2018, April 19). How will the GDPR impact open source communities? Available under the Creative Commons Attribution-ShareAlike 4.0 International license. Retrieved from https://opensource.com/article/18/4/gdpr-impact

Cybersecurity Policy

A policy is typically a document that outlines specific requirements or rules that must be met. For example, an "acceptable use" policy would cover the rules and regulations for appropriate use of computing facilities (SANS, n.d.). A security policy is a statement of responsible decision makers about the protection mechanism of an organization's crucial physical and information assets (InfoSec Institute, n.d.). The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber-attacks (NIST, 2018).

Source: N. Hanacek/National Institute of Standards and Technology. Cybersecurity Framework Version 1.1. In the public domain. Retrieved from https://www.nist.gov/cyberframework

This NIST CSF is voluntary guidance based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk (FRSecure, n.d.). It was also developed for other organizations and industries to use.

References

FRSecure. (n.d.). How to use (and not use) the NIST CSF [Blog post]. Retrieved from https://frsecure.com/blog/how-to-use-and-not-use-the-nist-csf/
InfoSec Institute. (n.d.). An introduction to cyber security policy. Retrieved from https://resources.infosecinstitute.com/cyber-security-policy-part-1/#gref
National Institute of Standards and Technology (NIST). (2018, April). Cybersecurity framework. Retrieved from https://www.nist.gov/cyberframework
SANS Institute. (n.d.). Information security policy templates. Retrieved from https://www.sans.org/security-resources/policies

Assignments

You will be collaborating with your previously assigned group on this assignment. It is up to the group members to decide how they will plan, meet, discuss, and complete the five sections of the paper. Remember, if a member fails to complete his or her part of the work, the group is still responsible for all sections.

Part 1: National Security Strategy and Cybersecurity

1. After reading the National Security Strategy (2017), comment on the following.
   1. Should the United States create a separate cybersecurity strategy to be published alongside the National Security Strategy (NSS), or do you feel the NSS is enough? Why or why not?
   2. Consider your answer in the context of the original National Strategy to Secure Cyberspace (2003). What is not adequately addressed in the National Security Strategy (2017) as it relates to cybersecurity?

Part 2: Public/Private Partnerships

1. After reading the Cybersecurity Act of 2015, address the private/public partnership with the DHS National Cybersecurity and Communications Integration Center (NCCIC), arguably the most important aspect of the act. The Cybersecurity Act of 2015 allows for private and public sharing of cybersecurity threat information.
   1. What should the DHS NCCIC (public) share with private sector organizations? What type of threat information would enable private organizations to better secure their networks?
   2. On the flip side, what should private organizations share with the NCCIC? As it is written, private organization sharing is completely voluntary. Should this be mandatory? If so, what are the implications to the customers' private data?
   3. The government is not allowed to collect data on citizens. How should the act be updated to make it better and more value-added for the public-private partnership regarding cybersecurity?

Part 3: Private Sector Organizations

1. Review the General Data Protection Regulation (GDPR) of the European Commission (EU). It includes many provisions and arguably strengthens data protection for individuals within the EU. It even includes the right to be forgotten. The United States does not have a similar regulation. There have only been a few regulations implemented related to US citizens' private data, which include medical and financial industries. Some argue implementing regulation such as GDPR in the United States would hinder innovation. They contend that the End User License Agreements (EULA) provide enough protections and allow the citizens to make the choice of what is and is not shared.
   1. As a private sector organization, do you believe that an equivalent to GDPR should be implemented in the United States?

Part 4: Protecting Critical Infrastructure and the Homeland

1. The Department of Defense (DoD) Cyber Strategy 2018 discusses the protection of critical infrastructure and the homeland.
   1. What does that mean to private organizations such as yours?
   2. If most critical infrastructure in the United States is owned by the private sector, what responsibility does the DoD have in this regard?
   3. Some would argue US laws are outdated and thus the DoD has little authority to assist. Others would argue US laws were purposely established such that the private sector would defend itself and not need assistance from the military. Obviously, for the DoD to assist, it would need the private organizations' data. Said another way, the DoD would need your data as a private citizen/customer of that organization. Those that believe our laws need to be updated argue giving up privacy for protection is legitimate.
   4. Others will argue that we should not give private information of citizens to the government for any reason. As a citizen, would you feel comfortable with this? As a private organization, would you feel comfortable giving information that may contain your customers' private data to the DoD?
   5. Is there a third solution (middle ground) you would propose that enables privacy but also enables cybersecurity?

Part 5: Cybersecurity Technologies

1. The authors of the National Security Strategy (2017) are looking to address particular technologies that have the opportunity to revolutionize cybersecurity. They believe that blockchain technology is a revolutionary technology that can significantly improve cybersecurity.
   1. What would be your recommendation for how the NSS should incorporate this technology to the public?
   2. Propose exactly what you believe should be written in the NSS. Specifically, explain the blockchain technology in layman's terms to nontechnical people that may be reading the NSS, give examples of how it could be used to provide revolutionary cybersecurity, include examples of how it is being used to provide cybersecurity solutions, and discuss what, if any, policies or laws should be established to mandate its use in specific industries.

Structure/Format

• Use additional sources of information but also describe the concept in layman's terms.
• Use visuals where appropriate.
• While quality is valued over quantity, it is expected that a quality paper will result in a minimum length of 10–15 pages.
• Please use APA formatting for your paper.
• Use the outline above for the structure of your paper.
• Please provide a title page with Group # and members.
• Please label each section that each user did. Ex:
  o Introduction (Steven Tharp)

Explanation & Answer

Attached.

Running head: GENERAL DATA PROTECTION REGULATION (GDPR)

General Data Protection Regulation (GDPR)
Institution Affiliation
Date


Introduction
General Data Protection Regulation (GDPR) refers to a legal framework that lays down the guidelines for the collection as well as the processing of personal data of the individuals who live in the European Union (EU). The location of the websites does not matter; all the states that normally attract European visitors must comply with the framework. This is regardless of whether they are marketing goods or services to the residents of the EU (Voigt and Von dem Bussche, 2017). General Data Protection Regulation (GDPR) may have its flaws, but the idea of having the consumers in charge of their information is correct. The user is able to gain access to and correct the information that the firm has about them.
Why The United State Should A...
