Cyber security, due primarily to globalization, has become a profound issue. With the advent of the internet, new threats to privacy and security have arisen. For one, these threats have caused data breaches and loss of service for many internet providers. Recently, American banks have become targets of cyber attacks from unknown sources. In many instances, it is difficult to determine where a cyber attack originates. The anonymity of an attack makes this threat particularly appealing to both third world and developed nations. Due primarily to its ability to go undetected, PII attacks have become very commonplace. PII, otherwise known as personally identifiable information, has a direct appeal to those who would like to do harm to developed countries. PII attacks are particularly profound because information including name, Social Security number and date of birth, stored in the vendor's database, can be accessed by unauthorized users (Denning, 2008).
PII attacks are not unusual by any means. However, the concepts used to alleviate and rectify breaches have evolved over time. In many respects, preventive techniques must be adopted in a proactive fashion in order to circumvent the overall threat of PII attacks. As such, the proactive nature of prevention requires constant innovation. Current procedures to help alleviate PII breaches are very simple and rely heavily on execution rather than strategy. In order to reduce the threat of attack, the following three concepts should be adopted:
1. Reducing the volume of collected and retained information to the minimum necessary;
2. Limiting access to data to only those individuals who must have such access;
3. Using encryption, strong authentication procedures, and other security controls to make information unusable by unauthorized individuals (Gorman, 2013).
The incident response team is also a vital component of addressing cyber and PII attacks. During a data breach, having the correct people within the organization is often the catalyst for effective crisis aversion. Computer security experts specialize in helping companies to mitigate threats before, during, and after an attack. Therefore, having the proper personnel is integral to alleviating cyber and PII attacks. Incident response is not limited to hacking; it also covers intellectual property theft and data leakage, human resources complaints, and ongoing litigation and legal holds, among other frequent corporate occurrences. The varying and ever-evolving nature of cyber threats makes it ever more important to hire, attract and retain competent individuals.
To prevent future occurrences, the following concepts should be utilized:
First, the organization must establish rules of proper conduct regarding personal information. Companies should establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records. This is critical, as an internal breach is often the manner in which PII attacks occur. Internal threats are often more profound than external threats. For one, insiders are aware of system operations and any apparent flaws. Further, many individuals could possibly collude, causing damage that continues well after the breach is detected.
Second, the organization should establish proper safeguards. Agencies are also required to establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records. This will also protect against any anticipated threats. Safeguards deter PII attacks primarily because of the difficulty of overcoming them.
Third, agencies should train all stakeholders on their privacy and security responsibilities within their primary job function. This should occur before permitting access to agency information and information systems. In addition, the organization should provide at least annual refresher training to ensure that all stakeholders understand their obligations to the organization and to society at large.
Finally, in order to prevent a future breach from occurring, the organization can immediately encrypt all PII data. In this context, encryption means using only NIST-certified cryptographic modules for all data on mobile computers and devices. In addition, the organization can control remote access to information. For example, the organization could allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access. When access is granted, however, the organization could institute a "time-out" function for remote access and mobile devices, requiring user re-authentication after thirty minutes of inactivity. This concept helps ensure that unauthorized users do not contaminate the system.
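The remote-access rules just described (two distinct factors, one of them from a device other than the connecting computer, and re-authentication after thirty minutes of inactivity) can be expressed as a small policy check. The following is an added illustration, not code from the paper or from any cited source; the `Factor` and `RemoteSession` types, the function names and the use of plain epoch seconds for time are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Assumed policy constant taken from the text: re-authenticate after 30 minutes idle.
IDLE_TIMEOUT_SECONDS = 30 * 60


@dataclass(frozen=True)
class Factor:
    """One presented authentication factor (hypothetical type for this example)."""
    kind: str       # e.g. "password", "otp", "hardware_token"
    device_id: str  # identifier of the device that produced the factor


@dataclass
class RemoteSession:
    """State for one remote-access session (hypothetical type for this example)."""
    user: str
    client_device: str
    last_activity: int   # epoch seconds of the last authorised request
    authenticated: bool = True


def two_factor_ok(client_device: str, factors: Sequence[Factor]) -> bool:
    """Require two different factor kinds, and at least one factor that
    did not originate on the computer requesting access."""
    kinds = {f.kind for f in factors}
    if len(kinds) < 2:
        return False
    return any(f.device_id != client_device for f in factors)


def authenticate(user: str, client_device: str,
                 factors: Sequence[Factor], now: int) -> Optional[RemoteSession]:
    """Open a session only when the two-factor policy is satisfied."""
    if not two_factor_ok(client_device, factors):
        return None
    return RemoteSession(user, client_device, last_activity=now)


def authorize(session: RemoteSession, now: int) -> bool:
    """Gate a request at time `now`. Once the session has been idle for
    IDLE_TIMEOUT_SECONDS or longer it is invalidated and stays invalid
    until the user re-authenticates; otherwise the idle clock is refreshed."""
    if not session.authenticated:
        return False
    if now - session.last_activity >= IDLE_TIMEOUT_SECONDS:
        session.authenticated = False
        return False
    session.last_activity = now
    return True
```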
When an incident does occur, the team members and the roles they play become critical. For one, when an incident involves financial data, an immediate freeze on credit accounts should occur. In addition, leaders should call the credit agencies to communicate the fraud or breach. The account holders should be notified via phone, email, or mail of the possible breach and its implications for their financial activity. In general, notification to parties affected by the breach should be issued by the Component Head. This act demonstrates that the leaders of the organization are abreast of the situation and are willing to alleviate it. According to the Department of Justice, the response should include the following contents to be effective (Tom, 2013):