William Slater's CYBR 510

CYBR 510 - Physical, Operations, and Personnel Security

Wednesday, December 21, 2011

Post 010 - CYBR 510

Source: NIST SP 800-50



 Week Four Assignments

Week 4 Summary
Theme for the Week-Training and Development for High Performance


This week:
Why and how to train
Computer aided training
Measuring effectiveness


Learning Objectives:
Distinguish the effectiveness of training methods in an organization.
Evaluate training case studies.
Compare and contrast the benefits of training in a security program.

Readings
Week 4 Reading Assignments
Security Operations Management, Chapter 4
Security Operations Management - Appendix C- Task Force Report

Week 4 Discussion Post


On Week 4 Forum, post your response to one of the following questions:


Explain how important training is for security personnel. Discuss the similarities and differences between security training and law enforcement training. This is your opinion and viewpoints on the importance of security training. You can provide examples and analogies to back up your point.


Explain how security personnel training can be evaluated. How do you measure the effectiveness of the training? What are the inherent limitations in measuring the effectiveness of training?


How has the Information Age affected content and delivery of training programs?


What are the strengths of the case history method for training? What are its weaknesses?


What are the differences and similarities between training, education, and awareness? Provide scenarios for each.


Compare and contrast two training techniques. Provide specific examples where each is effective and ineffective.


Your answer should be 2-3 paragraphs in length with proper attention given to spelling and grammar. Try not to repeat a question answered by another student. You can use the textbook and supplemental reading, but you should also include at least one Internet site or outside reference that provides information on your topic. Once you have submitted your initial post, read each of your classmates' initial posts and respond to at least four of them (by Friday, Jan 6). You should be posting on multiple days. In your response, provide your comments and any additional information you might have. Remember to cite your sources.


Directions: Each student must respond to a minimum of four other students’ threaded discussion postings in a “substantive and meaningful” manner. Do not simply agree or disagree – provide a quality response that reflects critical thinking. To foster learning, “professional and constructive” criticism is encouraged when responding to your classmates.


The weekly discussion questions, to allow time for students to respond, must be answered by 11:59 p.m. on Sunday of each week. Please see the discussion evaluation section in the syllabus for detailed expectations and directions of how your discussion board postings and overall participation is evaluated. 
Reminders: Each student must respond to the weekly questions. Discussion postings should reflect some new or original information – do not just regurgitate data or opinion posted by previous students. The quality of your effort will be considered when grading discussion postings.
This assignment is worth 100 points total.



Correcting Poor Work Case Study



Week 4 Written Assignments
In one Word document, complete the following:


View the “Correcting Poor Work” case study. The link is located above.


Once you have viewed all three scenarios, discuss in which scenario you saw Joel properly correcting Tim’s poor work. Why did you pick that scenario?


What were Joel’s behaviors? Please give your opinion of how correcting poor work should be taken care of as well as how you would approach correcting a subordinate’s poor work. 


If you have encountered this type of situation, please relate this in your work.


Reminders: Students are required to submit assignments with a name, course name/number and page numbers on your assignments. Please double space your work, and re-state the question. Grading is facilitated when the assignment submission is well structured, and the questions (opposed to your answers) have been bolded. File Naming Convention: Students are required to submit assignments with their last name, followed by the week’s assignment; e.g. smith1.2. Microsoft Word documents only. Late submitters will be penalized.


Weekly written assignments will be due by 11:59 p.m. on Sunday at the end of each week. Specific assignments will be posted each week throughout the course. Your grade will be predicated on the quality of your thinking and writing - NOT the length of your writing. Too many words are usually a sign of poor editing, and too few words are a sign of poor analysis. 
This assignment is worth 100 points total.


Week 4 Journal
Each student will complete “weekly” entries into a well-organized journal that reflects how the weekly coursework (reading and assignment) and discussion has impacted their personal and professional lives. Essentially, the journal - akin to a personal diary, should capture the meaningful and significant aspects of the course which generated student analysis and thought. Your weekly journal entry will be due by 11:59 p.m. on Sunday at the end of each week. 
This assignment is worth 100 points total.





= = = = = = = = = = = = = = = = = = = = = = =

William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
Chicago, IL
United States of America




Post 009 - CYBR 510


Interview - Source: Microsoft Office Online Clip-art


Assignment Description:
On Week 3 Forum, post your response to one of the following items. While you must answer the questions, you don't have to do it in question-answer format. You can make it a narrative that includes the answers.
  • What is your opinion of pre-employment screening? How does pre-employment screening affect an organization? Discuss how pre-employment screening affects the process of recruiting employees.
  • Is it fair to perform Internet searches on applicants? What is allowed or not allowed for application Internet searches? Has this caused any issues that you know of or can find for applicants? 
  • How does personnel planning assist an organization in achieving the performance level that is needed for a successful organization? Why is it important to include security in the personnel planning and employment process?
  • How can the whole employment process “weed” out potential employees who may not be the right fit for an organization? How important is it to have a good fit for both the organization and the prospective employee?
Your answer should be 2-3 paragraphs in length with proper attention given to spelling and grammar. You can use the textbook and supplemental reading, but you should also include at least one Internet site that provides information on your topic. Once you have submitted your initial post (by Friday night), read each of your classmates' initial posts and respond to at least four of them. In your response, provide your comments and any additional information you might have. Remember to cite your sources.

Directions: Each student must respond to a minimum of four other students’ threaded discussion postings in a “substantive and meaningful” manner. Do not simply agree or disagree – provide a quality response that reflects critical thinking. To foster learning, “professional and constructive” criticism is encouraged when responding to your classmates.

The weekly discussion questions, to allow time for students to respond, must be answered by 11:59 p.m. on Sunday of each week. Please see the discussion evaluation section in the syllabus for detailed expectations and directions of how your discussion board postings and overall participation is evaluated.

Reminders: Each student must respond to the weekly questions. Discussion postings should reflect some new or original information – do not just regurgitate data or opinion posted by previous students. The quality of your effort will be considered.


Q. What is your opinion of pre-employment screening? How does pre-employment screening affect an organization? Discuss how pre-employment screening affects the process of recruiting employees.

Answer:
First, an organization should establish policies, guidelines, and regulations regarding its recruitment practices, especially those that are related to pre-employment screening.

Pre-employment screening usually takes four main forms:
1)   Character reference checks
2)   Completeness and accuracy check of the resume
3)   Confirmation and verification of educational and professional credentials
4)   Check against a passport or some other government-issued form of identification.
(Calder and Watkins, 2009).
Now that web-based services are widely available, companies also engage third-party screening services, and hiring companies run their own Google searches on candidates (McCrie, 2007).



Q.  What is your opinion of pre-employment screening?

Answer:
I believe pre-employment screening is a vital step in hiring the right candidate. Without this type of screening, employers constantly subject themselves to the risk of hiring inferior candidates who might not be qualified to fill the position for which they are applying.


= = = = = = = = = = = = = = = = = = = = = = = =
This is the questionnaire I created to screen E-Mail Server Technical Support candidates nearly five years ago:

(Please use as much space as you need to answer these questions.)

Describe a tough problem you had to troubleshoot on a production server or production network.

When setting up a mail server in DNS, what is the special type of record required to define the mail server?

If you have multiple Exchange Servers at a site, within a single domain, what is required when you replace the first Exchange Server at this site? (This was more applicable to Exchange 5.5…)

Describe a significant network or computer security issue you have had to deal with and solve.

What is the highest number of problem tickets you have ever resolved in a single day?

Besides what is on your resume, what other areas of IT and career skills do you work on?

= = = = = = = = = = = = = = = = = = = = = = = =



Q. How does pre-employment screening affect an organization?

Answer:

Pre-employment screening can improve morale in an organization, because employees know that their new co-workers have been held to the same high standard of passing the pre-employment screening.

Pre-employment screening also helps an organization by improving the overall quality of the workforce and strengthening its security posture, since it reduces the inherent security risks associated with hiring an improperly vetted employee.
(McCrie, 2007).


Q. Discuss how pre-employment screening affects the process of recruiting employees.
Answer:
Pre-employment screening makes the hiring process more efficient and thorough, because candidates who reach the finalist interview stage have already met rigorous requirements. It also avoids wasting the hiring manager’s time, because the hiring manager knows that he or she will only be interviewing candidates who are worth hiring.
(McCrie, 2007).

References:
Calder, A. and Watkins, S. (2009). IT Governance: A Manager’s Guide to Data Security and ISO27001/ISO27002, 4th edition. London, U.K.: Kogan Page.
McCrie, R. D. (2007). Security Operations Management, second edition. Burlington, MA: Elsevier.
Whitman, M. E. and Mattord, H. J. (2010). Management of Information Security, third edition. Indianapolis, IN: Course Technology.

Post 008 - CYBR 510

Assignment Description:
In one Word document, discuss the following:
View the “Polygraph Testing” case study module. The link for the module can be found in the “Week 3 Assignments” folder.
After viewing the case study, discuss how you feel the testing of Aldrich Ames was handled by the polygraph operators. What could have been done to eliminate the errors?  Explain why you think Ames “beat the system.”
Furthermore, discuss if you have ever been involved with a polygraph test and what occurred. Relate this to this case study. If you have not been involved in a polygraph test, discuss what you think it would be like.
Reminders: Students are required to submit assignments with a name, course name/number and page numbers on your assignments. Please double space your work, and re-state the question. Grading is facilitated when the assignment submission is well structured, and the questions (opposed to your answers) have been bolded. File Naming Convention: Students are required to submit assignments with their last name, followed by the week’s assignment; e.g. smith1.2. Microsoft Word documents only. Late submitters will be penalized.
Weekly written assignments will be due by 11:59 p.m. on Sunday at the end of each week. Specific assignments will be posted each week throughout the course. Your grade will be predicated on the quality of your thinking and writing - NOT the length of your writing. Too many words are usually a sign of poor editing, and too few words are a sign of poor analysis.
This assignment is worth 100 points total.

A Brief Analysis of the Aldrich Ames Polygraph Screening Case
This brief paper presents an analysis of the Aldrich Ames Polygraph Screening Case. Aldrich Ames was a CIA counterintelligence officer who was ultimately charged with selling top secret data to agents of the Soviet Union and, after its collapse, Russia. At first glance, it appears that Ames beat a polygraph examination: he did not pass on the first attempt, then came back four days later and registered responses that indicated he was telling the truth (Bellevue University, 2011).

How Could Errors Have Been Avoided in the Aldrich Ames Polygraph Screening Case?
            According to the case study, the initial results of Mr. Ames’ polygraph examination indicated deceptive responses regarding his personal finances (Bellevue University, 2011). Large expenditures and unexplained affluence or assets can point to suspicious sources of income, in particular income gained from espionage when an employee has access to secret data that could be sold to foreign agents.
            The McCrie text describes two primary types of error that can occur during polygraph examinations. A false negative occurs when the examiner judges the examinee to be truthful although the examinee is actually being deceptive. A false positive occurs when the examiner judges the examinee to be deceptive although the examinee is actually being truthful (McCrie, 2007).
            If established procedures required the complete submission of all data related to a polygraph examination and the examiner failed to follow those procedures, then that failure is what allowed Mr. Ames to give the appearance that he had “beat the system.” In fact, it was probably Ames’ own overconfident and unusually friendly manner that caused the examiner to drop his guard and not follow his required procedures explicitly and to the letter.
            If the polygraph examiner who examined Mr. Ames had followed his training and required procedures explicitly and reported both sets of results, it would probably have raised flags and required that Ames submit to a different set of polygraph examinations from an entirely new examiner. I also think that the polygraph examiner who examined Mr. Ames was probably younger than Ames and not very experienced, or he would not have allowed Ames to engage him in the friendly conversation that preceded the exam, inquiring about the examiner’s background, experience and interest in that kind of work (Bellevue University, 2011).
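To make the two error types concrete, the following is an added example, not part of the course material, the McCrie text or the Bellevue case study. It computes the expected outcomes of a screening program from an assumed population size, base rate of deceptive subjects, false negative rate and false positive rate; all four numbers are hypothetical inputs chosen for illustration, not published polygraph figures. It also shows why accepting a single passing re-test, as happened with Ames, is weaker evidence than reporting every result.

```python
"""Expected outcomes of a screening examination with known error rates.

Added illustration: the rates used in main() are assumptions, not data
from McCrie (2007) or the Bellevue University (2011) case study.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningOutcome:
    """Expected counts for one pass of screening over a population."""
    true_positives: float   # deceptive subjects correctly flagged
    false_negatives: float  # deceptive subjects judged truthful (the Ames miss)
    false_positives: float  # truthful subjects wrongly flagged
    true_negatives: float   # truthful subjects correctly cleared

    @property
    def flagged(self) -> float:
        return self.true_positives + self.false_positives

    @property
    def cleared(self) -> float:
        return self.false_negatives + self.true_negatives

    @property
    def positive_predictive_value(self) -> float:
        """Fraction of flagged subjects who are actually deceptive."""
        return self.true_positives / self.flagged if self.flagged else 0.0

    @property
    def negative_predictive_value(self) -> float:
        """Fraction of cleared subjects who are actually truthful."""
        return self.true_negatives / self.cleared if self.cleared else 0.0


def expected_outcomes(population: int, base_rate: float,
                      false_negative_rate: float,
                      false_positive_rate: float) -> ScreeningOutcome:
    """Split a population into the four outcome cells.

    base_rate: fraction of subjects who are actually deceptive.
    false_negative_rate: P(judged truthful | deceptive).
    false_positive_rate: P(judged deceptive | truthful).
    """
    for name, value in (("base_rate", base_rate),
                        ("false_negative_rate", false_negative_rate),
                        ("false_positive_rate", false_positive_rate)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {value}")
    deceptive = population * base_rate
    truthful = population - deceptive
    fn = deceptive * false_negative_rate
    fp = truthful * false_positive_rate
    return ScreeningOutcome(true_positives=deceptive - fn,
                            false_negatives=fn,
                            false_positives=fp,
                            true_negatives=truthful - fp)


def retest_miss_probability(false_negative_rate: float, attempts: int) -> float:
    """P(a deceptive subject is cleared at least once in `attempts` examinations).

    Models the failure mode in the Ames case: if any single passing result
    ends the inquiry, every extra attempt gives the subject another chance
    to be missed. Attempts are assumed independent (a simplification).
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    return 1.0 - (1.0 - false_negative_rate) ** attempts


def main() -> None:
    # Hypothetical inputs: 10,000 employees, 1 in 1,000 deceptive,
    # examiner misses 20% of the deceptive and flags 10% of the truthful.
    outcome = expected_outcomes(10_000, 0.001, 0.2, 0.1)
    print(f"flagged: {outcome.flagged:.0f}  "
          f"of which truly deceptive: {outcome.true_positives:.0f}")
    print(f"positive predictive value: {outcome.positive_predictive_value:.3%}")
    print(f"negative predictive value: {outcome.negative_predictive_value:.4%}")
    for n in (1, 2, 3):
        print(f"P(deceptive subject cleared within {n} attempt(s)): "
              f"{retest_miss_probability(0.2, n):.2f}")


if __name__ == "__main__":
    main()
```

With the assumed inputs, almost all of the roughly one thousand flagged employees are truthful (a positive predictive value under one percent), while a second examination raises the chance that a deceptive subject is cleared at least once from 0.20 to 0.36. That is the case for reporting both results, as argued above, rather than letting the later pass overwrite the earlier fail.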

How was Aldrich Ames Finally Caught by the FBI?
            Ames was finally caught after nine years of misleading investigators, because he exhibited suspicious, provocative behavior by speeding in his sports car, which warranted further investigation. His demise is described in the passage below:
“But, in an inquiry that careered like a roller coaster, the F.B.I. got its first big break just a few days later. Ignoring the warnings of their superiors, agents pilfered Mr. Ames's household trash, switching refuse cans in a nighttime operation that yielded a decisive find: a torn-up draft of a note from the suspect to his Russian handlers.
A few weeks later, Federal agents broke into Mr. Ames's house and, in a search authorized by the Attorney General, found in his computer a wealth of incriminating data, including his procedures for secret communications with the Russians.
F.B.I. officials, including senior investigators who supervised the inquiry and agents who ran it in the field, have previously been under strict orders not to discuss it. Now, almost a year after Mr. Ames's arrest, those officials, in response to numerous requests, have talked about the case in a series of interviews in recent days.” (Kidwell, 1995)
            These activities resulted in the conviction and incarceration of Ames, who is serving a life sentence in a federal prison without any possibility of parole. The secrets he sold to foreign agents reportedly compromised the operations of other CIA agents and resulted in irreparable harm to the U.S. Government.

My Own Experience Related to Polygraph Examinations
            From 1972 until 1977, I worked my way through the last year of high school and then four years of college as a retail clerk in a Kroger grocery store. I started at one store in July 1972 and transferred to another store in July 1974 because it was closer to the campus of the university where I was working on my bachelor’s degree. At the second store location, there was a management change less than six months after I arrived. Within 12 months, the store was experiencing huge money losses that resulted from “inventory shrinkage” that represented truckloads of merchandise being stolen in short periods of time. Even though I was afforded protections against polygraph examinations by the Retail Clerks Union to which I belonged, during the investigation that resulted, I was strongly persuaded and agreed to take a polygraph examination. Prior to the examination, I was briefed on the entire process and what they were trying to discover using the polygraph examination. Though I was truthful regarding my own employee performance, when asked by the polygraph examiner about detailed knowledge of activities of other employees, I lied and did so intentionally. I was not about to become an informant on my fellow employees. These were fellow coworkers who had been manually ringing up cartons of cigarettes and six-packs of beer for one tenth the listed price. The result was that I completed the exam and was never called back for a discussion of the results. I also never brought it up again either, and secretly I was angry at myself for unnecessarily subjecting myself to this unpleasant experience, when I had explicitly guaranteed union protection regarding this practice. In my own set of values, I felt that I had subjected myself to the perils of having my character questioned, when I did not have to submit to this situation voluntarily.
On another note, I noticed that the management and the polygraph examiner never called the process or the machine a “lie detector.” That to me was very telling. I was smart enough to realize two things: 1) the results are not admissible as evidence in a court of law; and 2) the management and the polygraph examiner intentionally avoided calling it a “lie detector” exam or a “lie detector machine” because they knew that “lie detector” has a much more negative and emotional connotation than the sterile, scientific-sounding term “polygraph examination.”
            A few employees were visibly emotionally upset about this polygraph exam and said so.  Then they turned around and asked the examiner, and later other managers, “Did you catch me lying?”  Hearing these stories made me realize that I was working with some pretty stupid people, because the worst thing a person could do would be to act suspicious during or after the process, and act as if they were hiding information, and personally wondering if the polygraph machine had caught it.
The Management Team of the grocery store was transferred to other stores and replaced with a new Management Team, but no employees were ever fired as a result of these polygraph examinations and the related investigations.

Conclusion
            In 1975, when I went through a polygraph examination, I believed that no machine can accurately determine 100% of the time if and when a person is telling the truth and when they are lying. As a result of my own experience and seeing the fallibility of the system, since it requires imperfect people to administer it, I believed then and I believe today that a polygraph examination is a “mind game” that is played by people in authority to cause people to believe that the polygraph examiner knows conclusively if a person is being deceptive or telling the truth. The fact that polygraph examinations are not admissible as evidence in a court of law shows that our judicial system in America also recognizes this truth. Therefore, I think the polygraph examination is an outdated 20th century practice in law enforcement and investigations and that it should be discontinued.


References
Bellevue University. (2011). Polygraph Testing Case Study.  Retrieved from the web at http://idcontent.bellevue.edu/content/CIT/cyber/510/case3/  on December 18, 2011.
Kidwell, D. (1995).  How the F.B.I. Finally Caught Aldrich Ames.   A New York Times news article published on January 27, 1995.  Retrieved from the web at http://www.nytimes.com/1995/01/27/us/how-the-fbi-finally-caught-aldrich-ames.html?pagewanted=all  on December 18, 2011.
McCrie, R. D. (2007). Security Operations Management, second edition. Burlington, MA: Elsevier.








Thursday, December 15, 2011

Post 007 - CYBR 510

Week Three Assignments


  Week 3 Summary


Theme for the Week - Staffing to Meet Protective Goals


This week: 
Personnel planning
Recruitment and hiring
Prescreening
Polygraphs


Learning Objectives:
Differentiate and examine the special issues in security such as discipline and discharge; supporting and motivating; appraising and promoting; accounting controls and budgeting; staffing; training; operations; technology; and leadership.
Analyze different recruiting, hiring, and staffing practices to ensure adequate security.
Assess the personnel planning process.
Examine hiring and vetting processes as it relates to security.
  Readings
Week 3 Reading Assignments
Security Operations Management, Chapter 3
Security Operations Management, Appendix B- Code of Ethics
  Week 3 Discussion Post


On Week 3 Forum, post your response to one of the following items. While you must answer the questions, you don't have to do it in question-answer format. You can make it a narrative that includes the answers.


What is your opinion of pre-employment screening? How does pre-employment screening affect an organization? Discuss how pre-employment screening affects the process of recruiting employees.


Is it fair to perform Internet searches on applicants? What is allowed or not allowed for application Internet searches? Has this caused any issues that you know of or can find for applicants?  
How does personnel planning assist an organization in achieving the performance level that is needed for a successful organization? Why is it important to include security in the personnel planning and employment process?


How can the whole employment process “weed” out potential employees who may not be the right fit for an organization? How important is it to have a good fit for both the organization and the prospective employee?


Your answer should be 2-3 paragraphs in length with proper attention given to spelling and grammar. 


You can use the textbook and supplemental reading, but you should also include at least one Internet site that provides information on your topic. Once you have submitted your initial post (by Friday night), read each of your classmates' initial posts and respond to at least four of them. In your response, provide your comments and any additional information you might have. Remember to cite your sources.


Directions: Each student must respond to a minimum of four other students’ threaded discussion postings in a “substantive and meaningful” manner. Do not simply agree or disagree – provide a quality response that reflects critical thinking. To foster learning, “professional and constructive” criticism is encouraged when responding to your classmates. 


The weekly discussion questions, to allow time for students to respond, must be answered by 11:59 p.m. on Sunday of each week. Please see the discussion evaluation section in the syllabus for detailed expectations and directions of how your discussion board postings and overall participation is evaluated. 


Reminders: Each student must respond to the weekly questions. Discussion postings should reflect some new or original information – do not just regurgitate data or opinion posted by previous students. The quality of your effort will be considered when grading discussion postings.
This assignment is worth 100 points total.


  Polygraph Testing Case Study
View this case study prior to completing the assignment below.


  Week 3 Written Assignments
In one Word document, discuss the following:


View the “Polygraph Testing” case study module. The link for the module can be found in the “Week 3 Assignments” folder.


After viewing the case study, discuss how you feel the testing of Aldrich Ames was handled by the polygraph operators. What could have been done to eliminate the errors?  Explain why you think Ames “beat the system.”


Furthermore, discuss if you have ever been involved with a polygraph test and what occurred. Relate this to this case study. If you have not been involved in a polygraph test, discuss what you think it would be like.


Reminders: Students are required to submit assignments with a name, course name/number and page numbers on your assignments. Please double space your work, and re-state the question. Grading is facilitated when the assignment submission is well structured, and the questions (opposed to your answers) have been bolded. File Naming Convention: Students are required to submit assignments with their last name, followed by the week’s assignment; e.g. smith1.2. Microsoft Word documents only. Late submitters will be penalized.


Weekly written assignments will be due by 11:59 p.m. on Sunday at the end of each week. Specific assignments will be posted each week throughout the course. Your grade will be predicated on the quality of your thinking and writing - NOT the length of your writing. Too many words are usually a sign of poor editing, and too few words are a sign of poor analysis. 
This assignment is worth 100 points total.




  Week 3 Journal
Each student will complete “weekly” entries into a well-organized journal that reflects how the weekly coursework (reading and assignment) and discussion has impacted their personal and professional lives. Essentially, the journal - akin to a personal diary - should capture the meaningful and significant aspects of the course which generated student analysis and thought. See the Journal Guidelines on the main Assignments page. Your weekly journal entry will be due by 11:59 p.m. on Sunday at the end of each week. This assignment is worth 100 points total.



Sunday, December 11, 2011

Post 006 - CYBR 510


Week 2 Written Assignment

Week 2 Written Assignments

Your written assignment this week is to write a paper addressing both of the following:

• Discuss how the Rand Report (p. 32-33 of Security Operations Management textbook) has changed the security field and the law enforcement field.

• How has the modern protective industry grown in recent history? How does it compare with law enforcement today?

= = = = = = = = = = = = = = = = = = = = = = =


A Brief Analysis of the 1972 Kakalik and Wildhorn Rand Report and Its Impacts

This brief paper presents an analysis of the Rand Report titled Private Police in the United States: Findings and Recommendations, by James S. Kakalik and Sorrel Wildhorn, and its impact on the security industry in the United States. The report was commissioned by the Law Enforcement Assistance Administration (LEAA). Its chief objectives were to accurately describe the state of private security police who were not employed by government entities, and to provide recommendations and a basis for policy improvements that would raise the quality of private security police (McCrie, 2007).

This Rand Report was seen as a scathing indictment of the state of private police in the U.S. The crux of the report can be seen in this passage:

“The typical security guard is an aging white male, poorly educated, usually untrained, and very poorly paid. Depending on where in the country he works, what type of employer he works for (contract guard agency, in-house firm, or government), and similar factors, he averages between 40 and 55 years of age, has had little education beyond the ninth grade, and has had few years of experience in private security… He often receives few fringe benefits; at best, fringe benefits may amount to 10 percent of wages. But since the turnover rate is high in contract agencies, many employees never work the 6 months or 1 year required to become eligible for certain of these benefits.” (sic) (McCrie, 2007).

Other factors that the Rand Report identified as contributing to the overall poor quality of these private police officers were weak pre-employment screening, high turnover in the industry, low hourly compensation, and a lack of meaningful licensing standards (McCrie, 2007). One could also surmise from this list that a lack of adequate training was a factor.


How the 1972 Rand Report Has Changed the Security Field and the Law Enforcement Field

Nearly 40 years later, the 1972 Rand Report by Kakalik and Wildhorn is still being researched and referenced to understand the linkage between substandard security employees and the factors that contribute to the overall poor quality of security professionals. It is a clear example of the worst that can and will happen when there is a lack of policy and professional standards with which to build a staff of quality private police.

In 1976, the LEAA created the National Advisory Committee on Criminal Justice Standards and Goals. The purpose of this group was to undertake a number of detailed analytical reviews of issues related to criminal justice. One group created from this initiative was the Private Security Task Force (PSTF). The PSTF was comprised of law enforcement officials, corporate security directors, and executives from a major security services company. It released a report that was regarded as a follow-on response to the Rand Report, identifying 80 goals and standards for private security. While this report was not created to shape public policy that would bind governments and law enforcement professional standards, it has served as a good set of guidelines, though many of its recommendations have yet to be enacted (McCrie, 2007).

How Has the Modern Protective Industry Grown in Recent History?

Events since the September 11, 2001 terrorist attacks have underscored the importance of security as a priority in the eyes of the public and the eyes of our government leaders. The use of private security police is evident everywhere in large cities. Nearly every large public building in downtown Chicago has uniformed private security forces, and these are complemented by the use of other controls such as sign-in rosters, closed circuit television (CCTV) cameras with digital video recorders (DVR), pass card access, etc. When private police security guards serve in such capacities, they serve as a reminder that there is a human security element that can instantly react to security incidents, though to be sure, crime still occurs.

On October 24, 2006, my own dermatologist, Dr. David Cornbleet, was brutally murdered in his downtown Chicago office located in a high-rise office building on Michigan Avenue and evidence points to a disgruntled patient (Lohr, 2011). Ironically, the suspect was seen on CCTV and DVR entering and leaving the building within the time window of the crime, and there were private security guards on duty in the lobby of the building. Obviously, the killer exploited a vulnerability where the doctor was alone in his office and there were no witnesses to the crime. Nevertheless, despite the presence of private security guards, the crime was not deterred, and it was the CCTV and DVR that led to the best evidence of the identity of the primary suspect.

How Does It Compare with Law Enforcement Today?

Since the publication of the Rand Report in 1972 and of the follow-on PSTF report in 1976, several organizations have been created to promote professionalism, standards, and guidelines among private security police personnel. One such organization is the International Foundation for Protection Officers (IFPO, 2011).

Compared to the time in which the Rand Report was published, pay and hiring standards are higher. But nearly all uniformed police professionals hired into county, city, state, and federal police forces undergo much more intensive training, usually at some kind of academy, and they have better pay, benefits, and usually pensions. Usually the only point of comparison is that both public and private security professionals wear uniforms and carry a badge; the similarities usually end there.

Ultimately, the existence and effectiveness of private security personnel, and their correspondingly lower rate of compensation, are directly related to the degree to which an organization or group of organizations is willing to expend resources to reduce risk. If the organization will not expend adequate resources to reduce risk, the probability of a risk event occurring will increase as a result.


Conclusion

The Rand Report was clearly a turning point for the private police sector specifically, and for the security industry as a whole. Since its publication in 1972, security professionals have researched and referenced this report as a starting point. It is safe to say that, while the private police sector did not immediately start to improve, the report achieved its objectives: it was published by the Rand Corporation in 1972 as a factual document and as a tool to promote policies for improvement. It is also safe to say that because it was well researched and came from the Rand Corporation, the quality, credibility, and relevance of this report to the security industry explain why it is still being referenced and quoted almost 40 years after its initial publication.


References

McCrie, R. D. (2007). Security Operations Management, second edition. Burlington, MA: Elsevier.

Gunter, W. and Kidwell, J. (2004). Law Enforcement and Private Security Liaison: Partnerships for Cooperation. An article published at the International Foundation for Protection Officers. Retrieved from the web at http://www.ifpo.org/articlebank/lawprivateliaison.html on December 11, 2011.

IFPO. (2011). Benefits of Membership in the International Foundation for Protection Officers. Retrieved from the web at http://www.ifpo.org/membership.html on December 11, 2011.

Kakalik, J. S. and Wildhorn, S. (1972). Private Police in the United States: Findings and Recommendations. A study commissioned by the Law Enforcement Assistance Administration and published by Rand Corporation. Retrieved from the web at http://www.rand.org/content/dam/rand/pubs/reports/2006/R869.pdf on December 11, 2011.

Lohr, D. (2011). Dr. David Cornbleet: Lost at the Hands of a Patient. A web article published at the Investigation Discovery website. Retrieved from the web at http://investigation.discovery.com/investigation/internet-cases/cornbleet/david-cornbleet.html on December 11, 2011.

Wildhorn, S. (1975). Issues in Private Security. A special report published by the Rand Corporation. Retrieved from the web at http://www.rand.org/pubs/papers/2008/P5422.pdf on December 11, 2011.


= = = = = = = = = = = = = = = = = = = = = = =

William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
CYBR 510 Blog: http://cybr510.blogspot.com
http://billslater.com/career
Chicago, IL
United States of America

Friday, December 9, 2011

Post 005 - CYBR 510


Week 2 Discussion Question

Describe federal laws that have helped form security practices.
According to McCrie, in Security Operations Management, laws have shaped the formation and operation of security departments within organizations (McCrie, 2007).
In a report released by the White House in July 2009, the Cyberspace Policy Review, the state of cybersecurity and U.S. policy was summarized.
The diagram above is from an appendix of that Cyberspace Policy Review report, released by the Obama Administration in July 2009. The top half of the diagram shows major historical events related to communications, computers and the Internet. The bottom half shows the corresponding history of legislation, regulation, etc., that has affected security and privacy since 1900. What is particularly interesting about this diagram is that it begins in 1900. As the reader will see, there were some very important developments that affected the state of the law today.
The tables in the appendices show the following:
Appendix A - A timeline that shows U.S. laws related to privacy and security.
Appendix B - A comprehensive list of State Laws that are related to data privacy.
As a whole, all of these laws have helped to form and influence the composition and operation of security practices in organizations, for it is the consequences of non-compliance described within these various laws that give the leadership of organizations a sense of urgency to meet their obligations to protect assets, data, and people.
Also, it is important to note that federal laws are influenced by state laws and vice versa. On May 12, 2011, President Obama’s administration submitted a legislative proposal to Congress requesting the creation of laws to provide greater security for Federal government entities under the Department of Homeland Security, as well as Federal legislation that would require all organizations that experience breaches of private data to notify those affected.


References:

Ballard, Spahr, Andrews, Ingersoll, LLC. (2004) Privacy Law. [Electronic version.] Retrieved from the web on May 14, 2004 at http://www.virtualchase.com/resources/privacy.html.

Brancik, K. C. (2008). Insider Computer Fraud: An In-depth Framework for Detecting and Defending Against Insider IT Attacks. Boca Raton, FL: Auerbach Publications.

Davis, C.; Schiller, M.; and Wheeler, K. (2007). IT Auditing: Using Controls to Protect Information Assets. New York, NY: Osborne McGraw Hill.

Department of Homeland Security. (2009). (U//FOUO) Rightwing Extremism: Current Economic and Political Climate Fueling Resurgence in Radicalization and Recruitment. Retrieved from the web at http://www.fas.org/irp/eprint/rightwing.pdf on December 24, 2011.

Department of Justice (2004).  USA PATRIOT Act at Work.  Retrieved from the web at

Doyle, C. (2002).  USA PATRIOT Act: A sketch.  Retrieved from the web at http://www.fas.org/irp/crs/RS21203.pdf  on December 24, 2011.

Doyle, C. (2010).  National Security Letters in Foreign Intelligence Investigations: A Glimpse of the Legal Background and Recent Amendments - a CRS Report Dated December 27, 2010.  Retrieved from the web at  http://www.fas.org/sgp/crs/intel/RS22406.pdf  on December 24, 2011.

EPIC. (2011). Information Related to the USA PATRIOT Act. Retrieved from the web at http://epic.org/privacy/terrorism/usapatriot/ on December 9, 2011.

Frackman, A., Martin, R., and Ray, C. (2002). Internet and Online Privacy: A Legal and Business Guide. New York: ALM Publishing.

Galik, D. (1998). Defense in Depth: Security for Network-Centric Warfare. [Electronic version] Retrieved from the web on May 11, 2004 from http://www.chips.navy.mil/archives/98_apr/Galik.htm.

Gaskin, J. (1997). Corporate Politics and the Internet: Connection Without Controversy. Upper Saddle River, NJ: Prentice Hall.

Herrmann, D. S. (2007). Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI. Boca Raton, FL: Auerbach Publications.

Hoffman, L. J. (1977). Modern Methods for Computer Security and Privacy. Englewood Cliffs, NJ: Prentice-Hall.

Icove, D., et al. (1995). Computer Crime: A Crimefighter’s Handbook. Sebastopol, CA: O’Reilly & Associates.

Jacobs, S. (2011). Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance. Piscataway, NJ: IEEE Press.

Landy, G. K. (2008). The IT/Digital Legal Companion: A Comprehensive Business Guide to Software, IT, Internet, Media, and IP Law. Burlington, MA: Syngress.

Lane, C. A. (1997). Naked in Cyberspace. Wilton, CT: Pemberton Press.

Legal Information Institute. (2004). Right of Privacy, An Overview. An article from Cornell Law School. [Electronic version.] Retrieved from the web on May 14, 2004 at http://www.law.cornell.edu/topics/privacy.html .

McCrie, R. D. (2007). Security Operations Management, second edition. Burlington, MA: Elsevier.

Miles, G., et al. (2004) Security Assessment: Case Studies for Implementing the NSA IAM. Burlington, MA: Syngress Publishing, Inc.

Olsen, J. E. (2003). Data Quality: The Accuracy Dimension. San Francisco, CA: Morgan Kaufmann Publishers.

Reynolds, G. W. (2012). Ethics in Information Technology, 4th edition. Boston, MA: Course Technology.

Riggs, M. (2011).  Lee County Deputies Tied Suspect to a Chair, Gagged Him, and Pepper-Sprayed Him to Death.  An article published at Reason.com on December 23, 2011. Retrieved from the web at http://reason.com/blog/2011/12/23/lee-county-deputies-tied-suspect-to-a-ch on December  23, 2011.

Senft, A. and Gallegos, F. (2009). Information Technology Control and Audit. Boca Raton, FL: CRC Press.

The White House. (2009). Cyberspace Policy Review. A document published by the Obama Administration. Retrieved from the web at http://info.publicintelligence.net/cyberspace_policy_review_final.pdf on December 9, 2011.

U.S. Congress. (1987). The Computer Security Act of 1987. 101 STAT. 1724, Public Law 100-235, 100th Congress. Retrieved from the web http://www.nist.gov/cfo/legislation/Public%20Law%20100-235.pdf on December 9, 2011.

U.S. Government. (2009). American Recovery and Reinvestment Act of 2009. 123 STAT. 115, Public Law 111-5, 111th Congress. Retrieved from the web at http://www.opencongress.org/bill/111-s1/show on December 9, 2011.

U.S. Government.  (2001).  USA PATRIOT Act.  Retrieved from the web at  http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ056.107.pdf   on December 24, 2011.

U.S. Government. (1776). The Declaration of Independence. Retrieved from the web at http://www.billslater.com/tj1776.htm  on November 6, 2011.

U.S. Government. (1791). U.S. Constitution. Retrieved from the web at

Whitman, M. E. and Mattord, H. J. (2010). Management of Information Security, third edition. Indianapolis, IN: Course Technology.

Wikipedia. (2011). USA PATRIOT Act. A Wikipedia article retrieved from the web at





Appendix A - Federal Legislation that has Influenced Security Practices - From the Beginning to 2011

Timeframe: 1788 – 1789
Law: First Amendment to the U.S. Constitution – freedom of speech, freedom of assembly, freedom of worship.
Author(s): James Madison, et al.

Timeframe: 1788 – 1789
Law: Fourth Amendment to the U.S. Constitution – freedom from unreasonable search and seizure.
Author(s): James Madison, et al.

Timeframe: 1974
Law: Privacy Act of 1974 (Public Law 93-579, 5 U.S. Code 552a) – sets limits on the collection and transfer of personal data by government agencies and lets citizens sue agencies that violate the act (Lane, 1997).
Author(s): Congress of the U.S.

Timeframe: 1984
Law: “Computer Fraud and Abuse Act – originally enacted as part of the Crime Control Act and was the first statute to specifically address computer crime. In 1990, it was amended ‘to cover all computers used in interstate commerce or communications’ and to prohibit forms of computer abuse which arise in connection with, and have a significant effect upon, interstate or foreign commerce” (Frackman, Martin and Ray, 2002).
Author(s): Congress of the U.S.
Comments: People were prohibited from accessing computers without authorization.

Timeframe: 1986
Law: “Electronic Communications Privacy Act of 1986 – the most comprehensive piece of federal legislation dealing with the interception of and access to electronic communications such as e-mail and voice mail” (Frackman, Martin and Ray, 2002).
Author(s): Congress of the U.S.
Comments: “Enacted to amend Title III of the Omnibus Crime Control and Safe Streets Act of 1968. This act provided protection from traditional means of communication, such as the telephone, by placing restrictions on the wiretapping and eavesdropping of these means of communication. The ECPA modernized the 1968 Act to expand upon all forms of electronic communication. It exposes violators to civil penalties and sets out specific exceptions. However, employers have been able to circumvent any constraints imposed by the ECPA by obtaining consent of employees. Courts have uniformly upheld such consent of employees” (Frackman, Martin and Ray, 2002).

Timeframe: 1987
Law: The Computer Security Act of 1987
Author(s): Congress of the U.S. (101 STAT. 1724, Public Law 100-235, 100th Congress)
Comments: This was the first federal law that was exclusively related to computer security.

Timeframe: 1996
Law: “Health Insurance Portability and Accountability Act (HIPAA) of 1996 – required the Department of Health and Human Services to promulgate regulations governing the disclosure of health information” (Frackman, Martin and Ray, 2002).
Author(s): Congress of the U.S.
Comments: Purpose was to safeguard PII and NPPI in transit and in storage, whether used for financial transactions or a patient’s medical records.

Timeframe: 1999
Law: “Gramm-Leach-Bliley Act – for the purpose of implementing the congressional policy that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers to protect the security and confidentiality of those customers’ nonpublic personal information…” (Frackman, Martin and Ray, 2002).
Author(s): Senator Phil Gramm, Representative Jim Leach, and Representative Thomas Bliley
Comments: President Clinton was on record as being reluctant to sign this into law, because he didn’t believe it was a good law. Purpose was to safeguard customers’ PII and NPPI in transit and in storage, whether used for financial transactions or otherwise.

Timeframe: 2001
Law: USA PATRIOT Act, H.R. 3162
Author(s): Frank James Sensenbrenner, Jr. (EPIC, 2011)
Comments: The USA PATRIOT Act essentially nullified 5 of the first 10 Amendments to the U.S. Constitution. Many citizens feel strongly that the powers now granted to the Executive branch of government and its agents are in direct conflict with the 1st, 4th, 5th, 6th and 8th Amendments in the Bill of Rights to the U.S. Constitution (see Bill of Rights, below). In other words, we now live in such times that many of the rights to privacy that we thought were guaranteed under the U.S. Constitution are now preempted, at least temporarily, by the PATRIOT Act. In fact, the only way the PATRIOT Act could be passed in both chambers of Congress was to include a “sunset clause,” which caused many of the more far-reaching provisions of the Act to expire automatically unless they were again reviewed and approved by both chambers of Congress. Despite the sunset clause, the PATRIOT Act has now been renewed twice, once under President Bush and once under President Obama.

Timeframe: 2005
Law: H.R. 4127 – Data Accountability and Trust Act (DATA)
Author(s): House of Representatives - introduced by Rep. Clifford Stearns [R-FL]
Comments: Never passed by the Senate. The goal of this legislation was to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information and to provide for nationwide notice in the event of a security breach.

Timeframe: 2005 – 2011
Law: Breach Notification Act(s)
Author(s): Various State Legislatures
Comments: As of 2011, over 42 states in the U.S. have laws that protect the privacy of NPPI and PII (see Appendix B). Purpose was to safeguard PII and NPPI in transit and in storage. On May 12, 2011, President Obama’s administration submitted a legislative proposal to Congress requesting the creation of laws to provide greater security for Federal government entities under the Department of Homeland Security, as well as Federal legislation that would require all organizations that experience breaches of private data to notify those affected.

Timeframe: 2009
Law: HITECH Act
Author(s): U.S. Congress
Comments: Passed as a provision of the American Recovery and Reinvestment Act of 2009. It imposes stiff penalties for HIPAA violations. The ARRA is a bill to create jobs, restore economic growth, and strengthen America's middle class through measures that modernize the nation's infrastructure, enhance America's energy independence, expand educational opportunities, preserve and improve affordable health care, provide tax relief, and protect those in greatest need, and for other purposes (U.S. Congress, 2009).


Appendix B – State Privacy Laws as of 2010

State
Legislation or State Law
Requires
Alaska
A.S. 45.48.010 (July 1, 2009)
Notice to consumers of breach in the security of unencrypted, unredacted personal information in physical or electronic form, or encrypted information where the encryption key may also have been compromised. No notice if a reasonable investigation determines there is no reasonable likelihood of harm to consumers. Written documentation of the investigation must be kept for 5 years. Entities subject to compliance with the Gramm-Leach-Bliley Act are exempt.
Arizona
A.R.S. 44-7501 (December 31, 2006)
Notice to consumers of breach in the security of unencrypted, unredacted computerized personal information. No notice if a reasonable investigation determines there is no reasonable likelihood of harm to consumers. If entity complies with federal rules, then it is deemed to be in compliance with Arizona law.
Arkansas
Ark. Code Ann. 4-110-101 to 108 (March 31, 2005)
Notice to consumers of breach in the security of unencrypted, computerized personal information and medical information in electronic or physical form. Notice is not required if no reasonable likelihood of harm to consumers. If entity complies with state or federal law that provides greater protection, and at least as thorough disclosure and in compliance with the state or federal law, then it is deemed in compliance.
California
Civil Code Sec. 1798.80-1798.82 (July 1, 2003)
Notice to consumers of breach in the security, confidentiality, or integrity of unencrypted, computerized personal information held by a business or a government agency. If the person or business has its own notification procedures consistent with the timing requirements and provides notice in accordance with its policies, or if the person or business abides by a state or federal law that provides greater protection and disclosure, then it is deemed in compliance.
Colorado
Co. Rev. Stat. 6-1-716(1)(a) (September 1, 2006)
Notice to consumers of breach in the security of unencrypted, unredacted computerized personal information. Notice given unless investigation determines misuse of information has not occurred or is not reasonably likely to occur. If entity is regulated by state or federal law and maintains procedures pursuant to laws, rules, regulations or guidelines, it is deemed in compliance.
Connecticut
Conn. Gen. Stat. 36a-701b (January 1, 2006)
Notice of security breach by persons who conduct business in the state and have a breach of the security of unencrypted computerized data, electronic media or electronic files, containing personal information. Notice is not required if the breached entity determines in consultation with federal, state, and local law enforcement agencies that the breach will not likely result in harm to the individuals. Governmental entities not required to provide notice under this section. Entities are also deemed compliant if notification is in compliance with rules or guidelines established by the primary function of the regulator under the Gramm-Leach Bliley Act.
Delaware
Del. Code Ann. Title 6 Section 12B-101 to 12B-106 (June 28, 2005)
Notice to consumers of breach in the security of unencrypted computerized personal information if the investigation determines that misuse of information about a Delaware resident has occurred or is reasonably likely to occur. If the entity is regulated by state or federal law and maintains procedures for a breach pursuant to the laws, rules, regulations, guidances or guidelines established by its primary or functional state or federal regulator, then it is deemed in compliance with this chapter provided it notifies affected residents in accordance with the maintained procedures when a breach occurs.
District of Columbia
DC Code Sec 28-3851 et seq. (January 1, 2007)
Notice to consumers of breach in the security, confidentiality, or integrity of unencrypted computerized or other electronic personal information held by a business or a government agency. This section does not pertain to person or entity subject to the Gramm-Leach Bliley Act. This section also does not apply to a person or business with its own notification procedures with consistent timing requirements in compliance with notification requirements of this section and the person or business provides notice in accordance with its policies and which is reasonably calculated to give actual notice.
Florida
Fla. Stat. Ann. 817.5681 et seq. (July 1, 2005)
Notice to consumers of breach in the security, confidentiality or integrity of computerized, unencrypted personal information held by a person who conducts business in the state. Notice not required if, after appropriate investigation or consultation with law enforcement, person reasonably determines breach has not and will not likely result in harm to individuals. Determination must be documented in writing and maintained for five years. Deemed in compliance if person’s own notification procedure is otherwise consistent with the timing requirements of this section, or “maintaining” notification procedures established by person’s primary or functional federal regulator.
Georgia
Ga. Code Ann. 10-1-910 et seq. (May 24, 2007. Covers “information brokers and data collectors”)
Notice of breach that compromises the security, confidentiality, or integrity of computerized personal information held by an info broker or data collector.
Hawaii
HRS Sec 487N-1 et seq. (January 1, 2007)
Notice when unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person. Notice under this section not required by a financial institution subject to Federal Interagency Guidance on Response Programs for Unauthorized Access to Consumer Information and Consumer Notice or by any health plan or healthcare provider under HIPAA.
Idaho
Id. Code Ann. 28-51-104 (July 1, 2006)
Notice to consumers of breach in the security of unencrypted, computerized personal information if after a reasonable investigation, the agency, individual or entity determines that misuse of information of Idaho resident has occurred or is reasonably likely to occur. Notice under this section not required by a person regulated by state or federal law and who complies with procedures under that law.
Illinois
815 ILCS 530/1 et seq. (January 1, 2006)
Notice to consumers of a breach of the security of system data containing personal information held by a person or a government agency. Notice under this section is not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information that is otherwise consistent with the timing requirements of this Act.
Indiana
Ind. Code Sec. 4-1-11 et seq. (June 30, 2006)
Notice to consumers of breach in the security, confidentiality, or integrity of computerized personal information held by a government agency.
Indiana
Ind. Code Sec. 24-2-9 et seq. (June 30, 2006)
Notice when a data collector knows, should know, or should have known that the unauthorized acquisition of computerized data, including computerized data that has been transferred to another medium, constituting the breach has resulted in or could result in identity deception, ID theft or fraud. Notice not required under this section if entity maintains own disclosure procedures, is under federal USA Patriot Act, Exec. Order 13224, FCRA, Financial Modernization Act, HIPAA or financial institutions that comply with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice.
Iowa
Iowa Code Chapter 2007-1154 (July 1, 2008)
Notice to consumers of breach in the security of unencrypted, unredacted personal information electronic form. No notice if a reasonable investigation determines there is no reasonable likelihood of harm to consumers. Written documentation of the investigation must be kept for 5 years. Exempted are those with own notification procedures or procedures under state or federal   law providing at least greater protection to personal information and at least as thorough disclosure requirements pursuant to the rules, regulations, procedures, guidance or guidelines established by primary regulator, or state or federal laws. Entities subject to compliance with the Gramm-Leach-Bliley Act are exempt.
Kansas
Kansas Stat. 50-7a01, 50-7a02 (January 1, 2007)
Notice to consumers about a breach in the security of unencrypted, unredacted computerized personal information if investigation determines misuse has occurred or is reasonably likely occur.
Louisiana
La. Rev. Stat. Ann. Sec. 51:3071-3077 (January 1, 2006)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons doing business in the state. No notice if, after a reasonable investigation, the data holder determines that there is no reasonable likelihood of harm to customers. Notice not required by financial institutions in compliance with federal guidance.
Maine
Me. Rev. Stat. Ann. 10-21-B-1346 to 1349 (January 31, 2006. Covers only information brokers)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information if the personal information has been or is reasonably believed to have been acquired by an unauthorized person. Notice under this section is not required by persons regulated by state or federal law and which complies with procedures under that law.
Massachusetts
201 CMR 17.00 (March 1, 2010)
Notice of a breach, meaning unauthorized acquisition of unencrypted data, or of encrypted electronic data together with the confidential process or key, that is capable of compromising the security, confidentiality or integrity of personal information and creates a significant risk of identity theft or fraud.
Michigan
2006-PA-0566 (July 2, 2007)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons doing business in the state. Notice under this section required unless person/agency determines security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft. Does not apply to financial institutions or HIPAA entities.
Minnesota
Minn. Stat. 325E.61 et seq. (January 1, 2006)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons doing business in the state. Does not apply to financial institutions or HIPAA entities.
Montana
Mont. Code Ann.   31-3-115 (March 1, 2006)
Notice to consumers of breach in security, confidentiality, or integrity of computerized personal information held by a person or business if the breach causes or is reasonably believed to have caused loss or injury to a Montana resident. Notice under this section is not required if the entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
Nebraska
Neb. Rev. Stat.   87-801 et seq. (July 16, 2006)
Notice to consumers of a breach in the security of unencrypted, computerized personal information if an investigation determines that misuse of the information has occurred or is reasonably likely to occur. Deemed in compliance if the person’s own notification procedure is otherwise consistent with the timing requirements of this section, or if the person follows notification procedures established by its primary or functional federal regulator.
Nevada
Nev. Rev. Stat. 603A.010 et seq. (January 1, 2006)
Notice of breach of the security, confidentiality, or integrity of unencrypted computerized personal information by data collectors, which are defined to include government, business entities and associations who handle, collect, disseminate or otherwise deal with nonpublic personal information. Notice under this section is not required if the entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section, or is subject to compliance with the Gramm-Leach-Bliley Act.
New Hampshire
NH RS 359-C: 19 et seq. (January 1, 2007)
Notice of unauthorized acquisition if it is determined likely that information has been or will be misused. Notice must be given if a determination is made that misuse of information has occurred or is reasonably likely to occur, or if a determination cannot be made. Notice under this section is not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information that is otherwise consistent with the timing requirements of this section, or if the entity is a person engaged in trade or commerce under RSA 358-A:3 and maintains notification procedures established by its primary or functional regulator.
New Jersey
NJ Stat 56:8-163 (July 2, 2006)
Notice of breach of security of unencrypted computerized personal information held by a business or public entity. No notice if a thorough investigation finds misuse of the information is not reasonably possible. Written documentation of the investigation must be kept for 5 years. Notice under this section not required if entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
New York
NY Bus. Law Sec. 899-aa. (December 8, 2005)
Notice of breach of security of computerized unencrypted, or encrypted with acquired encryption key, personal information held by both public and private entities.
North Carolina
N.C. Gen. Stat. 75-65 (December 1, 2005)
Notice of breach of security of unencrypted and unredacted written, drawn, spoken, visual or electromagnetic personal information, and encrypted personal information with the confidential process or key held by a private business if the breach causes, is reasonably likely to cause, or creates a material risk of harm to residents of North Carolina. Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt.
North Dakota
N.D. Cent. Code 51-30 (June 1, 2005)
Notice of a breach of the security of unencrypted, computerized, personal information by persons doing business in the state. Includes an expanded list of sensitive personal information, including date of birth, mother’s maiden name, employee ID number, and electronic signature. Exception for those financial institutions which are in compliance with federal guidance.
Ohio
O.R.C. Ann. 1349.19 et seq. (February 17, 2006)
Notice of breach of the security or confidentiality of computerized personal information, held by a state agency, political subdivision or business where reasonably believed it will cause a material risk of identity theft or fraud to a person or property of a resident of Ohio. Notice under this section is not required by financial institutions, trust companies or credit unions or any affiliate required by federal law to notify customers of information security breach and who is in compliance with federal law.
Oklahoma
Okla. Stat. 74-3113.1 (June 8, 2006)
Requires state government agencies to give notice of breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of Oklahoma whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Notice is not required under this section by a state agency, board, commission, or unit or subdivision of government if the entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
Oregon
O.R.S. 646A.604 (October 1, 2007)
Notice when unauthorized acquisition of computerized data materially compromises the security, confidentiality or integrity of personal information maintained by the person. Notice is not required if, after an appropriate investigation or after consultation with federal, state or local agencies responsible for law enforcement, the person determines that no reasonable likelihood of harm to consumers whose personal information has been acquired has resulted or will result from the breach. The determination must be in writing and kept for 5 years. Exempted are those with their own notification procedures under state or federal law providing at least as great protection to personal information and at least as thorough disclosure requirements pursuant to the rules, regulations, procedures, guidance or guidelines established by the primary regulator, or state or federal laws, and financial institutions which are in compliance with federal guidance.
Pennsylvania
73 Pa. Cons. Stat. 2303 (June 30, 2006)
Notice of breach of the security or confidentiality of computerized personal information, held by a state agency, political subdivision or business, that is reasonably believed to have been accessed or acquired by an unauthorized person. Notice under this section is not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section. Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt.
Puerto Rico
10 L.P.R.A. 4051 et seq. (January 5, 2006)
Notice of breach of the security, confidentiality and integrity of unencrypted personal information, where access has been permitted to unauthorized persons or it is known or reasonably suspected that authorized persons have accessed the information with intent to use it for illegal purposes.
Rhode Island
RI Gen. Law 11-49.2-3 to 11.49.2-7 (March 1, 2006)
Notice of a breach of the security, confidentiality or integrity of unencrypted, computerized, personal information by persons and by state agencies if the breach poses a significant risk of identity theft, when unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. No notice is required if, after an appropriate investigation or after consultation with relevant federal, state, and local law enforcement agencies, it is determined that the breach has not resulted and will not likely result in harm to individuals. Does not apply to HIPAA entities or financial institutions in compliance with Federal Interagency Guidelines. Entities covered by another state or federal law are exempt only if that other law provides greater protection to consumers.
South Carolina
SC Code §1-11-490 et seq. (January 1, 2009)
Notice of breach of the security of computerized, unencrypted and unredacted personal information, or encrypted information with a key that has also been compromised, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a "material risk of harm" to the consumer. Notice under this section is not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
Tennessee
Tenn. Code. Ann. 47-18-21 (July 1, 2005)
Notice of the unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information. Does not apply to persons subject to Title V of the Gramm-Leach-Bliley Act.
Texas
Tex. Bus & Com. Code Ann. 4-48-103 (September 1, 2005)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons who conduct businesses in the state. Notice under this section not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
Utah
Utah Code 13-44-101 et seq. (January 1, 2007)
Notice of a breach of the security of computerized personal information that is not protected by a method that makes the information unusable. Entities covered by another state or federal law are exempt if the person notifies each affected Utah resident in accordance with that law.
Vermont
Vt. Stat. Tit 9 Sec. 2435 (January 1, 2007)
Notice if investigation reveals misuse of personal information for identity theft or fraud has occurred, or is reasonably likely to occur. Notice is not required if the data collector establishes that misuse of personal information is not reasonably possible. Must provide notice and explanation to the Attorney General or department of banking, insurance, securities and health care administration in the event data collector is a person/entity licensed with that department. Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt.
Virgin Islands
14 V.I.C. 2208 et seq. (October 17, 2005)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information reasonably believed to have been acquired by unauthorized persons. Notice under this section not required if entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
Virginia
VA Code 18.2-186.6 (July 1, 2008)
Notice of any breach of the security of computerized, unencrypted and unredacted personal information, or encrypted information with a key that has also been compromised, if an individual or entity reasonably believes such information has been accessed and acquired by an unauthorized person and has caused or will cause identity theft or other fraud. Notice under this section is not required if an entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section, or if the entity has notification procedures established by a federal regulator. This section does not apply to any entity that is subject to compliance with the Gramm-Leach-Bliley Act.
Washington
RCW 42.17 et seq. (July 24, 2005)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons, businesses and government agencies. Notice is not required when there is a technical breach of the security of the system which does not seem reasonably likely to subject customers to a risk of criminal activity. Notice under this section not required if entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
West Virginia
WV Code 46A-2A-101 et seq. (June 26, 2008)
Notice of any breach of the security of computerized, unencrypted and unredacted personal information, or encrypted information with a key that has also been compromised, reasonably believed to have been accessed and acquired by an unauthorized person and has caused, or will cause, identity theft or other fraud. Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt.
Wisconsin
Wis. Stat. 895.507 (March 16, 2006)
Notice to the consumer when personal information is taken in a security breach that is not encrypted, redacted or altered in any manner rendering the information unreadable. This includes DNA and biometric data. Notice not required if the acquisition of personal information does not create a material risk of ID theft or fraud.
Wyoming
W.S. 40-12-501 to 509 (July 1, 2007)
Notice of the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal identifying information if an investigation determines that misuse of the personal identifying information has occurred or is reasonably likely to occur. Financial institutions subject to the Gramm-Leach-Bliley Act or credit unions under 12 USC §1752 are exempt from providing notice under this section.

(Jacobs, 2011)


= = = = = = = = = = = = = = = = = = = = = = =
= = = = = = = = = = = = = = = = = = = = = = =
William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager