200 word response 1 reference due 6/8/2024
Franco
2-1: Aligning an IT Security Assessment
The Gramm-Leach-Bliley Act (GLBA) was established in 1999 and was enacted to assist reform the financial industry and address consumer financial privacy concerns (Federal Trade Commission, 2023). GLBA possesses requirements for the Federal Trade Commission and other government entities associated with financial regulation to carry out the provisions within the act. The act expected for all required businesses to fully comply by July, 2001 (Federal Trade Commission, 2023). Today, financial companies are fully expected to competently explain their information-sharing practices to their clients and proper safeguards to increase the cybersecurity posture of critical data. In addition, financial institutions must notify their customers about their information-sharing instruments and provide an non-intrusive method to opt-out if the customer decides not to participate in information sharing. The Privacy rule is one of the main provisions that safeguards consumer’s privacy. The Federal Trade Commission (2023) explained how the rule protects a customer’s “nonpublic personal information”. An NPI is any personally identifiable financial information that an institution collects during the process of providing a financial instrument service. Examples of NPI can be name, address, income, Social Security Number, and other pertinent information (Federal Trade Commission, 2023). The GLBA possesses security rules to better secure NPI and strengthen the confidentiality and availability of such data. In the current era of complex technologies and networks, IT security and compliance is important to protect data and prevent critical security events. Customers may be instilled confidence if their chosen financial institution is strongly secured and transparent with their intentions. Lastly, financial institutions that are publicly traded must comply to the Sarbanes-Oxley Act of 2002. The act aims to discourage financial fraud and protect the integrity of financial statements as a result of Enron’s collapse. Sarbanes-Oxley also possesses IT security provisions to secure data and the requirements can be reached with the help of cybersecurity teams and IT auditors.
2-4: Compliance Within the User Domain: Training
Phishing is a cybercrime in which a victim or multiple victims are contacted through email, telephone, or text by a threat actor posing as a legitimate institution to lure targets into providing sensitive data like passwords or credit card numbers (Phishing, 2024). Unfortunately, if that information is obtained it can result in grand loss and potential identity theft. Sourced information may be sold to other threat actors on the dark web and other illicit forums. Phishing attacks may have many common denominators. Some typical features can be the “Too Good to Be True”, which contains lucrative offers and eye-catching titles to entice the victim to indulge. It could be a free item or lottery ticket (Phishing, 2024). The Sense of Urgency tactic is used by threat actors to coerce information by facilitating a time sensitive transaction. Reliable organizations will never solicit information from their clients. Hyperlinks are very common and will show a real URL with a letter modified to trick the user. Lastly, Attachments are dangerous because they may possess payloads such as ransomware after clicking or downloading the file (Phishing, 2024). Phishing (2024) explained prevention methods such as spam filters and protective browser settings to be toggled on. Financial institutions use phishing monitoring systems to help curb attacks and possess hotlines to report phishing attacks and fraudulent websites. A strategy to communicate social engineering techniques is to create a phishing exercise in an organization. If the users fail, they can become educated with phishing presentations and modules to learn how to identify signs in the future and help maintain the cybersecurity integrity of the organization by operating in good faith.
