1.What is the difference between privacy law and information systems security? How are they related?

2. Was the employee justified in taking home official data? Why or why not?

3. What are the possible consequences associated with the data loss?

4. Regarding the loss of privacy data, was there any data containing protected health information (PHI) making this a

Health Insurance Portability and Accountability Act (HIPAA) compliance violation?

5. What action can the agency take against the employee concerned?

7. Why were the VA data analyst’s two supervisors reprimanded and demoted by the VA secretary?

Do you think this was justified? Why or why not?

8. What was violated in this data breach?

9. If the database had been encrypted because of VA policy, would this data loss issue even have been an issue? Why

or why not?

10. What risk mitigation or security control recommendations would you suggest to prevent this from

occurring again?

11. What information systems security and privacy security policies do you think would help mitigate

this breach and loss of privacy data?

12. What or who was the weakest link in this chain of security and protection of privacy data?

13. If the VA had performed a security and information assurance audit for compliance, what could

the VA do on an annual basis to help mitigate this type of loose policy conformance?

14. Which organization in the U.S. federal government is responsible for performing audits on other

U.S. federal government agencies? (Hint: It is also known as the “Congressional Watchdog.”)

Note:

Text Book Reference: Grama, Joanna Lyn. Legal Issues in Information Security, 2nd ed. Burlington, MA: Jones & Bartlett

Learning, 2015

Please check plagarism