Page 1

Preparing for a Data Compromise:
what to do when a security breach exposes sensitive data

Charles R. Morrow-Jones, Director, Cyber-Security
Cathy Bindewald, Director, Communications, Marketing and Planning
Office of the Chief Information Officer, The Ohio State University

Page 2

Acknowledgements

• This presentation has benefited greatly from conversations with:
  – Mary Ann Blair, Director of Information Security, Computing Services, Carnegie Mellon University
  – Tim Keller, Director, Fraud and Identity Management Solutions, TransUnion LLC
  – Steve Schuster, Director of IT Security, Cornell University
• Educause has supplied valuable material on this topic

Page 3

Agenda

• Introduction
• What is sensitive data?
• Why do we need a disclosure response plan?
  – Legal requirements – FERPA, HIPAA, Ohio HB 104, …
  – Ethical considerations
• Developing an enterprise disclosure response plan
  – creation of an intra-institutional response team
  – ensuring that the response team is appropriately prepared
  – creation of advisory chains within the institution
  – processes for the notification of affected individuals
  – dealing with the news media
  – appropriate remediation

Page 4

What is Sensitive Data?

Data that are legally or customarily protected from disclosure. Examples of legal protections include:

• FERPA – Requires the safeguarding and protection of privacy for educational records
• HIPAA – Protects the privacy of medical records
• Ohio House Bill 104 – Requires notification if “Personal Information” is exposed

Page 5

Examples of Sensitive Data

• Name
• Address
• SSN
• Telephone Number
• Driver’s License Number
• Account Number
• PIN
• Email Address
• Password
• Other personal information

Page 6

Ohio House Bill 104: Personal Information

• Personal Information – a person’s name linked with any one of the following (when the data elements are not encrypted, redacted or altered): SSN, driver’s license number, or a debit card or account number linked with a security code or password

Page 7

House Bill 104: Requirements

• Effective February 17, 2006
• Requires state agencies, persons and businesses to contact individuals if unencrypted personal information maintained on computers is obtained by unauthorized persons (breach of security) and the access causes or is believed to cause a risk of identity theft or other fraud
• Notice of breach must occur within 45 days of the discovery

Page 8

House Bill 104: Definition of a Security Breach

• Breach of Security – unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a state agency or an agency of a political subdivision, and that causes or is believed to cause a risk of identity theft or other fraud

Page 9

House Bill 104: Exclusions

• Exclusions – personal information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or any published news, editorial or advertising statement

Page 10

House Bill 104: Notification Requirements

• Notice/disclosure of breach may be given in the following ways:
  – Written
  – Electronic
  – Telephone
  – Substitute notice (email, posting on the agency website, media outlets) – may be given if the agency does not have sufficient information on the residents, or the cost of providing notice exceeds $250,000, or the number of those to be notified exceeds 500,000

Page 11

House Bill 104: Inform National Credit Bureaus

• Credit Reporting – If more than 1,000 residents are involved in a single occurrence of a breach of security, the state agency or agency of a political subdivision shall notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure

Page 12

House Bill 104: Failure to Comply

• Requires the court to determine whether there was bad faith in the failure to comply and whether the failure to comply was intentional or reckless
• Civil penalties:
  – $1,000 per day for the first 60 days
  – Up to $5,000 per day for days 61–90
  – Up to $10,000 per day beginning the 91st day
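The HB 104 material on slides 6 through 12 amounts to a small decision procedure, and a response team can encode it in its playbook so that the "is this Personal Information, who must be told, and by when" questions are answered the same way every time. The following Python is an added example written for this page; it is not material from the presentation, and it is not the statute's text. The Incident data model, the element names such as ssn and account_number_with_code, and the function names are assumptions of the example. The penalty function computes the ceiling of the daily schedule on slide 12; the slides say a court sets the actual amount after weighing bad faith and intent.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Data elements that, when linked with a person's name and left unencrypted,
# unredacted and unaltered, make the record "Personal Information" (slide 6).
# The element names are this example's own vocabulary, not statutory terms.
QUALIFYING_ELEMENTS = {"ssn", "drivers_license", "account_number_with_code"}


@dataclass
class Incident:
    """Facts the response team collects about one suspected compromise.

    Field names are this example's own assumptions, not terms from HB 104.
    """
    discovered: date
    elements_exposed: set        # e.g. {"name", "ssn"}
    elements_protected: set      # subset that was encrypted/redacted/altered
    publicly_available: bool     # lawfully public government record or news
    risk_of_fraud: bool          # causes or is believed to cause ID theft risk
    residents_affected: int
    has_contact_info: bool       # agency can reach the affected residents
    estimated_notice_cost: float


def is_personal_information(inc):
    """Slides 6 and 9: a name linked with an unprotected qualifying element,
    unless the information is lawfully public."""
    if inc.publicly_available:
        return False
    if "name" not in inc.elements_exposed or "name" in inc.elements_protected:
        return False
    unprotected = inc.elements_exposed - inc.elements_protected
    return bool(unprotected & QUALIFYING_ELEMENTS)


def notification_plan(inc):
    """Slides 7, 10 and 11: which HB 104 obligations this incident triggers."""
    plan = {
        "notify_individuals": False,
        "deadline": None,
        "substitute_notice_allowed": False,
        "notify_credit_bureaus": False,
    }
    # Breach of security = unauthorized acquisition of unencrypted personal
    # information that causes or is believed to cause risk of fraud (slide 8).
    if not (is_personal_information(inc) and inc.risk_of_fraud):
        return plan
    plan["notify_individuals"] = True
    plan["deadline"] = inc.discovered + timedelta(days=45)
    plan["substitute_notice_allowed"] = (
        not inc.has_contact_info
        or inc.estimated_notice_cost > 250_000
        or inc.residents_affected > 500_000
    )
    plan["notify_credit_bureaus"] = inc.residents_affected > 1_000
    return plan


def max_civil_penalty(days_late):
    """Slide 12: ceiling of the daily penalty schedule for a notice that is
    days_late days overdue; a court decides the actual amount."""
    total = 0
    for day in range(1, days_late + 1):
        if day <= 60:
            total += 1_000
        elif day <= 90:
            total += 5_000
        else:
            total += 10_000
    return total


def sample_incidents():
    """Constructed scenarios for illustration only (not real incidents)."""
    base = dict(discovered=date(2006, 3, 1), publicly_available=False,
                risk_of_fraud=True, residents_affected=1_500,
                has_contact_info=True, estimated_notice_cost=9_000.0)
    return {
        # A lost laptop holding names and SSNs in the clear.
        "lost_laptop_plaintext": Incident(
            elements_exposed={"name", "ssn", "address"},
            elements_protected=set(), **base),
        # The same laptop, but the SSN column was encrypted.
        "lost_laptop_encrypted": Incident(
            elements_exposed={"name", "ssn", "address"},
            elements_protected={"ssn"}, **base),
    }


if __name__ == "__main__":
    for label, inc in sample_incidents().items():
        print(label, notification_plan(inc))
    print("penalty ceiling at 100 days overdue:", max_civil_penalty(100))
```

The two constructed scenarios differ only in whether the SSN column was encrypted, which is the distinction the statute draws: the plaintext laptop triggers individual notice within 45 days and, because more than 1,000 residents are involved, notice to the nationwide credit bureaus, while the encrypted one triggers nothing under HB 104 (other obligations, such as FERPA or HIPAA, are outside this helper).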

Page 13

The Disclosure Response Plan

Page 14

Creating an Intra-institutional Compromise Response Team

• Purpose:
  – For each situation involving a possible data compromise, determine whether notification is required
• To be successful:
  – Team structure must match the decision-making culture of the organization
  – Authorization to make the notification decision must be delegated to the team
  – All incidents must be referred to the team

Page 15

Response Team Membership (Cornell DIRT Example)

Core Team:
• CIO
• Director, IT Policy
• Director, IT Security
• University Audit
• University Council
• University Police
• University Communication
• Risk Management

Incident Specific Additions:
• Data Steward
• Unit Head
• Local IT Support
• Security Liaison
• ITMC member

Page 16

Response Team Membership (Possible Additional Membership)

Core Team:
• CIO
• Director, IT Policy
• Director, IT Security
• University Audit
• University Council
• University Police
• University Communication
• Risk Management
• Leader, Help Desk

Incident Specific Additions:
• Data Steward
• Division Head (e.g. Dean)
• Unit Head (e.g. Chair)
• Local IT Support
• Security Liaison
• ITMC member
• Office of Human Resources
• IT Security Technicians

Page 17

Preparing the Response Team

• Convene the Response Team
  – Introduce members, promote interaction
• Conduct Tabletop Exercises
  – Exercises can readily be developed using the Educause material listed on the Resources slide

Page 18

Create Advisory Chains

• Who needs to know?
• Define advisory chains before an incident happens
• Utilize your response team as initiators

[Diagram: two example advisory chains – CIO, Provost, President; and Media Relations, Local Newspaper, Local TV]

Page 19

Create a Generic Identity Theft Website

• Create a generic identity theft website as a public service announcement to your institution’s community. Possible content:
  – What is identity theft?
  – How to protect yourself from identity theft
  – Steps to take if your data becomes compromised or stolen
  – Information about how to contact credit reporting agencies; Social Security Administration; ID theft clearinghouse; local law enforcement
  – Other resources

Page 20

In the Event of an Event…

• Alert the team – if possible, give a preliminary assessment
• Initiate communication with advisory chains
• Assemble and assess evidence of disclosure
• Convene team, reach notification decision
• Transmit decision via advisory chains
• If the decision is to notify, begin notification processes appropriate to the scale of the incident

Page 21

Reaching the Decision to Notify

[Diagram: a “Reasonable Belief” scale, ordered by increasing need to notify]
• Confirmation that sensitive data were not acquired
• Reasonable belief that data were not acquired
• No meta-data available for analysis
• Reasonable belief that data were acquired
• Confirmation that sensitive data were acquired

Page 22

Typical Components of a Notification Plan

Features:
• Written notification
• Dedicated telephone assistance
• Dedicated Web site
• (Credit file monitoring)
• Press release(s)

Benefits:
• Maintain University reputation
• Increase ‘customer’ confidence
• Reduce potential damage
• Reduce potential for litigation?

Page 23

Construct a Press Release

A good press release includes:
• Who is affected/not affected?
• What specific types of personal information were exposed?
• What are the (brief) details of the incident?
• “No evidence that the data have been misused” or what misuse the evidence points to
• Expression of regret and concrete steps the institution is taking to prevent a recurrence
• Contact point for more information

Page 24

Notifying the Affected Individuals

• Who needs to be notified? How? When?
  – Legal requirements about who, how and when
  – It may be appropriate to delay notification if law enforcement is involved and approves the delay
  – Sending letters vs. sending e-mail
    • Studies have shown that personal is better than impersonal
  – Going beyond basic requirements
    • Offering to pay for credit report monitoring

Page 25

Contents of the Notification Letter

• Press release, plus:
• The next steps individuals should take
• Next steps by the University (in addition to those in the press release)
• Contact information, including telephone number, dedicated e-mail address and dedicated website
• Signature

Page 26

Contents of the Incident Specific Website

– Most Recent Update section at the top of the page
– <Replicate the notification letter components, suitably modified for a larger, more general audience>
– Reiterate actions taken to ensure improved security in future
– Links to identity theft & credit agency websites
– FAQs
– Toll-free contact number
– URL: www.universityname.edu/datatheft

Page 27

Dedicated Telephone Assistance

• This should be a toll-free number, dedicated to this incident
• Staff answering the assistance line should be individuals familiar with and focused on the situation (i.e., probably not staffed from a generic help desk)
• Number and staffing should remain in place until call volume drops to zero

Page 28

Dealing with the News Media

• Speak with a single voice – identify a spokesperson for the institution
• Be sure the spokesperson is well briefed – ideally, she/he will be part of the response team
• Inform everyone involved of the identity of the spokesperson, and ask that all inquiries be referred to him/her

Page 29

Remediation

• Be sure that the exposure has been identified and removed.
  – Your system administrators/computer security staff should be charged with doing this
  – Law enforcement’s needs for evidence take priority over clean-up

Page 30

Resources

• Blair, Mitrano and Schuster, “Data Incident Notification Policies and Procedures”, presented to the Educause/Internet2 Security Professionals Conference, April 2006
• Educause, “Data Incident Notification Toolkit”, http://www.educause.edu/DataIncidentNotificationToolkit/9320
• Educause, “Data Incident Notification Templates”, http://www.educause.edu/LibraryDetailPage/666?ID=CSD4237
• Keller, “Managing a Data Compromise: Is Your Organization Prepared?”, presented at the OSU Second Annual Security Day, October 2005, http://cio.osu.edu/communications/community/2005/prepared.ppt
• Petersen, “Security Breaches: Notification, Treatment and Prevention”, EDUCAUSE Review (Volume 40, Number 4, July/August 2005)

Page 31

Questions for Another Time…

• How do you discover disclosures?
  – Device theft
  – Weak/stolen/poorly managed passwords
  – Poorly managed accounts
  – Improper/poorly managed access permissions
  – Use of email or IM to move information
  – Weak vulnerability detection/management
  – Inadequate host-based defenses
  – HR risk / disgruntled employee / poor separation of duties
  – Process risks – inadequate security review of technical information systems
  – Process risks – inadequate process controls for publicly accessible information
• How do you know which machines house sensitive data?

Page 32

Author Contact Information

• Cathy Bindewald
  [email protected]
  614.247.6980
• Charles Morrow-Jones
  [email protected]
  614.292.1302