Preparing for a Data Compromise - The Ohio State University

					                                  Office of the Chief Information Officer




Preparing for a Data Compromise:
what to do when a security breach exposes sensitive data

Charles R. Morrow-Jones
Director, Cyber-Security

Cathy Bindewald
Director, Communications, Marketing and Planning

Office of the Chief Information Officer
The Ohio State University


         Acknowledgements
• This presentation has benefited greatly from
  conversations with:
  – Mary Ann Blair, Director of Information Security,
    Computing Services, Carnegie Mellon University
  – Tim Keller, Director, Fraud and Identity
    Management Solutions, TransUnion LLC
  – Steve Schuster, Director of IT Security, Cornell
    University
• Educause has supplied valuable material on
  this topic


Agenda
• Introduction
• What is sensitive data?
• Why do we need a disclosure response plan?
  – Legal requirements – FERPA, HIPAA, Ohio HB 104, …
  – Ethical considerations
• Developing an enterprise disclosure response plan
  – creation of an intra-institutional response team
  – ensuring that the response team is appropriately prepared
  – creation of advisory chains within the institution
  – processes for the notification of affected individuals
  – dealing with the news media
  – appropriate remediation


     What is Sensitive Data?
Data that are legally or customarily protected
  from disclosure. Examples of legal
  protections include:
• FERPA - Requires the safeguarding and
  protection of privacy for educational records
• HIPAA – Protects the privacy of medical
  records
• Ohio House Bill 104 – requires notification if
  “Personal Information” is exposed




Examples of Sensitive Data
• Name
• Address
• SSN
• Telephone Number
• Driver’s License Number
• Account Number
• PIN
• Email Address
• Password
• Other personal information


       Ohio House Bill 104
       Personal Information
• Personal Information - a person’s name
  linked with any one of the following
  (when data elements are not encrypted,
  redacted or altered): SSN, driver’s
  license number, debit card or account
  number linked with a security code or
  password

              House Bill 104
              Requirements
• Effective February 17, 2006
• Requires state agencies, persons and
  businesses to contact individuals if
  unencrypted personal information maintained
  on computers is obtained by unauthorized
  persons (breach of security) and access
  causes or is believed to cause risk of identity
  theft or other fraud
• Notice of breach must occur within 45 days of
  the discovery


          House Bill 104
 Definition of a Security Breach
• Breach of Security - unauthorized
  access to and acquisition of
  computerized data that compromises
  the security or confidentiality of personal
  information owned or licensed by a
  state agency or an agency of a political
  subdivision and that causes or is
  believed to cause risk of identity theft or
  other fraud


House Bill 104
Exclusions
• Exclusions – personal information does not include publicly
  available information that is lawfully made available to the
  general public from federal, state or local government records,
  or any published news, editorial or advertising statement

             House Bill 104
       Notification Requirements
• Notice/disclosure of breach may be given in
  the following ways
  –   Written
  –   Electronic
  –   Telephone
  –   Substitute notice - email, posting on agency
      website, media outlets - may be given if the
      agency does not have sufficient information on the
      residents or the cost of providing notice exceeds
      $250,000 or the number of those to be notified
      exceeds 500,000


        House Bill 104
Inform National Credit Bureaus
• Credit Reporting - If more than 1,000
  residents are involved in a single
  occurrence of a breach of security, the
  state agency or agency of a political
  subdivision shall notify all consumer
  reporting agencies that compile and
  maintain files on consumers on a
  nationwide basis of the timing,
  distribution, and content of the
  disclosure

             House Bill 104
            Failure to Comply
• Requires court to determine if there was bad
  faith in the failure to comply and if the failure
  to comply was intentional or reckless
• Civil penalties
   – $1,000 per day for the first 60 days
   – Up to $5,000 per day for days 61-90
   – Up to $10,000 per day beginning the 91st day




The Disclosure Response Plan

   Creating an Intra-institutional
   Compromise Response Team
• Purpose:
  – For each situation involving a possible data
    compromise, determine whether notification is
    required
• To be successful:
  – Team structure must match the decision making
    culture of the organization
  – Authorization to make the notification decision
    must be delegated to the team
  – All incidents must be referred to the team

Response Team Membership
(Cornell DIRT Example)
Core Team:
• CIO
• Director, IT Policy
• Director, IT Security
• University Audit
• University Counsel
• University Police
• University Communication
• Risk Management
Incident Specific Additions:
• Data Steward
• Unit Head
• Local IT Support
• Security Liaison
• ITMC member

Response Team Membership
(Possible Additional Membership)
Core Team:
• CIO
• Director, IT Policy
• Director, IT Security
• University Audit
• University Counsel
• University Police
• University Communication
• Risk Management
• Leader, Help Desk
Incident Specific Additions:
• Data Steward
• Division Head (e.g. Dean)
• Unit Head (e.g. Chair)
• Local IT Support
• Security Liaison
• ITMC member
• Office of Human Resources
• IT Security Technicians


 Preparing the Response Team

• Convene the Response Team
  – Introduce members, promote interaction
• Conduct Table Top Exercises
  – Exercises can readily be developed using
    the Educause material listed on the
    Resources slide


Create Advisory Chains
• Who needs to know?
• Define advisory chains before an incident happens
• Utilize your response team as initiators
• Example chains (from the slide diagram):
  – CIO -> Provost -> President
  – Media Relations -> Local Newspaper, Local TV

     Create a Generic Identity
          Theft Website
• Create a generic identity theft website as a
  public service announcement to your
  institution’s community. Possible content:
  – What is identity theft?
  – How to protect yourself from identity theft
  – Steps to take if your data becomes compromised
    or stolen
  – Information about how to contact credit reporting
    agencies; Social Security administration; ID theft
    clearinghouse; local law enforcement
  – Other resources


   In the Event of an Event…
• Alert the team – if possible, give a preliminary
  assessment
• Initiate communication with advisory chains.
• Assemble and assess evidence of disclosure
• Convene team, reach notification decision
• Transmit decision via advisory chains
• If decision is to notify, begin notification
  processes appropriate to scale of incident.

Reaching the Decision to Notify
“Reasonable Belief”
Outcomes of the evidence assessment, ordered from greatest to
least need to notify:
• Confirmation that sensitive data were acquired
• Reasonable belief that data were acquired
• No meta-data available for analysis
• Reasonable belief that data were not acquired
• Confirmation that sensitive data were not acquired
Typical Components of a Notification Plan
Features:
• Written notification
• Dedicated telephone assistance
• Dedicated Web site
• Press release(s)
• (Credit file monitoring)
Benefits:
• Maintain University reputation
• Increase ‘customer’ confidence
• Reduce potential damage
• Reduce potential for litigation?


Construct a Press Release
A good press release includes:
• Who is affected/not affected?
• What specific types of personal information were exposed?
• What are the (brief) details of the incident?
• “No evidence that the data have been misused” or what misuse the
  evidence points to
• Expression of regret and concrete steps the institution is taking
  to prevent a recurrence
• Contact point for more information




  Notifying the Affected Individuals
• Who needs to be notified? How? When?
  – Legal requirements about who, how and when
  – It may be appropriate to delay notification if law
    enforcement is involved and approves delay
  – Sending letters vs. sending e-mail
     • Studies have shown that personal is better than
       impersonal
  – Going beyond basic requirements
     • Offering to pay for credit report monitoring




 Contents of the Notification Letter
• Press Release plus:
• The next steps individuals should take
• Next steps by the University (in addition
  to those in the press release)
• Contact information, including telephone
  number, dedicated e-mail address and
  dedicated website
• Signature


Contents of the Incident Specific Website
– Most Recent Update section at the top of the page
– <Replicate the notification letter components, suitably modified
  for a larger, more general audience>
– Reiterate actions taken to ensure improved security in future
– Links to identity theft & credit agency websites
– FAQs
– Toll-free contact number
– URL: www.universityname.edu/datatheft




Dedicated Telephone Assistance
• This should be a toll-free number,
  dedicated to this incident
• Staff answering the assistance line
  should be individuals familiar with and
  focused on the situation (i.e., probably
  not staffed from a generic help desk)
• Number and staffing should remain in
  place until call volume drops to zero


Dealing with the News Media
• Speak with a single voice – identify a spokesperson for the
  institution
• Be sure the spokesperson is well briefed – ideally, she/he will be
  part of the response team
• Inform everyone involved of the identity of the spokesperson, and
  ask that all inquiries be referred to him/her.


Remediation
• Be sure that the exposure has been identified and removed.
  – Your system administrators/computer security staff should be
    charged with doing this
  – Law enforcement’s needs for evidence take priority over clean-up


Resources
• Blair, Mitrano and Schuster, “Data Incident Notification Policies
  and Procedures”, presented to the Educause/Internet2 Security
  Professionals Conference, April 2006
• Educause, “Data Incident Notification Toolkit”,
  http://www.educause.edu/DataIncidentNotificationToolkit/9320
• Educause, “Data Incident Notification Templates”,
  http://www.educause.edu/LibraryDetailPage/666?ID=CSD4237
• Keller, “Managing a Data Compromise: Is Your Organization
  Prepared?”, presented at the OSU Second Annual Security Day,
  October 2005,
  http://cio.osu.edu/communications/community/2005/prepared.ppt
• Petersen, “Security Breaches: Notification, Treatment and
  Prevention”, EDUCAUSE Review (Volume 40, Number 4,
  July/August 2005)




  Questions for Another Time…
• How do you discover disclosures?
   –   Device theft
   –   Weak/stolen/poorly managed passwords
   –   Poorly managed accounts
   –   Improper/poorly managed access permissions
   –   Use of email or IM to move information
   –   Weak vulnerability detection/management
   –   Inadequate host based defenses
   –   HR risk / disgruntled employee / poor separation of duties
   –   Process risks – inadequate security review of technical information systems
   –   Process risks – inadequate process controls for publicly accessible
       information
• How do you know which machines house sensitive data?


  Author Contact Information
• Cathy Bindewald
  Bindewald.2@osu.edu
  614.247.6980


• Charles Morrow-Jones
  Morrow-jones.2@osu.edu
  614.292.1302

				