
Incident Mgmt Nov 08


Presentation made at IAPP Toronto event concerning privacy incident and breach management in November 2008

Published in: Technology, Business
  • Transcript

    • 1. Incident Management
      • Michael Power, eHealth Ontario
      • IAPP KnowledgeNet, Toronto, Ontario, November 2008
    • 2. Notes
      • eHealth Ontario formed by regulation in September 2008.
      • The transition of SSHA into eHealth Ontario has commenced.
      • Comments today reflect experiences of SSHA only.
    • 3. What’s involved…
      • Identify, contain, triage & remedy incidents.
      • Short term: Contain damage; Restore normal operations.
      • Long term: Avoid problems in future.
    • 4. Privacy Incident: One or more events that may involve the unauthorized use, collection, disclosure, or disposal of personal or personal health information. Distinct from “breach”.
    • 5. Security Incident: One or more events that have a significant probability of compromising business operations or threatening an organization’s information security.
    • 6. Privacy Breach: One or more events confirmed to involve, or having a high probability of involving, the unauthorized use, collection, disclosure, or disposal of personal or personal health information.
    • 7. Not every event is an incident. Severity required to trigger ESPIM, by incident type:
      • Malware – High
      • Network Attack – Medium
      • Privacy – Medium
      • Un-authorized Use – All
      • Missing Equipment – Client: All; Internal: High
    • 8. Incident Management Framework
      • Strategy : Describes overall approach as well as operational and technical issues.
      • Concept of Operations : Describes the operational model.
      • Operating Directive : Describes IM-related practices.
      • Communications Plan : Describes IM-related communications: the “what”, “who” and “how”.
      • Procedures : Describes specific incident handling activities and the steps within each activity.
    • 9. Developing Tactical Incident Management Capabilities
      • Train Legal / CRM / HR / Communications/Ops SMEs.
      • Create / Update checklists.
      • Create a quick reference guide for IM IRTs.
      • Conduct Table Top Exercise (TTE) to assess how incident scenarios are handled.
      • Rehearse communications plan.
      • Identify metrics & create dashboard to monitor the program.
      • Conduct awareness sessions for people managers.
      • Conduct TTE annually.
    • 10. Incident Management Initiation Process
      • Incident reported.
      • Incident triaged for seriousness and ESPIM criteria by Contact Centre.
      • Incident “ticket” transferred to ESPIM Program Manager.
      • Program Manager assesses incident category and type.
      • Program Manager designates IRT Lead/team members (e.g. ops/legal/communications/client liaisons) and conducts briefing.
      • Program Manager transfers ticket to IRT Lead.
    • 11. Incident Management: Activities
      • Process steps:
        • 1. Detection and classification
        • 2. Triage and Re-classification
        • 3. Analyze Cause
        • 4. Develop Workaround
        • 5. Service Recovery
        • 6. Root Cause Analysis
        • 7. Develop Solution
        • 8. Implement & Roll-out
      • Responsibility matrix by division/department (legend: Responsible, Accountable, Consult, Inform):
        • Help Desk: Receives a call
        • Operations: Create RFC; Test & implement
        • Privacy & Security: Investigate & diagnose; Identify workaround, test and document details, risks and impact; Implement workaround; Determine root cause and escalate
        • Security Operations: Re-classify the incident and escalate
      • Common Activities – Communications
    • 12. Planning for Incident Management
    • 13. Developing an Incident Management Model
    • 14. EHealth Ontario ESPIM Team Structure
    • 15. Metrics
      • Quantitative Metrics:
        • Mean time to initiate response to incidents by category
        • Mean time to complete response to incidents by category
        • Number of incidents that require external reporting or notification
        • Trend reporting on incident resolution time, by incident type and severity levels
        • Trend reporting on time to close post-incident analysis action items, by activity custody holder
        • Statistical reporting of number of incidents handled, by incident type and severity levels
        • Statistical reporting on % of incidents requiring external notifications
        • Statistical reporting of number of alerts and advisories issued, by type
      • Qualitative Metrics:
        • Summary of incidents handled
        • Client level of satisfaction with incident handling
        • Reporting on business impacts of incidents, including losses (and costs where possible)
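The quantitative metrics above are easy to state but only useful if the program captures the timestamps they depend on. The following Python is an added example, not part of the slides or of any eHealth Ontario tooling: it computes the mean-time-to-initiate, mean-time-to-complete, external-notification rate and per-type/severity counts from a handful of constructed incident tickets. The `Incident` fields, the ticket identifiers and the timestamps are all assumptions chosen to illustrate the calculation.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass
class Incident:
    """One ESPIM ticket. Field names are assumed for this example."""
    ticket: str
    category: str               # "privacy" or "security" (slides 4 and 5)
    incident_type: str          # e.g. "Malware", "Missing Equipment" (slide 7)
    severity: str               # "High", "Medium", "Low"
    reported: datetime          # Contact Centre logs the ticket
    response_started: datetime  # IRT Lead takes ownership of the ticket
    closed: datetime            # incident resolved and ticket closed
    external_notification: bool # reported to regulator / affected individuals


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def mean_time_to_initiate(incidents):
    """Mean hours from report to first IRT response, keyed by category."""
    by_cat = defaultdict(list)
    for inc in incidents:
        by_cat[inc.category].append(_hours(inc.reported, inc.response_started))
    return {cat: round(mean(vals), 2) for cat, vals in by_cat.items()}


def mean_time_to_complete(incidents):
    """Mean hours from report to closure, keyed by category."""
    by_cat = defaultdict(list)
    for inc in incidents:
        by_cat[inc.category].append(_hours(inc.reported, inc.closed))
    return {cat: round(mean(vals), 2) for cat, vals in by_cat.items()}


def external_notification_rate(incidents) -> float:
    """Percentage of incidents that required external reporting or notification."""
    if not incidents:
        return 0.0
    notified = sum(1 for inc in incidents if inc.external_notification)
    return round(100.0 * notified / len(incidents), 1)


def count_by_type_and_severity(incidents) -> Counter:
    """Number of incidents handled, keyed by (incident type, severity)."""
    return Counter((inc.incident_type, inc.severity) for inc in incidents)


def resolution_time_by_type_and_severity(incidents):
    """Mean resolution hours per (incident type, severity), the input to trend reporting."""
    buckets = defaultdict(list)
    for inc in incidents:
        buckets[(inc.incident_type, inc.severity)].append(_hours(inc.reported, inc.closed))
    return {key: round(mean(vals), 2) for key, vals in buckets.items()}


# Constructed sample tickets (not real incidents).
SAMPLE = [
    Incident("P-001", "privacy", "Missing Equipment", "High",
             datetime(2008, 11, 3, 9, 0), datetime(2008, 11, 3, 10, 0),
             datetime(2008, 11, 5, 9, 0), external_notification=True),
    Incident("P-002", "privacy", "Un-authorized Use", "Medium",
             datetime(2008, 11, 4, 14, 0), datetime(2008, 11, 4, 17, 0),
             datetime(2008, 11, 6, 14, 0), external_notification=False),
    Incident("S-001", "security", "Malware", "High",
             datetime(2008, 11, 7, 8, 0), datetime(2008, 11, 7, 8, 30),
             datetime(2008, 11, 7, 20, 0), external_notification=False),
    Incident("S-002", "security", "Network Attack", "Medium",
             datetime(2008, 11, 10, 22, 0), datetime(2008, 11, 11, 0, 0),
             datetime(2008, 11, 11, 10, 0), external_notification=False),
]


if __name__ == "__main__":
    print("Mean time to initiate (h):", mean_time_to_initiate(SAMPLE))
    print("Mean time to complete (h):", mean_time_to_complete(SAMPLE))
    print("External notification rate (%):", external_notification_rate(SAMPLE))
    print("Incidents by type/severity:", dict(count_by_type_and_severity(SAMPLE)))
    print("Resolution time by type/severity (h):", resolution_time_by_type_and_severity(SAMPLE))
```

The point of the three timestamps is that "mean time to initiate" and "mean time to complete" measure different parts of the initiation process on slide 10: the first stops when the IRT Lead receives the ticket, the second when the incident is closed. A program that records only the report time cannot produce either metric after the fact.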
    • 16. Breach Communication Messages
      • The simplified facts.
      • What happened:
        • The Speed of discovery and reaction.
        • How we discovered it and what we did.
      • Triage and Containment Measures:
        • What we’re doing now.
      • Preventative Measures:
        • What we’re going to do to make sure this doesn’t happen again.
      • Contact/Communication details:
        • How you can get more information.
    • 17. Problem…People
      • No “ands, ifs or buts”
        • Some people get really upset.
        • Some people you can’t “manage”.
        • Some people won’t understand.
        • Simply give them an outlet:
          • Send them to Org. Privacy Officer or Privacy Commissioner.
    • 18. Service Providers
      • Outsourcing
        • May cause delay in response
        • Requires provider and client to be on same page
        • Need to anticipate responding to incidents
        • Need to coordinate media responses
        • Ensure outsourcing agreement addresses subject of incidents
      • Mandatory reporting of incidents
      • Right of audit
      • Prompt/periodic identification of subcontractors
    • 19. Lessons Learned
      • Conduct Requirements/Needs Analysis
      • Conduct Table Top Exercise
      • Test Communication Plan
      • Develop Test/Use Cases/Scenarios specifically for IM program
      • Develop Tools/Templates wherever possible
      • Develop Checklist/Quick Reference Guide
      • Ensure Single Point of Contact
      • Communicate….Communicate...Communicate
    • 20. Questions?
      • Michael Power
      • Vice President, Privacy and Security
      • eHealth Ontario
      • [email_address]