Incident Mgmt Nov 08
Presentation made at an IAPP Toronto event in November 2008 concerning privacy incident and breach management.

Published in: Technology, Business
    1. Incident Management. Michael Power, eHealth Ontario. IAPP KnowledgeNet, Toronto, Ontario, November 2008.
    2. Notes
       • eHealth Ontario was formed by regulation in September 2008.
       • The transition of SSHA into eHealth Ontario has commenced.
       • Comments today reflect the experiences of SSHA only.
    3. What’s involved…
       • Identify, contain, triage and remedy incidents.
       • Short term: contain damage; restore normal operations.
       • Long term: avoid problems in future.
    4. Privacy Incident: one or more events that may involve the unauthorized use, collection, disclosure, or disposal of personal or personal health information. Distinct from a “breach”.
    5. Security Incident: one or more events that have a significant probability of compromising business operations or threatening an organization’s information security.
    6. Privacy Breach: one or more events confirmed to involve, or having a high probability of involving, the unauthorized use, collection, disclosure, or disposal of personal or personal health information.
    7. Not every event is an incident.
       Incident Type         Severity to Trigger ESPIM
       Malware               High
       Network Attack        Medium
       Privacy               Medium
       Un-authorized Use     All
       Missing Equipment     Client: All; Internal: High
    8. Incident Management Framework
       • Strategy: describes the overall approach as well as operational and technical issues.
       • Concept of Operations: describes the operational model.
       • Operating Directive: describes IM-related practices.
       • Communications Plan: describes IM-related communications: the “what”, “who” and “how”.
       • Procedures: describe specific incident handling activities and the steps within each activity.
    9. Developing Tactical Incident Management Capabilities
       • Train Legal / CRM / HR / Communications / Ops SMEs.
       • Create / update checklists.
       • Create a quick reference guide for IM IRTs.
       • Conduct a Table Top Exercise (TTE) to assess how incident scenarios are handled.
       • Rehearse the communications plan.
       • Identify metrics and create a dashboard to monitor the program.
       • Conduct awareness sessions for people managers.
       • Conduct a TTE annually.
    10. Incident Management Initiation Process
       • Incident reported.
       • Incident triaged for seriousness and ESPIM criteria by the Contact Centre.
       • Incident “ticket” transferred to the ESPIM Program Manager.
       • Program Manager assesses incident category and type.
       • Program Manager designates the IRT Lead and team members (e.g. ops / legal / communications / client liaisons) and conducts a briefing.
       • Program Manager transfers the ticket to the IRT Lead.
    11. Incident Management: Activities
       1. Detection and classification
       2. Triage and re-classification
       3. Analyze cause
       4. Develop workaround
       5. Service recovery
       6. Root cause analysis
       7. Develop solution
       8. Implement and roll-out
       Swimlanes by division / department (columns: Responsible, Consult, Inform, Accountable):
       • Help Desk: receives a call.
       • Security Operations: re-classify the incident and escalate.
       • Privacy & Security: investigate and diagnose; identify a workaround, test and document details, risks and impact; implement the workaround; determine root cause and escalate.
       • Operations: create RFC; test and implement.
       • Common activities: communications.
    12. Planning for Incident Management
    13. Developing an Incident Management Model
    14. eHealth Ontario ESPIM Team Structure
    15. Metrics
       • Quantitative metrics:
         • Mean time to initiate response to incidents, by category.
         • Mean time to complete response to incidents, by category.
         • Number of incidents that require external reporting or notification.
         • Trend reporting on incident resolution time, by incident type and severity level.
         • Trend reporting on time to close post-incident analysis action items, by activity custody holder.
         • Statistical reporting of the number of incidents handled, by incident type and severity level.
         • Statistical reporting on the percentage of incidents requiring external notification.
         • Statistical reporting of the number of alerts and advisories issued, by type.
       • Qualitative metrics:
         • Summary of incidents handled.
         • Client level of satisfaction with incident handling.
         • Reporting on business impacts of incidents, including losses (and costs where possible).
    16. Breach Communication Messages
       • The simplified facts.
       • What happened:
         • The speed of discovery and reaction.
         • How we discovered it and what we did.
       • Triage and containment measures:
         • What we’re doing now.
       • Preventative measures:
         • What we’re going to do to make sure this doesn’t happen again.
       • Contact / communication details:
         • How you can get more information.
    17. Problem… People
       • No “ands, ifs or buts”:
         • Some people get really upset.
         • Some people you can’t “manage”.
         • Some people won’t understand.
         • Simply give them an outlet:
         • Send them to the organization’s Privacy Officer or the Privacy Commissioner.
    18. Service Providers
       • Outsourcing
         • May cause delay in response.
         • Requires provider and client to be on the same page.
         • Need to anticipate responding to incidents.
         • Need to coordinate media responses.
         • Ensure the outsourcing agreement addresses the subject of incidents.
       • Mandatory reporting of incidents.
       • Right of audit.
       • Prompt / periodic identification of subcontractors.
    19. Lessons Learned
       • Conduct a requirements / needs analysis.
       • Conduct a Table Top Exercise.
       • Test the communication plan.
       • Develop test / use cases / scenarios specifically for the IM program.
       • Develop tools / templates wherever possible.
       • Develop a checklist / quick reference guide.
       • Ensure a single point of contact.
       • Communicate… Communicate… Communicate.
    20. Questions?
       • Michael Power
       • Vice President, Privacy and Security
       • eHealth Ontario
       • [email_address]
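Slides 7 and 15 together describe a decision (which events cross the severity threshold and become ESPIM incidents) and a set of measurements (mean time to initiate and complete response by category, counts of incidents needing external notification). The script below is an added example, not code from the presentation or from eHealth Ontario / SSHA: it transcribes the slide-7 trigger table into a lookup, applies it to constructed sample tickets, and computes the slide-15 quantitative metrics from those tickets. The Low / Medium / High severity scale, the `Incident` fields and the sample ticket data are assumptions chosen to make the example run.

```python
"""Classify events against the ESPIM trigger table (slide 7) and compute
the slide-15 quantitative metrics. Added example with constructed data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Severity required to trigger ESPIM, transcribed from the slide-7 table.
# "All" means any severity triggers it; Missing Equipment depends on whether
# the equipment was a client's or internal. The Low/Medium/High ordering is assumed.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}
ESPIM_TRIGGER = {
    "Malware": "High",
    "Network Attack": "Medium",
    "Privacy": "Medium",
    "Un-authorized Use": "All",
    "Missing Equipment": {"Client": "All", "Internal": "High"},
}


@dataclass
class Incident:
    ticket: str
    incident_type: str
    severity: str                 # "Low", "Medium" or "High" (assumed scale)
    reported: datetime
    response_started: datetime    # when the IRT began working the ticket
    closed: datetime
    external_notification: bool   # reported to a regulator or affected clients
    owner: str = "Internal"       # "Client" or "Internal"; used for Missing Equipment only


def triggers_espim(inc: Incident) -> bool:
    """Apply the slide-7 threshold: does this event become an ESPIM incident?"""
    threshold = ESPIM_TRIGGER[inc.incident_type]
    if isinstance(threshold, dict):
        threshold = threshold[inc.owner]
    if threshold == "All":
        return True
    return SEVERITY_RANK[inc.severity] >= SEVERITY_RANK[threshold]


def espim_incidents(incidents):
    """Events that cross the threshold, in the order reported."""
    return [i for i in incidents if triggers_espim(i)]


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def quantitative_metrics(incidents):
    """Slide-15 quantitative metrics: mean hours to initiate and complete
    response by category, incidents handled by type, ESPIM triggers, and
    the count and percentage of incidents that needed external notification."""
    initiate = defaultdict(list)
    complete = defaultdict(list)
    for inc in incidents:
        initiate[inc.incident_type].append(_hours(inc.response_started - inc.reported))
        complete[inc.incident_type].append(_hours(inc.closed - inc.reported))
    external = sum(1 for inc in incidents if inc.external_notification)
    return {
        "mean_hours_to_initiate": {t: mean(v) for t, v in initiate.items()},
        "mean_hours_to_complete": {t: mean(v) for t, v in complete.items()},
        "incidents_handled": {t: len(v) for t, v in initiate.items()},
        "espim_triggered": len(espim_incidents(incidents)),
        "external_notifications": external,
        "pct_external_notifications": round(100 * external / len(incidents), 1),
    }


# Constructed sample tickets (not real SSHA / eHealth Ontario data).
SAMPLE = [
    Incident("T-001", "Malware", "High", datetime(2008, 11, 3, 9, 0),
             datetime(2008, 11, 3, 9, 30), datetime(2008, 11, 3, 17, 30), False),
    Incident("T-002", "Malware", "Low", datetime(2008, 11, 4, 10, 0),
             datetime(2008, 11, 4, 11, 0), datetime(2008, 11, 4, 13, 0), False),
    Incident("T-003", "Privacy", "Medium", datetime(2008, 11, 5, 8, 0),
             datetime(2008, 11, 5, 8, 30), datetime(2008, 11, 6, 8, 0), True),
    Incident("T-004", "Missing Equipment", "Low", datetime(2008, 11, 6, 14, 0),
             datetime(2008, 11, 6, 15, 0), datetime(2008, 11, 7, 14, 0), True, owner="Client"),
    Incident("T-005", "Missing Equipment", "Low", datetime(2008, 11, 7, 9, 0),
             datetime(2008, 11, 7, 10, 0), datetime(2008, 11, 7, 11, 0), False, owner="Internal"),
    Incident("T-006", "Network Attack", "Medium", datetime(2008, 11, 7, 22, 0),
             datetime(2008, 11, 7, 22, 15), datetime(2008, 11, 8, 1, 15), False),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        status = "ESPIM incident" if triggers_espim(inc) else "event only"
        print(f"{inc.ticket} {inc.incident_type:<18} {inc.severity:<7} {status}")
    for name, value in quantitative_metrics(SAMPLE).items():
        print(f"{name}: {value}")
```

Note that a low-severity Malware ticket (T-002) and internally owned missing equipment at low severity (T-005) stay "events" under the table, while a client's missing equipment (T-004) becomes an incident at any severity; the "by category" means are computed over every ticket of that type so that trend reporting covers the events that did not escalate as well.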