Data Incident Notification Policies and Procedures


  1. Data Incident Notification Policies and Procedures. Tracy Mitrano, Steven Schuster. ICPL 2006
  2. Background/Headlines
  3. Background/Headlines
  4. Background/Headlines
      • For other examples, see:
      • You are not immune.
      • Your campus will have to deal with incidents and, depending on the severity, may be required to notify affected users
  5. The Need to Notify
      • July 2003 - California SB 1386
      • December 18, 2005 - New York A04254A
      • December 22, 2005 – Pennsylvania SB 712
      • In the future (?)
          • S. 1408: Identity Theft Protection Act (109th Congress)
          • H.R. 4172: Data Accountability and Trust Act
          • S. 1332: Personal Data Privacy and Security Act
  6. Data Breaches
      • 104 publicized data breaches in 2005
      • 50 breaches in colleges/universities
      • 50 million people affected (2 million from colleges/universities)
      Sources: ID Analytics, Privacy Rights Clearinghouse
  7. Identity Theft
      • ~10 Million victims last three years
      • Out of pocket cost to victims $500 – $1,500
      • Time spent by victims 30 – several hundred hours
      • In 2002, cost to business $50 - $279 billion, based on average victim loss of $4,800 – $92,000
      • Cost is significantly lower if discovered quickly
      Sources: Javelin Research, Federal Trade Commission, Identity Theft Resource Center
  8. Incident Decision Making, Tools and Analysis
  9. Questions That Need to Be Answered
      • How are university decisions made?
      • Who within your organization determines notification is necessary?
      • How does a security organization scale to meet the number of incidents we see?
      • How do we define “reasonable belief”?
      • How much incident analysis is necessary?
  10. How are university decisions made?
      • Answering this question is probably the most important but may seem impossible
      • Strategy
          • Ensure everyone who has some skin in this decision is included
          • Who should be included?
  11. Cornell’s Decision Making
      • Data Incident Response Team (DIRT)
      • DIRT meets for every incident involving critical data
      • DIRT objectives
          • Thoroughly understand each incident
          • Guide immediate required response
          • Determine requirement to notify
  12. DIRT Members
      • Core Team
          • University Audit
          • Risk Management
          • University Police
          • University Counsel
          • University Communication
          • CIO
          • Director, IT Policy
          • Director, IT Security
      • Incident Specific
          • Data Steward
          • Unit Head
          • Local IT support
          • Security Liaison
          • ITMC member
  13. Scaling Security: What is the mission of this office?
  14. Scaling Security
      • Two broad components
          • Security operations
          • Security architecture development
      • We need to recognize these demands are often at odds
      • We must focus on operational efficiencies
          • Quicker identification
          • Immediate response
          • Selective analysis
          • If the computer does not contain sensitive data I don’t care to do analysis
  15. “Reasonable Belief”
      “… notification is required if there is reasonable belief that data were acquired by an unauthorized individual.”
      What does this mean?
  16. Performing the Analysis
      • Data sources
          • System data
          • Network data
      • What questions need to be answered for each data source?
          • System data
          • Network data
  17. Reasonable Belief
      • Access to Data Confirmed
      • Reasonable Belief Data Were Acquired
      • Need to Notify
      • No Data Available for Analysis
      • Reasonable Belief Data Were Not Acquired
      • Confirmed Data Were Not Acquired
  18. Reasonable Belief
      • Access to Data Confirmed
      • Reasonable Belief Data Were Acquired
      • Need to Notify
      • No Data Available for Analysis
      • Reasonable Belief Data Were Not Acquired
      • Confirmed Data Were Not Acquired
  19. Reasonable Belief
      • Reasonable belief data were acquired
          • System compromise occurred a significant time ago
          • File MAC times after compromise and not tied down to support application
          • Significant remote access and download
          • More sophisticated hacker tools
          • Etc.
      • Reasonable belief data were NOT acquired
          • Compromise identified quickly
          • File MAC times consistently before compromise
          • Limited or no network download
          • More benign hacker tools
          • Benign system use characteristics
          • Etc.
  20. Reasonable Belief
      • Access to Data Confirmed
      • Reasonable Belief Data Were Acquired
      • Need to Notify
      • No Data Available for Analysis
      • Reasonable Belief Data Were Not Acquired
      • Confirmed Data Were Not Acquired
  21. Performing the Analysis
  22. Performing the Analysis
  23. Performing the Analysis
  24. The Bottom Line
      • Build a mechanism to address the tough question
      • Be prepared to make judgment calls
      • Someone’s going to have to get their hands dirty
  25. Legal and Policy Framework
  26. Law Internet Market & Norms IT Policy Architecture
  27. Big “P” and Little “p” Policy
      Big “P” policy involves external issues, such as national security, electronic surveillance laws, privacy, or digital copyright.
      • USA-Patriot Act
      • Digital Copyright
      • Privacy in the Electronic Realm
      • CALEA: Communications Law Enforcement Assistance Act
  28. Little “p” Policy
      • Little “p” policy is institutional policy.
          • Preservation and protection of institutional interests and assets
          • If your policy does not stand up to this test, best to rethink
      • Cornell Model: Centralized University Policy Office
          • Famous “policy on policies!”
          • Balance of statement and procedure
          • At the institutional level of procedure, but not backline
  29. Cornell Model…
      • Is not the model for every institution!
      • Policy is part and parcel of the culture, traditions and structure of each institution.
      • Observed irony
          • The more decentralized the institution, the more in need of centralized policy process to routinize compliance and practices around the college or university.
          • The less decentralized, the more likely that policy occurs naturally within existing structure.
      • Size does not always determine: Georgetown as counter-example to Cornell University.
  30. Two Generalizations about Policy and Process: (1)
      • Critical to have a policy process…
          • Legal compliance primarily
          • Deference to the complex nature of higher education secondarily
          • Especially as higher education becomes more international in scope and information technologies are increasingly intermingled with the law, the market and changing norms within the society
      • …no matter what the particular culture or structure of your institution.
  31. Two Generalizations about Process: (2)
      • It almost always does, or should, boil down to three essential steps:
          • Responsible office brings forward concept to a high level committee
              • Audit, Counsel, VPs, Dean of Faculty or even President and Provost
          • Mid-level review for implementation
              • The greater the representation of the campus community the better
          • Back to the high level for signoff and promulgation.
  32.
  33. Information Security of Institutional Data
      • Policy Statement: Every user of institutional data must manage responsibly
      • Appendix A: Roles and Responsibilities
      • Appendix B: Minimum Data Security Standards
  34. Data Classification: Cost/Benefit Analysis
      • Costs (financial and administrative):
          • Administrative burden
          • Financial cost of new technologies
          • New business practices
      • Benefits (mitigating risk):
          • Legal check list
          • Policy decisions (prioritizing institutional data)
          • Ethical considerations?
  35. Legal Check List

      | Type of Data            | Privacy Statement | Annual Notice | Notification Upon Breach | Legislative Private Right of Action* | Government Enforcement | Statutory Damages |
      |-------------------------|-------------------|---------------|--------------------------|--------------------------------------|------------------------|-------------------|
      | Personally Identifiable | o                 | o             | x                        | O                                    | x                      | x                 |
      | Education Record        | x                 | X             | o                        | o                                    | x                      | o                 |
      | Medical Record          | x                 | o             | o                        | x                                    | x                      | x                 |
      | Banking Record          | x                 | x             | o                        | o                                    | x                      | x                 |

  36. When Notifications are Required
  37. Content of the Notice
      • Name of the individual whose information was the subject of the breach of security
      • The name of the “covered entity” that was the subject of the breach of security
      • A description of the categories of sensitive personal information of the individual that were the subject of the breach of security
      • The specific dates between the breach of security of the sensitive personal information of the individual and discovery
      • The toll-free numbers necessary to contact:
          • Each entity that was the subject of the breach of security
          • Each nationwide credit reporting agency
          • The Federal Trade Commission
  38. Timing of the Notice
      • Most expedient manner practicable, but not later than 45 days after the date on which the breach of security was discovered by the covered entity
      • In a manner that is consistent with any measures necessary to determine the scope of the breach and restore the security and integrity of the data system
      • There is a provision for law enforcement and homeland security related delays
  39. Data Incident Notification Toolkit*
      • Provide a tool that pulls from our collective experience.
      • A real-time aid for creating the various communications that form data breach notification.
      • An essential part of an incident response plan.
      • tificationToolkit/9320
      * Hosted by EDUCAUSE
  40. Notification Templates
      • Outlines and content for
          • Press Releases
          • Notification Letters
          • Incident Specific Website
          • Incident Response FAQs
          • Generic Identity Theft Web Site
      • Sample language from actual incidents
      • Food for thought – one size does not fit all