
Data Incident Notification Policies and Procedures


Presentation Transcript


  1. Data Incident Notification Policies and Procedures
     Tracy Mitrano and Steve Schuster

  2. Questions That Need to Be Answered
     • Does your institution have policies that protect data?
     • Does your institution have processes to develop enforceable policy?
     • Does your institution have a central IT security office, and how should it function?
     • How do you know when you’ve had a security incident?
     • How do you know when you need to notify?

  3. Two Generalizations about Policy and Process: (1)
     • Critical to have a policy process…
       • Legal compliance primarily
       • Deference to the complex nature of higher education secondarily
         • Especially as higher education becomes more international in scope and information technology is increasingly intermingled with the law, the market and changing norms within society
     • …no matter what the particular culture or structure of your institution.

  4. Two Generalizations about Process: (2)
     • It almost always does, or should, boil down to three essential steps:
       • Responsible office brings forward the concept to a high-level committee
         • Audit, Counsel, VPs, Dean of Faculty or even President and Provost
       • Mid-level review for implementation
         • The greater the representation of the campus community, the better
       • Back to the high level for signoff and promulgation.

  5. http://www.cit.cornell.edu/oit/policy/framework-chart.html

  6. Information Security of Institutional Data
     • Policy Statement
       • Every user of institutional data must manage it responsibly
     • Appendix A
       • Roles and Responsibilities
     • Appendix B
       • Minimum Data Security Standards

  7. Data Classification
     • Cost/Benefit Analysis
       • Costs (financial and administrative):
         • Administrative burden
         • Financial cost of new technologies
         • New business practices
       • Benefits (mitigating risk):
         • Legal check list
         • Policy decisions (prioritizing institutional data)
         • Ethical considerations?

  8. Legal Check List

  9. Does Your Institution Have a Central IT Security Office, and How Should It Function?
     • How many have a dedicated security office?
     • Several benefits
       • Identified individual to consistently address and respond to security concerns
       • Not responsible for delivering services that may conflict with security
       • Tasked with developing the incident response and remediation process
     • Some common functions
       • Incident response
       • Security infrastructure development
       • Awareness
       • Governance

  10. How Do You Know When You’ve Had an Incident?
     • An indication of potential compromise can come from anywhere
     • External indications
       • SPAM complaint
       • Scanning complaint

  11. How Do You Know When You’ve Had an Incident?
     • Internal indications
       • Network monitoring
       • IDS/IPS alerts
       • Internal scanning
       • Local identification

  12. How do you know when you’ve had an incident? You are owned!

  13. How Do You Know When You’ve Had an Incident?
     • Everyone has incidents, but what matters is the type of data stored on the computer
     • The following data mean significantly more work:
       • Social security numbers
       • Credit card numbers
       • Driver’s license numbers
       • Other protected data

  14. How Do You Know When You Need to Notify?
     • Establishing reasonable belief of unauthorized data access is not an exact science
     • Institution-wide decision making is imperative
     • Thorough computer and network analysis is required

  15. Institution-Wide Decision Making
     • Data Incident Response Team (DIRT)
       • DIRT meets for every incident involving critical data
     • DIRT objectives
       • Thoroughly understand each incident
       • Guide immediate required response
       • Determine requirement to notify

  16. DIRT Members
     • Core Team
       • University Audit
       • Risk Management
       • University Police
       • University Counsel
       • University Communication
       • CIO
       • Director, IT Policy
       • Director, IT Security
     • Incident Specific
       • Data Steward
       • Unit Head
       • Local IT support
       • Security Liaison
       • ITMC member

  17. Computer and Network Analysis
     • Data sources
       • System data
         • What data are on the computer
         • How are these data stored
         • When were they last accessed or modified
         • What was the method of compromise
       • Network data
         • Who has been accessing this system
         • What were the services used
         • What was the method of compromise
         • What was the amount of uploads and downloads

  18. Computer and Network Analysis

  19. Computer and Network Analysis

  20. Computer and Network Analysis

  21-22. How Do You Know When You Need to Notify?
     • Need to notify:
       • Access to data confirmed to have occurred
       • Reasonable belief data were acquired
       • No data available for analysis
     • No need to notify:
       • Reasonable belief data were not acquired
       • Confirmed data were not acquired

  23. Likelihood of Unauthorized Access
     • Reasonable belief data were acquired
       • System compromise occurred a significant time ago
       • File MAC times after compromise and not tied down to a supporting application
       • Significant remote access and download
       • More sophisticated hacker tools
       • Etc.
     • Reasonable belief data were NOT acquired
       • Compromise identified quickly
       • File MAC times consistently before compromise
       • Limited or no network download
       • More benign hacker tools
       • Benign system use characteristics
       • Etc.
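The notification decision of slides 21-23, fed by the system and network data listed on slide 17, as an added Python example; it is not part of the presentation or of any Cornell or EDUCAUSE tool. The field names, the 7-day and 50 MB thresholds, and the rule that any single slide-23 indicator establishes reasonable belief of acquisition are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

NOTIFY, NO_NOTIFY = "need to notify", "no notification required"

@dataclass
class Evidence:
    """What the system and network analysis of slide 17 produced for one host."""
    detection_time: datetime
    compromise_time: Optional[datetime]          # None when no logs or image survived
    # (path, latest MAC time) for files that hold SSNs, card numbers, etc.
    sensitive_file_times: List[Tuple[str, datetime]] = field(default_factory=list)
    bytes_uploaded: int = 0                      # outbound volume since compromise
    sophisticated_tools: bool = False            # beyond a generic spam/scan bot
    # True/False when the analysis is conclusive either way, None otherwise
    access_confirmed: Optional[bool] = None

def assess(ev: Evidence, slow_detection=timedelta(days=7), big_upload=50 * 2**20):
    """Map evidence to a slide 21 outcome. Thresholds are assumed, not from the slides."""
    if ev.compromise_time is None:
        return "no data available for analysis", NOTIFY, []
    if ev.access_confirmed is True:
        return "access to data confirmed", NOTIFY, []
    if ev.access_confirmed is False:
        return "confirmed data were not acquired", NO_NOTIFY, []
    # Slide 23 indicators; any hit is treated as reasonable belief (assumed, conservative rule).
    touched = [p for p, t in ev.sensitive_file_times if t > ev.compromise_time]
    indicators = {
        "compromise a significant time ago": ev.detection_time - ev.compromise_time > slow_detection,
        "MAC times after compromise": bool(touched),
        "significant download": ev.bytes_uploaded > big_upload,
        "sophisticated hacker tools": ev.sophisticated_tools,
    }
    hits = [name for name, present in indicators.items() if present]
    if hits:
        return "reasonable belief data were acquired", NOTIFY, hits
    return "reasonable belief data were not acquired", NO_NOTIFY, hits

# Constructed sample incidents (not real cases).
OLD_BREACH = Evidence(
    detection_time=datetime(2008, 3, 20), compromise_time=datetime(2008, 3, 1),
    sensitive_file_times=[("/srv/hr/payroll.csv", datetime(2008, 3, 10))],
    bytes_uploaded=200 * 2**20, sophisticated_tools=True)
QUICK_CATCH = Evidence(
    detection_time=datetime(2008, 5, 1, 14), compromise_time=datetime(2008, 5, 1, 10),
    sensitive_file_times=[("/srv/hr/payroll.csv", datetime(2008, 4, 20))],
    bytes_uploaded=1_200)
NO_LOGS = Evidence(detection_time=datetime(2008, 6, 2), compromise_time=None)
```

The third return value lists which slide-23 indicators fired, which is what DIRT would want written down alongside the decision.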

  24. Data Incident Notification Toolkit*
     • Provide a tool that pulls from our collective experience.
     • A real-time aid for creating the various communications that form data breach notification.
     • An essential part of an incident response plan.
     • http://www.educause.edu/DataIncidentNotificationToolkit/9320
     * Hosted by EDUCAUSE

  25. Notification Templates
     • Outlines and content for
       • Press Releases
       • Notification Letters
       • Incident Specific Website
       • Incident Response FAQs
       • Generic Identity Theft Web Site
     • Sample language from actual incidents
     • Food for thought – one size does not fit all
