
Breach vs. Incident – a Guided Discussion


1 Breach vs. Incident – a Guided Discussion
Information Systems Security Association, Portland, Oregon, September 2010
Sharon Blanton, PhD, Chief Information Officer, Portland State University
Craig Schiller, CISSP-ISSMP, ISSAP, Chief Information Security Officer, Portland State University
Presenter notes: Sharon opens the session and introduces herself, then points to Craig so he can introduce himself.

2 Agenda
- Definitions: Incident vs. Breach
- Scenarios
- Discussion
- Next Steps
Presenter: Sharon

3 Suspected Incident
Is it an incident?
- Incidents require mitigation
- Incidents may or may not require notification
Is it a breach?
- Breaches require mitigation
- Breaches require notification
All breaches are incidents, but not all incidents are breaches.
Presenter: Craig

4 What is a Breach?
A (reportable) breach is the unauthorized acquisition, access, use, or disclosure of PII in a manner not permitted by law or regulation and which compromises the security and privacy of the PII. (Paraphrased from a PHI breach definition by Pepper Hamilton, LLP.)
We are using the term breach to describe all incidents that legally require notification to the damaged parties.
Presenter: Craig

5 Relevant Law or Regulation
- FERPA: protection of student data
- FACTA Red Flag Rules: finance
- Payment Card Industry Data Security Standard: credit cards
- Gramm-Leach-Bliley (GLB) Act: financial consumers
- USA Patriot Act: data preservation and wiretapping requests
- Student and Exchange Visitor Information System (SEVIS): international students
- Higher Education Opportunity Act: record keeping, business processes, and reporting
- Health Insurance Portability and Accountability Act (HIPAA): health records
- HITECH Act: Private Health Information, breach notification and enforcement
- Digital Millennium Copyright Act (DMCA): protection of digital media
- Electronic discovery (E-discovery): also Rule 37 of the Federal Rules of Civil Procedure
- Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act): campus crime
- State law, e.g. Oregon Identity Theft Protection Act: Personally Identifiable Information breach notification
- State law regarding disclosure of Faculty/Staff records
- PCI Standards: credit card and bank account information
- VISA PA-DSS Best Practices and Validated Applications list
- Others? Information covered by NDAs, information protected by export law
Presenter: Sharon

6 Breach or Incident?
Two methods for determining if a breach occurred:
- By definition
- By risk of harm analysis
How do you prove a negative?
Presenter: Sharon

7 What if there is no known Harm?
A compromise of the security and privacy of personal private information must pose a significant risk of financial, reputational, or other harm to the individual. Use a risk assessment to determine if harm exists. (Pepper Hamilton LLP webinar)
Not all disclosures will be breaches; a disclosure must cross the harm threshold. Overcoming access controls does not constitute a breach by itself: it must lead to a use and disclosure of PPI that is not permitted by law or regulation, and it must also cross the “harm threshold.”
Presenter: Craig

8 Risk of Harm Questions
- Were the recipients obligated (by policy or regulation) to protect the privacy and security of the information?
- Can the impact of the disclosure be mitigated?
  - Pre-existing NDAs or other measures which assure no further disclosure
  - Was it returned before improper use could occur?
- Did the forensics investigation find any evidence of improper use, discovery, or distribution?
- What was disclosed, and how much?
Presenter: Craig

9 No Breach?
A breach has not occurred if:
- PII is not stored in the cloud
- PII is “secured” (encrypted*)
- There is little risk of harm
(Pepper Hamilton, LLP)
* Some states also exempt encoded data.
Presenter: Craig
The same is true for other protected information that requires reporting if disclosed.

10 Activity: Putting it into practice
Questions:
- Is this a breach or an incident?
- What process did you use to make your decision?
- Who needs to be notified? How?
- What mitigation may be necessary?
Presenter: Sharon

11 Scenarios
Suspected incidents:
- A former student reports to you that, using Google, he has found his SSN on one of your systems.
- A professor reports to you that his laptop was stolen and that on it he maintained a list of student names and student ID numbers.
- A professor discovers that he can see other employees’ home directories.
- A staff person discovers advising files of current and former students available to view by all authenticated users on a web-accessible storage service.
- A website hosted in the cloud is defaced.
Presenter: Sharon

12 SSN found via Google: Breach?
One of your former students reports to you that, using Google, he has found his SSN on one of your systems.
- Data, when stored (2004), was not considered sensitive
- Some data was not PII but was still sensitive
- Data was stored on a Listserv which Google crawled
- In , some instances were removed from the Listserv, but not from Google’s cache of the webpage!
Presenter: Sharon

13 SSN Breach-Response
Discovery
- Searched for other, similar PII data
- Determined where other instances may have been cached (Internet Time Machine, Google, etc.)
Short-term mitigation
- Known PII data was taken down
- Google’s cache was flushed
- Listserv was reconfigured to change all lists to private
Notification
- Met with General Counsel and HR
- Determined this was a breach (by definition and risk of harm analysis)
- Briefed executive level
- Drafted a letter to send to the potential victims
- For sensitive data not covered by law or regulation, the business owner was given the option to notify or not (subject to executive override)
Long-term mitigation
- Reviewed lists and deleted all lists that haven’t had activity in 2 years (a time bomb of unnecessary liability)
- Changed our process to make private the default listserv setting
Awareness
- Discussed posting practices with listserv owners
- Documented and responded to users’ questions from the notification
Presenter: Sharon

14 Student ID
One of your professors reports to you that his laptop was stolen and that on it he maintained a list of student names and student ID numbers.
Is it a breach by definition? According to the December 2008 FERPA revision, it depends.
Presenter: Craig

15 Student ID
“We modified the rule to allow student ID numbers to be disclosed as directory information if they qualify as electronic identifiers.”
“The regulations will allow an educational agency or institution to disclose as directory information a student’s ID number, user ID or other electronic identifier so long as the identifier functions like a name; that is, it cannot be used without a PIN, password, or some other authentication factor to gain access to education records. This change will impose no costs and will provide benefits in the form of regulatory relief allowing agencies and institutions to use directory services in electronic communications systems without incurring the administrative costs associated with obtaining student consent for these disclosures.”
Presenter: Craig

16 Student ID
“Directory Information”: data that can be made public without *student* permission. Each college must decide, within certain limits, what it considers Directory Information, and must publish the list. Typically this includes things like name, phone number, address, graduation year, and major. According to FERPA Regulations, Directory Information is “information contained in an education record of a *student* that would not generally be considered harmful or an invasion of privacy if disclosed.” (Steven Worona)
In order to treat the student ID as directory information, each college must officially declare it to be so and publish the new list of directory information.
Presenter: Craig

17 Exception
However, parents and eligible students can opt out of directory information disclosures; those that do will not be able to participate in student services that are delivered in this manner. This means you may have a student ID related breach for a few students even after declaring student identification to be directory information.
Presenter: Craig

18 Student ID Breach-Response
Discovery
- Interviewed the professor; determined there was only one instance of the lost data
Short-term mitigation
- None
Notification
- Met with General Counsel, Admissions, Records, and Registration (ARR), and HR
- Determined this was a breach (by definition)
- Briefed executive level
- Drafted a letter to send to the potential victims, sent by the professor’s department
Long-term mitigation
- Pursue including student ID as directory information
Awareness
- Gave presentations about student ID as directory information
- Began discussions with General Counsel and ARR
Presenter: Craig

19 Small Private College with Law School
An Information Technology staff person discovered advising files of 14 current and former students available to view by all authenticated users (only) on our web-accessible storage service (Xythos). The files contained high school transcripts and college application materials for our first-year advising program. These files contained personally identifying information (SSN and birthdate). Upon finding this information available, the IT staff person immediately made a “copy” of the environment for forensics purposes and then removed the permissions from the files to protect that sensitive information. It was determined that the files were accessible to all authenticated users (and not the general public) for one week. We were not able to determine if the files had been viewed by anyone during that time period.
Presenter: Sharon

20 Small Private College with Law School
General Counsel advised that we notify the affected 14 individuals per the Oregon notification legislation. The notification happened on September 2 through and certified postal mail, and offered a year of credit monitoring (which no one took us up on).
Post incident: We immediately suspended the first-year advising application utilizing the web storage service until the sensitive information could be redacted from the scanned images. Going forward, all personally identifying information will be redacted upon scanning.
Presenter: Sharon

21 College with Law School Response
Discovery
- IT staff member discovered sensitive files for 14 students were viewable by any authenticated user
Short-term mitigation
- Copy of the environment made for forensics
- Removed permissions from the sensitive files
- Analyzed exposure (1 week); unable to determine if anyone viewed the files
- Suspended the application from using the web storage service until the sensitive information could be redacted from the scanned images
Notification
- Can’t determine risk of harm
- Met with General Counsel; determined this was a breach
- Notified users via and postal mail; offered 1 year of credit monitoring
Long-term mitigation
- Implement process to redact PII upon scanning
Awareness
- Additional training may be indicated
Presenter: Sharon

22 Missing Access Control
A university professor discovers that he can see other employees’ home directories.
Presenter: Craig

23 Access Controls
Your staff discovers that six days ago the ACLs on your staff directories/folders were unintentionally modified for a vendor. Inheritance was turned off, which changed all lower-level effective permissions. Directories normally protected by restrictive ACLs were modified to permit read-only access by anyone with an active account. Some of the folders definitely contain PII. Audit trail object access was not enabled.
Presenter: Craig

24 Access Controls
- Ran Spider (from Cornell University) to identify PII at risk
- One month to scan 10 volumes on the file server
- Identified all files accessed during the exposure period. This significantly reduced the number of files at risk, as 70.8% of all files were not accessed during the exposure period.
Is this a breach or an incident? Regardless, we need to mitigate the situation.
Presenter: Craig

25 Access Control Incident-Response
Discovery
- Reported by university staff
- Root cause was analyzed
- Used Spider to scan affected volumes for PII
Short-term mitigation
- Inheritance and permissions were fixed
- Access dates for all files on affected volumes were analyzed to determine scope of risk
- All affected PII was identified
Notification
- Met with General Counsel and CIO; contacted Oregon Division of Finance and Corporate Securities
- Determined this was not a breach (by risk of harm analysis)
- Sent to users with PII
Long-term mitigation
- Legacy PII discovery effort
- Provide secure enterprise storage for future PII
- Establish enterprise PKI for encryption infrastructure
- Publish procedures requiring the use of encryption
Awareness
- Presentations to HR admins, executive admins, staff
- Presentations to technical admins about plans and timetables
Presenter: Craig
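Slides 23 to 25 scope the exposure by intersecting two sets: files that contain PII (the Spider scan) and files whose last-access time falls inside the window during which the ACLs were open. The Python below, an added illustration rather than the presenters' procedure or Cornell's Spider, performs that intersection over constructed in-memory file records; the FileRecord type, the SSN pattern, the six-day window and the sample paths and contents are all assumptions.

```python
"""
Scope an access-control exposure the way slides 23-25 describe: keep the
files whose last-access time lies inside the exposure window, then scan
only those for PII. Every file record here is constructed sample data.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileRecord:
    """Hypothetical stand-in for one file on an exposed volume."""
    path: str
    last_access: datetime
    content: str


# SSN-shaped token (3-2-4 digits) excluding areas never issued (000, 666, 9xx),
# group 00 and serial 0000. Deliberately simple compared with a real scanner.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def accessed_during(record, window_start, window_end):
    """True if the file's recorded last access falls inside the exposure window."""
    return window_start <= record.last_access <= window_end


def contains_pii(record):
    """True if the file content holds at least one SSN-shaped token."""
    return bool(SSN_RE.search(record.content))


def scope_exposure(records, window_start, window_end):
    """Return (paths of PII files accessed in the window,
    fraction of all files not accessed in the window)."""
    touched = [r for r in records if accessed_during(r, window_start, window_end)]
    at_risk = [r.path for r in touched if contains_pii(r)]
    untouched_fraction = 1 - len(touched) / len(records) if records else 0.0
    return at_risk, untouched_fraction


# Constructed sample: the ACL change is discovered six days after it happened.
DISCOVERED = datetime(2010, 6, 10, 9, 0)
WINDOW_START = DISCOVERED - timedelta(days=6)

SAMPLE = [
    FileRecord("hr/payroll_2009.csv", datetime(2010, 6, 8, 14, 2), "Jane Roe,123-45-6789,..."),
    FileRecord("hr/org_chart.txt", datetime(2010, 6, 9, 8, 30), "CIO -> CISO -> admins"),
    FileRecord("finance/old_budget.xls", datetime(2009, 12, 1, 10, 0), "555-12-3456 archived"),
    FileRecord("registrar/advising.doc", datetime(2010, 6, 5, 11, 15), "SSN 321-54-9876 DOB ..."),
    FileRecord("it/readme.txt", datetime(2010, 1, 20, 16, 45), "nothing sensitive"),
]

if __name__ == "__main__":
    at_risk, untouched = scope_exposure(SAMPLE, WINDOW_START, DISCOVERED)
    print(f"{untouched:.1%} of files were not accessed during the exposure window")
    for path in at_risk:
        print("PII at risk:", path)
```

Two caveats a responder should carry into the risk-of-harm meeting. The "not accessed" set is only evidence if the volume actually records access times; NTFS stops updating last-access timestamps by default on Windows Vista and Server 2008 and later, so check that setting before trusting a quiet window. And with object-access auditing off, as on slide 23, a timestamp says that something read the file, never who, which is why the deck still notified the affected users after concluding this was not a breach.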

26 Website in the Cloud Defaced
A website of yours that is hosted in a cloud is defaced. Parts of this website can access sensitive data that is also stored in the cloud.
Presenter: Craig

27 Website in the Cloud Defaced
In January 2010, shortly after President Obama finished his State of the Union address, the webpages of 49 Congressional members were defaced. All of the webpages were managed by GovTrends. GovTrends ironically had the phrase “You get what you pay for” on their website. In August 2009, 18 Congressional member websites, also managed by GovTrends, were defaced.
Presenter: Craig

28 Website in the Cloud Defaced
Following the August attack, Representative B sent a letter to the CAO (Chief Administrative Officer) of the House, asking for actual details of the attack and a plan for notification of these incidents in the future. Rep. B’s office contacted GovTrends and requested copies of the appropriate logs. GovTrends redirected him to HRIS. HRIS claimed they do not investigate or prosecute since there is no way to track down the criminals responsible for this act.
Presenter: Craig

29 Website in the Cloud Defaced
At a Cloud Law Summit, Microsoft's head of legal, Dervish Tayyip, said the company would not provide financial guarantees against data-protection issues on cloud contracts. "We're not an insurance company. What is important is that customers understand the [cloud] offerings are standardised — they are what they are. If the offering does not meet customer needs, maybe the cloud is not a realistic offering."
Source: Cloud providers shrug off liability for security, by Tom Espiner, ZDNet UK, 12 February
Presenter: Craig

30 Cloud Incident Response
Discovery
- Prevented by vendor refusal to cooperate
Short-term mitigation
- Undetermined; experts claim the vendor's explanation makes no sense
Notification
- Can’t determine risk of harm
Long-term mitigation
- Nothing in the press about it
Awareness
- Articles on the web
Presenter: Craig

31 Breach Response for Clouds
- Unlike in-house repositories of information, you cannot assume that you have the right and the authorization to investigate breaches in clouds. You must ensure that your contract with the cloud vendor permits you this capability.
- If regulation requires that you protect your data from the cloud provider, then you must encrypt it and ensure that the contract does not contain a provision which would permit the vendor to investigate your content.
- If the data that you store in the cloud includes FERPA-protected data, then the cloud provider must agree to act as a FERPA agent for the university and to protect it as such.
- Your contract should bind the cloud vendor to meet any regulatory and legal requirements that you are required to meet.
- Be aware that law enforcement may approach your cloud vendor and demand access to your data even if you have reservations about the legality of their request. Surrendering your data to a third party weakens your position that the data is valuable unless you have taken measures to affirm its value despite the transfer. These measures might include encrypting the data or contractually binding the cloud vendor to protect the data in accordance with its value or sensitivity.
- Your contract should explicitly grant your security staff and administrators the rights that you require regarding monitoring and investigations.
- For any cloud user interface, the user should be informed that they should have no expectation of privacy except that required by explicit law or regulation. You should have the user agree that use of the cloud constitutes consent to monitoring. This would need to be spelled out contractually with your cloud vendor.
Presenter: Craig

32 Breach Prevention for Clouds
You can avoid a breach in the cloud by requiring all data in the cloud to be encrypted:
- You encrypt the data before storing it
- You contract the cloud provider to encrypt your data
  - Full cloud encryption
  - Individually accountable encryption with a corporate escrow
- Must gather assurances that the cloud hosts have sufficient security (SAAP): SAS-70
- Must gather assurances that the cloud application has sufficient security (SAAI): SysTrust or SAS-70
- Must gather assurances that the cloud-based web application has sufficient security (SAAS): WebTrust, SAS-70, vulnerability assessments or penetration testing
Presenter: Craig

33 Sample Incident Response Plan
- Review the exposed material and determine the scope and nature of the incident.
  - Number of unique disclosures or opportunities for disclosure
  - To the best of our ability, determine if there is any evidence that the exposed information was accessed.
- Take actions to limit or eliminate the exposure.
- Arrange a meeting with General Counsel, CIO, and the list owner. Describe the incident, disclosures and the data found during the review.
- Determine whether the disclosure (or potential disclosure) meets the criteria in the FERPA, GLBA, FISMA, HIPAA, PCI standards, state law or regulation such as the Oregon ID Theft Protection Act.
  - If yes:
    - If no clear evidence of disclosure, determine potential risk of harm.
- Draft and send a response to the individual that identified the disclosure.
- Draft a response to the individuals whose personally identifying information was exposed.
- Determine the cause of the exposure.
- Determine permanent solution and implement.
Presenter: Sharon
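The two determination methods of slides 6 to 9 (by definition, then by risk of harm analysis, with the "secured" safe harbor and the slide 8 questions) and the decision step of the sample plan above reduce to one ordered test. The Python below writes that test down so the reasons behind a classification are recorded alongside it. It is an added illustration, not the presenters' procedure or a legal tool: the IncidentFacts fields, the forensic_finding vocabulary and the encodings of the deck's scenarios are assumptions, and the deck has each real determination made with General Counsel at the table.

```python
"""
Two-step breach determination as slides 6-9 lay it out: first "by
definition" (unauthorized handling of regulated, unsecured PII), then
"by risk of harm analysis". Scenario encodings are constructed.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class IncidentFacts:
    """Hypothetical intake record for one suspected incident (assumed field set)."""
    description: str
    regulated_data: Tuple[str, ...]   # data classes covered by law or regulation, () if none
    unauthorized_access: bool         # acquisition/access/use/disclosure not permitted
    data_encrypted: bool              # "secured" in slide 9's sense
    recipients_obligated: bool        # recipients bound by policy/NDA/regulation to protect it
    returned_before_use: bool         # material recovered before improper use could occur
    forensic_finding: str             # "misuse", "accessed", "not_accessed" or "unknown"


@dataclass(frozen=True)
class Determination:
    classification: str
    reasons: Tuple[str, ...]
    notification_required: bool       # slide 3: breaches require notification


def classify(f: IncidentFacts) -> Determination:
    reasons = []
    # Step 1, by definition. Any "no" here leaves an incident: mitigate, no legal notification.
    if not f.regulated_data:
        return Determination("incident", ("no data covered by law or regulation",), False)
    if not f.unauthorized_access:
        return Determination("incident", ("handling was permitted",), False)
    if f.data_encrypted:
        return Determination("incident", ("data was secured (encrypted): no breach by definition",), False)
    reasons.append("definition met: unauthorized handling of " + ", ".join(f.regulated_data))

    # Step 2, risk of harm analysis, following the slide 8 questions in order.
    if f.forensic_finding == "misuse":
        reasons.append("forensics found improper use, discovery or distribution")
        return Determination("breach (by definition and risk of harm analysis)", tuple(reasons), True)
    if f.recipients_obligated or f.returned_before_use:
        reasons.append("impact mitigated: obligated recipients and/or returned before use")
        return Determination("not a breach (by risk of harm analysis)", tuple(reasons), False)
    if f.forensic_finding == "not_accessed":
        reasons.append("no file accessed during the exposure period: little risk of harm")
        return Determination("not a breach (by risk of harm analysis)", tuple(reasons), False)
    if f.forensic_finding == "accessed":
        reasons.append("exposed data was accessed by parties not obligated to protect it")
        return Determination("breach (by definition and risk of harm analysis)", tuple(reasons), True)
    # Nothing shows the risk is low and you cannot prove a negative: treat it as a breach.
    reasons.append("risk of harm cannot be shown to be low")
    return Determination("breach (by definition)", tuple(reasons), True)


# Constructed encodings of three of the deck's scenarios (slides 12, 14 and 23-25).
GOOGLE_CACHE = IncidentFacts("SSNs on a Google-crawled listserv archive",
                             ("SSN",), True, False, False, False, "accessed")
STOLEN_LAPTOP = IncidentFacts("stolen laptop with student names and IDs",
                              ("student ID",), True, False, False, False, "unknown")
ACL_CHANGE = IncidentFacts("ACL inheritance disabled on staff folders",
                           ("SSN",), True, False, False, False, "not_accessed")

if __name__ == "__main__":
    for facts in (GOOGLE_CACHE, STOLEN_LAPTOP, ACL_CHANGE):
        d = classify(facts)
        print(f"{facts.description}: {d.classification}; notify={d.notification_required}")
        for r in d.reasons:
            print("  -", r)
```

The order of the step 2 checks is the substantive choice: a finding of misuse outranks everything, mitigation (obligated recipients, material returned) is considered before the access evidence, and an "unknown" finding falls through to a breach by definition, which is exactly how the deck resolves the stolen laptop and the college advising files once the risk of harm could not be determined.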

34 Next Steps?
Presenter: Craig
- Acquire tools to search through servers, workstations, and files to discover PII
- Design solutions for PII challenges
  - Whole disk encryption
  - File encryption
  - Secure file server
  - Require network storage
  - Segregate workstations that work with PII
  - No use of home computers. Convert home computer to secure dumb workstation
  - Provide secure laptops for remote use
  - No dual-use workstations for sensitive data
- Search all servers, databases, workstations for PII
- Create strategy to let users search for PII on existing home systems
- Create awareness campaign for PII removal
- Establish a PII Incident Response team, including General Counsel, HR, Provost’s office, IT support
- Determine breach thresholds and risk of harm criteria

35 Design solutions for PII challenges
- Whole disk encryption (pgpdisk)
- Enterprise-supported file encryption (a PKI solution)
- Secure file server (TrueCrypt)
- Personal file encryption (WinZip)
- Require network storage
- Segregate workstations that work with PII
- No use of home computers. Convert home computer to secure dumb workstation
- Provide secure laptops for remote use
- No dual-use workstations for sensitive data
- Search all servers, databases, workstations for PII
- Create strategy to let users search for PII on existing home systems
- Data Loss Prevention systems (discovery, prevention of loss, protection of the data, monitoring of PII use)
Presenter: Craig

36 Remaining Issues
- How do different states' breach notification laws apply?
- What is the threshold for victim notification? AG notification?
- Is a breach insurance policy a good strategy?
- Should Educause/CIOs pursue agreements for credit monitoring, post-breach forensics, or other services?
- Should encryption be required?
Presenter: Sharon

37 Portland State University
Questions
Sharon Blanton, PhD, Chief Information Officer
Craig Schiller, CISSP-ISSMP, ISSAP, Chief Information Security Officer
Portland State University
Presenters: Sharon and Craig
