Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.


Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster

Questions That Need to Be Answered
–Does your institution have policies that protect data?
–Does your institution have processes to develop enforceable policy?
–Does your institution have a central IT security office, and how should it function?
–How do you know when you've had a security incident?
–How do you know when you need to notify?

Two Generalizations about Policy and Process: (1) Critical to have a policy process…
–Legal compliance primarily
–Deference to the complex nature of higher education secondarily, especially as higher education becomes more international in scope and information technology is increasingly intermingled with the law, the market and changing norms within society
…no matter what the particular culture or structure of your institution.

Two Generalizations about Process: (2) It almost always does, or should, boil down to three essential steps:
–Responsible office brings forward the concept to a high-level committee (Audit, Counsel, VPs, Dean of Faculty, or even President and Provost)
–Mid-level review for implementation; the greater the representation of the campus community, the better
–Back to the high level for signoff and promulgation.

Information Security of Institutional Data
Policy Statement
–Every user of institutional data must manage it responsibly
Appendix A
–Roles and Responsibilities
Appendix B
–Minimum Data Security Standards

Data Classification Cost/Benefit Analysis
Costs (financial and administrative):
–Administrative burden
–Financial cost of new technologies
–New business practices
Benefits (mitigating risk):
–Legal check list
–Policy decisions (prioritizing institutional data)
–Ethical considerations?

Legal Check List
Columns: (1) Privacy Statement, (2) Annual Notice, (3) Notification Upon Breach, (4) Legislative Private Right of Action*, (5) Government Enforcement, (6) Statutory Damages

Type of Data             (1)  (2)  (3)  (4)  (5)  (6)
Personally Identifiable   o    o    x    O    x    x
Education Record          x    X    o    o    x    o
Medical Record            x    o    o    x    x    x
Banking Record            x    x    o    o    x    x

Does Your Institution Have a Central IT Security Office, and How Should It Function?
How many have a dedicated security office?
Several benefits
–Identified individual to consistently address and respond to security concerns
–Not responsible for delivering services that may conflict with security
–Tasked with developing the incident response and remediation process
Some common functions
–Incident response
–Security infrastructure development
–Awareness
–Governance

How do you know when you've had an incident?
An indication of potential compromise can come from anywhere.
External indications
–SPAM complaint
–Scanning complaint

How do you know when you've had an incident?
Internal indications
–Network monitoring
–IDS/IPS alerts
–Internal scanning
–Local identification

How do you know when you’ve had an incident?

How do you know when you've had an incident?
Everyone has incidents, but what matters is the type of data stored on the computer.
The following data mean significantly more work:
–Social security numbers
–Credit card numbers
–Driver's license numbers
–Other protected data

How do you know when you need to notify?
–Establishing reasonable belief of unauthorized data access is not an exact science
–Institution-wide decision making is imperative
–Thorough computer and network analysis is required

Institution-Wide Decision Making
Data Incident Response Team (DIRT)
DIRT meets for every incident involving critical data
DIRT objectives
–Thoroughly understand each incident
–Guide immediate required response
–Determine requirement to notify

DIRT Members
Core Team
–University Audit
–Risk Management
–University Police
–University Counsel
–University Communication
–CIO
–Director, IT Policy
–Director, IT Security
Incident Specific
–Data Steward
–Unit Head
–Local IT support
–Security Liaison
–ITMC member

Computer and Network Analysis
Data sources
–System data: What data are on the computer? How are these data stored? When were they last accessed or modified? What was the method of compromise?
–Network data: Who has been accessing this system? What services were used? What was the method of compromise? What was the amount of uploads and downloads?

Computer and Network Analysis

How Do You Know when You Need to Notify?
Need to Notify, from least to most likely:
–Confirmed data were not acquired
–Reasonable belief data were not acquired
–No data available for analysis
–Reasonable belief data were acquired
–Access to data confirmed

Likelihood of Unauthorized Access
Reasonable belief data were acquired
–System compromise occurred a significant time ago
–File MAC times after compromise and not tied to a supporting application
–Significant remote access and download
–More sophisticated hacker tools
–Etc.
Reasonable belief data were NOT acquired
–Compromise identified quickly
–File MAC times consistently before compromise
–Limited or no network download
–More benign hacker tools
–Benign system use characteristics
–Etc.
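The system and network data sources from the "Computer and Network Analysis" slide feed the indicators on this slide, and the result lands on the "Need to Notify" spectrum. The following is an added example (not from the presentation or from Cornell) that turns those heuristics into a repeatable DIRT assessment; the Evidence fields, the two-indicator rule and the dwell-time and download thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Positions on the slide's "Need to Notify" spectrum, from no notice to must notify.
CONFIRMED_NOT_ACQUIRED = "Confirmed data were not acquired"
BELIEF_NOT_ACQUIRED = "Reasonable belief data were not acquired"
NO_DATA = "No data available for analysis"
BELIEF_ACQUIRED = "Reasonable belief data were acquired"
ACCESS_CONFIRMED = "Access to data confirmed"

@dataclass
class Evidence:
    compromise_time: datetime
    detected_time: datetime
    file_mac_times: Optional[List[datetime]]  # MAC times of the sensitive files; None = no system data
    bytes_downloaded: Optional[int]           # outbound volume from flow records; None = no network data
    mac_explained_by_app: bool = True         # post-compromise MAC activity accounted for by normal app use
    sophisticated_tools: bool = False         # rootkit/custom tooling rather than a generic scanner
    access_confirmed: bool = False            # e.g. attacker shell history shows the file being read
    data_confirmed_intact: bool = False       # e.g. full packet capture shows no transfer

def assess(ev: Evidence, dwell_limit: timedelta = timedelta(days=7),
           download_limit: int = 50 * 1024 * 1024) -> Tuple[str, List[str]]:
    """Place one incident on the spectrum using the slide's heuristics; returns the position
    and the indicators behind it for the DIRT record. Thresholds are assumed, not from the slides."""
    if ev.access_confirmed:
        return ACCESS_CONFIRMED, ["access to data confirmed"]
    if ev.data_confirmed_intact:
        return CONFIRMED_NOT_ACQUIRED, ["data confirmed not acquired"]
    if ev.file_mac_times is None and ev.bytes_downloaded is None:
        return NO_DATA, ["no system or network data to analyse"]
    indicators = []  # evidence pointing toward "data were acquired"
    if ev.detected_time - ev.compromise_time > dwell_limit:
        indicators.append("compromise occurred a significant time ago")
    if (ev.file_mac_times and not ev.mac_explained_by_app
            and any(t > ev.compromise_time for t in ev.file_mac_times)):
        indicators.append("file MAC times after compromise, not explained by application")
    if ev.bytes_downloaded is not None and ev.bytes_downloaded > download_limit:
        indicators.append("significant remote download")
    if ev.sophisticated_tools:
        indicators.append("sophisticated hacker tools")
    # Two or more independent indicators are treated as reasonable belief of acquisition.
    return (BELIEF_ACQUIRED if len(indicators) >= 2 else BELIEF_NOT_ACQUIRED), indicators

# Constructed sample incidents (not real cases).
T0 = datetime(2006, 4, 1, 2, 0)
FAST_CATCH = Evidence(T0, T0 + timedelta(hours=6), [T0 - timedelta(days=30)], 200_000)
SLOW_CATCH = Evidence(T0, T0 + timedelta(days=40), [T0 + timedelta(days=2)], 900 * 1024 * 1024,
                      mac_explained_by_app=False, sophisticated_tools=True)
NO_LOGS = Evidence(T0, T0 + timedelta(days=1), None, None)
```

The returned indicator list is what the DIRT minutes should record alongside the position, since the position alone does not justify the notification decision.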

Data Incident Notification Toolkit*
–Provides a tool that pulls from our collective experience
–A real-time aid for creating the various communications that form data breach notification
–An essential part of an incident response plan
ationToolkit/9320http:// ationToolkit/9320
* Hosted by EDUCAUSE

Notification Templates
Outlines and content for
–Press Releases
–Notification Letters
–Incident Specific Website
–Incident Response FAQs
–Generic Identity Theft Web Site
Sample language from actual incidents
Food for thought: one size does not fit all