
19 November 2014 Pennsylvania Local School Districts: Regional Data Breach Exercise.



Mike Tassey, Technical Security Advisor
Privacy Technical Assistance Center (PTAC)
http://ptac.ed.gov/
E-mail: PrivacyTA@ed.gov
Phone: 855-249-3072

Interactive Data Breach Exercise
- Table top exercise that simulates a data breach within a complex organization
- Intended to provide an opportunity for attendees to put themselves in the shoes of the critical decision makers who have just experienced a data breach
- You will be divided into teams that each must react and respond to the scenario as if it were happening in real time
- Over time, the scenario will be more fully revealed as you discover more about what happened. Be prepared for the unexpected!

Suggestions
- Think about each of the roles needed in your organization (public information, data system leadership, attorney, auditors, etc.)
- Consider assigning these roles to individuals within the team to increase realism and make the decision-making process more organized
- Use the chat functionality to ask any questions you may have, and a PTAC navigator will respond to help clarify
- Things may seem murky at first; the full extent or impact of a data breach is rarely known up front. Do your best to anticipate what might happen, but don’t get ahead of yourselves.

Interactive Data Breach Exercise
Each team will have 01:50:00 to complete the exercise and develop two key products:
- Response Plan – outline how your agency will approach the scenario and what resources you would mobilize. Describe who within the agency would comprise your response team and identify goals and a timeline for response activities.
- Public & Internal Communications / Messaging – develop the message you would deliver to your partners, customers, students & parents, the media, and the public*

* During the event you may be asked to participate in press conferences about the scenario. Be prepared to respond to reporters and the media about what is happening and how your organization is responding.

Interactive Data Breach Exercise: Background
- You are a local school district with 8000 students
- Your organization provides centralized IT services and support for outlying K-12 schools as well as access to a centrally managed student information system (SIS)
- The district has recently installed a new version of the state-wide SIS, which lets users / administrators / faculty log in individually through the browser and upload grades, attendance and assessment data
- The rollout has hit some snags integrating with legacy systems and managing roles and permissions, limiting the implementation of the new system to only a few test locations in the district

Interactive Data Breach Exercise: Scenario
- Yesterday a computer science teacher notified the district IT manager that some course grades appeared to have been changed in the system; apparently all the students in the course had their grades changed to reflect much better scores than they should
- Initial investigation shows that someone had logged on using the teacher’s login information and manually changed the grades
- Additionally, the logs indicate that reports were also downloaded which contained the private information of many of the school’s students and employees

Interactive Data Breach Exercise: Gather your teams and prepare to cogitate
- Go over the scenario carefully and begin to think about what you know and do not know
- Convene the group into an incident response team and read aloud the background and goals
- Begin building your response (we recommend electing a person to keep notes)
- During the scenario, you may receive additional information about the breach. Read each of these updates as the scenario unfolds
- We will occasionally pause to discuss where we are, and possibly even give a press release

(This exercise works best if all parties approach it as they would a “murder mystery” dinner. The more the groups synthesize the information and role play, the better the effect and the more useful the exercise becomes.)

Questions?

End 10 Minutes

Where are we?
- Have you begun to build a plan for response?
- Can you make any concrete conclusions?
- Has there really been a breach?

Scenario Update
- Logs indicate that the login occurred from the school’s WiFi network after school hours
- In addition to changing the grades in the system, several reports were accessed which revealed the private information (including SSNs) of the entire school district
- Reports have surfaced of students offering to change grades for money; no names have yet surfaced

End 10 Minutes

Where are we?
- Has the updated information changed your approach to the scenario?
- Does the fact that the breach includes SSNs change the way you approach response?
- Think about what controls you could put in place to avoid a scenario like this.

Scenario Update
- Two juniors who are in the original computer science class are rumored to be the culprits
- When questioned, they admit that they located a sticky note with the teacher’s username and password, which they then used to log in from their car after school to change the grades
- They say that they also accessed some other school systems, which included a database of employees (names, addresses, SSNs, employee numbers, etc.)

End 10 Minutes

Scenario Update
- The data they accessed contains the personal private information of 3500 students and 110 employees
- Some of the data about school administrators and teachers has been published to the students’ Facebook pages and is thus available to the internet
- News of the breach has leaked out: you are starting to receive calls from parents asking if their child’s data was accessed and their grades changed
- Your legal counsel advises that State law requires the notification of victims of a data breach within 15 days

End 10 Minutes

Press Conference
- It’s out there, so you must now brief the press and the community
- Your spokesperson should now give a brief press conference to address the issue and take a few questions
- In the audience are reporters from local and national media, as well as parents, privacy advocates and activists

Where are we?
- How did it go? Was your message received well?
- Now that it is public, what do you say to your data sharing partners?

Scenario Update
- An employee of the school whose information was involved in the breach has her identity stolen; she claims it was a result of the Facebook posting of her private information
- Parents and community privacy advocates are criticizing the new SIS implementation and demanding answers on how this was able to occur
- As news of the breach spreads, other districts are receiving pushback from their communities against the implementation of the new system, and the State Department of Education is pressing you to respond quickly to reassure the public

End 10 Minutes

Unveil Your Response Plan
- Take us through your response plan, including the who, what, when and how.
- What were the driving factors in your decision-making process?
- Did your plan evolve as the scenario became more clear? How?
- In an actual data breach the legal and regulatory overhead can be large. How do you think your organizations can prepare in advance so that the organization can react to a potential breach faster?

ED/PTAC Resources available

FERPA Training
- FERPA 101 professional training video
- FERPA 201 (Data Sharing) professional training video
- FERPA 301 (Postsecondary) professional training video
- FERPA 101 For Parents and Students

Data Security
- Data Security Checklist
- Data Governance Checklist
- Cloud Computing
- Identity Authentication Best Practices
- Data Breach Response Checklist

Contact Information

Family Policy Compliance Office
Telephone: (202) 260-3887
Email: FERPA@ed.gov
FAX: (202) 260-9001
Website: familypolicy.ed.gov

Privacy Technical Assistance Center
Telephone: (855) 249-3072
Email: privacyTA@ed.gov
FAX: (855) 249-3073
Website: www.ptac.ed.gov

