Presentation is loading. Please wait.

Presentation is loading. Please wait.

Incident Response, Being Prepared

Published byLynne Riley Modified over 6 years ago

Similar presentations

Presentation on theme: "Incident Response, Being Prepared"— Presentation transcript:

1 Incident Response, Being Prepared
First in a series of webinars regarding Cybersecurity Today we will provide a brief overview of the Tips and Tools that have currently been shared with the Education community by the Data Security Advisory Committee For the last 3 years I have served as the Chief Information Security Officer at TEA 10 years as the Information Security Officer with Texas Secretary of State Office AT&T Legal division– Developing Polices and procedures to prevent unauthorized access to their infrastructure network. Additionally I headed up a forensics team when we a compromise was detected. To save everyone the trouble of googling to put a face with the voice, I included a snapshot of me presenting at a recent conference. We hope these will be informative. We will allow time at the end of the presentation for questions and answers. Should you have question during the presentation feel free to submit them and the they will get qued for the Q& A session Frosty Walker Chief Information Security Officer Texas Education Agency (512)

2 Family Educational Rights and Privacy Act (FERPA) (1974)
FERPA creates a right of privacy regarding grades, enrollment, and billing information. Specifically, this information may not be released without prior consent from the student. In addition to safeguarding individual student records, the law also governs how state agencies transmit testing data to federal agencies.

3 FERPA protected Information
Grades Test Scores I.D. Numbers or Social Security Numbers HIPAA information Financial Records Disciplinary Records Class Schedule

4 Personal Identifying Information (PII): as defined by the Texas Business and Commerce Code § (a)(1), “personal identifying information” means information that alone or in conjunction with other information identifies an individual, including an individual’s: name, social security number, date of birth, or government-issued identification number; mother’s maiden name; unique biometric data, including the individual’s fingerprint, voice print, and retina or iris image; unique electronic identification number, address, or routing code; and telecommunication access device as defined by the Penal Code §32.51.

5 Sensitive Personal Information (SPI: as defined by the Texas Business and Commerce Code § (a)(2) means: An individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and items are not encrypted: Social security number; Driver’s license number or government-issued identification number; or Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or Information that identifies an individual and relates to: The physical or mental health or condition of the individual; The provision of health care to the individual; or Payment for the provision of health care to the individual.

6 Breach Notice Criteria
Report any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person or to the data owner immediately if it was not encrypted.

7 Life Cycle of a Breach Discovery
Assemble Internal Response Team (potentially lead by 3rd party vendor) Internal Notification Investigate and Remediate (potentially lead by 3rd party vendor) Contact authorities on as need to know basis Employ vendors such as forensics, data breach resolution law and PR firms as needed (potentially lead by 3rd party vendor) Begin notification process, procure protection services for affected Notification to affected parties (potentially lead by 3rd party vendor depending on contract terms) Make public announcement with single point of contact (potentially lead by 3rd party vendor depending on contract terms) Respond to inquiries Resume business as usual

8 First 24 hour Check list Panicking won’t get you anywhere once you’ve discovered a data breach. Accept that it’s happened and immediately beginning following your documented process.

9 Record the date and time when the breach was discovered, as well as the current date and time when response efforts begin, i.e. when someone on the response team is alerted to the breach. Alert and activate everyone on the response team, including external resources, to begin executing your preparedness plan. Secure the premises around the area where the data breach occurred to help preserve evidence. Stop additional data loss. Take affected machines offline but do not turn them off or start probing into the computer until your forensics team arrives. Document everything known thus far about the breach: Who discovered it, who reported it, to whom was it reported, who else knows about it, what type of breach occurred, what was stolen, how was it stolen, what systems are affected, what devices are missing, etc.

10 Interview those involved in discovering the breach and anyone else who may know about it. Document your investigation. Review protocols regarding disseminating information about the breach for everyone involved in this early stage. Assess priorities and risks based on what you know about the breach. Bring in your forensics firm to begin an in-depth investigation. Notify law enforcement, if needed, after consulting with legal counsel and upper management.

11 Third party vendor potential breach process
Review contract for potential steps as outlined in contract regarding notification. Information needed from third party: Root Cause Analysis including: What Happened and When How Discovered List of exposure Remediation process used to remediate Remediation completion date Verification process Verification completion date

12 Notification process Internal need to know Authorities
Exposure Notification to affected parties Make public announcement with single point of contact Respond to inquiries Resume business as usual

13

14 Incident Response Team Redbook
Glossary and Acronyms Incident Response Policy Privacy/Security Event Initial Triage Checklist Event Threat, Impact Analysis, and Escalation Criteria Breach Notice Criteria Post-Incident Checklist

15 Incident Response Team Templates
Title and Contact Information for Plan Sponsor/Owner IRT Charter IRT Membership by Roles IRT Meeting Minutes IRT Action List IRT State Government Contact Information

16 Additional Templates Identity Theft Protection Criteria
Internal Management Alert Template Notice to Individuals Affected by Incident Public (Media) Notice

17 External Contacts State of Texas Contacts Federal Contacts
Industry Contacts Press Contacts

18 Legal References Texas Laws and Regulations for Data Privacy and Security Federal Laws and Regulations for Data Privacy and Security

19 Privacy/Security Event Initial Triage Checklist
Incident Response Team: Assemble Incident Response Team (IRT) in response to an actual or suspect event/incident. Secure data: Secure data and confidential information and limit immediate consequences of the event. Suspend access and secure/image assets as appropriate. Data elements: Determine the types, owners, and amounts of confidential information that were possibly compromised. Data source: Identify each location where confidential information may have been compromised and the business owner of the confidential information. Scope and escalation: Confirm the level and degree of unauthorized use or disclosure (includes access) by the named or unidentified individuals or threats. Number of individuals impacted: Determine the number of individuals impacted. 7) Discovery date: Determine the date the agency or contractor knew or should have known about the event/incident.

20 Privacy/Security Event Initial Triage Checklist
8) Management alert: Advise appropriate internal management. 9) External communications, as required: Advise external contacts, such as legislative leadership, the Office of the Inspector General, the Office of the Attorney General, law enforcement, outside counsel, and regulatory authorities. 10) Investigate: a) Interview: Identify and interview personnel with relevant knowledge, e.g., determine whether and by whom access may have been approved, who discovered the risk, etc. b) Documents: Gather and review contracts and provisioning documents. c) Root Cause Analysis: Prepare RCA which describes why the event occurred, what business impact it had, and what will be done to prevent reoccurrence. d) Event and Threat Impact Analysis (see section on Event Threat and Impact Analysis below). 11) Mitigation: Revise policies, process, or business requirements, sanction workforce, enforce contracts, etc. to reduce the likelihood of event reoccurrence.

21 Texas Gateway https://www. texasgateway
Texas Gateway Cybersecurity Tips and Tools A recording of the webinars will be posted und Cyber Security Tips and Tools

22

23 Questions?

Download ppt "Incident Response, Being Prepared"

Similar presentations

Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
Professional Nursing Services.  Privacy and Security Training explains:  The requirements of the federal HIPAA/HITEC regulations, state privacy laws.

Professional Nursing Services.  Privacy and Security Training explains:  The requirements of the federal HIPAA/HITEC regulations, state privacy laws.
Helping you protect your customers against fraud Division of Finance and Corporate Securities.

Helping you protect your customers against fraud Division of Finance and Corporate Securities.
Walking Through the Breach Notification Process - Beginning to End HIPAA COW Presentation and Panel April 8, 2011.

Walking Through the Breach Notification Process - Beginning to End HIPAA COW Presentation and Panel April 8, 2011.
Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.

Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.
Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.

Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.
© Chery F. Kendrick & Kendrick Technical Services.

© Chery F. Kendrick & Kendrick Technical Services.
Data Classification & Privacy Inventory Workshop

Data Classification & Privacy Inventory Workshop
Security Controls – What Works

Security Controls – What Works
What is personally identifiable information (PII)? KDE Employee Training Data Security Video Series 1 of 3 October 2014.

What is personally identifiable information (PII)? KDE Employee Training Data Security Video Series 1 of 3 October 2014.
HIPAA What’s Said Here – Stays Here…. WHAT IS HIPAA  Health Insurance Portability and Accountability Act  Purpose is to protect clients (patients)

HIPAA What’s Said Here – Stays Here…. WHAT IS HIPAA  Health Insurance Portability and Accountability Act  Purpose is to protect clients (patients)
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.

Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.
Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.

Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.
Confidentiality, Consents and Disclosure Recent Legal Changes and Current Issues Presented by Pam Beach, Attorney at Law.

Confidentiality, Consents and Disclosure Recent Legal Changes and Current Issues Presented by Pam Beach, Attorney at Law.
Privacy and Security Laws for Health Care Organizations www.ScottandScottllp.com Presented by Robert J. Scott Scott & Scott, LLP 800-596-6176.

Privacy and Security Laws for Health Care Organizations Presented by Robert J. Scott Scott & Scott, LLP
Arkansas State Law Which Governs Sensitive Information…… Part 3B

Arkansas State Law Which Governs Sensitive Information…… Part 3B
Florida Information Protection Act of 2014 (FIPA).

Florida Information Protection Act of 2014 (FIPA).
R ed F lag R ule Training for the Medical Industry © Chery F. Kendrick & Kendrick Technical Services.

R ed F lag R ule Training for the Medical Industry © Chery F. Kendrick & Kendrick Technical Services.

Similar presentations

Ads by Google