
Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.


1 Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster

2 Questions That Need to Be Answered
– Does your institution have policies that protect data?
– Does your institution have processes to develop enforceable policy?
– Does your institution have a central IT security office, and how should it function?
– How do you know when you’ve had a security incident?
– How do you know when you need to notify?

3 Two Generalizations about Policy and Process: (1)
Critical to have a policy process…
– Legal compliance primarily
– Deference to the complex nature of higher education secondarily
  Especially as higher education becomes more international in scope and information technologies are increasingly intermingled with the law, the market and changing norms within society
…no matter what the particular culture or structure of your institution.

4 Two Generalizations about Process: (2)
It almost always does, or should, boil down to three essential steps:
– Responsible office brings forward concept to a high level committee
  Audit, Counsel, VPs, Dean of Faculty or even President and Provost
– Mid-level review for implementation
  The greater the representation of the campus community the better
– Back to the high level for signoff and promulgation.

5 http://www.cit.cornell.edu/oit/policy/framework-chart.html

6 Information Security of Institutional Data
Policy Statement
– Every user of institutional data must manage responsibly
Appendix A
– Roles and Responsibilities
Appendix B
– Minimum Data Security Standards

7 Data Classification Cost/Benefit Analysis
Costs (financial and administrative):
– Administrative burden
– Financial cost of new technologies
– New business practices
Benefits (mitigating risk):
– Legal check list
– Policy decisions (prioritizing institutional data)
– Ethical considerations?

8 Legal Check List
Type of Data             Privacy Statement  Annual Notice  Notification Upon Breach  Legislative Private Right of Action*  Government Enforcement  Statutory Damages
Personally Identifiable  o                  o              x                         O                                     x                       x
Education Record         x                  X              o                         o                                     x                       o
Medical Record           x                  o              o                         x                                     x                       x
Banking Record           x                  x              o                         o                                     x                       x

9 Does Your Institution have a central IT security office and how should it function?
How many have a dedicated security office?
Several benefits
– Identified individual to consistently address and respond to security concerns
– Not responsible for delivering services that may conflict with security
– Tasked with developing incident response and remediation process
Some common functions
– Incident response
– Security infrastructure development
– Awareness
– Governance

10 How do you know when you’ve had an incident?
An indication of potential compromise can come from anywhere
External indications
– SPAM complaint
– Scanning complaint

11 How do you know when you’ve had an incident?
Internal indications
– Network monitoring
– IDS/IPS alerts
– Internal scanning
– Local identification

12 How do you know when you’ve had an incident?

13 How do you know when you’ve had an incident?
Everyone has incidents, but what matters is the type of data stored on the computer
The following data mean significantly more work
– Social security numbers
– Credit card numbers
– Driver’s license numbers
– Other protected data

14 How do you know when you need to notify?
– Establishing reasonable belief of unauthorized data access is not an exact science
– Institution-wide decision making is imperative
– Thorough computer and network analysis is required

15 Institution-Wide Decision Making
Data Incident Response Team (DIRT)
DIRT meets for every incident involving critical data
DIRT objectives
– Thoroughly understand each incident
– Guide immediate required response
– Determine requirement to notify

16 DIRT Members
Core Team
– University Audit
– Risk Management
– University Police
– University Counsel
– University Communication
– CIO
– Director, IT Policy
– Director, IT Security
Incident Specific
– Data Steward
– Unit Head
– Local IT support
– Security Liaison
– ITMC member

17 Computer and Network Analysis
Data sources
– System data
  What data are on the computer
  How are these data stored
  When were they last accessed or modified
  What was the method of compromise
– Network data
  Who has been accessing this system
  What were the services used
  What was the method of compromise
  What was the amount of uploads and downloads

18 Computer and Network Analysis


21 How Do You Know when You Need to Notify?
Need to Notify
– Confirmed Data Were Not Acquired
– Reasonable Belief Data Were Not Acquired
– No Data Available for Analysis
– Reasonable Belief Data Were Acquired
– Access to Data Confirmed


23 Likelihood of Unauthorized Access
Reasonable belief data were acquired
– System compromise occurred a significant time ago
– File MAC times after compromise and not tied down to support application
– Significant remote access and download
– More sophisticated hacker tools
– Etc.
Reasonable belief data were NOT acquired
– Compromise identified quickly
– File MAC times consistently before compromise
– Limited or no network download
– More benign hacker tools
– Benign system use characteristics
– Etc.
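The slide-23 indicators written out as a triage helper, added here as an example rather than any tool from the presentation, Cornell or EDUCAUSE. The field names, the thresholds (seven-day dwell, 50 MiB download) and the sample incidents are constructed assumptions, and treating "no data available for analysis" as requiring notification is a conservative reading of slide 21, not something the slide states.

```python
# Triage helper encoding the slide-23 indicators; added example, not the presentation's tool.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Illustrative thresholds (assumptions, not figures from the presentation).
LONG_DWELL = timedelta(days=7)
SIGNIFICANT_DOWNLOAD = 50 * 1024 * 1024  # 50 MiB outbound after compromise

@dataclass
class IncidentEvidence:
    compromise_time: datetime              # earliest confirmed attacker activity
    detection_time: datetime               # when the incident was identified
    # last access/modify time per file holding critical data; None = no system data
    critical_file_times: Optional[dict[str, datetime]] = None
    # files whose post-compromise activity is explained by the application itself
    app_managed_files: frozenset[str] = frozenset()
    bytes_downloaded: Optional[int] = None  # None = no network data available
    sophisticated_tools: bool = False       # custom malware vs. commodity scanners

def acquisition_indicators(ev: IncidentEvidence) -> list[str]:
    """Slide-23 indicators that point toward the data having been acquired."""
    hits = []
    if ev.detection_time - ev.compromise_time >= LONG_DWELL:
        hits.append("compromise occurred a significant time ago")
    if ev.critical_file_times:
        touched = sorted(p for p, t in ev.critical_file_times.items()
                         if t > ev.compromise_time and p not in ev.app_managed_files)
        if touched:
            hits.append("critical files touched after compromise: " + ", ".join(touched))
    if ev.bytes_downloaded is not None and ev.bytes_downloaded >= SIGNIFICANT_DOWNLOAD:
        hits.append("significant remote download")
    if ev.sophisticated_tools:
        hits.append("sophisticated attacker tooling")
    return hits

def assess(ev: IncidentEvidence) -> str:
    """Place the incident on the slide-21 spectrum from the available evidence."""
    if ev.critical_file_times is None and ev.bytes_downloaded is None:
        return "no data available for analysis"
    if acquisition_indicators(ev):
        return "reasonable belief data were acquired"
    return "reasonable belief data were not acquired"

def needs_notification(ev: IncidentEvidence) -> bool:
    """Conservative reading (an assumption): notify unless there is a
    reasonable belief that the data were NOT acquired."""
    return assess(ev) != "reasonable belief data were not acquired"
```

The output of `acquisition_indicators` is the list the DIRT would walk through; the thresholds are the part an institution has to calibrate for itself.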

24 Data Incident Notification Toolkit*
– Provide a tool that pulls from our collective experience.
– A real-time aid for creating the various communications that form data breach notification.
– An essential part of an incident response plan.
http://www.educause.edu/DataIncidentNotificationToolkit/9320
* Hosted by EDUCAUSE

25 Notification Templates
Outlines and content for
– Press Releases
– Notification Letters
– Incident Specific Website
– Incident Response FAQs
– Generic Identity Theft Web Site
Sample language from actual incidents
Food for thought – one size does not fit all

