COVITS 2008
September 9, 2008

Mike Goetz
City of Lynchburg

“Playing Safely in the Cloud”
Lessons Learned…
Mitigating a Data Breach

June 4, 2007… a Monday…
Not a great way to start your week…

My SSN Wife’s SSN Wife’s birthday

Good to Know:
Data stored in Google cache is different from data stored in the index
Google Webmaster Tools
https://www.google.com/webmasters/tools/docs/en/about.html
• To remove data from cache
• To limit the crawl of Googlebot
• To generally control how your site interacts with Google search

Suggested Actions (the human element)
Take responsibility!
Quantify the exposure
Notify those affected, but…
Trade-offs with first containing incident
Admit and Apologize – multiple times!
Meet face-to-face: those affected with those highest in authority
Have impartial, 3rd party support handy (CIO?)

Suggested Actions (cont’d):
Disseminate information, lots of it
• What is “identity theft”, what it is not
• What to look out for (http://www.ftc.gov/bcp/edu/microsites/idtheft/)
• Different levels of identity theft protection
• Establish a web site, hotline, email address for questions
Buy credit monitoring service for those affected – for one year

Lessons Learned:
No two incidents are identical
Recognize & determine legal and ethical obligations immediately!
Leverage others in problem solving and in determining how to manage
• VITA, Secretary of Technology Office
• UVa experience

Lessons Learned (cont’d):
Go to the press – preemptive strike
If root cause is employee negligence, those affected will be looking for punishment!
(Involve Attorney, HR to know the law & appropriate action)
Beware of ambulance chasers
(Consultants, lawyers ready to help with mitigation)

Lessons Learned (cont’d):
In our zeal to serve… Be Aware!
• Of the info we have that is sensitive
In our zeal to serve… Be Wary!
• Of the potential pitfalls & exposures
Educate employees
• A mindset of caution
• Take the time to be careful

May you never experience this joy…