
Data Incident Notification Policies and Procedures

Tracy Mitrano

Steve Schuster

Questions That Need to Be Answered

• Does your institution have policies that protect data?
• Does your institution have processes to develop enforceable policy?
• Does your institution have a central IT security office and how should it function?
• How do you know when you’ve had a security incident?
• How do you know when you need to notify?

Two Generalizations about Policy and Process: (1)

• Critical to have a policy process…
  – Legal compliance primarily
  – Deference to the complex nature of higher education secondarily
    • Especially as higher education becomes more international in scope and information technology is increasingly intermingled with the law, the market and changing norms within society
• …no matter what the particular culture or structure of your institution.

Two Generalizations about Process: (2)

• It almost always does, or should, boil down to three essential steps:
  – Responsible office brings forward concept to a high level committee
    • Audit, Counsel, VPs, Dean of Faculty or even President and Provost
  – Mid-level review for implementation
    • The greater the representation of the campus community the better
  – Back to the high level for signoff and promulgation.

http://www.cit.cornell.edu/oit/policy/framework-chart.html

Information Security of Institutional Data

• Policy Statement
  – Every user of institutional data must manage it responsibly
• Appendix A
  – Roles and Responsibilities
• Appendix B
  – Minimum Data Security Standards

Data Classification

• Cost/Benefit Analysis
• Costs (financial and administrative):
  – Administrative burden
  – Financial cost of new technologies
  – New business practices
• Benefits (mitigating risk):
  – Legal check list
  – Policy decisions (prioritizing institutional data)
  – Ethical considerations?

Legal Check List

Type of Data             Privacy Statement  Annual Notice  Notification Upon Breach  Legislative Private Right of Action*  Government Enforcement  Statutory Damages
Personally Identifiable  o                  o              x                         o                                     x                       x
Education Record         x                  x              o                         o                                     x                       o
Medical Record           x                  o              o                         x                                     x                       x
Banking Record           x                  x              o                         o                                     x                       x

Does Your Institution have a central IT security office and how should it function?

• How many have a dedicated security office?
• Several benefits
  – Identified individual to consistently address and respond to security concerns
  – Not responsible for delivering services that may conflict with security
  – Tasked with developing incident response and remediation process
• Some common functions
  – Incident response
  – Security infrastructure development
  – Awareness
  – Governance

How do you know when you’ve had an incident?

• An indication of potential compromise can come from anywhere
• External indications
  – SPAM complaint
  – Scanning complaint

How do you know when you’ve had an incident?

• Internal indications
  – Network monitoring
  – IDS/IPS alerts
  – Internal scanning
  – Local identification

How do you know when you’ve had an incident?

Terminal capture shown on the slide: connecting to a campus host on a non-standard port returns the banner of an unauthorized file server that has been installed on it, which is one concrete form a local indication of compromise can take.

050818104944 [itsor ~] telnet 128.253.155.211 65534
Trying 128.253.155.211...
Connected to 128.253.155.211.
Escape character is '^]'.
220-...
220--=+=============================================================+=-
220--=+,..ª¨=ªÊ§∫≤∞¥∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê =¨´.,+=-
220--=+=============================================================+=-
220--=+ +=-
220--=+ wlc0m +=-
220--=+ +=-
220--=+ Th0u $h4Ll Re$p3cT the rµLeZ +=-
220--=+ +=-
220--=+ Th0u $h4Ll n0t r3h4cK +=-
220--=+ Th0u $h4Ll n0t h4mMr +=-
220--=+ Th0u $h4Ll n0t Re$c4N +=-
220--=+ aNd n0w eNj0y :) +=-
220--=+ +=-
220--=+=============================================================+=-
220--=+,..ª¨=ªÊ§∫≤∞¥∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê=¨´.,+=-
220--=+=============================================================+=-
220--=+ +=-
220--=+ server uptime: 2d 13h 20m 3s. +=-
220--=+ users since start: 2 +=-
220--=+ logged in: 6 total +=-
220--=+ users since last 24h: 6 +=-
220--=+ upload since start: 0 kb @ 0 file(s) +=-
220--=+ download since start: 0 kb @ 0 file(s) +=-
220--=+ average throughput: 0.000 kb/s +=-
220--=+ the current bandwidth use is 0.000 kb/s +=-
220--=+ your ip: 132.236.54.173 +=-
220--=+ free diskspace: 72608.19 MByte +=-
220--=+ +=-
220--=+=============================================================+=-
220--=+,..ª¨=ªÊ§∫≤∞¥∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê=¨´.,+=-
220 -=+=============================================================+=-
^]
telnet> quit
Connection closed.
050818104944 [itsor ~]

How do you know when you’ve had an incident?

• Everyone has incidents, but what matters is the type of data stored on the computer
• The following data means significantly more work
  – Social security numbers
  – Credit card numbers
  – Drivers license numbers
  – Other protected data

How do you know when you need to notify?

• Establishing reasonable belief of unauthorized data access is not an exact science
• Institution-wide decision making is imperative
• Thorough computer and network analysis is required

Institution-Wide Decision Making

• Data Incident Response Team (DIRT)
• DIRT meets for every incident involving critical data
• DIRT objectives
  – Thoroughly understand each incident
  – Guide immediate required response
  – Determine requirement to notify

DIRT Members

• Core Team
  – University Audit
  – Risk Management
  – University Police
  – University Counsel
  – University Communication
  – CIO
  – Director, IT Policy
  – Director, IT Security
• Incident Specific
  – Data Steward
  – Unit Head
  – Local IT support
  – Security Liaison
  – ITMC member

Computer and Network Analysis

• Data sources
  – System data
    • What data are on the computer
    • How are these data stored
    • When were they last accessed or modified
    • What was the method of compromise
  – Network data
    • Who has been accessing this system
    • What were the services used
    • What was the method of compromise
    • What was the amount of uploads and downloads

Computer and Network Analysis (three further slides consisting only of figures, not reproduced here)

How Do You Know when You Need to Notify?

(Figure: the findings below arranged on a scale labelled "Need to Notify")

Confirmed Data Were Not Acquired
Reasonable Belief Data Were Not Acquired
No Data Available for Analysis
Reasonable Belief Data Were Acquired
Access to Data Confirmed


Likelihood of Unauthorized Access

• Reasonable belief data were acquired
  – System compromise occurred a significant time ago
  – File MAC times after compromise and not tied down to support application
  – Significant remote access and download
  – More sophisticated hacker tools
  – Etc.
• Reasonable belief data were NOT acquired
  – Compromise identified quickly
  – File MAC times consistently before compromise
  – Limited or no network download
  – More benign hacker tools
  – Benign system use characteristics
  – Etc.
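The "Computer and Network Analysis" data sources and the "Likelihood of Unauthorized Access" indicators above describe a judgement that the DIRT normally makes by hand from a file-system timeline and network records. The Python script below is an added example, not code from the slides, from Cornell or from EDUCAUSE: it applies three of the indicators (age of the compromise at detection, sensitive files whose MAC times fall after the compromise, volume downloaded by remote hosts after the compromise) to constructed evidence for one host and returns one of the "reasonable belief" findings. The record formats, the threshold values, the IP addresses and every sample record are assumptions made for illustration; the two "confirmed" findings on the scale are deliberately never produced here, because they need direct evidence (for example a server log showing the file being served) rather than indicators.

```python
# Added example, not part of the original slides. Applies the deck's
# "reasonable belief" indicators to constructed system and network evidence.
# Record formats, thresholds, addresses and sample data are all assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FileTimes:
    """One entry of a file-system timeline: path plus modify/access/change times."""
    path: str
    mtime: datetime
    atime: datetime
    ctime: datetime


@dataclass
class Flow:
    """One network flow record; bytes_out is data sent from the host to remote_ip."""
    start: datetime
    remote_ip: str
    service: str
    bytes_out: int


NOT_ACQUIRED = "Reasonable belief data were NOT acquired"
ACQUIRED = "Reasonable belief data were acquired"
NO_DATA = "No data available for analysis"


def sensitive_files_touched_after(compromise, files, sensitive_prefixes):
    """Sensitive files whose latest MAC time is after the compromise
    (slide indicator: 'file MAC times after compromise')."""
    prefixes = tuple(sensitive_prefixes)
    return sorted(f.path for f in files
                  if f.path.startswith(prefixes)
                  and max(f.mtime, f.atime, f.ctime) > compromise)


def remote_download_bytes(compromise, flows, internal_prefix):
    """Bytes pulled from the host by non-internal addresses after the compromise
    (slide indicator: 'significant remote access and download')."""
    return sum(fl.bytes_out for fl in flows
               if fl.start > compromise
               and not fl.remote_ip.startswith(internal_prefix))


def assess(compromise, detected, files, flows, sensitive_prefixes, internal_prefix,
           dwell_threshold=timedelta(days=7), download_threshold=10 * 1024 * 1024):
    """Return (finding, reasons). Thresholds are assumed values, not from the deck."""
    if not files and not flows:
        return NO_DATA, ["no system or network data collected"]
    reasons = []
    dwell = detected - compromise
    if dwell > dwell_threshold:
        reasons.append(f"compromise occurred {dwell.days} days before detection")
    touched = sensitive_files_touched_after(compromise, files, sensitive_prefixes)
    if touched:
        reasons.append("sensitive files touched after compromise: " + ", ".join(touched))
    volume = remote_download_bytes(compromise, flows, internal_prefix)
    if volume > download_threshold:
        reasons.append(f"{volume} bytes downloaded by remote hosts after compromise")
    if reasons:
        return ACQUIRED, reasons
    return NOT_ACQUIRED, ["compromise identified quickly, MAC times before compromise, "
                          "limited or no remote download"]


# Constructed sample evidence for one host (not real data). 203.0.113.0/24 is a
# documentation range; 10.0.0.0/8 stands in for the campus network.
T0 = datetime(2005, 8, 1, 9, 0)            # assumed compromise time (intruder's first login)
DETECTED = datetime(2005, 8, 18, 10, 49)   # assumed detection time
SAMPLE_FILES = [
    FileTimes("/data/student_ssn.csv", T0 - timedelta(days=30), T0 + timedelta(days=2), T0 - timedelta(days=30)),
    FileTimes("/data/course_catalog.txt", T0 - timedelta(days=10), T0 - timedelta(days=10), T0 - timedelta(days=10)),
    FileTimes("/var/log/messages", T0 + timedelta(days=17), T0 + timedelta(days=17), T0 + timedelta(days=17)),
]
SAMPLE_FLOWS = [
    Flow(T0 + timedelta(hours=1), "203.0.113.7", "ftp-data", 52_000_000),  # large remote pull
    Flow(T0 + timedelta(hours=2), "10.0.5.4", "http", 4_000),              # internal, ignored
    Flow(T0 - timedelta(days=1), "203.0.113.7", "ssh", 900),               # before compromise
]


def demo():
    """Slow detection, sensitive file accessed, large remote download."""
    return assess(T0, DETECTED, SAMPLE_FILES, SAMPLE_FLOWS, ["/data/"], "10.")


def demo_quick():
    """Detected within hours, no sensitive file touched, only internal traffic."""
    return assess(T0, T0 + timedelta(hours=3), [SAMPLE_FILES[1]], [SAMPLE_FLOWS[1]],
                  ["/data/"], "10.")


if __name__ == "__main__":
    for finding, reasons in (demo(), demo_quick()):
        print(finding)
        for r in reasons:
            print("  -", r)
```

The thresholds and the list of sensitive path prefixes are the parts a DIRT would set per institution; the script only orders the evidence so the team can see which indicator drove the finding.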

Data Incident Notification Toolkit*

• Provide a tool that pulls from our collective experience.
• A real-time aid for creating the various communications that form data breach notification.
• An essential part of an incident response plan.
• http://www.educause.edu/DataIncidentNotificationToolkit/9320

* Hosted by EDUCAUSE

Notification Templates

• Outlines and content for
  – Press Releases
  – Notification Letters
  – Incident Specific Website
  – Incident Response FAQs
  – Generic Identity Theft Web Site
• Sample language from actual incidents
• Food for thought – one size does not fit all