Developing an Incident Response Plan - PowerPoint PPT Presentation

Slides: 40
Provided by: jason329

1
Developing an Incident Response Plan
  • California State University, East Bay
  • Information Security Office
  • Richard S. Metz, Vice President of Administration
    and Business Affairs/Information Security Officer
  • Cheryl Washington, Chief Information Security
    Coordinator

2
California State University, East Bay Information
Security Office
  • Responsible for protecting the confidentiality
    and security of data in the custody of the
    University and privacy rights of CSUEB students,
    faculty and staff.
  • Our Staff
  • Richard S. Metz, Vice President of Administration
    Business Affairs/Information Security Officer
  • Cheryl Washington, Chief Information Security
    Coordinator
  • Thomas Dixon, Information Security Specialist

3
Recent news reports
  • April 2005: 106,000 individuals warned of a
    security breach.
  • University officials state that personal data
    stored on a server used for fund raising could
    have been compromised.
  • March 2005: 98,000 individuals warned of a
    security breach.
  • A laptop containing personal information on
    students and applicants was stolen from a
    University department.
  • March 2005: 59,000 individuals warned of a
    security breach.
  • Hackers broke into a system containing personal
    information on current, former, and prospective
    students, faculty and staff.

4
Computer threats are on the rise
  • Computer threats have become more numerous,
    damaging and disruptive.
  • Preventative measures (e.g., patch management
    policies) can help lower the number of incidents,
    but not all incidents can be prevented.
  • As the collection and storage of personal data
    moves further away from a central IT department,
    the likelihood that a security incident will
    occur on your campus will increase.

5
A Security Breach Can Happen to You
  • A security breach can happen to any institution
    at any time.
  • There are several trends that make Universities
    uniquely attractive to hackers:
  • Openness of the University environment.
  • Use of the web and ERP systems has increased the
    size of our data repositories.
  • Continued and sometimes required use of SSNs as
    student and employee identification numbers.

6
Why is incident response planning important?
  • When a security incident occurs on your campus,
    you will need to respond appropriately.
  • An incident response plan can help you move
    quickly away from the initial panic phase ("We've
    been hacked!") into a set of well thought out
    activities designed to help you manage the event.

7
CSUEB has been breached!
  • Based on what we know, our campus experienced two
    security incidents in which personal data may
    have been compromised.
  • May 2004: Mailed notification letters to
    approximately 30 students whose personal
    information was inadvertently disclosed.
  • September 2004: Mailed notification letters to a
    little more than 2,000 students whose personal
    information may have been compromised.

8
How did we respond to the May 2004 breach?
  • Our incident response plan was neither well
    defined nor well understood by the campus community.
  • The Information Security Office was not made
    aware of the security incident until nearly 2
    months after the incident occurred.
  • We knew that we needed a better plan!

9
Our response to the September 2004 breach
  • The Security Office was quickly notified of the
    breach.
  • We were able to react swiftly and sent
    notification letters to affected individuals
    within 10 days.
  • However, we made mistakes. We neglected to
    preserve evidence, essentially losing valuable
    information.
  • We recognized that our plan needed improvement!

10
What did we learn from our incidents?
  • Our incident response plan needed to be updated.
  • Our plan needed to identify individuals who can
    be dispatched to a security event quickly.
  • The incident response plan needed to be
    communicated to the campus community.

11
What our plan does
  • Defines key terms (e.g., "security incident",
    "personal information").
  • Establishes roles and responsibilities.
  • Describes guidelines for investigating an
    incident.
  • Provides guidelines for internal and external
    communication.
  • Establishes a checklist of what needs to be done,
    by whom and when.

12
Framework for our plan
  • State of California's "security breach
    notification" law (aka SB 1386).
  • Other factors
  • Our definition of "directory information" under
    FERPA.
  • Federal and state laws and regulations that apply
    to the University (e.g., HIPAA)
  • Opinions from our Human Resources department and
    legal counsel.

13
What is SB 1386?
  • Often referred to as "California's notification
    or disclosure law".
  • Signed into law in September 2002.
  • Part of CA Civil Code 1798.29 and 1798.82
  • 1798.29 addresses the responsibilities of state
    agencies
  • 1798.82 addresses the responsibilities of
    individuals and businesses that conduct business in
    California.

14
What does SB 1386 say about security incidents?
  • An agency, individual or business that "... owns
    or licenses computerized data that includes
    personal information, shall disclose any breach
    of the security of the system following discovery
    or notification of the breach in the security of
    the data to any resident of California whose
    unencrypted personal information was, or is
    reasonably believed to have been, acquired by an
    unauthorized person..."

15
SB 1386's definition of personal data
  • Individual's first name or first initial and last
    name in combination with any one of the following
    data elements when either the name or the data
    element are not encrypted
  • Social security number
  • Driver's license number or CA Identification Card
    number
  • Account number, credit or debit card number, in
    combination with any required security code,
    access code, or password that would permit access
    to an individual's financial account.

16
Your state may have a similar law
  • Other states and the federal government are
    considering enacting legislation patterned after
    SB 1386.
  • According to the National Conference of State
    Legislatures web site (May 31, 2005)
  • Disclosure laws have been introduced in at least
    34 states in 2005.
  • Six states (Arkansas, Georgia, Indiana, Montana,
    North Dakota and Washington) enacted a disclosure
    law in 2005.
  • California senator Dianne Feinstein recently
    introduced federal legislation that will create a
    federal disclosure law (S.115 introduced in
    January 2005)

17
CSUEB Incident Response Plan Definition of
Personal Information
  • Goes beyond what is required under CA law. We
    added
  • Last 4 digits of SSN with DOB.
  • Passport number or any other unique
    identification number that has not been defined
    as "directory information" under FERPA.
  • Personal medical information.

18
CSUEB Incident Response Plan Methods by which
unauthorized data can be acquired
  • Equipment: Lost or stolen electronic equipment
    (e.g., PDAs, laptops, desktop computer, and USB
    storage devices).
  • Hacking incidents: A successful intrusion of
    computer systems.
  • Unauthorized Data Access: Includes situations
    where someone has received unauthorized access to
    data, incorrect computer access settings, or
    non-hacking incidents.

19
CSUEB Incident Response Plan Definition of a
Reportable Security Incident
  • A security incident is reportable, if unencrypted
    personal information is (or we reasonably suspect
    has been) acquired by an unauthorized person who
    obtained lost or stolen equipment, hacked into
    our systems or network, or gained unauthorized
    access to data.

20
CSUEB Incident Response Plan Roles and
Responsibilities
  • Several individuals participate in the incident
    response process
  • President of the University
  • Information Security Officer
  • Chief Information Security Coordinator
  • Incident Response Team (includes the ISO and
    Coordinator)
  • Deputy Provost, Academic Affairs
  • Associate Vice President, Information Technology
  • Assistant Vice President, Human Resources
  • Assistant Vice President, Student Affairs
  • Chief of Police
  • Director of Public Affairs

21
CSUEB Incident Response Plan Roles and
Responsibilities (cont.)
  • Campus Network Security Group
  • Staff (including the management officer) from the
    department where the breach occurred
  • General counsel
  • Staff from the CSU Chancellor's office
  • State of California Office of Privacy Protection

22
CSUEB Incident Response Plan Overview
  • Step 1 - Information Security office is notified
    that a potential or actual breach has occurred.
  • Step 2 - Coordinator meets with department to
    discuss issue.
  • Step 3 - If necessary Coordinator brings in IT
    experts to mitigate the problem and collect
    evidence.
  • Step 4 - Coordinator submits preliminary report
    to ISO and AVP IT
  • Step 5 - If it is determined that the event is a
    reportable security breach and law enforcement is
    not involved, the notification process begins.

23
CSUEB Incident Response Plan Interviewing the
Department
  • Every incident will be different. However, the
    Coordinator will ask several basic questions
    during the initial interview
  • What happened?
  • Was personal information lost or stolen? If yes,
    what?
  • How was the information acquired?
  • What systems, devices, etc., were compromised?
  • How was the system or device configured? What
    are the maintenance procedures? Do log files
    exist?
  • Who was affected by the breach?

24
CSUEB Incident Response Plan Preserving
Evidence
  • The preservation of evidence is important if you
    intend to
  • Continue to analyze the problem after the
    notification process has ended.
  • File criminal charges.
  • Involve law enforcement.
  • As our plan evolves, we will be developing
    standard methods to preserve evidence.

25
CSUEB Incident Response Plan Internal
Communication Procedures
  • Once the ISO determines that the incident
    requires notification, the ISO informs the
    President.
  • The Coordinator
  • Assembles the Incident Response Team to discuss
    the incident and if law enforcement is not
    involved, begin the notification process.
  • Notifies general counsel, the Chancellor's
    office, and the director of CA Office of Privacy
    Protection.
  • Informs the department's management team that the
    ISO has determined the incident is reportable
    under CA law.
  • If necessary, contacts the police department to
    file a police report.

26
CSUEB Incident Response Plan External
Communication Procedures
  • The notification letter, press materials and
    other external communications are written by the
    Coordinator and Security Incident Response team.

27
CSUEB Incident Response Plan Contents of The
Notification Letter
  • The notification letter contains the following
    pieces of information
  • Description of the breach.
  • Contact information for the major credit
    reporting agencies
  • Trans Union
  • Experian
  • Equifax
  • Recommendations
  • Place a fraud alert on the credit report
  • Monitor credit reports
  • University contact information

28
CSUEB Incident Response Plan Distributing the
notice of a breach
  • Notifications are sent to individuals in one of
    two ways
  • If 50,000 or fewer individuals
  • Send a letter to each individual on University
    letterhead via first class mail.
  • If more than 50,000 individuals
  • Send notification to a last known email address
  • Conspicuously post a "Notice of Breach" on the
    campus web site
  • Notify statewide media including television,
    radio and print media

29
CSUEB Incident Response Plan Responding to
Inquiries
  • During the September 2004 incident, we found ourselves
    responding to inquiries from many individuals who
    were not directly affected by the breach
  • Parents
  • Spouses
  • Friends
  • The media
  • Individuals who did not receive a letter but
    wonder if their information was compromised
  • Vendors
  • The Incident Response plan includes a strategy
    for responding to inquiries from a variety of
    individuals.

30
CSUEB Incident Response Plan Responding to
Inquiries (cont.)
  • The breached department is responsible for
    responding to inquiries regarding the breach.
  • The Coordinator and Director of Public Affairs
    are responsible for training staff to respond
    appropriately.

31
CSUEB Incident Response Plan Training Staff to
Respond to Inquiries
  • Staff will be trained to answer several basic
    questions
  • What happened?
  • Who attacked you?
  • When did it happen?
  • How did they breach your security?
  • How widespread is the breach?
  • What steps are you taking to determine what
    happened?
  • What steps are you taking to prevent this from
    happening again?
  • What is the estimated monetary cost of this
    incident?

32
CSUEB Incident Response Plan Training Staff to
Respond to Inquiries (cont.)
  • During training, staff will be instructed to do
    the following
  • Do not offer unsolicited information or comments
    to inquirers.
  • Advise the inquirer that the incident is under
    investigation (if this is the case).
  • Direct the inquirer to a web site, if one is
    available.
  • Direct inquiries from law enforcement to the
    University Police department.
  • Direct inquiries from the media to the Director
    of Public Affairs.
  • Direct inquiries from vendors to the Information
    Security Office.

33
CSUEB Incident Response Plan Other Procedures
  • Our plan also includes procedures for
  • Documenting the incident as it happens.
  • Maintaining an accounting of the costs associated
    with the incident.

34
CSUEB Incident Response Plan Post-Mortem
  • It is important to establish a date and time when
    individuals involved in the incident response
    process can meet to discuss any lessons learned
    from the event.

35
CSUEB September 2004 Incident Post-Mortem
  • Actions taken after our Sept. 2004 incident
  • Removed personal data from the breached server.
  • Reassigned responsibility for managing the server
    to a more experienced team of IT specialists.
  • After a follow-up meeting, department decided to
    reduce the amount of personal data they collect.

36
Benefits of an Incident Response Plan
  • Respond to incidents systematically so that
    appropriate actions are taken.
  • Help the University recover quickly and
    efficiently and minimize loss and disruption of
    services.
  • Use recommendations gathered from the post-mortem
    meeting to better prepare for future incidents
    and provide stronger protections for University
    data and assets.
  • Deal properly with legal issues.

37
Summary
  • Partner with individuals on your campus to
    develop an incident response plan.
  • Periodically, review and update your plan.
  • Review contracts with vendors to ensure that
    incident response handling is covered in your
    agreements.
  • Learn from the experiences of others.
  • Most importantly, educate your staff, faculty and
    students about your incident response plan.

38
Thank You
  • Richard S. Metz
  • dick.metz_at_csueastbay.edu
  • Cheryl Washington
  • cheryl.washington_at_csueastbay.edu

39
Questions?