Developing an Incidence Response Plan

1
Developing an Incidence Response Plan

• California State University, East Bay
• Information Security Office
• Richard S. Metz, Vice President of Administration
  and Business Affairs/Information Security Officer
• Cheryl Washington, Chief Information Security
  Coordinator

2
California State University, East BayInformation
Security office

• Responsible for protecting the confidentiality
  and security of data in the custody of the
  University and privacy rights of CSUEB students,
  faculty and staff.
• Our Staff
• Richard S. Metz, Vice President of Administration
  Business Affairs/Information Security Officer
• Cheryl Washington, Chief Information Security
  Coordinator
• Thomas Dixon, Information Security Specialist

3
Recent news reports

• April 2005 106,000 individuals warned of a
  security breach.
• University officials state that personal data
  stored on a server used for fund raising could
  have been compromised.
• March 2005 98,000 individuals warned of a
  security breach.
• A laptop containing personal information on
  students and applicants was stolen from a
  University department.
• March 2005 59,000 individuals warned of a
  security breach.
• Hackers broke into a system containing personal
  information on current, former, and prospective
  students, faculty and staff.

4
Computer threats are on the rise

• Computer threats have become more numerous,
  damaging and disruptive.
• Preventative measures (e.g., patch management
  policies) can help lower the number of incidents,
  but not all incidents can be prevented.
• As the collection and storage of personal data
  moves further away from a central IT department,
  the likelihood that a security incident will
  occur on your campus will increase.

5
A Security Breach Can Happen to You

• A security breach can happen to any institution
  at any time.
• There are several trends that make Universities
  uniquely attractive to hackers
• Openness of the University environment.
• Use of the web and ERP systems have increased the
  size of our data repositories.
• Continued and sometimes required use of SSNs as
  student and employee identification numbers.

6
Why is incident response planning important?

• When a security incident occurs on your campus,
  you will need to respond appropriately.
• An incident response plan can help you move
  quickly away from the initial panic phase ("We've
  been hacked!) into a set of well thought out
  activities designed to help you manage the event.

7
CSUEB has been breached!

• Based on what we know, our campus experienced two
  security incidents in which personal data may
  have been compromised.
• May 2004 Mailed notification letters to
  approximately 30 students whose personal
  information was inadvertently disclosed.
• September 2004 Mailed notification letters to a
  little more than 2,000 students whose personal
  information may have been compromised.

8
How did we respond to the May 2004 breach?

• Our incident response plan was not well defined
  nor well understood by the campus community.
• The Information Security Office was not made
  aware of the security incident until nearly 2
  months after the incident occurred.
• We knew that we needed a better plan!

9
Our response to the September 2004 breach

• The Security Office was quickly notified of the
  breach.
• We were able to react swiftly and sent
  notification letters to affected individuals
  within 10 days.
• However, we made mistakes. We neglected to
  preserve evidence. Essentially, losing valuable
  information.
• We recognized that our plan needed improvement!

10
What did we learn from our incidents?

• Our incident response plan needed to be updated.
• Our plan needed to identify individuals who can
  be dispatched to a security event quickly.
• The incident response plan needed to be
  communicated to the campus community.

11
What our plan does

• Defines key terms (e.g., "security incident",
  "personal information").
• Establishes roles and responsibilities.
• Describes guidelines for investigating an
  incident.
• Provides guidelines for internal and external
  communication.
• Establishes a checklist of what needs to be done,
  by whom and when.

12
Framework for our plan

• State of California's "security breach
  notification" law (aka SB 1386).
• Other factors
• Our definition of "directory information" under
  FERPA.
• Federal and state laws and regulations that apply
  to the University (e.g., HIPAA)
• Opinions from our Human Resources department and
  legal counsel.

13
What is SB 1386?

• Often referred to as "California's notification
  or disclosure law".
• Signed into law in September 2002.
• Part of CA Civil Code 1798.29 and 1798.82
• 1798.29 addresses the responsibilities of state
  agencies
• 1798.82 addresses the responsibilities of
  individuals and business that conduct business in
  California.

14
What does SB 1386 say about security incidents?

• An agency, individual or business that "... owns
  or licenses computerized data that includes
  personal information, shall disclose any breach
  of the security of the system following discovery
  or notification of the breach in the security of
  the data to any resident of California whose
  unencrypted personal information was, or is
  reasonably believed to have been, acquired by an
  unauthorized person..."

15
SB 1386's definition of personal data

• Individual's first name or first initial and last
  name in combination with any one of the following
  data elements when either the name or the data
  element are not encrypted
• Social security number
• Driver's license number or CA Identification Card
  number
• Account number, credit or debit card number, in
  combination with any required security code,
  access code, or password that would permit access
  to an individual's financial account.

16
Your state may have a similar law

• Other states and the federal government are
  considering enacting legislation pattered after
  SB 1386.
• According to the National Conference of State
  Legislatures web site (May 31, 2005)
• Disclosure laws have been introduced in at least
  34 states in 2005.
• Six states (Arkansas, Georgia, Indiana, Montana,
  North Dakota and Washington) enacted a disclosure
  law in 2005.
• California senator Diane Feinstein recently
  introduced federal legislation that will create a
  federal disclosure law (S.115 introduced in
  January 2005)

17
CSUEB Incident Response Plan Definition of
Personal Information

• Goes beyond what is required under CA law. We
  added
• Last 4 digits of SSN with DOB.
• Passport number or any other unique
  identification number that has not been defined
  as "directory information" under FERPA.
• Personal medical information.

18
CSUEB Incident Response Plan Methods by which
unauthorized data can be acquired

• Equipment Lost or stolen electronic equipment
  (e.g., PDAs, laptops, desktop computer, and USB
  storage devices).
• Hacking incidents A successful intrusion of
  computer systems.
• Unauthorized Data Access Includes situations
  where someone has received unauthorized access to
  data, incorrect computer access settings, or
  non-hacking incidents.

19
CSUEB Incident Response Plan Definition of a
Reportable Security Incident

• A security incident is reportable, if unencrypted
  personal information is (or we reasonably suspect
  has been) acquired by an unauthorized person who
  obtained lost or stolen equipment, hacked into
  our systems or network, or gained unauthorized
  access to data.

20
CSUEB Incident Response Plan Roles and
Responsibilities

• Several individuals participate in the incident
  response process
• President of the University
• Information Security Officer
• Chief Information Security Coordinator
• Incident Response Team (includes the ISO and
  Coordinator)
• Deputy Provost, Academic Affairs
• Associate Vice President, Information Technology
• Assistant Vice President, Human Resources
• Assistant Vice President, Student Affairs
• Chief of Police
• Director of Public Affairs

21
CSUEB Incident Response Plan Roles and
Responsibilities (cont.)

• Campus Network Security Group
• Staff (including the management officer) from the
  department where the breach occurred
• General counsel
• Staff from the CSU Chancellor's office
• State of California Office of Privacy Protection

22
CSUEB Incident Response Plan Overview

• Step 1 - Information Security office is notified
  that a potential or actual breach has occurred.
• Step 2 - Coordinator meets with department to
  discuss issue.
• Step 3 - If necessary Coordinator brings in IT
  experts to mitigate the problem and collect
  evidence.
• Step 4 - Coordinator submits preliminary report
  to ISO and AVP IT
• Step 5 - If it is determined that the event is a
  reportable security breach and law enforcement is
  not involved, the notification process begins.

23
CSUEB Incident Response Plan Interviewing the
Department

• Every incident will be different. However, the
  Coordinator will ask several basic questions
  during the initial interview
• What happened?
• Was personal information lost or stolen? If yes,
  what?
• How was the information acquired?
• What systems, devices, etc., were compromised?
• How was the system or device configured? What
  are the maintenance procedures? Do log files
  exist?
• Who was affected by the breach?

24
CSUEB Incident Response Plan Preserving
Evidence

• The preservation of evidence is important if you
  intend to
• Continue to analyze the problem after the
  notification process has ended.
• File criminal charges.
• Involve law enforcement.
• As our plan evolves, we will be developing
  standard methods to preserve evidence.

25
CSUEB Incident Response Plan Internal
Communication Procedures

• Once the ISO determines that the incident
  requires notification, the ISO informs the
  President .
• The Coordinator
• Assembles the Incident Response Team to discuss
  the incident and if law enforcement is not
  involved, begin the notification process.
• Notifies general counsel, the Chancellor's
  office, and the director of CA Office of Privacy
  Protection.
• Informs the department's management team that the
  ISO has determine the incident is reportable
  under CA law.
• If necessary, contacts the police department to
  file a police report.

26
CSUEB Incident Response Plan External
Communication Procedures

• The notification letter, press materials and
  other external communications are written by the
  Coordinator and Security Incident Response team.

27
CSUEB Incident Response Plan Contents of The
Notification Letter

• The notification letter contains the following
  pieces of information
• Description of the breach.
• Contact information for the major credit
  reporting agencies
• Trans Union
• Experian
• Equifax
• Recommendations
• Place a fraud alert on the credit report
• Monitor credit reports
• University contact information

28
CSUEB Incident Response Plan Distributing the
notice of a breach

• Notifications are sent to individuals in one of
  two ways
• If 50,000 or fewer individuals
• Send a letter to each individual on University
  letterhead via first class mail.
• If more than 50,000 individuals
• Send notification to a last known email address
• Conspicuously post a "Notice of Breach" on the
  campus web site
• Notify statewide media including television,
  radio and print media

29
CSUEB Incident Response Plan Responding to
Inquiries

• During the September 2004, we found ourselves
  responding to inquiries from many individuals who
  were not directly affected by the breach
• Parents
• Spouses
• Friends
• The media
• Individuals who did not receive a letter but
  wonder if their information was compromised
• Vendors
• The Incident Response plan includes a strategy
  for responding to inquiries from a variety of
  individuals.

30
CSUEB Incident Response Plan Responding to
Inquiries (cont.)

• The breached department is responsible for
  responding to inquiries regarding the breach.
• The Coordinator and Director of Public Affairs
  are responsible for training staff to respond
  appropriately.

31
CSUEB Incident Response Plan Training Staff to
Respond to Inquiries

• Staff will be trained to answer several basic
  questions
• What happened?
• Who attacked you?
• When did it happen?
• How did they breach your security?
• How widespread is the breach?
• What steps are you taking to determine what
  happened?
• What steps are you taking to prevent this from
  happening again?
• What is the estimated monetary cost of this
  incident?

32
CSUEB Incident Response Plan Training Staff to
Respond to Inquiries (cont.)

• During training, staff will be instructed to do
  the following
• Do not offer unsolicited information or comments
  to inquirers.
• Advise the inquirer that the incident is under
  investigation (if this is the case).
• Direct the inquirer to a web site, if one is
  available.
• Direct inquiries from law enforcement to the
  University Police department.
• Direct inquiries from the media to the Director
  of Public Affairs.
• Direct inquiries from vendors to the Information
  Security Office.

33
CSUEB Incident Response Plan Other Procedures

• Our plan also includes procedures for
• Documenting the incident as it happens.
• Maintaining an accounting of the costs associated
  with the incident.

34
CSUEB Incident Response Plan Post-Mortem

• It is important to establish a date and time when
  individuals involved in the incident response
  process can meet to discuss any lessons learned
  from the event.

35
CSUEB September 2004 Incident Post-Mortem

• Actions taken after our Sept. 2004 incident
• Removed personal data from the breached server.
• Reassigned responsibility for managing the server
  to a more experienced team of IT specialists.
• After a follow-up meeting, department decided to
  reduce the amount of personal data they collect.

36
Benefits of an Incident Response Plan

• Respond to incidents systematically so that
  appropriate actions are taken.
• Help the University recover quickly and
  efficiently and minimize loss and disruption of
  services.
• Use recommendations gathers from the post-mortem
  meeting to better prepare for future incidents
  and provide stronger protections for University
  data and assets.
• Deal properly with legal issues.

37
Summary

• Partner with individuals on your campus to
  develop an incident response plan.
• Periodically, review and update your plan.
• Review contracts with vendors to ensure that
  incident response handling is covered in your
  agreements.
• Learn from the experiences of others.
• Most importantly, educate your staff, faculty and
  students about your incident response plan.

38
Thank You

• Richard S. Metz
• dick.metz_at_csueastbay.edu
• Cheryl Washington
• cheryl.washington_at_csueastbay.edu

39
Questions?