Title: Developing an Incident Response Plan
1 Developing an Incident Response Plan
- California State University, East Bay
- Information Security Office
- Richard S. Metz, Vice President of Administration and Business Affairs/Information Security Officer
- Cheryl Washington, Chief Information Security Coordinator
2 California State University, East Bay Information Security Office
- Responsible for protecting the confidentiality and security of data in the custody of the University and the privacy rights of CSUEB students, faculty and staff.
- Our Staff
  - Richard S. Metz, Vice President of Administration and Business Affairs/Information Security Officer
  - Cheryl Washington, Chief Information Security Coordinator
  - Thomas Dixon, Information Security Specialist
3 Recent news reports
- April 2005: 106,000 individuals warned of a security breach.
  - University officials state that personal data stored on a server used for fund raising could have been compromised.
- March 2005: 98,000 individuals warned of a security breach.
  - A laptop containing personal information on students and applicants was stolen from a University department.
- March 2005: 59,000 individuals warned of a security breach.
  - Hackers broke into a system containing personal information on current, former, and prospective students, faculty and staff.
4 Computer threats are on the rise
- Computer threats have become more numerous, damaging and disruptive.
- Preventative measures (e.g., patch management policies) can help lower the number of incidents, but not all incidents can be prevented.
- As the collection and storage of personal data moves further away from a central IT department, the likelihood that a security incident will occur on your campus will increase.
5 A Security Breach Can Happen to You
- A security breach can happen to any institution at any time.
- There are several trends that make Universities uniquely attractive to hackers
  - Openness of the University environment.
  - Use of the web and ERP systems has increased the size of our data repositories.
  - Continued and sometimes required use of SSNs as student and employee identification numbers.
6 Why is incident response planning important?
- When a security incident occurs on your campus, you will need to respond appropriately.
- An incident response plan can help you move quickly away from the initial panic phase ("We've been hacked!") into a set of well thought out activities designed to help you manage the event.
7 CSUEB has been breached!
- Based on what we know, our campus experienced two security incidents in which personal data may have been compromised.
  - May 2004: Mailed notification letters to approximately 30 students whose personal information was inadvertently disclosed.
  - September 2004: Mailed notification letters to a little more than 2,000 students whose personal information may have been compromised.
8 How did we respond to the May 2004 breach?
- Our incident response plan was not well defined nor well understood by the campus community.
- The Information Security Office was not made aware of the security incident until nearly 2 months after the incident occurred.
- We knew that we needed a better plan!
9 Our response to the September 2004 breach
- The Security Office was quickly notified of the breach.
- We were able to react swiftly and sent notification letters to affected individuals within 10 days.
- However, we made mistakes. We neglected to preserve evidence, essentially losing valuable information.
- We recognized that our plan needed improvement!
10 What did we learn from our incidents?
- Our incident response plan needed to be updated.
- Our plan needed to identify individuals who can be dispatched to a security event quickly.
- The incident response plan needed to be communicated to the campus community.
11 What our plan does
- Defines key terms (e.g., "security incident", "personal information").
- Establishes roles and responsibilities.
- Describes guidelines for investigating an incident.
- Provides guidelines for internal and external communication.
- Establishes a checklist of what needs to be done, by whom and when.
12 Framework for our plan
- State of California's "security breach notification" law (aka SB 1386).
- Other factors
  - Our definition of "directory information" under FERPA.
  - Federal and state laws and regulations that apply to the University (e.g., HIPAA).
  - Opinions from our Human Resources department and legal counsel.
13 What is SB 1386?
- Often referred to as "California's notification or disclosure law".
- Signed into law in September 2002.
- Part of CA Civil Code 1798.29 and 1798.82
  - 1798.29 addresses the responsibilities of state agencies
  - 1798.82 addresses the responsibilities of individuals and businesses that conduct business in California.
14 What does SB 1386 say about security incidents?
- An agency, individual or business that "... owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person..."
15 SB 1386's definition of personal data
- Individual's first name or first initial and last name in combination with any one of the following data elements, when either the name or the data element is not encrypted
  - Social security number
  - Driver's license number or CA Identification Card number
  - Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
16 Your state may have a similar law
- Other states and the federal government are considering enacting legislation patterned after SB 1386.
- According to the National Conference of State Legislatures web site (May 31, 2005)
  - Disclosure laws have been introduced in at least 34 states in 2005.
  - Six states (Arkansas, Georgia, Indiana, Montana, North Dakota and Washington) enacted a disclosure law in 2005.
- California senator Dianne Feinstein recently introduced federal legislation that will create a federal disclosure law (S.115, introduced in January 2005).
17 CSUEB Incident Response Plan: Definition of Personal Information
- Goes beyond what is required under CA law. We added
  - Last 4 digits of SSN with DOB.
  - Passport number or any other unique identification number that has not been defined as "directory information" under FERPA.
  - Personal medical information.
18 CSUEB Incident Response Plan: Methods by which unauthorized data can be acquired
- Equipment: Lost or stolen electronic equipment (e.g., PDAs, laptops, desktop computers, and USB storage devices).
- Hacking incidents: A successful intrusion of computer systems.
- Unauthorized Data Access: Includes situations where someone has received unauthorized access to data, incorrect computer access settings, or non-hacking incidents.
19 CSUEB Incident Response Plan: Definition of a Reportable Security Incident
- A security incident is reportable if unencrypted personal information is (or we reasonably suspect has been) acquired by an unauthorized person who obtained lost or stolen equipment, hacked into our systems or network, or gained unauthorized access to data.
20 CSUEB Incident Response Plan: Roles and Responsibilities
- Several individuals participate in the incident response process
  - President of the University
  - Information Security Officer
  - Chief Information Security Coordinator
  - Incident Response Team (includes the ISO and Coordinator)
    - Deputy Provost, Academic Affairs
    - Associate Vice President, Information Technology
    - Assistant Vice President, Human Resources
    - Assistant Vice President, Student Affairs
    - Chief of Police
    - Director of Public Affairs
21 CSUEB Incident Response Plan: Roles and Responsibilities (cont.)
  - Campus Network Security Group
  - Staff (including the management officer) from the department where the breach occurred
  - General counsel
  - Staff from the CSU Chancellor's office
  - State of California Office of Privacy Protection
22 CSUEB Incident Response Plan: Overview
- Step 1 - Information Security Office is notified that a potential or actual breach has occurred.
- Step 2 - Coordinator meets with the department to discuss the issue.
- Step 3 - If necessary, the Coordinator brings in IT experts to mitigate the problem and collect evidence.
- Step 4 - Coordinator submits a preliminary report to the ISO and AVP IT.
- Step 5 - If it is determined that the event is a reportable security breach and law enforcement is not involved, the notification process begins.
23 CSUEB Incident Response Plan: Interviewing the Department
- Every incident will be different. However, the Coordinator will ask several basic questions during the initial interview
  - What happened?
  - Was personal information lost or stolen? If yes, what?
  - How was the information acquired?
  - What systems, devices, etc., were compromised?
  - How was the system or device configured? What are the maintenance procedures? Do log files exist?
  - Who was affected by the breach?
24 CSUEB Incident Response Plan: Preserving Evidence
- The preservation of evidence is important if you intend to
  - Continue to analyze the problem after the notification process has ended.
  - File criminal charges.
  - Involve law enforcement.
- As our plan evolves, we will be developing standard methods to preserve evidence.
25 CSUEB Incident Response Plan: Internal Communication Procedures
- Once the ISO determines that the incident requires notification, the ISO informs the President.
- The Coordinator
  - Assembles the Incident Response Team to discuss the incident and, if law enforcement is not involved, begin the notification process.
  - Notifies general counsel, the Chancellor's office, and the director of the CA Office of Privacy Protection.
  - Informs the department's management team that the ISO has determined the incident is reportable under CA law.
  - If necessary, contacts the police department to file a police report.
26 CSUEB Incident Response Plan: External Communication Procedures
- The notification letter, press materials and other external communications are written by the Coordinator and the Security Incident Response Team.
27 CSUEB Incident Response Plan: Contents of the Notification Letter
- The notification letter contains the following pieces of information
  - Description of the breach.
  - Contact information for the major credit reporting agencies
    - Trans Union
    - Experian
    - Equifax
  - Recommendations
    - Place a fraud alert on the credit report
    - Monitor credit reports
  - University contact information
28 CSUEB Incident Response Plan: Distributing the notice of a breach
- Notifications are sent to individuals in one of two ways
  - If 50,000 or fewer individuals
    - Send a letter to each individual on University letterhead via first class mail.
  - If more than 50,000 individuals
    - Send notification to a last known email address
    - Conspicuously post a "Notice of Breach" on the campus web site
    - Notify statewide media including television, radio and print media
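As an added illustration (not code from the original presentation or from CSUEB's plan), the following Python encodes the decision rules stated on slides 15, 17, 18, 19, 22 and 28 as a triage helper: is an incident reportable, and which notification channels apply. The field names, the element labels and the "none" acquisition value are assumptions made for the example.

```python
from dataclasses import dataclass

# Data elements that, combined with a name, form "personal information" under
# SB 1386 (CA Civil Code 1798.29 / 1798.82) as quoted on slide 15. Labels are assumed.
SB1386_ELEMENTS = {"ssn", "drivers_license", "ca_id_card", "financial_account_with_code"}
# Elements CSUEB's plan adds beyond the statutory list (slide 17).
CSUEB_EXTRA_ELEMENTS = {"ssn_last4_with_dob", "passport_or_other_id", "medical"}
# The three acquisition methods the plan recognizes (slide 18).
ACQUISITION_METHODS = {"lost_or_stolen_equipment", "hacking", "unauthorized_data_access"}


@dataclass
class Incident:
    has_name: bool               # first name or initial plus last name present
    elements: set                # data elements exposed alongside the name
    encrypted: bool              # True only if both name and elements were encrypted
    acquisition: str             # one of ACQUISITION_METHODS, or "none" (assumed label)
    affected_count: int
    law_enforcement_involved: bool = False


def is_reportable(inc: Incident, csueb_definition: bool = True) -> bool:
    """Slide 19 test: unencrypted personal information acquired (or reasonably
    suspected acquired) by an unauthorized person via one of the three methods."""
    if inc.encrypted or not inc.has_name:
        return False
    covered = SB1386_ELEMENTS | (CSUEB_EXTRA_ELEMENTS if csueb_definition else set())
    if not (inc.elements & covered):
        return False
    return inc.acquisition in ACQUISITION_METHODS


def notification_channels(inc: Incident) -> list:
    """Slide 28 distribution rule, gated by slide 22 step 5: notification starts
    only when the incident is reportable and law enforcement is not involved."""
    if not is_reportable(inc) or inc.law_enforcement_involved:
        return []
    if inc.affected_count <= 50_000:
        return ["first_class_letter"]
    return ["email_last_known", "web_notice", "statewide_media"]


if __name__ == "__main__":
    # Constructed sample modelled on the September 2004 case: a little more
    # than 2,000 students, SSNs exposed, no law enforcement involvement.
    sept_2004 = Incident(True, {"ssn"}, False, "hacking", 2000)
    print(is_reportable(sept_2004), notification_channels(sept_2004))
```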
29 CSUEB Incident Response Plan: Responding to Inquiries
- During the September 2004 incident, we found ourselves responding to inquiries from many individuals who were not directly affected by the breach
  - Parents
  - Spouses
  - Friends
  - The media
  - Individuals who did not receive a letter but wonder if their information was compromised
  - Vendors
- The Incident Response plan includes a strategy for responding to inquiries from a variety of individuals.
30 CSUEB Incident Response Plan: Responding to Inquiries (cont.)
- The breached department is responsible for responding to inquiries regarding the breach.
- The Coordinator and Director of Public Affairs are responsible for training staff to respond appropriately.
31 CSUEB Incident Response Plan: Training Staff to Respond to Inquiries
- Staff will be trained to answer several basic questions
  - What happened?
  - Who attacked you?
  - When did it happen?
  - How did they breach your security?
  - How widespread is the breach?
  - What steps are you taking to determine what happened?
  - What steps are you taking to prevent this from happening again?
  - What is the estimated monetary cost of this incident?
32 CSUEB Incident Response Plan: Training Staff to Respond to Inquiries (cont.)
- During training, staff will be instructed to do the following
  - Do not offer unsolicited information or comments to inquirers.
  - Advise the inquirer that the incident is under investigation (if this is the case).
  - Direct the inquirer to a web site, if one is available.
  - Direct inquiries from law enforcement to the University Police department.
  - Direct inquiries from the media to the Director of Public Affairs.
  - Direct inquiries from vendors to the Information Security Office.
33 CSUEB Incident Response Plan: Other Procedures
- Our plan also includes procedures for
  - Documenting the incident as it happens.
  - Maintaining an accounting of the costs associated with the incident.
34 CSUEB Incident Response Plan: Post-Mortem
- It is important to establish a date and time when individuals involved in the incident response process can meet to discuss any lessons learned from the event.
35 CSUEB September 2004 Incident Post-Mortem
- Actions taken after our Sept. 2004 incident
  - Removed personal data from the breached server.
  - Reassigned responsibility for managing the server to a more experienced team of IT specialists.
  - After a follow-up meeting, the department decided to reduce the amount of personal data they collect.
36 Benefits of an Incident Response Plan
- Respond to incidents systematically so that appropriate actions are taken.
- Help the University recover quickly and efficiently and minimize loss and disruption of services.
- Use recommendations gathered from the post-mortem meeting to better prepare for future incidents and provide stronger protections for University data and assets.
- Deal properly with legal issues.
37 Summary
- Partner with individuals on your campus to develop an incident response plan.
- Periodically review and update your plan.
- Review contracts with vendors to ensure that incident response handling is covered in your agreements.
- Learn from the experiences of others.
- Most importantly, educate your staff, faculty and students about your incident response plan.
38 Thank You
- Richard S. Metz
  - dick.metz_at_csueastbay.edu
- Cheryl Washington
  - cheryl.washington_at_csueastbay.edu
39 Questions?