Auditing your institution's cybersecurity incident/breach response plan

© Baker Tilly Virchow Krause, LLP

Objectives

> Provide an overview of incident/breach response plans and their intended benefits
> Describe regulatory/legal requirements related to incident/breach responses
> Describe key aspects of response plans that should be reviewed as part of your audit

Overview and benefits of cybersecurity incident/breach response plan

Why is cybersecurity incident/breach response important?

> Frequency: breaches are happening more frequently
> Media attention: 2014 was a record year for breaches in the press/media
> Requirements: regulations require incident/breach response plans

Why does your institution need a cybersecurity incident/breach response plan?

> It is not a matter of if your institution will have an incident or breach, it is a matter of when
> Decentralized organizations with numerous stakeholders increase the likelihood of ad hoc responses
> Inappropriate or inadequate response can lead to reputational and financial damage

Impacts of data breaches

> Negative publicity
> Regulatory sanctions
> Refusal to share personal information
> Damage to brand
> Regulator scrutiny
> Legal liability
> Fines
> Damaged customer relationships
> Damaged employee relationships
> Deceptive or unfair trade charges

What is a cybersecurity incident/breach response plan?

“Capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits”

– ISACA

What goes into a cybersecurity incident/breach response?

Cybersecurity incident/breach response plan:

> Laws, regulations
> IT risk framework
> Data and system inventory

How cybersecurity incident/breach response plans align to various IT frameworks

> COBIT = Deliver & Support DS8 Manage Service Desk and Incidents
> ITIL = Service Operation 4.1.5
> ISO 27002 = 13.0 Information Security Incident Management, 14.0 Business Continuity Management
> NIST SP 800-61 = Incident response guide

What should a cybersecurity incident/breach response plan accomplish?

> Preparation
> Detection and Analysis
> Containment, Eradication, and Recovery
> Post-Incident Activity

Regulatory/legal requirements for cybersecurity incident/breach response

Regulatory/legal requirements: where to start

> Regulatory review starts with information governance
> Need to identify and classify data/information and where it “lives” in your institution
> Request a list of all important business processes and applications, and the contracts for any processes or applications that are provided by a third party
> Review the contracts to confirm that they address cybersecurity and data breach matters

Regulatory response over time

> 1974: Privacy Act & FERPA
> 1996: HIPAA
> 1998: Safe Harbor (European Union)
> 1999: GLBA
> 2001: Cybersecurity Enhancement Act
> 2003: California Data Breach Law
> 2006: PCI DSS v1
> 2009: HITECH
> 2010: Massachusetts Privacy Law
> 2014: Kentucky, 47th State Data Breach Law
> 2015: PCI DSS v3

Regulatory/legal requirements for incident/breach response

> FERPA (34 CFR Part 99)
> HIPAA/HITECH
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191
  • Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of the American Recovery and Reinvestment Act of 2009 (ARRA)
  • Security Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
  • Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
> PCI DSS
> State laws

FERPA

Covers: schools that receive funds under an applicable program of the U.S. Department of Education

Key provisions:

> Right of parents or eligible students (i.e., over 18) to review the student’s educational records maintained by the school
> Right to request a correction for records they believe to be inaccurate or misleading
> Escalation process for resolving disputes
> Written permission prior to releasing any information from a student’s record (though there are exceptions)
> Recently updated to include student safety and protection from online identity theft

FERPA

> FERPA is not a data breach notification statute
> Notification and response to a breach of FERPA-covered records depends on the nature of the records breached and the requirements of state statutes
> Department of Education offers some “suggestions” for handling breaches of FERPA-covered records

HIPAA/HITECH

Covers:

> Health care providers
> Health plans
> Health care clearinghouses
> Employers who administer their own health plans

Protected health information (PHI):

> Covered entities may only use or disclose PHI as permitted

Enforced by:

> Department of Health and Human Services
> State attorneys general

HIPAA/HITECH

What breaches require notification?

> Minimum necessary violations may require breach notification
> Factors assessed in deciding whether notification is required:
  • Nature and extent of PHI involved
  • Unauthorized person who used PHI
  • Whether PHI was actually acquired or viewed
  • Extent to which risk to PHI is mitigated
> Exceptions

HIPAA/HITECH notifications

Parties notified:

> Individuals
> Media
> HHS
> Business associates

Considerations for each notification:

• Timeliness
• Content
• Methods

PCI DSS

A multifaceted security standard

> Includes requirements for:
  i. Business processes
  ii. Security management
  iii. Policies
  iv. Procedures
  v. Network architecture
  vi. Software design
  vii. Other critical protective measures
> Intended to help organizations proactively protect customer payment data

PCI DSS

> What is covered by PCI-DSS?

> What to do in the event of a breach?


State laws

47 states + DC, Guam, Puerto Rico and USVI have breach notification laws (*exceptions: Alabama, New Mexico, South Dakota)

> The National Conference of State Legislatures maintains a list of state security breach notification laws with links to the text of each law. Check the list regularly as the state laws continue to change.
> A substantial number of reported breaches have involved non-profit universities and health systems. See Privacy Rights Clearinghouse Chronology of Data Breaches (listing breaches including breaches at non-profits, educational institutions, and health facilities).

Auditing the plan for cybersecurity incident/breach response

Cybersecurity incident/breach planning: key components

> Policy: establishes goals and vision for the breach response process, defined scope (to whom it applies and under what circumstances), roles and responsibilities, standards, metrics, feedback, remediation and requirements for awareness training
> Plan: covers all phases of the response activities
> Procedures: reports and briefs; online analysis system; website with available resources

Why should a cybersecurity incident/breach response plan be audited?

> Ensures that the plan contains accurate and current information
> Allows the breach response process to be assessed and fine-tuned
> Identifies potential issues in advance, before the breach occurs
> Should a breach subsequently occur, it allows the process to operate more efficiently

What should your cybersecurity incident/breach response plan contain?

Detection and Analysis

• Individuals/team that will lead the breach response process and make the final determination that an actual breach has occurred
• Emergency contacts
• Information on relevant regulatory and law enforcement agencies that must be contacted

Containment, Eradication, and Recovery

• Steps required to contain the breach and assess its scope
• Internal reporting system to alert legal, senior management, communications, employees and others
• External reporting to customers, business partners, public at large

Post-Incident Activity

• Post-mortem assessment, remediation
• Rehearsing (table-top testing) and awareness training

Cybersecurity incident/breach response plan roles

Designated incident lead

> One individual (and backup) designated to coordinate the response
> Acts as go-between for management and response team
> Typically someone from legal
> Coordinates efforts among all groups, notifies appropriate people within the company and externally, documents the response, identifies key tasks, and estimates remediation costs

Who makes the call?

> Consists of representatives from IT/security, legal, and senior leadership
> Once the facts are gathered, the most senior-level executive makes the determination that a breach has/has not occurred, and "breaks the glass" to execute the response plan

Emergency contacts and internal reporting system

Emergency contact list should include:

• Representative(s) of executive management team
• Legal, privacy & compliance
• Operations (security & IT)
• Customer service and/or HR
• Communications/public relations
• Representatives of third-party vendors
• Outside experts

Incident response plan should designate the structure of the internal reporting system

Assessing the breach and response

Incident plan should include steps to contain the breach and assess its scope. Consider:

> Isolating the affected system to prevent further release
> Reviewing/activating auditing software
> Preserving pertinent system logs
> Making back-up copies of altered files, to be kept secure
> Identifying systems that connect to the affected system
> Retaining an external forensic expert to assist with the investigation
> Documenting conversations with law enforcement and steps taken to restore the integrity of the system
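The two evidence-handling steps above (preserving pertinent system logs and keeping secure back-up copies of altered files) are the ones an auditor will ask to see proof of. The following Python routine is an added example and is not part of the Baker Tilly deck: it copies each file into an evidence directory as a read-only copy, records collector, UTC time and a SHA-256 digest of every copy in a manifest, and later re-hashes the copies so that any change after collection is detected. The log lines, file names and the collector name are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources: list, evidence_dir: Path, collector: str) -> Path:
    """Copy each source file into evidence_dir as a read-only copy and write a
    manifest recording who collected it, when (UTC), its original path and the
    SHA-256 of the copy: the chain-of-custody record an auditor expects."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in sources:
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)   # copy2 keeps the original mtime for timeline work
        os.chmod(dst, 0o440)     # read-only: nobody edits evidence after collection
        entries.append({
            "original_path": str(src),
            "evidence_copy": str(dst),
            "size_bytes": dst.stat().st_size,
            "sha256": sha256_file(dst),
        })
    manifest = {
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    manifest_path = evidence_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    os.chmod(manifest_path, 0o440)
    return manifest_path


def verify(manifest_path: Path) -> list:
    """Re-hash every preserved copy; return the copies whose hash no longer matches."""
    manifest = json.loads(manifest_path.read_text())
    return [e["evidence_copy"] for e in manifest["files"]
            if sha256_file(Path(e["evidence_copy"])) != e["sha256"]]


def demo() -> dict:
    """Run preserve/verify on constructed sample logs in a fresh temp directory,
    then alter one preserved copy to show that verify() catches it."""
    work = Path(tempfile.mkdtemp(prefix="ir-evidence-demo-"))
    live = work / "live"
    live.mkdir()
    # Constructed sample log lines (documentation IP range), not real data.
    (live / "auth.log").write_text(
        "Jun 25 02:14:07 web01 sshd[4121]: Failed password for admin from 203.0.113.9\n"
        "Jun 25 02:14:09 web01 sshd[4121]: Accepted password for admin from 203.0.113.9\n")
    (live / "access.log").write_text(
        '203.0.113.9 - - [25/Jun/2018:02:15:01 +0000] "GET /export/records.csv HTTP/1.1" 200 48213\n')

    manifest = preserve([live / "auth.log", live / "access.log"],
                        work / "evidence", collector="incident-lead")
    before = verify(manifest)                  # []: every copy matches the manifest

    altered = work / "evidence" / "auth.log"   # simulate a post-collection edit
    os.chmod(altered, 0o640)
    with altered.open("a") as f:
        f.write("Jun 25 02:14:09 web01 sshd[4121]: (line edited after collection)\n")
    after = verify(manifest)                   # [".../evidence/auth.log"]
    return {"manifest": str(manifest), "before_tamper": before, "after_tamper": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is what gets handed to an external forensic expert or cited in the post-incident report; file-mode bits only deter casual edits, so in practice the evidence directory also belongs on storage the responders cannot write to once collection is complete.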

Training and awareness

Staff should have recurring training, including:

• What constitutes a breach
• What does NOT constitute a breach
• What are appropriate communications channels for suspected breaches

Plan should be tested/rehearsed (table-top testing) not less than once per year
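The plan contents, roles, emergency contact list and training cadence described on the preceding slides form a checklist that an auditor can apply mechanically. The Python helper below is an added example, not material from the Baker Tilly deck: it takes a plan summarised as a dictionary and reports every gap against that checklist (designated lead and backup, who makes the breach determination, required contact roles and how recently they were verified, regulatory agency contacts, internal reporting structure, the four NIST phases, table-top exercise within the last year, recurring training). The dictionary field names, the yearly contact re-verification rule and the sample plan are assumptions constructed for this example.

```python
from datetime import date

# Checklist items are the ones the slides name; the dictionary field names
# (incident_lead, emergency_contacts, ...) are this example's own assumption.
REQUIRED_CONTACT_ROLES = {
    "executive management", "legal", "privacy & compliance",
    "security & IT operations", "customer service/HR",
    "communications/public relations", "third-party vendors", "outside experts",
}
REQUIRED_PHASES = {
    "preparation", "detection and analysis",
    "containment, eradication, and recovery", "post-incident activity",
}
MAX_DAYS_BETWEEN_TABLETOPS = 365    # slides: rehearse not less than once per year
MAX_DAYS_SINCE_CONTACT_CHECK = 365  # assumption: contact details re-verified yearly


def audit_plan(plan: dict, today: date) -> list:
    """Return one finding per gap between the plan and the checklist above."""
    findings = []

    lead = plan.get("incident_lead", {})
    if not lead.get("primary"):
        findings.append("No designated incident lead")
    if not lead.get("backup"):
        findings.append("Incident lead has no designated backup")
    if not plan.get("decision_authority"):
        findings.append("Plan does not name who determines that a breach has occurred")

    contacts = plan.get("emergency_contacts", [])
    for role in sorted(REQUIRED_CONTACT_ROLES - {c["role"] for c in contacts}):
        findings.append(f"Emergency contact list is missing a {role} contact")
    for c in contacts:
        verified = c.get("verified")
        if verified is None or (today - verified).days > MAX_DAYS_SINCE_CONTACT_CHECK:
            findings.append(f"Contact for {c['role']} has not been verified in the last year")

    if not plan.get("regulatory_agencies"):
        findings.append("No regulatory/law enforcement agencies listed")
    if not plan.get("internal_reporting_structure"):
        findings.append("Internal reporting structure is not defined")
    for phase in sorted(REQUIRED_PHASES - set(plan.get("phases_covered", []))):
        findings.append(f"Plan does not cover the {phase} phase")

    last = plan.get("last_tabletop")
    if last is None:
        findings.append("No table-top exercise on record")
    elif (today - last).days > MAX_DAYS_BETWEEN_TABLETOPS:
        findings.append(f"Last table-top exercise was {(today - last).days} days ago")
    if not plan.get("training_recurring"):
        findings.append("Staff training is not recurring")
    return findings


# Constructed sample plan with deliberate gaps; not a real institution's plan.
AUDIT_DATE = date(2018, 6, 25)
SAMPLE_PLAN = {
    "incident_lead": {"primary": "General Counsel", "backup": ""},
    "decision_authority": "President, once the facts are gathered",
    "emergency_contacts": [
        {"role": "executive management", "verified": date(2018, 1, 10)},
        {"role": "legal", "verified": date(2018, 1, 10)},
        {"role": "security & IT operations", "verified": date(2016, 5, 2)},
        {"role": "communications/public relations", "verified": date(2018, 1, 10)},
    ],
    "regulatory_agencies": ["HHS Office for Civil Rights", "State attorney general"],
    "internal_reporting_structure": "security -> incident lead -> legal, senior management, communications",
    "phases_covered": ["preparation", "detection and analysis",
                       "containment, eradication, and recovery"],
    "last_tabletop": date(2017, 3, 15),
    "training_recurring": True,
}


def demo() -> list:
    """Audit the sample plan; the gaps planted above yield eight findings."""
    return audit_plan(SAMPLE_PLAN, AUDIT_DATE)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Each finding maps back to a slide, so the output doubles as the working-paper index for the audit; the thresholds are constants so an institution whose policy demands more frequent rehearsal or contact verification only changes two numbers.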

Conclusion

> Incident/breach response planning is critical in helping organizations prepare for and recover from serious breaches
> Many federal and state laws require robust breach notification and response procedures
> Auditing the incident/breach plan can help ensure that it contains accurate and complete information so that it can operate efficiently in the event of a breach


Resources

> CERT (http://www.cert.org/incident-management/)

> EDUCAUSE (www.educause.edu)

> Higher Education Information Security Council, HEISC (https://wiki.internet2.edu/confluence/display/2014infosecurityguide/)

> ISACA (www.isaca.org)

> NIST (www.nist.gov)

> Department of Education Privacy Technical Assistance Center (PTAC) Data Breach Response Checklist (http://ptac.ed.gov/sites/default/files/checklist_data_breach_response_092012.pdf)

> National Conference of State Legislatures (http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx)

> Privacy Rights Clearinghouse Chronology of Data Breaches (http://www.privacyrights.org/data-breach/new)


Additional Resources

ACUA

> Promoting Internal Audit: www.acua.org/movie

> Listserv: [email protected]

> Forums: www.acua.org

Baker Tilly

> http://bakertilly.com/insights/acua


Required disclosure and Circular 230

Prominent Disclosure

The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought.

Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan or arrangement to any other party.

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. © 2014 Baker Tilly Virchow Krause, LLP.