Data Incident Notification Policies and Procedures
Tracy Mitrano
Steve Schuster
Questions That Need to Be Answered
• Does your institution have policies that protect data?
• Does your institution have processes to develop enforceable policy?
• Does your institution have a central IT security office and how should it function?
• How do you know when you’ve had a security incident?
• How do you know when you need to notify?
Two Generalizations about Policy and Process: (1)
• Critical to have a policy process…
– Legal compliance primarily
– Deference to the complex nature of higher education secondarily
• Especially as higher education becomes more international in scope and information technology is increasingly intermingled with the law, the market and changing norms within society
• …no matter what the particular culture or structure of your institution.
Two Generalizations about Process: (2)
• It almost always does, or should, boil down to three essential steps:
– Responsible office brings forward the concept to a high-level committee
• Audit, Counsel, VPs, Dean of Faculty or even President and Provost
– Mid-level review for implementation
• The greater the representation of the campus community the better
– Back to the high level for signoff and promulgation.
http://www.cit.cornell.edu/oit/policy/framework-chart.html
Information Security of Institutional Data
• Policy Statement
– Every user of institutional data must manage it responsibly
• Appendix A – Roles and Responsibilities
• Appendix B – Minimum Data Security Standards
Data Classification
• Cost/Benefit Analysis
• Costs (financial and administrative):
– Administrative burden
– Financial cost of new technologies
– New business practices
• Benefits (mitigating risk):
– Legal check list
– Policy decisions (prioritizing institutional data)
– Ethical considerations?
Legal Check List

| Type of Data | Privacy Statement | Annual Notice | Notification Upon Breach | Legislative Private Right of Action* | Government Enforcement | Statutory Damages |
|---|---|---|---|---|---|---|
| Personally Identifiable | o | o | x | O | x | x |
| Education Record | x | X | o | o | x | o |
| Medical Record | x | o | o | x | x | x |
| Banking Record | x | x | o | o | x | x |
Does Your Institution have a central IT security office and how should it function?
• How many have a dedicated security office?
• Several benefits
– Identified individual to consistently address and respond to security concerns
– Not responsible for delivering services that may conflict with security
– Tasked with developing incident response and remediation process
• Some common functions
– Incident response
– Security infrastructure development
– Awareness
– Governance
How do you know when you’ve had an incident?
• An indication of potential compromise can come from anywhere
• External indications
– SPAM complaint
– Scanning complaint
How do you know when you’ve had an incident?
• Internal indications
– Network monitoring
– IDS/IPS alerts
– Internal scanning
– Local identification
How do you know when you’ve had an incident?
```
050818104944 [itsor ~] telnet 128.253.155.211 65534
Trying 128.253.155.211...
Connected to 128.253.155.211.
Escape character is '^]'.
220-...
220--=+=============================================================+=-
220--=+,..ª¨=ªÊ§∫≤∞¥∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê =¨´.,+=-
220--=+=============================================================+=-
220--=+ +=-
220--=+ wlc0m +=-
220--=+ +=-
220--=+ Th0u $h4Ll Re$p3cT the rµLeZ +=-
220--=+ +=-
220--=+ Th0u $h4Ll n0t r3h4cK +=-
220--=+ Th0u $h4Ll n0t h4mMr +=-
220--=+ Th0u $h4Ll n0t Re$c4N +=-
220--=+ aNd n0w eNj0y :) +=-
220--=+ +=-
220--=+=============================================================+=-
220--=+,..ª¨=ªÊ§∫≤∞¥∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê=¨´.,+=-
220--=+=============================================================+=-
220--=+ +=-
220--=+ server uptime: 2d 13h 20m 3s. +=-
220--=+ users since start: 2 +=-
220--=+ logged in: 6 total +=-
220--=+ users since last 24h: 6 +=-
220--=+ upload since start: 0 kb @ 0 file(s) +=-
220--=+ download since start: 0 kb @ 0 file(s) +=-
220--=+ average throughput: 0.000 kb/s +=-
220--=+ the current bandwidth use is 0.000 kb/s +=-
220--=+ your ip: 132.236.54.173 +=-
220--=+ free diskspace: 72608.19 MByte +=-
220--=+ +=-
220--=+=============================================================+=-
220--=+,..ª¨=ªÊ§∫≤∞¥∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê=¨´.,+=-
220 -=+=============================================================+=-
^]
telnet> quit
Connection closed.
050818104944 [itsor ~]
```
How do you know when you’ve had an incident?
• Everyone has incidents, but what matters is the type of data stored on the computer
• The following data mean significantly more work
– Social security numbers
– Credit card numbers
– Driver's license numbers
– Other protected data
How do you know when you need to notify?
• Establishing reasonable belief of unauthorized data access is not an exact science
• Institution-wide decision making is imperative
• Thorough computer and network analysis is required
Institution-Wide Decision Making
• Data Incident Response Team (DIRT)
• DIRT meets for every incident involving critical data
• DIRT objectives
– Thoroughly understand each incident
– Guide immediate required response
– Determine requirement to notify
DIRT Members
• Core Team
– University Audit
– Risk Management
– University Police
– University Counsel
– University Communication
– CIO
– Director, IT Policy
– Director, IT Security
• Incident Specific
– Data Steward
– Unit Head
– Local IT support
– Security Liaison
– ITMC member
Computer and Network Analysis
• Data sources
– System data
• What data are on the computer
• How are these data stored
• When were they last accessed or modified
• What was the method of compromise
– Network data
• Who has been accessing this system
• What were the services used
• What was the method of compromise
• What was the amount of uploads and downloads
How Do You Know when You Need to Notify?
Decision ladder (vertical axis: "Need to Notify", increasing from top to bottom):
– Confirmed Data Were Not Acquired
– Reasonable Belief Data Were Not Acquired
– No Data Available for Analysis
– Reasonable Belief Data Were Acquired
– Access to Data Confirmed
Likelihood of Unauthorized Access
• Reasonable belief data were acquired
– System compromise occurred a significant time ago
– File MAC times after compromise and not tied to a supporting application
– Significant remote access and download
– More sophisticated hacker tools
– Etc.
• Reasonable belief data were NOT acquired
– Compromise identified quickly
– File MAC times consistently before compromise
– Limited or no network download
– More benign hacker tools
– Benign system use characteristics
– Etc.
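The analysis data sources (system MAC times, network download volume, method of compromise) and the likelihood criteria above can be combined into a repeatable triage step for DIRT. This added example is not from the slides or from Cornell or EDUCAUSE; the field names, the two-day "identified quickly" window, the 50 MB download threshold and the two-indicator rule are my own assumptions, and the sample evidence is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Outcome labels from the "Need to Notify" ladder on the slides, least to most serious.
CONFIRMED_NOT_ACQUIRED = "Confirmed Data Were Not Acquired"
BELIEF_NOT_ACQUIRED = "Reasonable Belief Data Were Not Acquired"
NO_DATA = "No Data Available for Analysis"
BELIEF_ACQUIRED = "Reasonable Belief Data Were Acquired"
ACCESS_CONFIRMED = "Access to Data Confirmed"

@dataclass
class Evidence:
    """System and network facts gathered for one host (field names are assumptions)."""
    compromise_time: datetime                 # when the intrusion is judged to have begun
    detected_time: datetime                   # when the compromise was identified
    sensitive_file_times: List[datetime]      # MAC times of files holding protected data
    mac_explained_by_app: bool                # post-compromise MAC times tied to a known job
    bytes_downloaded: int                     # outbound transfer from the host since compromise
    sophisticated_tools: bool                 # rootkits/sniffers rather than a plain warez daemon
    direct_evidence: Optional[bool] = None    # audit log proving data were read (True) or not (False)
    analysable: bool = True                   # False when disk/logs were wiped or never kept

def classify(ev: Evidence, quick: timedelta = timedelta(days=2),
             big_download: int = 50 * 1024 * 1024) -> Tuple[str, List[str]]:
    """Map the evidence onto the outcome ladder; thresholds are assumptions, not policy."""
    if not ev.analysable:
        return NO_DATA, []
    if ev.direct_evidence is not None:        # direct proof short-circuits the inference
        return (ACCESS_CONFIRMED if ev.direct_evidence else CONFIRMED_NOT_ACQUIRED), []
    indicators = []
    if ev.detected_time - ev.compromise_time > quick:
        indicators.append("compromise occurred a significant time ago")
    if any(t > ev.compromise_time for t in ev.sensitive_file_times) and not ev.mac_explained_by_app:
        indicators.append("file MAC times after compromise, not explained by an application")
    if ev.bytes_downloaded > big_download:
        indicators.append("significant remote download")
    if ev.sophisticated_tools:
        indicators.append("sophisticated hacker tools")
    # Assumption: two or more indicators support a reasonable belief that data were acquired.
    return (BELIEF_ACQUIRED if len(indicators) >= 2 else BELIEF_NOT_ACQUIRED), indicators

# Constructed sample: a warez daemon found the day after it appeared, protected files untouched.
t0 = datetime(2005, 8, 17, 3, 0)
benign = Evidence(t0, t0 + timedelta(hours=30), [t0 - timedelta(days=40)], False, 0, False)
# Constructed sample: a three-week-old intrusion with sniffer tools and a large outbound transfer.
serious = Evidence(t0, t0 + timedelta(days=21), [t0 + timedelta(days=3)], False,
                   900 * 1024 * 1024, True)
```

The returned indicator list is what the team records alongside the label, so the notification decision stays traceable to the evidence that drove it.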
Data Incident Notification Toolkit*
• Provide a tool that pulls from our collective experience.
• A real-time aid for creating the various communications that form data breach notification.
• An essential part of an incident response plan.
• http://www.educause.edu/DataIncidentNotificationToolkit/9320
* Hosted by EDUCAUSE
Notification Templates
• Outlines and content for
– Press Releases
– Notification Letters
– Incident Specific Website
– Incident Response FAQs
– Generic Identity Theft Web Site
• Sample language from actual incidents
• Food for thought – one size does not fit all