Information & Communication Technologies 08 2014 NMSU All About Discovery! How to Handle Data Breaches and IT Incidents presented by Carlos S. Lobato, CISSP, CISA, CIA NMSU IT Compliance Officer


AGENDA

• What is a Data Breach?
• Are Data Breaches Happening in Higher Ed?
• What laws or regulations require or recommend incident handling procedures?
• Is there a best way to handle an incident?
• NMSU’s journey to develop a policy and procedures
• NMSU’s way of handling incidents
• Lessons Learned
• Q & A

What is a Data Breach?

• The U.S. Department of Education - Privacy Technical Assistance Center (PTAC) http://www.ed.gov/ptac defines it as:

“A data breach is any instance in which there is an unauthorized release or access of PII or other information not suitable for public release.”

How Do Data Breaches Happen?

Per the U.S. Department of Ed:

• Hackers gaining access to data through a malicious attack;
• Lost, stolen, or temporarily misplaced equipment (e.g., laptops, mobile phones, portable thumb drives, etc.);
• Employee negligence (e.g., leaving a password list in a publicly accessible location, technical staff misconfiguring a security service or device, etc.); and
• Policy and/or system failure (e.g., a policy that doesn’t require multiple overlapping security measures; if backup security measures are absent, failure of a single protective system can leave data vulnerable).

Defining a Data Breach for Your Organization

• The actual definition of what constitutes a data breach has to be localized to the environment of your institution.
• Your Governing Body, Executive Administration and University Community should get involved in determining what constitutes a data breach and creating awareness.
• Internal Audit, Legal Counsel, Information Security, IT Compliance, Police, Fire, and executive administration including the provost should lead this effort.

Are Data Breaches Happening in Higher Ed?

YES

• Verizon - 2014 Data Breach Investigations Report
• Privacy Rights Clearinghouse - Data Breaches Timeline since 2005 – Present
• Google data breaches

Recent Higher Ed Data Breaches

• Butler University, June 2014 – ~163,000 records
• Iowa State University (NMSU peer), April 2014 – ~48,729 records
• North Dakota University, March 2014 – ~291,465 records
• Indiana University, February 2014 – ~146,000 records
• University of Maryland, February 2014 – ~309,079 records

What can we do to stop data breaches from happening?

• Create awareness
  – Make a big deal (next slides)
• Enhance security controls and practices
• Create incident handling policy and procedures and communicate them to employees
• Work on IT Governance, Data Governance and Mandatory Training

What is your institution’s risk?

If hackers compromised your central ERP/Banner system, how many unique social security numbers would they have access to?

A. 10,000
B. 25,000
C. 50,000
D. I already have enough trouble sleeping at night

It is very likely you have over 100,000 records available through your central computing systems (including the SSN of the person sitting in your chair).

Why are we concerned about Data Breaches?

• Bad reputation
• Cost a lot to fix (next slide)
• Data privacy regulations (i.e. FERPA, HIPAA) require security to exist

Estimated Cost of a Data Breach

• Based on 2013 Study by Ponemon Institute & Symantec
  – $111 per record at US universities and colleges
  – $136 per record across industry
• Estimated cost of a breach at an institution with 500,000 records
  – $55,500,000 based on loss of 500,000 records at $111 per record
• Includes costs associated with loss of public confidence, reputation, etc.

Regulations that require/recommend incident handling procedures

• FERPA – Family Educational Rights and Privacy Act
• HIPAA – Health Insurance Portability and Accountability Act
• GLBA – Gramm-Leach-Bliley Act
• RFR – Red Flags Rule of the Federal Trade Commission
• FISMA – Federal Information Security Management Act
• PCI DSS – Payment Card Industry Data Security Standard

General Institutional Requirements

• FERPA, HIPAA, GLBA, RFR, FISMA, and PCI DSS require the following:
  – Designated information security responsibility
  – Risk-based information security program
  – Data security policies and procedures
  – Monitoring and incident handling/compliance
  – Data security training and awareness

Consequences of Noncompliance

• FERPA – Loss of federal funding to institution
• HIPAA – Monetary penalties of up to $6M / year
• GLBA – Fines and imprisonment
• RFR – Federal fines
• FISMA – Loss of funding
• PCI DSS
  – Fines
  – Removal of institution’s ability to take credit card payments

What is NMSU doing?

• Enhancing security practices within the technology – network, servers, software;
• Implementing new security tools;
• Beefing up training & awareness, compliance across the institution;
• Working to establish a risk-based information security program;
• Doing what we can with what we have and hopefully the administration will realize the need for more resources…

Is there a best way to handle an incident?

• No, but ensure you have Incident Handling Policies and Procedures
  » Use PTAC’s checklist (U.S. Department of Ed)
  » ISACA, SANS, ISC², NIST have guidelines
  » Involve various University functions to develop policy and guidelines
  – Designate the responsibility of leading the handling of an incident to a qualified employee(s)
    » Experience and Certifications (CISA, CISSP, etc.)
  – Create an incident handling team through policy

Is there a best way to handle an incident?

• Ensure all of your employees know:
  – What a data breach is and what to do
  – Who to contact (CIO, IT Compliance, CISO, Audit, Legal, etc.)
• Ensure the employee handling the incident knows policy and escalation procedures

DO’s

• Don’t panic – ask for help from the FTC if needed
• Thoroughly investigate and document the incident according to your policy and procedures
• Be consistent in handling and documenting
• Be transparent to affected parties
• Notify affected parties in a timely manner, within 60 days at most, unless Law Enforcement directs otherwise (sample letter from FTC)
• Notify regulatory agencies if applicable

NMSU’s journey to develop a policy and procedures (Data Breach)

• January 2012 – no written policy and procedures / noncompliant with laws
• Brought this gap to the attention of the [then] CIO
• Created a quick draft based on samples from other Universities and was asked to lead an effort
  – External Auditor was made aware of the gap, but there was no finding because we were already working on developing a policy & procedures

NMSU’s journey to develop a policy and procedures (Data Breach)

• Created a committee (Legal, Audit, Police, etc.)
  – Given initial draft to review
  – Given samples from other Universities
  – Given resources from PTAC, NIST and best practices, i.e. ISACA, etc.
• Had a lot of meetings
• Draft sent to various employees for feedback
  – Got a lot of feedback

NMSU’s journey to develop a policy and procedures (Data Breach)

• Have a draft policy and procedures
  – Policy and procedures awaiting Board of Regents approval
• Created websites
  – IT Compliance website
  – Information Security website

NMSU’s way of handling incidents

• IT Compliance investigates and leads the efforts regarding incidents involving data
  – Follow Policy and procedures (Team effort)
  – Notify Federal Agencies (Department of Ed, DHHS for HIPAA, etc.)
  – Lead effort to notify affected parties
• IT Security investigates suspected hacking, virus infections, and phishing-type incidents and will involve me when needed

NMSU’s way of handling incidents

• Compliance Officer maintains the files for data breaches fully encrypted
• A concluding memo is always written stating what happened, what we did, and what we are going to do to prevent future recurrences. A copy is sent to the applicable federal agency. We have had to send several copies to the U.S. Department of Ed – sample communication and recommended steps

Lessons Learned

• Involve as many functions as possible when getting feedback on draft policies and procedures to ensure they are understandable by most employees
  – What matters is the awareness that you are creating and that employees are being made aware of their responsibilities
• Get Governing Body and Executive Administration Support/Buy-in
• Procedures are a living document

How to Handle Data Breaches and IT Incidents

Q & A

Carlos S. Lobato
NMSU IT Compliance Officer