Information & Communication Technologies 08 2014 NMSU All About Discovery!
How to Handle Data Breaches
and IT Incidents
presented by
Carlos S. Lobato, CISSP, CISA, CIA
NMSU IT Compliance Officer
AGENDA
• What is a Data Breach?
• Are Data Breaches Happening in Higher Ed?
• What laws or regulations require or recommend incident
handling procedures?
• Is there a best way to handle an incident?
• NMSU’s journey to develop a policy and procedures
• NMSU’s way of handling incidents
• Lessons Learned
• Q & A
What is a Data Breach?
• The U.S. Department of Education - Privacy Technical
Assistance Center (PTAC) http://www.ed.gov/ptac
defines it as:
“A data breach is any instance in which there is an
unauthorized release or access of PII or other
information not suitable for public release.”
How Do Data Breaches Happen?
U.S. Department of Ed
• Hackers gaining access to data through a malicious
attack;
• Lost, stolen, or temporary misplaced equipment (e.g.,
laptops, mobile phones, portable thumb drives, etc.);
• Employee negligence (e.g., leaving a password list in a
publicly accessible location, technical staff
misconfiguring a security service or device, etc.); and
• Policy and/or system failure (e.g., a policy that doesn’t
require multiple overlapping security measures—if
backup security measures are absent, failure of a single
protective system can leave data vulnerable).
Defining a Data Breach for Your Organization
• The actual definition of what constitutes a data breach
has to be localized to the environment of your institution.
• Your Governing Body, Executive Administration and
University Community should get involved in determining
what constitutes a data breach and creating awareness.
• Internal Audit, Legal Counsel, Information Security, IT
Compliance, Police, Fire, and executive administration
including the provost should lead this effort.
Are Data Breaches Happening in Higher Ed?
YES
• Verizon – 2014 Data Breach Investigations Report
• Privacy Rights Clearinghouse - Data Breaches
Timeline since 2005 – Present
• Google data breaches
Recent Higher Ed Data Breaches
• Butler University, June 2014
– ~163,000 records
• Iowa State University (NMSU peer), April 2014
– ~48,729 records
• North Dakota University, March 2014
– ~291,465 records
• Indiana University, February 2014
– ~146,000 records
• University of Maryland, February 2014
– ~309,079 records
What can we do to stop data
breaches from happening?
• Create awareness
– Make a big deal (next slides)
• Enhance security controls and practices
• Create incident handling policy and
procedures and communicate it to employees
• Work on IT Governance, Data Governance
and Mandatory Training
What is your institution’s risk?
If hackers compromised your central ERP/Banner system,
how many unique Social Security numbers would they have
access to?
A. 10,000
B. 25,000
C. 50,000
D. I already have enough trouble sleeping at night
It is very likely you have over 100,000 records available
through your central computing systems (including the SSN
of the person sitting in your chair).
Why are we concerned about Data
Breaches?
• Bad reputation
• Costs a lot to fix (next slide)
• Requirements for security to exist (data privacy
regulations, e.g. FERPA, HIPAA)
Estimated Cost of a Data Breach
• Based on 2013 Study by Ponemon Institute &
Symantec
– $111 per record at US universities and colleges
– $136 per record across industry
• Estimated cost of a breach at an institution with
500,000 records
– $55,500,000 based on loss of 500,000 records at
$111 per record
• Includes costs associated with loss of public confidence,
reputation, etc.
Regulations that require/recommend
incident handling procedures
• FERPA – Family Educational Rights and Privacy Act
• HIPAA – Health Insurance Portability and Accountability
Act
• GLBA – Gramm-Leach-Bliley Act
• RFR – Red Flags Rule of the Federal Trade Commission
• FISMA – Federal Information Security Management Act
• PCI DSS – Payment Card Industry Data Security
Standards
General Institutional Requirements
• FERPA, HIPAA, GLBA, RFR, FISMA, and PCI DSS
require the following:
– Designated information security responsibility
– Risk-based information security program
– Data security policies and procedures
– Monitoring and incident handling/compliance
– Data security training and awareness
Consequences of Noncompliance
• FERPA – Loss of federal funding to institution
• HIPAA – Monetary penalties of up to $6M / year
• GLBA – Fines and imprisonment
• RFR – Federal fines
• FISMA – Loss of funding
• PCI DSS
– Fines
– Removal of institution’s ability to take credit card
payments
What is NMSU doing?
• Enhancing security practices within the
technology – network, servers, software;
• Implementing new security tools;
• Beefing up training & awareness, compliance
across the institution;
• Working to establish a risk-based information
security program;
• Doing what we can with what we have and
hopefully the administration will realize the need
for more resources…
Is there a best way to handle an
incident?
• No, but ensure you have Incident Handling
Policies and Procedures
» Use PTAC’s checklist (U.S. Department of Ed)
» ISACA, SANS, ISC^2, NIST have guidelines
» Involve various University functions to develop policy and
guidelines
– Designate the responsibility of leading the handling of an
incident to a qualified employee(s)
» Experience and Certifications (CISA, CISSP, etc.)
– Create an incident handling team through policy
Is there a best way to handle an
incident?
• Ensure all of your employees know:
– What a data breach is and what to do
– Who to contact (CIO, IT Compliance, CISO,
Audit, Legal, etc.)
• Ensure the employee handling the
incident knows policy and escalation
procedures
DO’s
• Don’t panic – ask for help from FTC if needed
• Thoroughly investigate and document incident
according to your policy and procedures
• Be consistent in handling and documenting
• Be transparent to affected parties
• Notify affected parties in a timely manner, but
not more than 60 days unless directed by Law
Enforcement (sample letter from FTC)
• Notify regulatory agencies if applicable
NMSU’s journey to develop a policy
and procedures (Data Breach)
• January 2012 – no written policy and
procedures/noncompliant with laws
• Brought this gap to the attention of [then] CIO
• Created a quick draft based on samples from
other Universities and was asked to lead an
effort
– External Auditor was made aware of gap, but no finding
because we were already working on developing a policy &
procedures
NMSU’s journey to develop a policy
and procedures (Data Breach)
• Created a committee (Legal, Audit, Police, etc.)
– Given initial draft to review
– Given samples from other Universities
– Given resources from PTAC, NIST and best practices i.e. ISACA,
etc.
• Had a lot of meetings
• Draft sent to various employees for feedback
– Got a lot of feedback
NMSU’s journey to develop a policy
and procedures (Data Breach)
• Have a draft policy and procedures
– Policy and procedures awaiting Board of Regents approval
• Created websites
– IT Compliance website
– Information Security Website
NMSU’s way of handling incidents
• IT Compliance investigates and leads the
efforts regarding incidents involving data
– Follow policy and procedures (team effort)
– Notify federal agencies (Department of Ed, DHHS for HIPAA, etc.)
– Lead effort to notify affected parties
• IT Security investigates hacking suspicions, virus
infections, and phishing-type incidents and will
involve me when needed
NMSU’s way of handling incidents
• Compliance Officer maintains the data breach files
fully encrypted
• A concluding memo is always written stating
what happened, what we did, and what we are
going to do to prevent future reoccurrences. A
copy is sent to the applicable federal agency.
We have had to send several copies to the U.S.
Department of Ed – sample communication and
recommended steps
Lessons Learned
• Involve as many functions as possible when
getting feedback on draft policies and
procedures to ensure they are understandable
by most employees
– What matters is the awareness that you are creating and that
employees are being made aware of their responsibilities
• Get Governing Body and Executive
Administration Support/Buy-in
• Procedures are a living document
How to Handle Data Breaches
and IT Incidents
Q & A
Carlos S. Lobato
NMSU IT Compliance Officer