Data Incident Notification Policies and Procedures

Tracy Mitrano and Steve Schuster


Transcript of Data Incident Notification Policies and Procedures

Page 1: Data Incident Notification Policies and Procedures

Data Incident Notification Policies and Procedures

Tracy Mitrano

Steve Schuster

Page 2: Data Incident Notification Policies and Procedures

Questions That Need to Be Answered

• Does your institution have policies that protect data?
• Does your institution have processes to develop enforceable policy?
• Does your institution have a central IT security office and how should it function?
• How do you know when you’ve had a security incident?
• How do you know when you need to notify?

Page 3: Data Incident Notification Policies and Procedures

Two Generalizations about Policy and Process: (1)

• Critical to have a policy process…
  – Legal compliance primarily
  – Deference to the complex nature of higher education secondarily
    • Especially as higher education becomes more international in scope and information technology is increasingly intermingled with the law, the market and changing norms within society
• …no matter what the particular culture or structure of your institution.

Page 4: Data Incident Notification Policies and Procedures

Two Generalizations about Process: (2)

• It almost always does, or should, boil down to three essential steps:
  – Responsible office brings forward concept to a high-level committee
    • Audit, Counsel, VPs, Dean of Faculty or even President and Provost
  – Mid-level review for implementation
    • The greater the representation of the campus community the better
  – Back to the high level for signoff and promulgation.

Page 5: Data Incident Notification Policies and Procedures

http://www.cit.cornell.edu/oit/policy/framework-chart.html

Page 6: Data Incident Notification Policies and Procedures

Information Security of Institutional Data

• Policy Statement
  – Every user of institutional data must manage it responsibly
• Appendix A – Roles and Responsibilities
• Appendix B – Minimum Data Security Standards

Page 7: Data Incident Notification Policies and Procedures

Data Classification

• Cost/Benefit Analysis
• Costs (financial and administrative):
  – Administrative burden
  – Financial cost of new technologies
  – New business practices
• Benefits (mitigating risk):
  – Legal check list
  – Policy decisions (prioritizing institutional data)
  – Ethical considerations?

Page 8: Data Incident Notification Policies and Procedures

Legal Check List

Type of Data             Privacy Statement   Annual Notice   Notification Upon Breach   Legislative Private Right of Action*   Government Enforcement   Statutory Damages
Personally Identifiable  o                   o               x                          O                                      x                        x
Education Record         x                   X               o                          o                                      x                        o
Medical Record           x                   o               o                          x                                      x                        x
Banking Record           x                   x               o                          o                                      x                        x

Page 9: Data Incident Notification Policies and Procedures

Does Your Institution have a central IT security office and how should it function?

• How many have a dedicated security office?
• Several benefits
  – Identified individual to consistently address and respond to security concerns
  – Not responsible for delivering services that may conflict with security
  – Tasked with developing incident response and remediation process
• Some common functions
  – Incident response
  – Security infrastructure development
  – Awareness
  – Governance

Page 10: Data Incident Notification Policies and Procedures

How do you know when you’ve had an incident?

• An indication of potential compromise can come from anywhere
• External indications
  – SPAM complaint
  – Scanning complaint

Page 11: Data Incident Notification Policies and Procedures

How do you know when you’ve had an incident?

• Internal indications
  – Network monitoring
  – IDS/IPS alerts
  – Internal scanning
  – Local identification

Page 12: Data Incident Notification Policies and Procedures

How do you know when you’ve had an incident?

050818104944 [itsor ~] telnet 128.253.155.211 65534
Trying 128.253.155.211...
Connected to 128.253.155.211.
Escape character is '^]'.
220-...
220--=+=============================================================+=-
220--=+,..ª¨=ªÊ§∫≤∞¥∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê =¨´.,+=-
220--=+=============================================================+=-
220--=+                                                             +=-
220--=+ wlc0m                                                       +=-
220--=+                                                             +=-
220--=+ Th0u $h4Ll Re$p3cT the rµLeZ                                +=-
220--=+                                                             +=-
220--=+ Th0u $h4Ll n0t r3h4cK                                       +=-
220--=+ Th0u $h4Ll n0t h4mMr                                        +=-
220--=+ Th0u $h4Ll n0t Re$c4N                                       +=-
220--=+ aNd n0w eNj0y :)                                            +=-
220--=+                                                             +=-
220--=+=============================================================+=-
220--=+,..ª¨=ªÊ§∫≤∞¥∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê=¨´.,+=-
220--=+=============================================================+=-
220--=+                                                             +=-
220--=+ server uptime: 2d 13h 20m 3s.                               +=-
220--=+ users since start: 2                                        +=-
220--=+ logged in: 6 total                                          +=-
220--=+ users since last 24h: 6                                     +=-
220--=+ upload since start: 0 kb @ 0 file(s)                        +=-
220--=+ download since start: 0 kb @ 0 file(s)                      +=-
220--=+ average throughput: 0.000 kb/s                              +=-
220--=+ the current bandwidth use is 0.000 kb/s                     +=-
220--=+ your ip: 132.236.54.173                                     +=-
220--=+ free diskspace: 72608.19 MByte                              +=-
220--=+                                                             +=-
220--=+=============================================================+=-
220--=+,..ª¨=ªÊ§∫≤∞¥∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê=¨´.,∏_∏,.ª¨=ʧ∫≤∞`∞≤∫§Ê=¨´.,+=-
220 -=+=============================================================+=-
^]
telnet> quit
Connection closed.
050818104944 [itsor ~]

Page 13: Data Incident Notification Policies and Procedures

How do you know when you’ve had an incident?

• Everyone has incidents, but what matters is the type of data stored on the computer
• The following data mean significantly more work
  – Social security numbers
  – Credit card numbers
  – Driver’s license numbers
  – Other protected data

Page 14: Data Incident Notification Policies and Procedures

How do you know when you need to notify?

• Establishing reasonable belief of unauthorized data access is not an exact science
• Institution-wide decision making is imperative
• Thorough computer and network analysis is required

Page 15: Data Incident Notification Policies and Procedures

Institution-Wide Decision Making

• Data Incident Response Team (DIRT)
• DIRT meets for every incident involving critical data
• DIRT objectives
  – Thoroughly understand each incident
  – Guide immediate required response
  – Determine requirement to notify

Page 16: Data Incident Notification Policies and Procedures

DIRT Members

• Core Team
  – University Audit
  – Risk Management
  – University Police
  – University Counsel
  – University Communication
  – CIO
  – Director, IT Policy
  – Director, IT Security
• Incident Specific
  – Data Steward
  – Unit Head
  – Local IT support
  – Security Liaison
  – ITMC member

Page 17: Data Incident Notification Policies and Procedures

Computer and Network Analysis

• Data sources
  – System data
    • What data are on the computer
    • How are these data stored
    • When were they last accessed or modified
    • What was the method of compromise
  – Network data
    • Who has been accessing this system
    • What were the services used
    • What was the method of compromise
    • What was the amount of uploads and downloads
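Slide 13 names the data types that raise the stakes (SSNs, card numbers) and slide 17 asks what data are on the computer. As an added example that is not part of the presentation, this Python scanner answers that question for recovered file contents: it looks for SSN-shaped values and for 13- to 16-digit runs that pass the Luhn check, so that a DIRT review starts from a count of protected records per file rather than a guess. The sample files are constructed, not data from any real incident.

```python
import re

# Constructed sample of file contents recovered from a compromised host (not real data).
SAMPLE_FILES = {
    "export.csv": "id,name,ssn\n1,Ann,123-45-6789\n2,Bob,987-65-4321\n",
    "orders.txt": "card 4111 1111 1111 1111 approved; card 1234 5678 9012 3456 declined\n",
    "notes.txt": "meeting at 10:30, room 4111\n",
}

# SSN: AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000 (never issued).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most random digit runs such as phone or order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count SSN-shaped values and Luhn-valid card numbers in one file's contents."""
    findings = {"ssn": len(SSN_RE.findall(text)), "card": 0}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings["card"] += 1
    return findings


def classify_host(files: dict) -> dict:
    """Return only the files that hold protected data, with per-type counts."""
    report = {}
    for name, text in files.items():
        f = scan_text(text)
        if f["ssn"] or f["card"]:
            report[name] = f
    return report


if __name__ == "__main__":
    for name, counts in classify_host(SAMPLE_FILES).items():
        print(f"{name}: {counts}")
```

Bob's 987-65-4321 is dropped because area numbers 900-999 were never issued, which is one reason a pattern match alone overstates exposure.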

Page 18: Data Incident Notification Policies and Procedures

Computer and Network Analysis

Page 19: Data Incident Notification Policies and Procedures

Computer and Network Analysis

Page 20: Data Incident Notification Policies and Procedures

Computer and Network Analysis

Page 21: Data Incident Notification Policies and Procedures

How Do You Know when You Need to Notify?

[Chart: five possible findings plotted against a “Need to Notify” axis]

• Confirmed Data Were Not Acquired
• Reasonable Belief Data Were Not Acquired
• No Data Available for Analysis
• Reasonable Belief Data Were Acquired
• Access to Data Confirmed

Page 22: Data Incident Notification Policies and Procedures


Page 23: Data Incident Notification Policies and Procedures

Likelihood of Unauthorized Access

• Reasonable belief data were acquired
  – System compromise occurred a significant time ago
  – File MAC times after compromise and not tied down to support application
  – Significant remote access and download
  – More sophisticated hacker tools
  – Etc.
• Reasonable belief data were NOT acquired
  – Compromise identified quickly
  – File MAC times consistently before compromise
  – Limited or no network download
  – More benign hacker tools
  – Benign system use characteristics
  – Etc.
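The indicators above, together with the five findings on slide 21, amount to a decision procedure. As an added example that is not part of the presentation, this Python function turns collected evidence into one of those findings and records which indicators drove it, so the DIRT discussion has a written rationale. The dwell-time and download thresholds are assumptions for illustration; the slides give no numeric cut-offs, and the two scenarios are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; the slides give no numeric cut-offs.
LONG_DWELL = timedelta(days=7)
LARGE_DOWNLOAD = 50 * 1024 * 1024  # bytes


@dataclass
class Evidence:
    compromise_time: datetime
    detection_time: datetime
    sensitive_mac_times: list        # MAC times of files that hold protected data
    bytes_downloaded: int            # egress attributed to the intruder
    sophisticated_tools: bool        # beyond a plain scan/warez kit
    complete_egress_capture: bool    # network records cover the whole window
    data_available: bool = True      # False if disk and logs were wiped or never kept
    access_confirmed: bool = False   # direct evidence the protected files were taken


def assess(ev: Evidence):
    """Map evidence to the five findings on slide 21 using slide 23's indicators."""
    if not ev.data_available:
        return "No Data Available for Analysis", ["nothing to analyze"]
    if ev.access_confirmed:
        return "Access to Data Confirmed", ["direct evidence of access"]
    touched = [t for t in ev.sensitive_mac_times if t > ev.compromise_time]
    reasons = []
    if ev.detection_time - ev.compromise_time > LONG_DWELL:
        reasons.append("compromise occurred a significant time ago")
    if touched:
        reasons.append(f"{len(touched)} sensitive file(s) touched after compromise")
    if ev.bytes_downloaded >= LARGE_DOWNLOAD:
        reasons.append("significant remote download")
    if ev.sophisticated_tools:
        reasons.append("sophisticated hacker tools")
    # "Confirmed" needs positive evidence: complete capture with zero egress, files untouched.
    if not reasons and ev.complete_egress_capture and ev.bytes_downloaded == 0:
        return "Confirmed Data Were Not Acquired", ["full capture shows no egress"]
    if len(reasons) >= 2:
        return "Reasonable Belief Data Were Acquired", reasons
    return "Reasonable Belief Data Were Not Acquired", reasons or ["benign indicators only"]


# Constructed scenarios (not incidents from the presentation).
def warez_case() -> Evidence:   # found in three days, nothing touched, full capture, no egress
    t0 = datetime(2005, 8, 15, 10, 0)
    return Evidence(t0, datetime(2005, 8, 18, 10, 49), [t0 - timedelta(days=30)], 0, False, True)


def long_dwell_case() -> Evidence:   # months of dwell, files touched, 200 MB out, custom tooling
    t0 = datetime(2005, 6, 1)
    return Evidence(t0, datetime(2005, 8, 18), [t0 + timedelta(days=40)], 200 * 1024 * 1024, True, False)
```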

Page 24: Data Incident Notification Policies and Procedures

Data Incident Notification Toolkit*

• Provide a tool that pulls from our collective experience.
• A real-time aid for creating the various communications that form data breach notification.
• An essential part of an incident response plan.
• http://www.educause.edu/DataIncidentNotificationToolkit/9320

* Hosted by EDUCAUSE

Page 25: Data Incident Notification Policies and Procedures

Notification Templates

• Outlines and content for
  – Press Releases
  – Notification Letters
  – Incident Specific Website
  – Incident Response FAQs
  – Generic Identity Theft Web Site
• Sample language from actual incidents
• Food for thought – one size does not fit all