1 Damage Control: When Your Security Incident Hits the 6 o’clock News
Marilu Goodyear, CIO, University of Kansas
Robert Clark, Jr., Director of Internal Auditing, Ga Tech
Dan Updegrove, VP for IT, The U of Texas at Austin
Educause 2003, Anaheim, California, Nov 5, 2003

2 Abstract (Goodyear/Clark/Updegrove, Educause 2003)
Even carefully deployed security systems aren’t 100% safe. While we work to reduce security exposures, we must also prepare for the day an incident hits the headlines. One way to prepare is to study lessons learned by those who have “been there, done that”: what worked, what didn’t, surprises encountered, surviving the crisis.

3 When in crisis, plan
Marilu Goodyear, Vice Provost for Information Services and CIO, University of Kansas
goodyear@ku.edu

4 KU INS Data Incident
January 21, 2003: tech staff member reports a compromise on the machine being used to compile SEVIS data for submission
KU immediately launched technical investigation; determined next day that the SEVIS test file had been taken (as well as rogue activity relating to movies and music)
File contained data from Student Information System extract, matching on:
 – Country of permanent address
 – Presence of visa information
Included some US students due to mismatches
1,900 records with this info: Name, Student ID No., Social Security No., Passport No., Country of Origin, Visa Status

5 Planning in a Crisis
Defined successful outcome
 – Protect our students
 – University acts, and is viewed as, a responsible organization
Mind map to get major areas of concern
Just kept determining next steps
Based on personal planning model
 – David Allen, Getting Things Done
 – www.davidco.com

6 Organization of Response
Team – Overall Strategy
 – Vice Provost/CIO
 – Coordinator of IT Policy
 – External Relations Staff: IT External Relations Officer, Director of University Relations
Team – Technical
 – Associate Vice Provost
 – IT Security Officer
 – Technical staff who work on system

7 Organization of Response
Team – Student Support
 – Director of Office of International Students and Scholars
 – Staff in office building INS file
 – Academic Computing for e-mail communication support
Team – Legal
 – Provost
 – Head, University Counsel
 – VP/CIO
 – Coordinator of IT Policy and Planning

8 Response Activities
Communication with FBI and INS; US Attorney called us after public
Notified State of Kansas Security Officer
Press release; waited to see if it had “legs”, then called a press conference
Student communication: e-mail, Web, one phone number to call for support
Communication with software vendors and SEVIS technical staff

9 What we did right
Took care of the students
 – Notified students quickly (four hours)
 – Provided personal communication for students
 – Legal Services for Students for identity theft assistance
Open communication strategy
 – Provost support
 – Went public quickly (five hours)
 – Had media-savvy admin assistants to deal with phones
 – Press conference to help deliver our message
 – Involved students in the press conference

10 What we did right
Structure of our approach
 – Involvement of campus players, good team of individuals
 – Dynamic communication structure of activities and next actions
Technical
 – Kept vendor name out of press announcements
 – Notification of other IT professionals about their risk
 – Work with software vendor to improve system security
Human resources approach: reward staff for reporting
Failed forward: had meetings to review actions, second-guess and learn

11 What we could have done better
Communication with law enforcement
Attention to open records issues in documenting the incident
Incident response procedures more specific
Communication internally to own staff
Staff assumptions of system security
Language with press: Tech/English/Media translation table
Call them, don’t wait until they call you

12 Recommendations
Preparation activities
 – Crisis communication plan
 – Policy on whether and how to notify individuals affected
 – Protocol for working with University Relations, Legal Counsel
 – Prepare communication materials
In the heat of the moment
 – Determine outcomes
 – Plan
 – Act
 – Communicate

13 I’m from Internal Auditing, and I’m here to help you…
Robert N. Clark, Jr., Director of Internal Auditing, Georgia Institute of Technology
Rob.Clark@business.gatech.edu

14 Responding to Info Security Incidents
Information on an incident may come from a variety of sources:
 – OHR – personnel-related complaint
 – Legal Affairs – person seeking legal advice
 – Financial Services – questionable transaction(s)
 – Campus Police – allegation of illegal behavior
 – Information Security – analysis of questionable traffic or use, spurious bandwidth usage, intrusion detection reports, etc.
 – Internal Auditing – information discovered during audit; Fraud, Waste, & Abuse Hotline; etc.
 – Unit management with concerns over activity, etc.

15 Responding to Info Security Incidents
Challenge: ensuring a consistent approach to dealing with incidents
Risk: if investigation not handled appropriately or consistently, puts Institute at risk
Solution: IA recommended creation of ad-hoc task force and procedure to address Info Security incidents

16 (Diagram of the collaborative process) http://www.audit.gatech.edu/IAcollabrative2.wmf

17 Step 1
Incident is brought to attention of member of mgmt
He/she convenes Ad-Hoc Group [CIO, Chief Audit Executive, Chief Legal Advisor, Director of Information Security, AVP-OHR, Director Homeland Security]
“What do we know now?” Group shares info to determine other resources that may need to be involved (e.g., AVP-Financial Services, Director Institute Communications, Chief Technology Officer, head of affected unit, etc.)
Group determines needed resources

18 Step 2
Group makes a determination on the potential outcome
 – E.g., if the situation/allegations are proven true, will this likely result in (1) legal action, or (2) administrative/personnel action only?
 – This determines procedures to be followed in conducting the investigation and standard of evidence to which we should adhere
 – Also determines whether law enforcement should be notified and/or involved

19 Step 3
Group determines who will take the lead in facilitating the investigation. This person:
 – Coordinates efforts, arranges meetings, initiates status reporting
 – Initiates status reporting to the Office of the President
 – Determines appropriate custodian of investigation data
 – Facilitates reporting at the end of investigation

20 Step 4
Investigation is conducted following appropriate procedures agreed to by Group
Regular communication with Group on status, observations, noteworthy issues
Report is produced by the facilitator and reviewed (if necessary) by Group to ensure all are aware of key issues

21 Step 5
Group re-convenes to:
 – Evaluate effectiveness of process;
 – Document “lessons learned”;
 – Track total cost of incident in time and resources; and
 – Discuss ways the situation may be prevented in the future, e.g., additional audit steps to examine for this elsewhere? Need for policy enhancement? Need for additional education/awareness?

22 Handling a Breach in Security
Dan Updegrove, VP for Information Technology, The University of Texas at Austin
d.updegrove@its.utexas.edu

23 UT Austin SSN Data Theft Chronology
Sun, Mar 2, 7:20 p.m.: Initial observation of high-volume database access from off-campus
Mar 3, a.m.: Law enforcement contacted
Mar 4, p.m.: Evidence points to UT student
Mar 5, p.m.: Two residences searched: Austin, Houston
Mar 5, p.m.: Austin American-Statesman breaks story; UT datatheft website deployed
Mar 14: UT undergraduate student charged
Nov 5: Federal case still pending …

24 UT Austin SSN: What Happened?
An insecure interface to a UT mainframe database provided access to over 1 million records
A rogue program was written to input 2.6 million sequential SSNs against this interface. Of these, ~50,000 matched, disclosing names of current/former UT Austin students, faculty, staff, admission & job applicants, library patrons; current/former fac/staff at other UT campuses
No evidence to date that SSNs, names misused or disseminated – but it’s impossible to “prove a negative”
UT has attempted to contact all individuals affected
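The pattern the two UT slides describe (a single off-campus source walking consecutive identifiers through a lookup interface, with only a small fraction of queries matching a record) is one a defender can flag from access logs. The script below is an added example written for this transcript; it is not UT's code, and the log format, the campus address range, the thresholds and the sample traffic are all assumptions constructed for the illustration (the identifiers are synthetic, not SSNs).

```python
"""Flag high-volume, sequential identifier probing against a record-lookup interface.

Added illustration for the UT Austin slides above; log format, thresholds and
sample data are assumptions, not the university's own detection logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed campus address space; 192.0.2.0/24 (a documentation range) stands in for it.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_line(line):
    """Assumed log format: '<ISO-8601 timestamp> <client ip> <queried id> <hit|miss>'."""
    ts, ip, ident, result = line.split()
    return {"time": datetime.fromisoformat(ts), "source": ip,
            "id": int(ident), "hit": result == "hit"}


def is_off_campus(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CAMPUS_NETS)


def max_requests_in_window(times, window):
    """Largest number of requests from one source inside any rolling window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_enumeration(lines, window=timedelta(seconds=60), min_requests=50,
                       min_sequential_ratio=0.8):
    """Return one alert per source whose lookups are both high-volume and dominated
    by consecutive identifiers. The hit ratio is reported as corroborating evidence:
    legitimate lookups mostly find the record they ask for, enumeration mostly misses."""
    by_source = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            by_source[rec["source"]].append(rec)
    alerts = []
    for source, recs in by_source.items():
        recs.sort(key=lambda r: r["time"])
        burst = max_requests_in_window([r["time"] for r in recs], window)
        if burst < min_requests:
            continue
        ids = [r["id"] for r in recs]
        steps = [b - a for a, b in zip(ids, ids[1:])]
        sequential_ratio = (sum(1 for s in steps if s == 1) / len(steps)) if steps else 0.0
        if sequential_ratio < min_sequential_ratio:
            continue
        hits = sum(1 for r in recs if r["hit"])
        alerts.append({
            "source": source,
            "off_campus": is_off_campus(source),
            "requests": len(recs),
            "peak_in_window": burst,
            "sequential_ratio": sequential_ratio,
            "hit_ratio": hits / len(recs),
            "first_seen": recs[0]["time"].isoformat(),
            "last_seen": recs[-1]["time"].isoformat(),
        })
    return alerts


def build_sample_log():
    """Constructed sample traffic (synthetic identifiers, not real SSNs)."""
    base = datetime(2003, 3, 2, 19, 20, 0)
    lines = []
    # One off-campus client walking 300 consecutive identifiers, ~2% of which exist.
    for i in range(300):
        t = base + timedelta(milliseconds=100 * i)
        result = "hit" if i % 50 == 0 else "miss"
        lines.append(f"{t.isoformat()} 203.0.113.7 {100000000 + i} {result}")
    # A handful of ordinary on-campus lookups that find their records.
    for i, ident in enumerate([100000423, 100000077, 100000999, 100000512, 100000301]):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} 192.0.2.10 {ident} hit")
    return lines


if __name__ == "__main__":
    for alert in detect_enumeration(build_sample_log()):
        print(alert)
```

Run stand-alone it prints one alert for the probing client and none for the on-campus user. The three signals are deliberately separate: volume alone catches a busy legitimate batch job, sequential identifiers alone catch a short audit, but all three together (burst, consecutive ids, low hit ratio) are characteristic of brute-force enumeration and give the responder the first-seen and last-seen times needed for the chronology on the previous slide.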

25 UT Austin SSN: Communications
https://www.utexas.edu/datatheft/
 – UT’s public statement
 – Links to US Attorney statements
 – Link to email: over 2,000
 – Link to data form: over 6,500
 – Toll-free hotline: over 3,000
Press conference, same day story broke in the Austin American-Statesman
U.S. mail to all for whom UT can obtain addresses
Confusion, concern re “data theft” vs. “identity theft”
Total costs of incident exceed $120,000

26 UT SSN: Issues, Aftermath
Highlights risk of SSN as University ID
 – UT Austin Cmte had been addressing this issue
Web front-ends remove “security by obscurity”
Downside of integrated databases
All UT System (15 campuses) central & mission-critical applications undergoing security review
UT System has launched a Security Advisory Cmte and a SSN Task Force

27 What & When to Disclose?
Should individuals be advised if their data exposed?
What constitutes a “security breach”?
 – Does any access to root compromise all data on system?
 – What if all evidence points away from personal data?
Potential for needless panic, versus potential for further damage to individuals – and institution – if “data theft” becomes “identity theft”
Public relations implications
Ethical implications
Legal requirements: none in Texas currently, but this may change if current California law is adopted elsewhere

28 California Civil Code 1798.29
(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

29 California 1798.29 (Cont’d)
(e) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
 – (1) Social security number.
 – (2) Driver's license or California ID Card number.
 – (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

30 California 1798.29 (Cont’d)
(g) For purposes of this section, "notice" may be provided by one of the following methods:
 – (1) Written notice,
 – (2) Electronic notice,
 – (3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of: (A) E-mail (B) Conspicuous posting of the notice on the agency's Web site page (C) Notification to major statewide media

31 UC System Response to 1798.29
University of California System requires its campuses to take these steps to comply with the new state law that requires notification of people after a hacker/intruder has viewed their personal data:
Data Inventory ~ Set up a process to identify:
 – Where personal information is used and stored.
 – Who has authority to gain access to and use the data.
 – The custodian of the data.
 – An acceptable level of security protection for the data.

32 UC System Response (Cont’d)
Reporting requirements:
 – Campuses must report immediately in writing to UC Assoc VP for Info Res & Communication anytime there has been a security breach.
 – When the incident is closed, the report should provide a description of the incident, the response process, the notification process, and the actions taken to prevent further breaches of security.
Source: Chronicle of HE, June 6, 2003
See also: Full text of UC policy

33 Likely Federal Legislation?
Sen. Feinstein (D-CA) has introduced legislation, “Notification of Risk to Personal Data Act”, modeled after the California law, with its ambiguities
HB 2262, which amends the 1996 Fair Credit Reporting Act, passed in the House of Representatives Sept. 10 and awaits action in the Senate; weaker than some state laws, would reduce individual rights, says PIRG in Daily Texan, 9/25/03
“You have no privacy; get over it,” S. McNealy, CEO, Sun, 1999

34 Existing Federal Legislation
The Privacy Act of 1974 (5 U.S.C. 552A)
Family Educational Rights & Privacy Act (FERPA) of 1974
Electronic Communications Privacy Act (ECPA) of 1986
Health Insurance Portability and Accountability Act (HIPAA) of 1996
Gramm-Leach-Bliley Act, "Privacy of Consumer Financial Information" of 1999
USA Patriot Act of 2001

35 Resources
Ga Tech, “New security measures protect your information”: www.ferstcenter.gatech.edu/boxoffice/security.php
KU, “Protecting your identity”: www.ku.edu/identity/
UT, datatheft site: www.utexas.edu/datatheft/
Educause-Internet2 Security Task Force: www.educause.edu/security/
Privacy Rights Clearinghouse identity theft resources: www.privacyrights.org/identity.htm
Chronicle of Higher Education: www.chronicle.com
