REDEFINING THE BOUNDARIES OF RISK MANAGEMENT, NOW AND INTO THE FUTURE

Transcription

1 CYBER RISKS SECURITY BREACH CHECKLIST REDEFINING THE BOUNDARIES OF RISK MANAGEMENT, NOW AND INTO THE FUTURE STEP 1 UNDERTAKE PRELIMINARY ASSESSMENT OF THE INCIDENT A serious data security breach is described in the Data Breach GPN as a breach: - that could cause significant threat of harm to individuals; - where large volumes of data are involved (generally 1000 people); - where sensitive data is involved, such as financial or medical records or unencrypted personal data. When and the location where the security breach occurred? How is it suspected that the breach occurred? Description of devices, paperwork or electronic data that was lost, stolen or breached? If devices were stolen, were they immediately reported to law enforcement? What personal data might be involved? - An individual s name - Identification Number - Financial Data - Driver s License Number - Credit Card Information - Health Information - Any other specific information that might identify an individual Can the data be used for fraudulent or other purposes? (for what might the electronic data be used?) What is the value of the electronic data? Is there further information at risk? Estimate of how many individuals / services (exchange/financial services etc.) were affected by the security breach? THE POWER OF KNOWLEDGE AUTHORISED FINANCIAL SERVICES PROVIDER, LICENSE NUMBER: APPROVED LLOYD S COVERHOLDER PIN: DRW Camargue Underwriting Managers (Pty) Ltd. Co. Reg. No. 2000/028098/07. DIRECTORS: MG Marescia (Managing), V Hayter, A Mullins, GJ de Bruin, LM Carciumaru. 33 Glenhove Road, Melrose Estate, Postnet Suite 250, Private Bag X4, Bedfordview, 2008 Telephone: , Facsimile: , camargue@camargueum.co.za, Website:

2 STEP 2 INVESTIGATION STEPS Ensure that there is a security response team with an identified team leader and deputy leaders if the team leader is not available. The nature and cause of the breach. Asses if the data breach is still active and stop it. The extent of the damage or harm that results or could result from the breach. Identify and institute immediate action to stop the source or entity responsible for incident. Identify system, application, or electronic device compromised and begin identification process to determine whose information was compromised and what data elements were included. Determine need to notify key internal stakeholders not represented on the team. Determine if the response team has enough knowledge / experience to rectify the problem if not hire external assistance. Identify the source or suspects involved in the event: - Is the source of data breach an external vendor or business associate. - Is the source of the breach a current employee establish existence of criminal record, privacy and security education and training. - Is the source of the breach external involve law enforcement agency to determine appropriate action. Institute computer forensic investigation to gather evidence and determine course of events as well as determine and identify electronic device compromised. Determine need to notify external entities: - Legal Counsel - IT Forensic Support - Law Enforcement Agency - Victims - Media Determine likelihood of harm and possible recipient of information, if known. Requirements of regulatory reporting and disclosure. STEP 3 NOTIFY APPROPRIATE PEOPLE WITHIN THE ENTITYS Other data controllers. If there are other data controllers of the personal data in question, you may want to notify them. Insurers. Notification of potential claims may be an insurance policy requirement. Data subjects. In the Data Breach GPN, the Information Commissioner cautions that data subjects should not be notified of a data security breach unless there is a reason for doing so. Data controllers should instead consider whether the data subject will benefit from knowing about the data security breach, involving their personal data, for example, by being able to change passwords or bank accounts to help prevent potential fraudulent use of the data. The Information Commissioner also suggests that data controllers may wish to consider providing data subjects, whose personal data security is at risk, with assistance in dealing with practical issues, such as identity fraud checking services. 2 SECURITY BREACH CHECKLIST

3 Make the following Executive Officer s contacts: Make the following internal contacts: - The Chief Executive Officer - Chief Information Security Officer (CISO) - Head Internal Audit Officer - Head of Forensic Department - Head of IT - Management responsible for the business area - Management responsible for Administration - Chief Information Officer - Information Security Officer - Legal Office STEP 4 EVALUATION OF THE SCOPE OF THE INCIDENT Does there appear to be evidence of suspicious behavior or negligence by an employee? Type of incident targeted theft of data or incidental as part of a crime of opportunity (ie. laptop left unaccompanied). Was there criminal intent by an employee? Determine who needs to conduct interview of employee? Has the entity completed an IT security incident form? Does a backup of the system/data exist? Is there a similar functioning device that needs to be analyzed to help determine the risk? Does the Human Resource department need to be involved? If there was physical damage to a building, should the entity hire security guards? Do the access codes for the building need to be changed or updated? Were users ID and passwords disabled that might have been associated with the stolen or lost devices? Should the entities employees be briefed on the situation? Has a key person within the entity been identified to monitor the progress and communicate the actions to the appropriate people identified in Step 3 of this checklist? STEP 5 DETERMINE NEED TO NOTIFY PUBLIC Do employees need to be informed of the incident? Should the public be notified of the incident? If so, consider the following: 1 Develop talking points 3 Press Conference. - What will be the Key Message communicated? 4 Contact other provinces. - What will the next steps be? 5 Any public organizations that could assist in 2 Press Release. communicating the information to the public. If law enforcement was involved, did the entity consult with them to determine the timing of what and when details of the security breach could be released to the public? Has a spokesman or public relations official been designated as the contact person for releasing information? Have the communication messages regarding the security breach been coordinated? When does the entity need to notify affected citizens? 3 SECURITY BREACH CHECKLIST

4 What types of services need to be purchased for affected individuals in order to mitigate the data breach? - Does a contract need to be setup with one of the credit bureaus (e.g. Equifax, Experian or TransUnion) to provide free credit monitoring for affected individuals? - How often should the credit bureau track statistics and report any identity thefts to the entity? - If a contract is established with one of the credit bureaus, how will the information be communicated to the individuals? - Does a reminder letter on the credit services need to be sent to the citizens? - When the credit bureau is unable to locate a credit file for an individual, should a notification be sent? STEP 7 ANALYZE NEED TO ADDRESS DATA SECURITY WEAKNESSES Did the entity have full disk encryption on the hardware devices? Was the security software up-to-date? Did the entity employ other local security measures outside of encryption (ie. password protected files, multiple factor authentication, etc.)? Did the entity have security procedures in place? If so, were the procedures followed? If not, do procedures need to be implemented? Does the entity need to conduct a security assessment? Should this type of sensitive data be stored in the current location? Does the access to the data need to be restricted? Was the data being saved to the network and not to the local hard drives? If the data should be stored in that particular location, is there a way to truncate the information? If the entity has branch offices with similar security, should the alarms be tested? Does the entity need to conduct a risk analysis and security threat assessment if items were stolen from the building? STEP 8 FOLLOW-UP PROTOCOL IDENTIFYING OPPORTUNITIES FOR IMPROVEMENT 1 Evaluation of Security Incident Response Identify actions: - Identification measures (incident verified, assessed, options evaluated) - Evidence collected - Eradication measures - Recovery measures 4 SECURITY BREACH CHECKLIST

5 CYBER RISKS Determine: - How well did the forensic team members respond to the event? - Were documented procedures followed and were they adequate? - What information was needed sooner? - Were there any steps or actions that might have inhibited recovery? - What could the forensic team do differently the next time an incident occurs? - What corrective actions can prevent similar events in the future? - What additional resources are needed to detect, analyze and mitigate future incidents? - Can missing electronic data be recreated to provide continuity of services? - What external resources and contacts proved helpful? - Other conclusions or recommendations 2 FOLLOW-UP Security incident response form completed and supporting documentation made part of form or filed as attachments. Policy and process review completed and all necessary changes made based on the shortcomings identified through managing the event. Training, education, and awareness carried out (balancing need for awareness with disclosure of event). Event documented as educational case study for internal use. Contact Cyanre on or for immediate security and forensic assistance when a breach is detected. Adopted from various Internet and academic sources THE POWER OF KNOWLEDGE AUTHORISED FINANCIAL SERVICES PROVIDER, LICENSE NUMBER: APPROVED LLOYD S COVERHOLDER PIN: DRW Camargue Underwriting Managers (Pty) Ltd. Co. Reg. No. 2000/028098/07. DIRECTORS: MG Marescia (Managing), V Hayter, A Mullins, GJ de Bruin, LM Carciumaru. 33 Glenhove Road, Melrose Estate, Postnet Suite 250, Private Bag X4, Bedfordview, 2008 Telephone: , Facsimile: , camargue@camargueum.co.za, Website: