Auditing your institution's cybersecurity incident/breach response plan
Objectives
> Provide an overview of incident/breach response plans and their intended benefits
> Describe regulatory/legal requirements related to incident/breach responses
> Describe key aspects of response plans that should be reviewed as part of your audit
Overview and benefits of cybersecurity incident/breach response plan
Why is cybersecurity incident/breach response important?
> Frequency: breaches are happening more frequently
> Media attention: 2014 was a record year for breaches in the press/media
> Requirements: regulations require incident/breach response plans
Why does your institution need a cybersecurity incident/breach response plan?
> It is not a matter of if your institution will have an incident or breach, it is a matter of when
> Decentralized organizations with numerous stakeholders increase the likelihood of ad hoc responses
> An inappropriate or inadequate response can lead to reputational and financial damage
Impacts of data breaches
> Deceptive or unfair trade charges
> Regulator scrutiny
> Regulatory sanctions
> Fines
> Legal liability
> Negative publicity
> Damage to brand
> Damaged customer relationships
> Damaged employee relationships
> Refusal to share personal information
What is a cybersecurity incident/breach response plan?
> "Capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits" (ISACA)
What goes into a cybersecurity incident/breach response?
> IT risk framework
> Data and system inventory
> Laws and regulations
> Cybersecurity incident/breach response plan
How cybersecurity incident/breach response plans align to various IT frameworks
> COBIT: Deliver & Support, DS8 Manage Service Desk and Incidents
> ITIL: Service Operation 4.1.5
> ISO 27002: 13.0 Information Security Incident Management; 14.0 Business Continuity Management
> NIST SP 800-61: Incident response guide
What should a cybersecurity incident/breach response plan accomplish?
> Preparation
> Detection and Analysis
> Containment, Eradication, and Recovery
> Post-Incident Activity
Regulatory/legal requirements for cybersecurity incident/breach response
Regulatory/legal requirements: where to start
> Regulatory review starts with information governance
> Identify and classify data/information and where it lives in your institution
> Request a list of all important business processes and applications, and the contracts for any of those processes or applications that are provided by a third party
> Review the contracts to confirm that they address cybersecurity and data breach matters
Regulatory response over time
> 1974: Privacy Act & FERPA
> 1996: HIPAA
> 1998: Safe Harbor (European Union)
> 1999: GLBA
> 2001: Cybersecurity Enhancement Act
> 2003: California Data Breach Law
> 2006: PCI DSS v1
> 2009: HITECH
> 2010: Massachusetts Privacy Law
> 2014: Kentucky, 47th State Data Breach Law
> 2015: PCI DSS v3
Regulatory/legal requirements for incident/breach response
> FERPA (34 CFR Part 99)
> HIPAA/HITECH: Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191; Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of the American Recovery and Reinvestment Act of 2009 (ARRA)
  Security Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
  Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
> PCI DSS
> State laws
FERPA
Covers: schools that receive funds under an applicable program of the U.S. Department of Education
Key provisions:
> Right of parents or eligible students (i.e., over 18) to review the student's educational records maintained by the school
> Right to request a correction for records they believe to be inaccurate or misleading
> Escalation process for resolving disputes
> Written permission required prior to releasing any information from a student's record (though there are exceptions)
> Recently updated to include student safety and protection from online identity theft
FERPA
> FERPA is not a data breach notification statute
> Notification and response to a breach of FERPA-covered records depends on the nature of the records breached and the requirements of state statutes
> The Department of Education offers some suggestions for handling breaches of FERPA-covered records
HIPAA/HITECH
Covers:
> Health care providers
> Health plans
> Health care clearinghouses
> Employers who administer their own health plans
Protected health information (PHI):
> Covered entities may only use or disclose PHI as permitted by HIPAA
Enforced by:
> Department of Health and Human Services
> State attorneys general
HIPAA/HITECH: what breaches require notification?
> Minimum necessary violations may require breach notification
> Risk assessment factors:
  Nature and extent of the PHI involved
  Unauthorized person who used the PHI
  Whether the PHI was actually acquired or viewed
  Extent to which the risk to the PHI is mitigated
> Exceptions
HIPAA/HITECH notifications
> Parties involved in notification: individuals, HHS, the media, business associates
> Notification requirements: timeliness, content, methods
PCI DSS
A multifaceted security standard
> Includes requirements for:
  i. Business processes
  ii. Security management
  iii. Policies
  iv. Procedures
  v. Network architecture
  vi. Software design
  vii. Other critical protective measures
> Intended to help organizations proactively protect customer payment data
PCI DSS
> What is covered by PCI DSS?
> What to do in the event of a breach?
State laws
47 states + DC, Guam, Puerto Rico, and the USVI have security breach notification laws (exceptions: Alabama, New Mexico, South Dakota)
> The National Conference of State Legislatures maintains a list of state security breach notification laws with links to the text of each law. Check the list regularly, as the state laws continue to change.
> A substantial number of reported breaches have involved non-profit universities and health systems. See the Privacy Rights Clearinghouse Chronology of Data Breaches (listing breaches including those at non-profits, educational institutions, and health facilities).
Auditing the plan for cybersecurity incident/breach response
Cybersecurity incident/breach planning key components
> POLICY: establishes goals and vision for the breach response process; defined scope (to whom it applies and under what circumstances); roles and responsibilities; standards; metrics; feedback; remediation; and requirements for awareness training
> PLAN: covers all phases of the response activities
> PROCEDURES: reports and briefs; online analysis system; website with available resources
Why should a cybersecurity incident/breach response plan be audited?
> Ensures that the plan contains accurate and current information
> Allows the breach response process to be assessed and fine-tuned
> Identifies potential issues in advance, before a breach occurs
> Should a breach subsequently occur, it allows the process to operate more efficiently
What should your cybersecurity incident/breach response plan contain?
Covering the Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity phases:
> Individuals/team that will lead the breach response process and make the final determination that an actual breach has occurred
> Emergency contacts
> Information on relevant regulatory and law enforcement agencies that must be contacted
> Steps required to contain the breach and assess its scope
> Internal reporting system to alert legal, senior management, communications, employees and others
> External reporting to customers, business partners, and the public at large
> Post-mortem assessment and remediation
> Rehearsing (table-top testing) and awareness training
Cybersecurity incident/breach response plan roles
Designated incident lead:
> One individual (and a backup) designated to coordinate the response
> Acts as go-between for management and the response team
> Typically someone from legal
> Coordinates efforts among all groups, notifies appropriate people within the company and externally, documents the response, identifies key tasks, and estimates remediation costs
Who makes the call?
> The response team consists of representatives from IT/security, legal, and senior leadership
> Once the facts are gathered, the most senior-level executive makes the determination that a breach has/has not occurred, and "breaks the glass" to execute the response plan
Emergency contacts and internal reporting system
Emergency contact list should include:
> Representative(s) of the executive management team
> Legal, privacy & compliance
> Operations (security & IT)
> Customer service and/or HR
> Communications/public relations
> Representatives of third-party vendors
> Outside experts
The incident response plan should designate the structure of the internal reporting system
Assessing the breach and response
The incident plan should include steps to contain the breach and assess its scope. Consider:
> Isolating the affected system to prevent further release
> Reviewing/activating auditing software
> Preserving pertinent system logs
> Making back-up copies of altered files, to be kept secure
> Identifying systems that connect to the affected system
> Retaining an external forensic expert to assist with the investigation
> Documenting conversations with law enforcement and steps taken to restore the integrity of the system
Training and awareness
Training: staff should have recurring training, including:
> What constitutes a breach
> What does NOT constitute a breach
> What the appropriate communications channels are for suspected breaches
Awareness: the plan should be tested/rehearsed (table-top testing) not less than once per year
Conclusion
> Incident/breach response planning is critical in helping organizations prepare for and recover from serious breaches
> Many federal and state laws require robust breach notification and response procedures
> Auditing the incident/breach plan can help ensure that it contains accurate and complete information so that it can operate efficiently in the event of a breach
Resources
> CERT (http://www.cert.org/incident-management/)
> EDUCAUSE (www.educause.edu)
> Higher Education Information Security Council, HEISC (https://wiki.internet2.edu/confluence/display/2014infosecurityguide/)
> ISACA (www.isaca.org)
> NIST (www.nist.gov)
> Department of Education Privacy Technical Assistance Center (PTAC) Data Breach Response Checklist (http://ptac.ed.gov/sites/default/files/checklist_data_breach_response_092012.pdf)
> National Conference of State Legislatures (http://www.ncsl.org/research/telecommunications-and-informationtechnology/security-breach-notification-laws.aspx)
> Privacy Rights Clearinghouse Chronology of Data Breaches (http://www.privacyrights.org/data-breach/new)
Additional resources
ACUA
> Promoting Internal Audit: www.acua.org/movie
> Listserv: acua-l@associationlists.com
> Forums: www.acua.org
Baker Tilly
> http://bakertilly.com/insights/acua
Required disclosure and Circular 230 prominent disclosure
The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought.
Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan or arrangement to any other party.
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. 2014 Baker Tilly Virchow Krause, LLP.