Follow the trainer s instructions and explanations to complete the planned tasks.



Similar documents
20. Exercise: CERT participation in incident handling related to Article 4 obligations

Information Security Risks when going cloud. How to deal with data security: an EU perspective.

The supplier shall have appropriate policies and procedures in place to ensure compliance with

Privacy and Electronic Communications Regulations

The potential legal consequences of a personal data breach

Summary of the Dutch Data Protection Authority s guidelines for the Data Breach Notification Act

COMMISSION REGULATION (EU) No /.. of XXX

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

Data Breach Management Policy and Procedures for Education and Training Boards

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

CLOUD COMPUTING FOR ehealth DATA PROTECTION ISSUES

Data protection compliance checklist

How To Protect Your Data In European Law

Coláiste Pobail Bheanntraí

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

Information Society Services and Mandatory Data Breach Notifications: Introduction to Open Issues in the EU Framework

Enterprise Information Security Procedures

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

PRIVACY BREACH MANAGEMENT POLICY

Cork ETB Data Breach Management Policy and Procedures

Data Processing Agreement for Oracle Cloud Services

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

Access Control Policy

Guidelines on Data Protection. Draft. Version 3.1. Published by

Merthyr Tydfil County Borough Council. Data Protection Policy

PRESIDENT S DECISION No. 40. of 27 August Regarding Data Protection at the European University Institute. (EUI Data Protection Policy)

Practical Overview on responsibilities of Data Protection Officers. Security measures

E-PRIVACY DIRECTIVE: Personal Data Breach Notification

Data Protection Breach Management Policy

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Incident reporting procedure

CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0

Data Protection in Ireland

Office 365 Data Processing Agreement with Model Clauses

Scottish Rowing Data Protection Policy

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

Proposal of regulation Com /4 Directive 95/46/EC Conclusion

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Privacy Policy for Data Collected by Blue State Digital s Clients

DBC 999 Incident Reporting Procedure

Security breach! A closer look from a data protection law perspective November 2014 Gabriel Voisin (Associate)

Data Compliance. And. Your Obligations

ON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS

Matthias Hauss- SRC Security Research & Consulting GmbH October PCI DSS Requirements in the Context of European Data Protection Law

SECURITY MEASURES IN THE PERSONAL DATA PROTECTION RULES: TECHNOLOGICAL SOLUTIONS AND LEGAL ADAPTATION

GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

Information security incident reporting procedure

The impact of the personal data security breach notification law

University of Limerick Data Protection Compliance Regulations June 2015

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures

So the security measures you put in place should seek to ensure that:

Guidance on data security breach management

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE

Standard: Information Security Incident Management

PRIVACY AND DATA SECURITY MODULE

ST IVES CHAMBERS POLICY ON THE COLLECTION AND USE OF DIVERSITY DATA

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

EURODAC Central Unit. Inspection Report

Cloud computing and the legal framework

Data Security Breach Management Procedure

Microsoft Online Services - Data Processing Agreement

AlixPartners, LLP. General Data Protection Statement

Comments and proposals on the Chapter II of the General Data Protection Regulation

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Corporate Information Security Policy

CROATIAN PARLIAMENT 1364

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT

Personal Information Protection Act Information Sheet 11

White Paper Security. Data Protection and Security in School Management Systems

Data Protection Policy

Miami University. Payment Card Data Security Policy

Data Protection and Privacy Policy

Data protection policy

Guidance on data security breach management

1. (a) Full name of proposer including trading names if any (if not a limited company include full names of partners) Date established

California State University, Sacramento INFORMATION SECURITY PROGRAM

ECSA EuroCloud Star Audit Data Privacy Audit Guide

Dealing with data breaches in Europe and beyond

Navigating the Privacy Law Landscape - US and Europe

1. Introduction. 2. Sectoral Areas Affected. 3. Data Security. 4. Data Breach Requirements. 5. Traffic Data

CORK INSTITUTE OF TECHNOLOGY

The primary responsibility for the data processing lies within the Administration Department, which the FINCOP Unit is part of.

RFID and Privacy Impact Assessment (PIA)

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Information Security Policy. Appendix B. Secure Transfer of Information

Security incidents affecting personal data: an exploratory travel from technology to law (*under Chatham House Rule)

HIPAA Security Alert

Recommendations for companies planning to use Cloud computing services

Data Security Breach Management - A Guide

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

Data Protection A Guide for Users

Data Protection Policy

Data Security Incident Response Plan. [Insert Organization Name]

Incident Reporting Guidelines for Constituents (Public)

Transcription:

CERT Exercises Toolset 171 20. Exercise: CERT participation in incident handling related to Article 4 obligations 20.1 What will you learn? During this exercise you will learn about the rules, procedures and best practices in incident handling related to personal data breaches. Information provided to you is based on notification requirements for data breaches for the electronic communication sector introduced by the review of the eprivacy Directive. 43 You should know that the process of notification is parallel to the normal incident handling process and is part of it. During the next two hours you will have a chance to practise a set of activities, which are characteristic for events involving personal data breaches. The term data breach is understood as a security incident related to personal data. 44 These events are usually related to breaches of national law on personal data protection. Specifically, during the exercise you will learn: the terminology related to data breach notification as well as to personal data protection; how to evaluate the severity of data breach incident; how to prepare notifications for different kinds of receivers competent national bodies (data protection authorities) and individuals; how to conduct some specific parts of incident handling process severity evaluation and incident notification. 20.2 Exercise course Follow the trainer s instructions and explanations to complete the planned tasks. 20.2.1 Introduction to the exercise Firstly, it is important to know the terminology related to the data breach and personal data. 45 The most important terms and their definitions are listed here. Personal data breach a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic 43 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Official Journal L 201, 31/07/2002 P. 0037 0047. Available at: http://eurlex.europa.eu/lexuriserv/lexuriserv.do?uri=celex:32002l0058:en:html 44 See definition of personal data breach in the terminology part of the exercise Introduction to the exercise. 45 The terminology is from the ENISA publication Recommendations for technical implementation guidelines of Article 4 (http://www.enisa.europa.eu/activities/identity-and-trust/risks-and-data-breaches/dbn/art4_tech)

172 CERT Exercises Toolset communications service in the European Union. 46 It can be the result of an information security incident (see below) or loss of user control. Information security incident An information security incident is indicated by a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security. 47 Personal data any information relating to an identified or identifiable natural person ( data subject ); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. 48 During the analysis performed by the Art. 29 WP on the explanation of the personal data regarding the four main building blocks that can be distinguished in the definition of personal data : i.e. any information, relating to, an identified or identifiable, natural person. 49 Individual any living natural person affected by the personal data breach. This includes users and subscribers, for private or for business purposes, without necessarily having subscribed to the service that is affected by the breach. 50 Sensitive personal data personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life. The scope of sensitive personal data is broad; for example, membership of a political party is seen as data revealing a political opinion (Directive 95/46/EC). 48 Data controller the natural or legal person, public authority, agency or any other body that alone or jointly with others determines the purposes and means of the processing of personal data (Article 2(d) of Directive 95/46/EC). 48 Data processor the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller (Article 2(e) of Directive 95/46/EC). 48 20.3 The general workflow of personal data breach handling procedures Below is the workflow presenting the general workflow for managing cases of data breach. 51 There are some parts of it that are dedicated to incident handling procedures themselves and will be part of the further exercise activities, which are the parts of this exercise e.g.: 46 Amendment by Directive 2006/24/EC and Directive 2009/136/EC of Directive on Privacy and electronic communications 2002/58/EC: (http://eurlex.europa.eu/lexuriserv/lexuriserv.do?uri=celex:32002l0058:en:html) (http://eur-lex.europa.eu/lex-uriserv/lexuriserv.do?uri=celex:32006l0024:en:html) 47 International Organization for Standardization (ISO), Information technology Security techniques Information security incident management, International Standard, ISO/IEC 27035:2011-09(E) 48 Article 2(a) of Directive 95/46/EC: (http://eurlex.europa.eu/lexuriserv/lexuriserv.do?uri=celex:31995l0046:en:html) 49 Opinion 4/2007 of the Article 29 Data Protection Working Party 50 ENISA, Recommendation on technical implementation guidelines of Article 4 51 The workflow is part of the ENISA document: Recommendations on technical implementation guidelines of Article 4 http://www.enisa.europa.eu/activities/identity-and-trust/risks-and-data-breaches/dbn/art4_tech

CERT Exercises Toolset 173 initial assessments; preliminary notification; detailed notification. Figure 1: Personal Data Breach Management Procedure 52 52 ENISA, Recommendation on technical implementation guidelines of Article 4

174 CERT Exercises Toolset 20.4 Task 1: Data breach incident severity evaluation Now your task is to work with a particular case. Spend five minutes in your group to learn about the case, which is described before. If you need any clarification, ask the trainer. The case is the following: i. The company database administrator notices an access to database at rare hours during a night. He/she investigates the case and decides that it is probably an attack from outside the company. The company cooperates with banks and in its business contracts to process the personal data of banks customers ii. He reports the fact to the company security team. The company security team plays the role of the internal CERT. They have good specialists on network and computer forensics and some of them participated in the events organised by the CERT community for example, the FIRST Conference. Currently they are trying to convince the company management that their team should become an official CERT team and join the European CERT community TERENA TF-CSIRT. iii. The security team contacts the company network and system administrator to explain the case. They explain the possible scenario of a data breach and recommend and suggest some control activities for further investigation of the case. It is recommended to check network connections to the database server, authorisation logs in the local network and remote connections to the company s network. iv. The administrator discovers a new unauthorised account which was created three days ago with administrative privileges on the database server. During this investigation it is also discovered that the host intrusion detection system was not active for almost one week. There is no clear evidence why it was deactivated. Was it an intentional activity or was it a system failure? v. Further investigation shows that more than 10,000 records have been copied from the company s database server: these include personal data like names of company customers, their credit card data as well as postal addresses and authorisation data for the online service (online shop). The system administrators ensure that data was encrypted with the AES 256 algorithm. vi. The customer list includes citizens from Germany, The Netherlands, Poland, Greece and the United States. Now you should prepare your own evaluation of the incident s severity. To calculate the potential impact of data breach you should estimate two main factors: identifiability and level of exposure. Identifiability is understood as the ability to identify a person from the personal data that have been breached (according to the Directive an identifiable person is one who can be identified,

CERT Exercises Toolset 175 directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity ). Level of exposure can be evaluated as the result of a few important factors; the most important are the nature of the data breach, the controls implemented, and delay in identifying the breach. There are no simple, unambiguous values. An evaluation comes from users knowledge and experience. 20.4.1 Initial assessment Your task is to prepare the initial assessment. Propose your calculation of identifiability and level of exposure. Both are scored between 1 and 4. A value of 1 is the least identifiable and the least exposed. A value of 4 represents the most identifiable and exposed asset. To complete this task use the calculations values presented in the Appendix and use the table below to determine the final value. Calculation of the impact 53 Impact assessment Calculation of impact B. Level of exposure A. Identifiability 1 2 3 4 1 1 2 3 4 2 2 3 4 5 3 3 4 5 6 4 4 5 6 7 20.5 Task 2: Notification of data breach to data controller and individuals 20.5.1 Preliminary notification Now you should prepare two notification reports. One is for the data controller and the second is for individuals who were victims of the data breach. In the Appendix section you can find the table Sample template of a data breach notification form to the competent authority. To better understand your task the trainer will provide you with one example: the report of the fictitious company YOUR JOB KEEPER Limited. Learn what kind of concrete fields and information should be included in the notification, according to the proposed law. If you have your own ideas about the notification format, you can propose them and they will be discussed during the exercise summary. 53 Article 2(a) of Directive 95/46/EC: (http://eurlex.europa.eu/lexuriserv/lexuriserv.do?uri=celex:31995l0046:en:html)

176 CERT Exercises Toolset In your work you should consider the eprivacy Directive regulations: 54 The notification to the subscriber or individual shall at least describe the nature of the personal data breach and the contact points where more information can be obtained, and shall recommend measures to mitigate the possible adverse effects of the personal data breach. The notification to the competent national authority shall, in addition to the notification to the data subjects, describe the consequences of, and the measures proposed or taken by the provider to address, the personal data breach. You should prepare your own list of information taking into consideration the purpose of this notification, especially regarding victims who should not only learn about the fact of their personal data breach but also learn about its consequences and possible actions they should take. Learn more from the trainer about detailed information, which should consist of technical reports from your investigation as well as results of the steps taken by the attacked organisation. Also, if you have any information that should be used for identifying the source of the breach, or you have already identified it, this also should be a part of the detailed report. 20.6 Summary of the exercise Now it is time to make a summary of the exercise. You will present the results of your group work and discuss them with other groups. 20.7 References and Further Reading Please use the following sources for further reading about the data breach notifications. 1. ENISA, Recommendations on technical implementation guidelines of Article 4, April 2012, http://www.enisa.europa.eu/activities/identity-and-trust/risks-and-databreaches/dbn/art4_tech 2. ENISA, Good Practice Guide for Incident Management, December 2010, http://www.enisa.europa.eu/act/cert/support/incident-management/files/goodpractice-guide-for-incident-management 3. ENISA, Data breach notifications in the EU, 2010, http://www.enisa.europa.eu/activities/identity-and-trust/risks-and-data-breaches/dbn 20.8 Appendix Table for evaluating the identifiability of persons affected Evaluation of identifiability Scenarios/Examples Value [1 to 4] 54 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Official Journal L 201, 31/07/2002 P. 0037 0047. (http://eurlex.europa.eu/lexuriserv/lexuriserv.do?uri=celex:32002l0058:en:html)

CERT Exercises Toolset 177 Impossible or very difficult: it is almost impossible to identify the persons with the data that are compromised (e.g. first name within a database of 60 million people) 1 Possible: e.g. name & first name 2 Easy: e.g. name & first name & date of birth 3 Certain: e.g.name & first name & address & zip code & date of birth & tax or social security number or name & first name & address & picture 4 Table for evaluating the level of exposure Nature of data breach/type of exposure Type Exposure Unauthorised or unlawful access (read access only) 1 Loss or destruction 2 Minor alteration/modification of personal data 3 Transmission 3 Major alteration/modification of personal data 4 Disclosure (e.g. to public or unauthorised third parties) 4

178 CERT Exercises Toolset Sample template of a data breach notification form to the competent authority System data 1. Unique notification number 2. Notification date and time Notification data 3. Information on organisation notifying the data breach: a. Name organisation: b. Notified by: c. Job title: d. Email: e. Telephone: f. Mobile phone: 4. The notification is a(n): [choose between the following options] a. Initial notification (go to 7) b. Follow-up / detailed notification (go to 5) 5. The follow-up notification serves the following purpose: [choose between the following options] a. Adding additional information to notification [notification number] (go to 7) b. Withdrawal of notification [notification number] (go to 6) 6. The reason for the withdrawal of this notification is: 7. Contact persons for more information about this notification [only if different from 3] If applicable contact details of one or more persons: a. Name: b. Job title: c. Email: d. Telephone: e. Mobile phone: 8. Summary of the incident that caused the data breach: [Only a short summary is needed here; the details will be addressed in the other questions]

CERT Exercises Toolset 179 9. When did the actual data breach take place? [choose among the following options] a. At [date + time] b. Between [date + time] and [date + time] c. Has not been determined yet d. Has not been determined yet and the breach is (possibly) still ongoing 10. The type of exposure is: Breach type: [choose one or more applicable options] a. Reading (only reading, an attacker does not have data) b. Copying (data still exist in the controller s system) c. Alteration (data exist but their integrity was breached) d. Removal (data do not exist in the controller s system; attacker does not have them either) e. Theft (data do not exist in the controller s system: an attacker has them) Breach subject: [choose one or more applicable options] a. A computer b. A mobile device c. A paper document d. A file or part of a file e. A means of electronic backup f. A network 11. How many individuals are affected by the data breach? [choose one or more applicable options] a. A (currently) unknown quantity of people b. [exact number] people c. An estimated [give approximate number] people d. At least [x] but certainly no more than [y] people 12. What type of data are involved in the data breach? [choose one or more applicable options] a. (Currently) unknown b. Name and address data

180 CERT Exercises Toolset c. (Mobile) phone numbers d. Email address/other electronic communication addresses e. Access and identifying data (choose one or more applicable options: user name, password, customer ID, other f. Payment data (choose one or more applicable options: account number, credit card details, other g. (Other) personal data (choose one or more applicable options: sex, date of birth/age, maiden name, [free text]), special categories of data (choose one or more applicable options: racial or ethnic origin/criminal data/political opinions/religious or philosophical beliefs/trade-union membership/data concerning health or sex life) h. Other, namely 13. Estimated severity of the data breach (see chapter 4, assessing a data breach and its consequences) a. Low/Negligible b. Medium c. High d. Very high 14. Technical and organisational measures applied on the affected data 15. Have the individuals been notified? [choose one or more applicable options] a. Yes, they have been notified on [date] (go to 15) b. No, but they will be notified on [date] (go to 16) c. No, but they will be notified if the ongoing investigation shows it is necessary (go to 16) d. No, they will not be notified because the data have been adequately secured (go to 16) e. No, they will not be notified because (go to 16) 16. What is the content of the notification to the individuals? [Copy text of notification] 17. Which communication channel is used for the notification to the individuals? 18. What technological and organisational measures have been taken to address and contain the data breach and prevent similar future data breaches? 19. Does the data breach involve individuals in other EU countries? [choose between the following options]

CERT Exercises Toolset 181 a. No b. Yes 20. Have you notified the competent authority in one or several other EU countries? [choose between the following options] a. No b. Yes 21. Which authorities have you informed?

182 CERT Exercises Toolset Table for evaluating the nature of data breach and type of exposure Nature of data breach/type of exposure Implemented controls Data have been stored or transferred in plain text format, standardised formats, proprietary formats, No backups of data kept/no backup policy Data stored in hashed format or is password-protected (with no key) Short password-based encryption Backups taken, but are not taken often Weak encryption Non-secure deletion Full backups are taken but not every day Encrypted data with strong key/password Hashed data with a 128-bit key Destruction, degaussing or secure deletion Full daily backups Exposure Very High (increasing the severity of the previous parameter: +2) High (increasing the severity of the previous parameter: +1) Medium (decreasing the severity of the previous parameter: -1) Low/very low: Data can be considered unintelligible in this case, the data controller is also exempt from notifying the individual (decreasing the severity of the previous parameter: -2) Table presenting the influence of delay in identifying the breach on the severity Delay in identifying the breach Possibilities / Examples Exposure <24 hours Decreasing severity of first parameter -1 2 5 days No increase / decrease 5 10 days Increasing severity of first parameter +1 >10 days Increasing severity of first parameter +2

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information