Auditing your institution's cybersecurity incident...
© Baker Tilly Virchow Krause, LLP
Auditing your institution's
cybersecurity incident/breach
response plan
Objectives
> Provide an overview of incident/breach response plans and their
intended benefits
> Describe regulatory/legal requirements related to incident/breach
responses
> Describe key aspects of response plans that should be reviewed as
part of your audit
Overview and benefits of cybersecurity incident/breach response plan
Why is cybersecurity incident/breach
response important?
> Frequency: Breaches are happening more frequently
> Media attention: 2014 was a record year for breaches in the press/media
> Requirements: Regulations require incident/breach response plans
Why does your institution need a cybersecurity
incident/breach response plan?
> It is not a matter of if your institution will have an incident or breach,
it is a matter of when
> Decentralized organizations with numerous stakeholders increase
the likelihood of ad hoc responses
> Inappropriate or inadequate response can lead to reputational and
financial damage
Impacts of data breaches
> Negative publicity
> Regulatory sanctions
> Refusal to share personal information
> Damage to brand
> Regulator scrutiny
> Legal liability
> Fines
> Damaged customer relationships
> Damaged employee relationships
> Deceptive or unfair trade charges
What is a cybersecurity incident/breach
response plan?
“Capability to effectively manage unexpected
disruptive events with the objective of minimizing
impacts and maintaining or restoring normal
operations within defined time limits”
– ISACA
What goes into a cybersecurity
incident/breach response?
Cybersecurity incident/breach response plan inputs:
> Laws, regulations
> IT risk framework
> Data and system inventory
How cybersecurity incident/breach response
plans align to various IT frameworks
> COBIT = Deliver & Support DS8 Manage Service Desk and
Incidents
> ITIL = Service Operation 4.1.5
> ISO 27002 = 13.0 Information Security Incident Management, 14.0
Business Continuity Management
> NIST SP 800-61 = Incident response guide
What should a cybersecurity
incident/breach response plan accomplish?
Preparation
Detection and Analysis
Containment, Eradication,
and Recovery
Post-Incident Activity
Regulatory/legal requirements for cybersecurity incident/breach response
Regulatory/legal requirements
where to start
> Regulatory review starts with information governance
> Need to identify and classify data/information and where it “lives” in
your institution
> Request a list of all important business processes and applications
and the contracts for any processes or applications that are
provided by a third party
> Review the contracts to confirm that they address cybersecurity and
data breach matters
Regulatory response over time
> 1974: Privacy Act & FERPA
> 1996: HIPAA
> 1998: Safe Harbor (European Union)
> 1999: GLBA
> 2001: Cybersecurity Enhancement Act
> 2003: California Data Breach Law
> 2006: PCI DSS v1
> 2009: HITECH
> 2010: Massachusetts Privacy Law
> 2014: Kentucky, 47th state Data Breach Law
> 2015: PCI DSS v3
Regulatory/legal requirements for
incident/breach response
> FERPA
> HIPAA/HITECH
> PCI DSS
> State laws
FERPA: 34 CFR Part 99
HIPAA/HITECH:
> Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191
> Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of the American Recovery and Reinvestment Act of 2009 (ARRA)
> Security Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
> Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
FERPA
Covers: Schools that receive funds under an applicable program of the
U.S. Department of Education
Key provisions:
> Right of parents or eligible students (i.e., over 18) to review the
student’s educational records maintained by the school
> Right to request a correction for records they believe to be
inaccurate or misleading
> Escalation process for resolving disputes
> Written permission prior to releasing any information
from a student’s record (though there are exceptions)
> Recently updated to include student safety
and protection from online identity theft
FERPA
> FERPA is not a data breach notification statute
> Notification and response to breach of FERPA covered records
depends on the nature of the type of records breached and the
requirements of state statutes
> Department of Education offers some “suggestions” for handling
breaches of FERPA covered records
HIPAA/HITECH
Covers:
> Health care providers
> Health plans
> Health care clearinghouses
> Employers who administer their own health plans
Protected health information (PHI):
> Covered entities may only use or disclose
PHI as permitted
Enforced by:
> Department of Health and Human Services
> State attorneys general
HIPAA/HITECH
What breaches require notification?
> Minimum necessary violations may require breach notification
> Risk assessment factors:
• Nature and extent of PHI involved
• Unauthorized person who used PHI
• Whether PHI was actually acquired or viewed
• Extent to which risk to PHI is mitigated
> Exceptions
HIPAA/HITECH notifications
Who must be notified:
> Individuals
> Media
> HHS
> Business associates
Notification requirements cover:
• Timeliness
• Content
• Methods
PCI DSS
A multifaceted security standard
> Includes requirements for:
i. Business processes
ii. Security management
iii. Policies
iv. Procedures
v. Network architecture
vi. Software design
vii. Other critical protective measures
> Intended to help organizations proactively protect
customer payment data
PCI DSS
> What is covered by PCI-DSS?
> What to do in the event of a breach?
State laws
47 states + DC, Guam, Puerto Rico, USVI have data breach laws
*Exceptions: Alabama, New Mexico, South Dakota
> The National Conference of State Legislatures
maintains a list of state security breach notification
laws with links to the text of each law. Check the list
regularly as the state laws continue to change.
> A substantial number of reported breaches have
involved non-profit universities and health systems.
See Privacy Rights Clearinghouse Chronology of
Data Breaches (listing breaches including breaches
at non-profits, educational institutions, and health
facilities)
Cybersecurity incident/breach planning
key components
> POLICY: establishes goals and vision for the breach response process, defined scope (to whom it applies and under what circumstances), roles and responsibilities, standards, metrics, feedback, remediation and requirements for awareness training
> PLAN: covers all phases of the response activities
> PROCEDURES: reports and briefs; online analysis system; website with available resources
Why should a cybersecurity incident/breach
response plan be audited?
> Ensures that the plan contains accurate and current information
> Allows the breach response process to be assessed and fine-tuned
> Identifies potential issues in advance, before the breach occurs
> Should a breach subsequently occur, it allows the process to
operate more efficiently
What should your cybersecurity incident/breach
response plan contain?
Detection and Analysis
• Individuals/team that will lead the breach response process and make the final determination that an actual breach has occurred
• Emergency contacts
• Information on relevant regulatory and law enforcement agencies that must be contacted
Containment, Eradication, and
Recovery
• Steps required to contain the breach and assess its scope
• Internal reporting system to alert legal, senior management, communications, employees and others
• External reporting to customers, business partners, public at large
Post-Incident Activity
• Post-mortem assessment, remediation
• Rehearsing (table-top testing) and awareness training
Cybersecurity incident/breach
response plan roles
Designated incident lead
> One individual (and backup)
designated to coordinate the
response
> Acts as go-between for
management and response team
> Typically someone from legal
> Coordinates efforts among all
groups, notifies appropriate
people within the company and
externally, documents the
response, identifies key tasks,
and estimates remediation costs
Who makes the call?
> Consists of representatives from
IT/security, legal, and senior
leadership
> Once the facts are gathered, the
most senior-level executive
makes the determination that a
breach has/has not occurred, and
"breaks the glass" to execute the
response plan
Emergency contacts and
internal reporting system
Emergency contact list should include:
• Representative(s) of executive management team
• Legal, privacy & compliance
• Operations (security & IT)
• Customer service and/or HR
• Communications/public relations
• Representatives of third-party vendors
• Outside experts
Incident response plan should designate structure of internal reporting system
Assessing the breach and response
Incident plan should include steps to contain the breach and assess its scope
Consider:
> Isolating the affected system to prevent further release
> Reviewing/activating auditing software
> Preserving pertinent system logs
> Making back-up copies of altered files to be kept secure
> Identifying systems that connect to the affected system
> Retaining an external forensic expert to assist with the investigation
> Documenting conversations with law enforcement and steps taken to restore
the integrity of the system
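As an added example (not from the deck), a small Python helper for the "preserve pertinent system logs" and "back-up copies of altered files to be kept secure" steps above: it copies the named files into an evidence directory as read-only copies, records a SHA-256 manifest with the collector and a UTC timestamp, and can later re-verify that the copies are unchanged. The `analyst-1` collector label, file names and log lines in `demo()` are constructed sample data.

```python
# Added example (not from the deck): copy the logs and altered files a
# responder names into an evidence directory and record a SHA-256 manifest,
# so the copies can later be shown to be unchanged.
import hashlib, json, os, shutil, stat, tempfile
from datetime import datetime, timezone

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def preserve_evidence(source_paths, evidence_dir, collector):
    """Copy each file into evidence_dir as a read-only copy, hash it and
    write manifest.json recording who collected what and when."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in source_paths:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)            # copy2 keeps the original mtime
        os.chmod(dst, stat.S_IRUSR)       # owner read-only copy
        entries.append({"source": os.path.abspath(src),
                        "copy": os.path.basename(dst), "sha256": sha256_of(dst),
                        "collected_at": datetime.now(timezone.utc).isoformat(),
                        "collected_by": collector})
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump({"entries": entries}, f, indent=2)
    return entries

def verify_evidence(evidence_dir):
    """Re-hash every copy; return the names whose hash no longer matches."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        entries = json.load(f)["entries"]
    return [e["copy"] for e in entries
            if sha256_of(os.path.join(evidence_dir, e["copy"])) != e["sha256"]]

def demo():
    work = tempfile.mkdtemp()
    logs = []                             # constructed sample log files
    for name, text in (("auth.log", "Failed password for root\n"),
                       ("web.log", "GET /admin 403\n")):
        logs.append(os.path.join(work, name))
        with open(logs[-1], "w") as f:
            f.write(text)
    ev = os.path.join(work, "evidence")
    count = len(preserve_evidence(logs, ev, "analyst-1"))
    clean = verify_evidence(ev)                       # [] right after copy
    os.chmod(os.path.join(ev, "web.log"), stat.S_IRUSR | stat.S_IWUSR)
    with open(os.path.join(ev, "web.log"), "a") as f:  # simulate tampering
        f.write("edited\n")
    return count, clean, verify_evidence(ev)          # (2, [], ["web.log"])
```

Keep the evidence directory on separate, access-controlled storage and store the manifest hashes with the incident documentation so an auditor can re-run `verify_evidence` later.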
Training and awareness
Staff should have recurring training, including:
• What constitutes a breach
• What does NOT constitute a breach
• What are appropriate communications channels for suspected breaches
Plan should be tested/rehearsed (table-top testing) not less than once per year
Conclusion
> Incident/breach response planning is critical in helping organizations
prepare for and recover from serious breaches
> Many federal and state laws require robust breach notification and
response procedures
> Auditing the incident/breach plan can help ensure that it contains
accurate and complete information so that it can operate efficiently
in the event of a breach
Resources
> CERT (http://www.cert.org/incident-management/)
> EDUCAUSE (www.educause.edu)
> Higher Education Information Security Council, HEISC (https://wiki.internet2.edu/confluence/display/2014infosecurityguide/)
> ISACA (www.isaca.org)
> NIST (www.nist.gov)
> Department of Education Privacy Technical Assistance Center (PTAC) Data Breach Response Checklist (http://ptac.ed.gov/sites/default/files/checklist_data_breach_response_092012.pdf)
> National Conference of State Legislatures (http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx)
> Privacy Rights Clearinghouse Chronology of Data Breaches (http://www.privacyrights.org/data-breach/new)
Additional Resources
ACUA
> Promoting Internal Audit: www.acua.org/movie
> Listserv: [email protected]
> Forums: www.acua.org
Baker Tilly
> http://bakertilly.com/insights/acua
Required disclosure and Circular 230
Prominent Disclosure
The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought.
Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan or arrangement to any other party.
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. © 2014 Baker Tilly Virchow Krause, LLP.