Auditing your institution's cybersecurity incident/breach response plan
© Baker Tilly Virchow Krause, LLP
Objectives
> Provide an overview of incident/breach response plans and their intended benefits
> Describe regulatory/legal requirements related to incident/breach responses
> Describe key aspects of response plans that should be reviewed as part of your audit
Overview and benefits of cybersecurity incident/breach response plan
Why is cybersecurity incident/breach response important?
> Frequency: breaches are happening more frequently
> Media attention: 2014 was a record year for breaches in the press/media
> Requirements: regulations require incident/breach response plans
Why does your institution need a cybersecurity incident/breach response plan?
> It is not a matter of if your institution will have an incident or breach, it is a matter of when
> Decentralized organizations with numerous stakeholders increase the likelihood of ad hoc responses
> Inappropriate or inadequate response can lead to reputational and financial damage
Impacts of data breaches
> Regulator scrutiny
> Deceptive or unfair trade charges
> Damage to brand
> Regulatory sanctions
> Damaged employee relationships
> Negative publicity
> Refusal to share personal information
> Fines
> Damaged customer relationships
> Legal liability
What is a cybersecurity incident/breach response plan?
“Capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits” – ISACA
What goes into a cybersecurity incident/breach response?
The cybersecurity incident/breach response plan is built from three inputs:
> IT risk framework
> Data and system inventory
> Laws, regulations
How cybersecurity incident/breach response plans align to various IT frameworks
> COBIT = Deliver & Support DS8 Manage Service Desk and Incidents
> ITIL = Service Operation 4.1.5
> ISO 27002 = 13.0 Information Security Incident Management, 14.0 Business Continuity Management
> NIST SP 800-61 = Incident response guide
What should a cybersecurity incident/breach response plan accomplish?
A plan should address all four phases of the response life cycle:
> Preparation
> Detection and Analysis
> Containment, Eradication, and Recovery
> Post-Incident Activity
Regulatory/legal requirements for cybersecurity incident/breach response
Regulatory/legal requirements: where to start
> Regulatory review starts with information governance
> Need to identify and classify data/information and where it “lives” in your institution
> Request a list of all important business processes and applications, and the contracts for any processes or applications that are provided by a third party
> Review the contracts to confirm that they address cybersecurity and data breach matters
Regulatory response over time
> 1974: Privacy Act & FERPA
> 1996: HIPAA
> 1998: European Union privacy law
> 1999: GLBA
> 2001: Safe Harbor
> 2003: California data breach law
> 2006: PCI DSS v1
> 2009: HITECH
> 2010: Massachusetts
> 2014: Kentucky (47th state data breach law); Cybersecurity Enhancement Act
> 2015: PCI DSS v3
Regulatory/legal requirements for incident/breach response
> FERPA (34 CFR Part 99)
> HIPAA/HITECH: Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191; Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of the American Recovery and Reinvestment Act of 2009 (ARRA)
  Security Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
  Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
> PCI DSS
> State laws
FERPA
Covers: schools that receive funds under an applicable program of the U.S. Department of Education
Key provisions:
> Right of parents or eligible students (i.e., over 18) to review the student’s educational records maintained by the school
> Right to request a correction for records they believe to be inaccurate or misleading
> Escalation process for resolving disputes
> Written permission prior to releasing any information from a student’s record (though there are exceptions)
> Recently updated to include student safety and protection from online identity theft
FERPA
> FERPA is not a data breach notification statute
> Notification and response to a breach of FERPA-covered records depends on the type of records breached and the requirements of state statutes
> Department of Education offers some “suggestions” for handling breaches of FERPA-covered records
HIPAA/HITECH
Covers:
> Health care providers
> Health plans
> Health care clearinghouses
> Employers who administer their own health plans
Protected health information (PHI):
> Covered entities may only use or disclose PHI as permitted
Enforced by:
> Department of Health and Human Services
> State attorneys general
HIPAA/HITECH
What breaches require notification?
Minimum necessary violations may require breach notification; the determination weighs:
> Nature and extent of PHI involved
> Unauthorized person who used PHI
> Whether PHI was actually acquired or viewed
> Extent to which risk to PHI is mitigated
> Exceptions
HIPAA/HITECH notifications
Notifications go to individuals, HHS, business associates, and the media; for each, the plan should address:
• Timeliness
• Content
• Methods
PCI DSS
A multifaceted security standard
> Includes requirements for:
i. Business processes
ii. Security management
iii. Policies
iv. Procedures
v. Network architecture
vi. Software design
vii. Other critical protective measures
> Intended to help organizations proactively protect customer payment data
PCI DSS
> What is covered by PCI-DSS?
> What to do in the event of a breach?
State laws
> The National Conference of State Legislatures maintains a list of state security breach notification laws with links to the text of each law. Check the list regularly as the state laws continue to change.
> A substantial number of reported breaches have involved non-profit universities and health systems. See Privacy Rights Clearinghouse Chronology of Data Breaches (listing breaches including breaches at non-profits, educational institutions, and health facilities).
47 states + DC, Guam, Puerto Rico, USVI have breach notification laws (exceptions: Alabama, New Mexico, South Dakota)
Auditing the plan for cybersecurity incident/breach response
Cybersecurity incident/breach planning: key components
> POLICY: establishes goals and vision for the breach response process, defined scope (to whom it applies and under what circumstances), roles and responsibilities, standards, metrics, feedback, remediation and requirements for awareness training
> PLAN: covers all phases of the response activities
> PROCEDURES: reports and briefs; online analysis system; website with available resources
Why should a cybersecurity incident/breach response plan be audited?
> Ensures that the plan contains accurate and current information
> Allows the breach response process to be assessed and fine-tuned
> Identifies potential issues in advance, before the breach occurs
> Should a breach subsequently occur, it allows the process to operate more efficiently
What should your cybersecurity incident/breach response plan contain?
Detection and Analysis; Containment, Eradication, and Recovery:
• Individuals/team that will lead the breach response process and make the final determination that an actual breach has occurred
• Emergency contacts
• Information on relevant regulatory and law enforcement agencies that must be contacted
• Steps required to contain the breach and assess its scope
• Internal reporting system to alert legal, senior management, communications, employees and others
• External reporting to customers, business partners, public at large
Post-Incident Activity:
• Post-mortem assessment, remediation
• Rehearsing (table-top testing) and awareness training
Cybersecurity incident/breach response plan roles
Designated incident lead
> One individual (and backup) designated to coordinate the response
> Acts as go-between for management and response team
> Typically someone from legal
> Coordinates efforts among all groups, notifies appropriate people within the company and externally, documents the response, identifies key tasks, and estimates remediation costs
Who makes the call?
> Consists of representatives from IT/security, legal, and senior leadership
> Once the facts are gathered, the most senior-level executive makes the determination that a breach has/has not occurred, and "breaks the glass" to execute the response plan
Emergency contacts and internal reporting system
> Emergency contact list should include:
• Representative(s) of executive management team
• Legal, privacy & compliance
• Operations (security & IT)
• Customer service and/or HR
• Communications/public relations
• Representatives of third-party vendors
• Outside experts
> Incident response plan should designate structure of internal reporting system
Assessing the breach and response
Incident plan should include steps to contain the breach and assess its scope. Consider:
> Isolating the affected system to prevent further release
> Reviewing/activating auditing software
> Preserving pertinent system logs
> Making back-up copies of altered files to be kept secure
> Identifying systems that connect to the affected system
> Retaining an external forensic expert to assist with the investigation
> Documenting conversations with law enforcement and steps taken to restore the integrity of the system
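As an added example (not from the presentation), the "preserving pertinent system logs" and "back-up copies kept secure" steps above in code: each file is copied into an evidence folder with a SHA-256 manifest, and the manifest is re-checked later so an auditor can confirm the preserved copies were not altered. The file names, folder layout and sample log line are constructed for the demonstration.

```python
"""Added example: tamper-evident preservation of log files during containment."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"
# Constructed sample log line (not a real record).
SAMPLE_LOG = "Jan 10 09:14:02 host sshd[1234]: Accepted password for alice\n"

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_logs(sources, evidence_dir):
    """Copy each source file into evidence_dir and write a SHA-256 manifest.
    Returns the manifest dict {file name: hex digest}. File names must be unique."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in map(Path, sources):
        dest = evidence_dir / src.name
        shutil.copy2(src, dest)  # copy2 also preserves the original timestamps
        manifest[dest.name] = sha256_of(dest)
        if manifest[dest.name] != sha256_of(src):
            raise RuntimeError(f"copy of {src} does not match its source")
    (evidence_dir / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_evidence(evidence_dir):
    """Re-hash every preserved file; return the names that are missing or altered."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / MANIFEST).read_text())
    return [name for name, digest in manifest.items()
            if not (evidence_dir / name).is_file()
            or sha256_of(evidence_dir / name) != digest]

def run_demo():
    """Preserve a constructed log, verify it, then alter the copy and verify again.
    Returns (manifest, names flagged before tampering, names flagged after)."""
    work = Path(tempfile.mkdtemp())
    (work / "auth.log").write_text(SAMPLE_LOG)
    manifest = preserve_logs([work / "auth.log"], work / "evidence")
    clean = verify_evidence(work / "evidence")
    (work / "evidence" / "auth.log").write_text(SAMPLE_LOG + "altered\n")
    return manifest, clean, verify_evidence(work / "evidence")
```

The manifest itself should be stored separately from the evidence folder (or signed) so that whoever can change a preserved log cannot also rewrite its recorded hash.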
Training and awareness
> Staff should have recurring training, including:
• What constitutes a breach
• What does NOT constitute a breach
• What are appropriate communications channels for suspected breaches
> Plan should be tested/rehearsed (table-top testing) not less than once per year
Conclusion
> Incident/breach response planning is critical in helping organizations prepare for and recover from serious breaches
> Many federal and state laws require robust breach notification and response procedures
> Auditing the incident/breach plan can help ensure that it contains accurate and complete information so that it can operate efficiently in the event of a breach
Resources
> CERT (http://www.cert.org/incident-management/)
> EDUCAUSE (www.educause.edu)
> Higher Education Information Security Council, HEISC (https://wiki.internet2.edu/confluence/display/2014infosecurityguide/)
> ISACA (www.isaca.org)
> NIST (www.nist.gov)
> Department of Education Privacy Technical Assistance Center (PTAC) Data Breach Response Checklist (http://ptac.ed.gov/sites/default/files/checklist_data_breach_response_092012.pdf)
> National Conference of State Legislatures (http://www.ncsl.org/research/telecommunications-and-informationtechnology/security-breach-notification-laws.aspx)
> Privacy Rights Clearinghouse Chronology of Data Breaches (http://www.privacyrights.org/data-breach/new)
Additional Resources
ACUA
> Promoting Internal Audit: www.acua.org/movie
> Listserv: acua-l@associationlists.com
> Forums: www.acua.org
Baker Tilly
> http://bakertilly.com/insights/acua
Required disclosure and Circular 230
Prominent Disclosure
The information provided here is of a general nature and is not intended to
address the specific circumstances of any individual or entity. In specific
circumstances, the services of a professional should be sought.
Pursuant to the rules of professional conduct set forth in Circular 230, as
promulgated by the United States Department of the Treasury, nothing
contained in this communication was intended or written to be used by any
taxpayer for the purpose of avoiding penalties that may be imposed on the
taxpayer by the Internal Revenue Service, and it cannot be used by any
taxpayer for such purpose. No one, without our express prior written
permission, may use or refer to any tax advice in this communication in
promoting, marketing, or recommending a partnership or other entity,
investment plan or arrangement to any other party.
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned
and managed member of Baker Tilly International. © 2014 Baker Tilly Virchow
Krause, LLP.