Credit Card Data Compromise: Incident Response Plan

Similar documents
Information Security Incident Response Plan

Information Security Incident Response Plan

Payment Card Industry Data Security Standard (PCI DSS) Incident Response Plan

Donor Credit Card Security Policy

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Wichita State University Credit Card Security Incident Response Team

Incident Policy Version 01, April 2, 2008 Provided by: CSRSI

Table of Contents. PCI Information Security Policy

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

Red Flags Program. Purpose

PTLGateway Data Breach Policy

Standard for Security of Information Technology Resources

Privacy & Information Security Protocol: Breach Notification & Mitigation

[Utility Name] Identity Theft Prevention Program

UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification

PCI DSS 3.2 AWARENESS NOVEMBER 2017

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Seattle University Identity Theft Prevention Program. Purpose. Definitions

Subject: University Information Technology Resource Security Policy: OUTDATED

Identity Theft Prevention Policy

STOCKTON UNIVERSITY PROCEDURE DEFINITIONS

Red Flags/Identity Theft Prevention Policy: Purpose

IDENTITY THEFT PREVENTION Policy Statement

Employee Security Awareness Training Program

LCU Privacy Breach Response Plan

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide

Information Security Incident Response and Reporting

Payment Card Industry - Data Security Standard (PCI-DSS)

Prevention of Identity Theft in Student Financial Transactions AP 5800

Ouachita Baptist University. Identity Theft Policy and Program

Identity Theft Prevention Program. Effective beginning August 1, 2009

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) banksa.com.au

University of Pittsburgh Security Assessment Questionnaire (v1.7)

PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC

Cyber Risks in the Boardroom Conference

01.0 Policy Responsibilities and Oversight

The City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.

University of North Texas System Administration Identity Theft Prevention Program

MNsure Privacy Program Strategic Plan FY

Privacy Breach Policy

( Utility Name ) Identity Theft Prevention Program

FairWarning Mapping to PCI DSS 3.0, Requirement 10

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Red Flag Policy and Identity Theft Prevention Program

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

CRIMINAL NETWORK INTRUSION AND DATA THEFT: Today s Security Landscape and What to Do If You ve Been Compromised

Putting It All Together:

Member of the County or municipal emergency management organization

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Will you be PCI DSS Compliant by September 2010?

Policy. Policy Information. Purpose. Scope. Background

ADIENT VENDOR SECURITY STANDARD

University of Sunderland Business Assurance PCI Security Policy

Data Security and Privacy Principles IBM Cloud Services

DATA BREACH NUTS AND BOLTS

Responding to Cybercrime:

Data Compromise Notice Procedure Summary and Guide

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Data Breach Preparation and Response. April 21, 2017

HPE DATA PRIVACY AND SECURITY

Data Privacy Breach Policy and Procedure

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Heavy Vehicle Cyber Security Bulletin

HIPAA Privacy, Security and Breach Notification

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

CCISO Blueprint v1. EC-Council

Security and Privacy Breach Notification

Data Breach Response Guide

Ohio Supercomputer Center

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Seven Requirements for Successfully Implementing Information Security Policies and Standards

DETAILED POLICY STATEMENT

Security Surveillance Camera and Video Policy

Information Technology General Control Review

Security Breaches: How to Prepare and Respond

INCIDENT RESPONSE POLICY AND PROCEDURE

Records Management and Retention

SECURITY & PRIVACY DOCUMENTATION

Version 1/2018. GDPR Processor Security Controls

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Lakeshore Technical College Official Policy

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

ISACA Kansas City Chapter PCI Data Security Standard v2.0 Overview

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

UTAH VALLEY UNIVERSITY Policies and Procedures

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

Rules for LNE Certification of Management Systems

AuthAnvil for Retail IT. Exploring how AuthAnvil helps to reach compliance objectives

The Data Protection Act 1998 Clare Hall Data Protection Policy

The Devil is in the Details: The Secrets to Complying with PCI Requirements. Michelle Kaiser Bray Faegre Baker Daniels

Cybersecurity The Evolving Landscape

1 Privacy Statement INDEX

SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

A full list of SaltWire Network Inc. publications is available by visiting saltwire.com.

NYDFS Cybersecurity Regulations

B. To ensure compliance with federal and state laws, rules, and regulations, including, but not limited to:

Security of Information Technology Resources IT-12

Transcription:

Credit Card Data Compromise: Incident Response Plan Purpose It is the objective of the university to maintain secure financial transactions. In order to comply with state law and contractual obligations, the division of business and finance and the division of information services are responsible for a unified response to a breach or potential compromise of credit card data. This incident response plan provides guidance for identification, containment, notification, verification, communication, investigation, and remediation of such incidents. Responsibility Any university employee or any other person or entity accepting credit card payments on behalf of the university who believes a breach or potential compromise (electronic or physical) of any type or form of cardholder data (personally identifiable information associated with a specific cardholder) has occurred is required to adhere to the steps outlined in this plan. Identification Identification of a breach or potential compromise of data is the first step in an incident response. Identification can occur by, but is not limited to, the following: (1) Report from a third party (such as a cardholder), (2) Anonymous complaint of unauthorized use or misuse of data, (3) Alerts from security monitoring systems including, but not limited to, intrusion-detection, intrusion prevention, firewalls, file-integrity monitoring systems, and network infrastructure devices that detect rogue wireless access (wireless access points physically connected to the network that are used to intentionally subvert University policy and/or security controls) (4) Routine monitoring (examination of activity and/or access logs), (5) Vulnerability scans, or (6) Suspicious circumstances beyond normal processes. Containment Containment is the next critical step to limit exposure, preserve potential evidence, and prepare for an investigation of the incident. Containment steps include: (1) If an electronic device: (e) Do not access or alter the compromised device, Do not power off the device, Do terminate its network connection (unplug network connection from the device or disable the wireless adapter), Isolate the device from access by others, Document how the event was detected and the device s state at that time, and Revised 10/17/17 1

(f) Document steps taken to contain and isolate the device. (2) If data is believed to have been compromised by loss of physical property, follow the steps outlined in the section for Internal Notification. Internal Notification In the event of a breach or potential compromise of data, notification of the appropriate internal personnel will ensure a coordinated and unified response in determining the scope of the breach, business continuity, internal and external communications, and remediation. Notification must be made to bursar s office cashiering at 330-672-2757 during normal business hours. Do not leave a voicemail message if the call goes unanswered. If the call is not answered or it is being made outside of normal business hours, contact the division of information services data center at 330-672-2552. An email notification should also be sent to PCICompliance@kent.edu. (1) If the data breach involves loss of physical property (theft of physical media or a device containing credit card data), report this to the law enforcement agency having jurisdiction where the loss occurred. (2) Cross reference each notification. Provide law enforcement with contact information used for internal university notification. Include law enforcement department and report number in notification to university. Response Team The recipient(s) of notification of a breach or potential compromise of data should immediately contact the chair of the PCI-DSS Compliance Oversight Committee who will immediately contact the members of the Response Team to begin the requisite response activities. The Response Team will be comprised of representation from bursar s office cashiering, office of security and access management, and compliance and risk management department. The department of public safety/ police services will be a member of the Response Team if the breach or potential compromise of data occurs on any Kent State University owned or leased property or until such jurisdiction is determined. In the absence of the chair of the PCI-DSS Compliance Oversight Committee, responsibility for contacting the Response Team will fall to the members of the team in the order listed. The Response Team will convene immediately to initiate a response and will involve others in the university community as circumstances warrant. Verification (1) The division of information services will lead preliminary efforts in verifying a breach of electronic data. The division of business and finance will lead efforts in verifying a breach of non-electronic data. If and upon the discovery of evidence indicating a criminal offense was committed, the department of public safety / police services will be notified. Police services may collaborate with other federal, state, and local law enforcement agencies as appropriate. A criminal investigation may be Revised 10/17/17 2

conducted in parallel, supersede, or require authorization for any further action taken by the university. (2) The theft of physical media or a device containing credit card data will be reported to the appropriate law enforcement agency. A criminal investigation will be at the discretion of said agency. The division of information services will be responsible for attempts to determine the type and scope of cardholder data potentially compromised. Additionally, the division of information services in conjunction with the person having control over the device will determine the availability of remote access to the device. Internal Notification Communication strategies begin upon the verification of a data breach or compromise. Once a potential breach has been reported and verified per the Internal Notification and Verification procedures, the PCI compliance oversight committee will facilitate communications to other university areas. The following institutional members will ALL be informed of the breach or compromise of data and will be provided with periodic updates of significant findings from the PCI compliance oversight committee during the investigation and remediation processes: Senior Vice President for Finance and Administration, (The SVP for Finance and Administration will notify the President and the President s office will determine if notification of Trustees is warranted based on the circumstances.) Vice President for Information Services, Vice President or executive responsible for functional area of breach, General Counsel, Director of Public Safety / Police Services, Senior Vice President for Strategic Communications and External Affairs First Data / Card Brand(s) representatives Insurance company providing cyber liability coverage Investigation The investigation will be the responsibility of the division of information services, the appropriate law enforcement agency, or a combination of both. The investigation will include, but is not limited to, the following: (1) Interview of the person or entity learning of or discovering the breach or compromise of data. (2) Collect and preserve evidence: Photograph or video record the scene as is, Collect affected hardware, Acquire activity and/or access logs and network logs for device, Revised 10/17/17 3

(e) (f) (g) Acquire recent history of users of device, Retain documentation of any associated alerts from security monitoring systems, Obtain video surveillance history and key swipe logs of area accessed without authorization, and Maintain chain of custody records for evidence collected. (3) Minimize scope: Determine if breach or compromise is likely to be duplicated, Determine if breach or compromise is beyond a single device, Cease operation of certain hardware or physical areas where there is a reasonable belief the breach or compromise could be repeated, and Provide alternatives to affected area to maintain business operations. (4) Forensics: Forensics should support the overall investigation in determining the origination of the breach or compromise, the devices and or systems affected, the data compromised, and the possibility of re-occurrence. A forensic consultant may be contracted at the discretion of the division of information services and the division of business and finance in the absence of or in conjunction with a criminal forensic process. The need for a forensic consultant will be determined based on the type and scope of the breach or compromise or may be contractually required by one or more of the involved credit card brands. Recovery/ External Notification / Remediation The information gathered during the investigation will allow for assessment of functional impact, informational impact, and remediation. (1) The division of business and finance will be responsible for the following: Formal documentation of event. Notifying the cyber liability insurance carrier and coordinating the services provided under the policy with internal stakeholders. In consultation with the office of general counsel, notification and delivery of documentation will be made to the relevant card processors, banks, and credit card brands as appropriate based on the nature and magnitude of the breach (see appendix A for card brand guidelines). Revised 10/17/17 4

(e) (f) In consultation with the division of university relations, prepare notification in the form deemed most appropriate and expedient to be sent to affected individuals. If deemed appropriate by legal statute or otherwise decided, prepare to offer free credit report resources to affected users. Determine if a call center, website, or email service should be offered to affected individuals. Coordinate regular update meetings during the investigative process and a debriefing meeting approximately two to four weeks post event. (2) The division of information services will be responsible for the following: Remediate any compromise to network or device security. Document cardholder data including names and contact information of affected cardholders. Backup and provide any necessary network, log, scan, and device data to any investigative body within the legal requirements. Aid in providing resources necessary for the university to coordinate communication to all entities listed within this plan (for example: website, call center, email development and support). (3) The division of university relations will assume responsibility for disseminating information to the media in consultation with the division of business and finance and the division of information services. (4) The division of information services with guidance from the office of general counsel will assume responsibility for the review and compliance of applicable state (Ohio Revised Code 1347.12) and federal statutes related to data breaches. Incident Response Plan Distribution and Review (1) The Incident Response Plan will be available on the office of security and access management website (security.kent.edu/systemsaccess/index.cfm) (2) Incident Response Plan training will occur annually or during employment orientation. (3) A mock event will be held annually to test the Incident Response Plan. The division of business and finance and the division of information services will collaborate to coordinate this mock event. (4) As part of the mock event, event controllers will be present not only to observe the plan in action, but also to assess the content, structure, and usability of the plan. Revised 10/17/17 5

(5) The division of business and finance will maintain current information on Payment Card Industry (PCI) standards as well as current contact information for the payment card brands. (6) Training assessment, mock event evaluation, lessons learned from actual incidents, and current information from the PCI Security Standards Council and the payment brands will be used to appropriately modify existing controls and the Incident Response Plan as needed, at a minimum annually. Review and Revision History Original document 3/25/15 Revised 6/30/15 Revised 12/20/16 Revised 10/17/17 Revised 10/17/17 6

Appendix A: Payment brand guidelines and contact information. MasterCard: https://www.mastercard.us/content/dam/mccom/en-us/documents/accountdata-compromise-manual.pdf e-mail account_data_compromise@mastercard.com (verified 12/2016). -and- https://www.mastercard.us/content/dam/mccom/en-us/documents/rules/spme-manualfinal-march-2016.pdf (verified 12/2016). Visa: http://usa.visa.com/merchants/protect-your-business/cisp/if-compromised.jsp 1-650-432-2978 or e-mail usfraudcontrol@visa.com (verified 12/2016). Discover: https://www.discovernetwork.com/en-us/business-resources/fraud-security/ 1-800-347-3083 (verified 12/2016). American Express: https://www209.americanexpress.com/merchant/singlevoice/dsw/frontservlet?request_ty pe=dsw&pg_nm=merchinfo&ln=en&frm=idc&tabbed=breach 1-800-297-2639 (verified 12/2016). Revised 10/17/17 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback