Breaches and Remediation

Similar documents
Breaches and Remediation

What is a Breach? 8/28/2017

PII SPOT CHECK DOCUMENTATION

Data Privacy Breach Policy and Procedure

Privacy Breach Policy

Keeping It Under Wraps: Personally Identifiable Information (PII)

Data Compromise Notice Procedure Summary and Guide

Course Objectives Identifying Personally Identifiable Information (PII) Safeguarding Procedures of PII Reporting PII Breaches Proper disposal of PII

Cyber Security Issues

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Privacy Breach Response and Reporting

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

Security and Privacy Breach Notification

DEFINITIONS AND REFERENCES

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018

University of Wisconsin-Madison Policy and Procedure

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Media Protection Program

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm

Red Flags/Identity Theft Prevention Policy: Purpose

Presented by: Jason C. Gavejian Morristown Office

HIPAA UPDATE. Michael L. Brody, DPM

Security Breaches: How to Prepare and Respond

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Managing Cybersecurity Risk

Bar The Gates: Cyber Threat. Wednesday, August 12, 2015: ISACA Geek Week

LCU Privacy Breach Response Plan

UTAH VALLEY UNIVERSITY Policies and Procedures

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

Cyber Risks in the Boardroom Conference

HIPAA & Privacy Compliance Update

The Data Breach: How to Stay Defensible Before, During & After the Incident

Information Technology General Control Review

Incident Policy Version 01, April 2, 2008 Provided by: CSRSI

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

The Impact of Cybersecurity, Data Privacy and Social Media

Subject: University Information Technology Resource Security Policy: OUTDATED

Privacy and Security Basics for CDSME Data Collection. Updated October 2016

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

The New COSO Framework, PII and Data Security. October 30, 2014

IDENTITY THEFT PREVENTION Policy Statement

Information Security Incident Response Plan

Employee Security Awareness Training Program

Technology Risk Management and Information Security A Practical Workshop

Privacy & Information Security Protocol: Breach Notification & Mitigation

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

Cybersecurity Act of 2015 Audit for NRC

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

CYBER FRAUD & DATA BREACHES 16 CPE s May 16-17, 2018

Real-world Practices for Incident Response Feb 2017 Keyaan Williams Sr. Consultant

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

7.16 INFORMATION TECHNOLOGY SECURITY

Rob Foster, Department of the Navy Chief Information Officer

Privacy Impact Assessment (PIA) Tool

Information Security Incident Response Plan

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Security Note. BlackBerry Corporate Infrastructure

Integrating HIPAA into Your Managed Care Compliance Program

SECURITY & PRIVACY DOCUMENTATION

Information Security Policy

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Cybersecurity in Higher Ed

Ohio Supercomputer Center

Cyberspace : Privacy and Security Issues

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)

PTLGateway Data Breach Policy

Credit Card Data Compromise: Incident Response Plan

Data Breach Notification Policy

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

Checklist: Credit Union Information Security and Privacy Policies

NEN The Education Network

Building a Privacy Management Program

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Juniper Vendor Security Requirements

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

EXHIBIT A. - HIPAA Security Assessment Template -

Data Leak Protection legal framework and managing the challenges of a security breach

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

HIPAA Compliance Checklist

KuppingerCole Whitepaper. by Dave Kearns February 2013

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification

HIPAA-HITECH: Privacy & Security Updates for 2015

A Homeopath Registered Homeopath

CTS performs nightly backups of the Church360 production databases and retains these backups for one month.

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Data Breach Incident Management Policy

Standard CIP Cyber Security Critical Cyber Asset Identification

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Transcription:

Breaches and Remediation Ramona Oliver US Department of Labor Personally Identifiable Information Personally Identifiable Information (PII): Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual s identity, such as their name, social security number, date and place of birth, mother s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual What is a Breach? What is a breach? Actual or possible loss of control, unauthorized disclosure, or unauthorized access of personal information where persons other than authorized users gain access or potential access to such information for an other than authorized purpose, where one or more individuals will be adversely affected 1

Reported Security Incidents Involving PII Examples of Breaches Examples of breaches include: Unauthorized use of another user s account Unauthorized use of system privileges and data extraction An unencrypted e-mail containing PII that is sent outside of the network or sent into the network and forwarded The theft or loss of a laptop containing PII Inadvertent posting of PII in training slides or on the Internet Unauthorized access to PII Data breach scenarios Scenario 1: An employee, while on official travel, inadvertently leaves several CDs containing PII (employees names and social security numbers) in her hotel room. The incident is not discovered until the employee returns to work and notices that the CDs were left behind. Scenario 2: An employee forwards work materials containing employee medical records to her commercial account so that she can work from home to meet approaching deadlines. Scenario 3: A contractor inadvertently leaves his laptop on the metro en route to work. The laptop contains PII (employee organizational listings) that will be used for training purposes. 2

Breach Response Steps When responding to a breach, the following seven steps should be observed: Incident Identification Incident Reporting Containment Mitigation of Harmful Effects Eradication Recovery Follow-up Identify the Nature of the Incident Learn as much as you can about the breach ASAP Is PII involved? Is it an actual breach? Next steps: Assemble your breach response team Conduct a full assessment to determine risk of harm Contain further loss or compromise of PII data Breach Reporting When reporting a breach, you must include the following elements: Date of breach Breach discovery date Date reported to US-CERT and US-CERT identifier Total number of individual(s) affected by the breach Type(s) of data elements involved Description of the breach Mitigation steps taken 3

Risk Assessment Once a breach is discovered, a risk assessment must be conducted to determine the likelihood of harm, based on the following factors: Nature of the data elements breached Number of affected individuals The number of affected individuals is a determining factor in how notifications are made, not whether they are made Likelihood the information is accessible and usable Likelihood the breach may lead to harm Ability of the agency to mitigate the risk of harm Working to Eliminate the Risk Follow up with employees on Rules and Consequences? Provide appropriate training at regular intervals Implement quality controls and audits Physical and technical safeguards Records management and disposition instructions Road to Recovery: Post-Breach Leverage Available Resources Examine Lessons Learned Create Paradigm Shifts Use as an Opportunity 4

Safeguarding PII Policy Ensure Horizontal Cohesion Understand Business Objectives Training and Awareness Incorporate Best Practices Crash the Party Incident Management Lessons Learned Know the Costs Safeguarding PII T r a i n i n g Establish a Firm Foundation Privacy Toolkit Privacy Impact Assessments System of Records Notices Data Loss Prevention Tools Senior Level Support 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback