Managing Catastrophic Loss of Sensitive Data (eBook)

Front Cover 1
Managing Catastrophic Loss of Sensitive Data 4
Copyright Page 5
Author 6
Contents 8
Chapter 1: Introduction 20
Overview 21
What Is Sensitive Data? 22
Personally Identifiable Information 23
Confidential Business Information 23
Data Categories 24
Data Security Breach 24
Data Loss Consequences 25
Impact 25
Identity Theft 26
Organizational Costs 27
Prevention and Safeguards 28
Response 29
Notification 30
Recovering from a Data Breach 31
Organization of the Book 32
Chapter 2: Data Classification 32
Chapter 3: Controls and Safeguards 32
Chapter 4: Data Security Policy 32
Chapter 5: Response Program 33
Chapter 6: Detection and Reporting 33
Chapter 7: Evaluation and Response 33
Chapter 8: Disclosure and Notification 33
Chapter 9: Closure 33
Appendix A: Relevant Legislation 33
Chapter 2: Data Classification 34
Introduction 35
Security Objectives 35
Potential Impact 37
Low 37
Moderate 37
High 38
Classification Levels 38
Confidential 39
Internal 40
Public 40
Data Ownership and Usage 42
Owner 42
Custodian 43
User 44
User Manager 44
Information Security Officer 45
Chief Information Officer 45
Data Sharing 46
Metadata 46
Classification Project 47
Create an Information Asset Inventory 47
Specify the Classification Criteria 49
Classify the Data 50
Special Considerations 51
Aggregation 51
Extracts 51
Impact on Other Data or Systems 51
Unstructured Data 52
Perform Risk Assessment 52
Assessment Elements 53
Models 54
Approach 54
Considerations 55
Risk Management Options 56
Key Practices 56
Documentation 57
Update 57
Challenges 58
Develop Control Implementation Plan 58
Types of Classification Level Controls 59
Device and Media Controls 59
Document Exceptions to Recommended Controls 60
The Data Life Cycle 61
Summary 63
Chapter 3: Controls and Safeguards 66
Data Security Program 67
Security Controls 67
Management Responsibility 67
Defense in Depth 68
Control Identification 69
Types of Controls 70
Baseline Approach 70
Constraints 71
Laptops 72
Portable Storage Devices 73
Transportable Media 74
E-mail 75
Internal Controls 75
External Controls 76
Technical Safeguards 76
Firewalls 76
Intrusion Detection and Prevention Systems 77
Penetration Testing and Vulnerability Scanning 78
Data Transmission 79
Remote Access 79
External System Connections 80
Antivirus and Patches 81
Isolation and Minimization 81
Access Control 82
Access Provisioning 82
Authentication 82
Entitlement Reviews 84
Privileged Accounts 85
Account Ownership 85
Account Assignment and Usage 85
Managing Account Passwords 86
Activity Logging and Monitoring 86
Policies and Procedures 86
Developer Access to Production 87
Physical Access 88
Activity Logging and Monitoring 89
Activity Monitoring 89
Baseline Logging 90
Centralized Log Management 90
Protection of Log Files 91
Storage 91
Software Assurance 91
Change Management 93
Backup and Restore 94
Disaster Recovery/Business Continuity Planning 95
Disposal 96
Measures 97
Responsibility 97
Recording 97
Insiders 97
Social Engineering 99
Third-Party Vendors 100
Training and Awareness 102
Compensating Controls 104
Auditing 104
Data Security Policy 105
Risk Assessment 105
Controls 105
Testing 106
Third Party Providers 106
Testing 107
Updating 108
Security Program 108
Controls 108
Summary 109
Chapter 4: Data Security Policy 112
Introduction 113
Standards and Procedures 114
Benefits 114
Goals and Trade-Offs 115
Tone and Perspective 116
Policy Development Process 116
Organize a Policy Development Team 116
Obtain Management Sponsorship and Approval 117
Outline Major Organizational Activities 118
Identify and Classify Data 118
Identify Threats 118
Determine Appropriate Controls 118
Develop the Policy 119
Obtain Needed Approvals 119
Contents 119
Statement of Purpose 120
Goals 120
Scope 120
Privacy Principles 121
Policy Statement 122
Data Classification 123
Data Ownership 123
Risk Assessment 124
Data Collection 124
Data Access 124
Transmission and Distribution 125
Data Transportation 125
Third-Party Use 126
Backup and Recovery 126
Disposal 127
Roles and Responsibilities 127
Organizational Management 127
Unit Management 128
Information Security Officer 128
Data Owner 128
Data Custodian 128
User 128
User Manager 129
Operations and Infrastructure 129
Development 129
Audit 129
Human Resources 129
Legal 129
General Responsibilities and Obligations 130
Reporting Data Security Breaches 130
Enforcement 131
Exceptions 131
Distribution 132
Contacts 132
Related Documents 132
Definitions 133
Acknowledgment 133
Related Policies 133
Policy Implementation 136
Update and Maintenance 136
Compliance Audit 138
Metrics 138
Management and Board Approval 140
Summary 142
Chapter 5: Response Program 144
Introduction 145
Objectives 145
Structure 146
Business Impact Analysis 147
Data Breach Response Team 147
Benefits 148
Organization 149
Team Members 150
Team Director 150
Functional Membership and Duties 151
Chief Security Officer 152
Chief Privacy Officer 152
Legal Counsel 152
Public Affairs 153
Human Resources 153
Chief Information Officer 153
Audit 154
Data Owner 154
Other Resources 154
Skills 154
External Expertise 155
Charter 155
Availability 156
Training 156
Team Support 157
Communications 157
Information Disclosure 158
Constituency Awareness 158
Funding 159
Outsourcing 159
Developing the Response Plan 160
Overview 160
Development 161
Approval 162
Audience 162
Contents 162
Strategies and Goals 163
Statement of Management Commitment 163
Data Breach Response Team 163
Contact Information 164
List of Critical Assets 164
Safeguards and Controls 164
Incident Types 164
Business Impact Analysis 165
Reporting Mechanisms and Guidelines 165
Information Disclosure 165
Severity Classification 165
Analysis and Assessment 166
Containment 167
Isolation 167
Recovery 167
Forensics 168
Disclosure and Notification 168
Communications 169
Documentation 169
Damage Assessment 170
Lessons Learned 171
Diagnosis Matrix 171
Vendor Contacts 172
Internal and External Resources 172
Related Documents 172
Future Roadmap 172
Update 173
Simulations and Walkthroughs 173
Summary 175
Chapter 6: Detection and Reporting 178
Incident Life Cycle 179
Detection 179
Party Responsible for Loss 180
System and Database Administrators 181
End Users 183
External Parties 184
Malicious Party 185
Antivirus Software 185
Intrusion Detection Systems 186
Firewalls 188
Honeypots 189
Audit Logs 190
Event Correlation 191
Variance from Baseline Profile 191
Multiple Steps 192
Reporting 192
Contacting the Response Team 193
Help Desk 193
Reporting Form 194
Initial Follow-Up 195
Summary 196
Chapter 7: Evaluation and Response 198
Introduction 199
Preliminary Determination 199
Initial Assessment 200
Team Escalation 203
Information Gathering 204
Party Responsible for Loss 204
Data Owners 205
System and Database Administrators 205
Network Administrators 206
End Users 206
Help Desk 207
Malicious Party 207
Intrusion Detection Systems 207
Log Analysis 208
Device-Based Information 208
Baselines and Variations 209
Root Causes 209
Classification 209
Scope 210
Length of Occurrence 211
Severity Assessment 211
Severity 1: Critical 212
Severity 2: Medium 212
Severity 3: Low 213
Need to Know 213
Response Approach 213
Containment 214
Criteria 214
Isolation 214
Other Measures 216
Powering Off Affected Systems 216
Disabling Services and Processes 216
Securing Access 217
Integrity Checks 217
Disabling Accounts 217
Enhancing Physical Security 218
Reconfiguring Detection Systems 218
Preserving Data and Logs 218
Recovery 219
Restoration 219
Monitoring 220
Data Compromise 220
System Compromise 220
Account Compromise 221
Identifying the Attacker 221
Documentation 221
Forensics 223
Summary 225
Chapter 8: Disclosure and Notification 228
Introduction 229
Notification Threshold 230
Identifying Notification Recipients 232
Timing 233
Source 234
Contents 235
Protection Recommendations 236
Offered Services 237
Credit Monitoring 237
Data Breach Monitoring 238
Identity Theft Insurance 238
Incentives 238
Method of Delivery 238
Other Notifications 239
Internal Disclosure 240
Regulatory Agencies 241
Law Enforcement 242
Media 243
Incident Reporting Agencies 244
Credit Reporting Agencies 245
Financial and Other Institutions 245
Other External Parties 245
Information Requests 246
Legal Issues and Requirements 247
Preparing for Follow-Up 248
Summary 249
Chapter 9: Closure 252
Introduction 253
Lessons Learned/Postmortem Meeting 253
Incident Impact and Costs 256
Overall Impact 257
Personnel Costs 257
Staff Productivity 257
Lost Revenue 258
Victim Notification 258
Victim Assistance 258
Call Center 259
Media Management 259
Consulting Services 259
Legal Fees 259
Regulatory or Legal Penalties 259
Reputational 260
Competitive Advantage 260
Credit Rating and Stock Price 261
New Controls and Safeguards 261
Root Cause Analysis 261
Corrective Action Plan 261
Internal and External Follow-Up 263
Closure Report 264
Preparation 265
Detection 266
Evaluation 266
Response 266
Closure 267
Summary 269
Appendix A: Relevant Legislation 272
Introduction 273
United States-Federal Legislation 273
Gramm-Leach-Bliley (GLB) 273
Health Insurance Portability and Accountability Act (HIPAA) 275
Sarbanes-Oxley Act (SOX) 276
Federal Information Security Management Act (FISMA) 277
United States-State Legislation 278
California 278
Other States 279
Arizona 280
Arkansas 281
Colorado 281
Connecticut 282
Delaware 283
District of Columbia 283
Florida 284
Georgia 284
Hawaii 285
Idaho 285
Illinois 286
Indiana 286
Kansas 286
Louisiana 287
Maine 287
Maryland 288
Massachusetts 288
Michigan 289
Minnesota 289
Montana 290
Nebraska 290
Nevada 291
New Hampshire 291
New Jersey 292
New York 292
North Carolina 293
North Dakota 293
Ohio 294
Oklahoma 295
Oregon 295
Pennsylvania 296
Rhode Island 296
Tennessee 297
Texas 297
Utah 298
Vermont 298
Washington 299
Wisconsin 299
Wyoming 300
Canada 300
Personal Information Protection and Electronic documents Act (PIPEDA) 300
European Union 301
Directive 95/46/EC 301
Index 304