
Deflecting and Responding to Data Security Breaches

February 2006

The growth of Internet communications and Web applications has increased exponentially in the past 5 years and, as a result, all businesses must watch out for the new breed of risk created by the networked economy.

by Saundra Kae Rubel, edited by Gary E. Clayton, Esq.
www.privacycg.com

Companies of all sizes are being affected by data security breaches now more than ever. Not a week goes by without a newsworthy data loss event. With businesses dependent on their computer networks and the data in them for success, a lack of proper planning for data security incidents will leave a company in a precarious position. Companies such as ChoicePoint and BJ's Wholesale know just how precarious: ChoicePoint's data security breach led to a $15 million fine by the Federal Trade Commission,1 and BJ's has set aside $16 million to recover from its data security incident.2

Is your company prepared to defend against and respond to a security breach? If not, does it know how to get prepared? Effective risk management is an integral part of any network and data security program. Protection of a business's assets, including information systems and confidential and proprietary data, must be embedded in every organization's mission. The standard risk management processes of risk assessment, evaluation, and mitigation apply to computer and data security as well: threats to the network must be identified and mitigated, potential vulnerabilities analyzed, and the proper controls put into place to limit exposure.

Understand Your Risk

Preparedness for a security event of any kind calls for a better understanding of what types of events might occur. A security incident refers to an adverse event in an information system and/or network, or the threat of the occurrence of such an event. A security incident can include any of the following events.

  • Unauthorized access by employee, contractor, or third party
  • Root or system level attacks to any host or system
  • Compromise of restricted confidential service accounts or software areas
  • Denial of service attacks to infrastructure, confidential service accounts, or software areas
  • Large scale attacks of any kind (worms, sniffing attacks, etc.)
  • Threats, harassment, or criminal offenses involving individual user accounts
  • Compromise of individual user accounts
  • Compromise of desktop systems
  • Forgery, misrepresentation, or misuse of resources
  • Loss or theft of a workstation, laptop, PDA, BlackBerry, backup media, or CD-ROM
  • Any act of violation of an established policy

Implement Policies and Procedures

Preparedness for a security event also calls for well-defined policies and procedures. For example, when a security incident occurs, the ensuing investigation may warrant taking intrusive steps, such as monitoring activities of employees. Without any policies to the contrary, your employees might have an expectation of privacy during an investigation. With the proper policies and established procedures, however, you can more effectively pursue your determined objectives when responding to an incident.

Policies can share common elements, which allows for consistency across departments. At a minimum, each policy should contain:

  • Purpose
  • Scope (who the policy applies to)
  • The actual policy statement
  • Acknowledgement statement, with voluntary or mandatory participation
  • The process the policy supports
  • General requirements
  • User requirements
  • Definitions
  • Objectives
  • How and when the policy is updated
  • Sponsor of the policy
  • Custodian of the policy
  • Revision history

Assign Responsibility

Whether an organization has a dedicated security department or only part-time security staff, specific people must be assigned specific roles in case of an incident. Depending on the size of the company, there may be a need for a complete security department; in some companies the chief information officer (CIO) will also handle security incidents.

A computer security incident response team (CSIRT) is a group of professionals within an organization who are trained to respond to an information system or data security incident. This select group of individuals follows a specific plan when activated during a breach (or potential breach).

This team's role is investigation and problem solving. Team members should include among others:

  • Management personnel and mission owners with the authority to act
  • IT security program manager (or other individual responsible for the security program)
  • IT system owners
  • Business or functional managers
  • IT auditors
  • Technical personnel with the knowledge and expertise to rapidly diagnose and resolve problems
  • Communications representatives who can keep the appropriate individuals and organizations informed and can develop public image control strategies as necessary

The CSIRT must create a mission statement that aligns with the corporation's goals. A team's work falls into two modes: proactive and reactive. Proactive work includes security awareness, education, and analysis of user behavior and event logs. Reactive work is triggered by an actual or suspected incident.

Develop a Formal Plan

What's a team without a plan? A documented plan for responding to security incidents (or potential incidents), commonly called an incident response plan (IRP), is a necessity for effectively handling the internal and external issues surrounding a crisis. An IRP:

  • Prevents a disjointed, noncohesive response
  • Confirms or dispels whether an incident occurred
  • Enables legal and law enforcement to prosecute malicious entities
  • Promotes accumulation of accurate information
  • Establishes controls for proper retrieval and handling of evidence
  • Protects privacy rights established by law and policy
  • Minimizes disruption to business and network operations
  • Provides accurate reports and useful recommendations
  • Provides rapid detection and containment
  • Establishes priorities
  • Minimizes exposure and compromise of proprietary data
  • Protects the organization's assets and reputation
  • Educates senior management
  • Promotes rapid detection and/or prevention of such incidents in the future

For an IRP to be successful, its maintenance must be an ongoing process: the plan must be kept current and reflect organizational and infrastructure changes and newly discovered vulnerabilities as they occur. In addition, an IRP should be a key component of a well-rounded information security program that also includes policies and procedures, a compliance monitoring program, and an intrusion detection system.

However, the scale of a response is dictated by the nature of each individual organization. An organization that does little e-commerce can disconnect its network at a moment's notice without much harm to its revenue, while an organization whose mainstay is e-commerce will want to invest more resources in developing an in-depth IRP that lets it contain an incident without taking the business offline.

Each plan will be different; one size does not fit all. The plan's success depends on willing participants, streamlined processes, management support, and knowledge of where data resides in the organization. If you have not already audited where data exists, in both paper and electronic form, now is the time to do so as part of the overall preplanning. If you do not know where your data is, it is hard to know that it has been lost or compromised, or what to remediate when an incident occurs. Data maps and data flow diagrams are extremely helpful in incident response scenarios.
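The following script is an illustration added to this article; it is not the author's or IRMI's code. It shows one practical way to start the data audit described above: walk a directory tree, look for patterns that commonly mark regulated personal data (Social Security numbers, payment card numbers that pass the Luhn check, e-mail addresses), and produce a simple data map of which files hold which classes of data. The detection rules, file names and file contents are all assumptions constructed for the example; the card number is the widely published Visa test number.

```python
"""Build a data map: which files hold which classes of personal data.

Added example, not from the original article. It scans a directory tree for
patterns that commonly mark regulated data (SSNs, payment card numbers,
e-mail addresses) and returns {path: [data classes]}. The sample tree in
demo() is constructed inline so the script runs offline.
"""
import os
import re
import tempfile

# Assumed detection rules; tune per data class in a real deployment.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order numbers that merely look like PANs are skipped."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of data classes whose pattern occurs in text."""
    found = set()
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "card":
                digits = re.sub(r"\D", "", m.group(0))
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue
            found.add(name)
            break               # one confirmed hit per class per file is enough
    return found


def build_data_map(root: str) -> dict:
    """Walk root and return {relative path (forward slashes): sorted classes}."""
    data_map = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    classes = classify(fh.read())
            except OSError:
                continue        # unreadable file: skip here, log it in production
            if classes:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                data_map[rel] = sorted(classes)
    return data_map


def demo() -> dict:
    """Constructed sample tree. 4111... is the published Visa test number;
    1234567890123456 has 16 digits but fails Luhn and must not be flagged."""
    samples = {
        "hr/payroll.csv": "Ann Lee,123-45-6789,ann@example.com\n",
        "sales/orders.txt": "order 1234567890123456 shipped\n",
        "sales/refunds.txt": "refund to 4111 1111 1111 1111 approved\n",
        "eng/README": "no personal data here\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return build_data_map(root)


if __name__ == "__main__":
    for path, classes in sorted(demo().items()):
        print(f"{path}: {', '.join(classes)}")
```

The Luhn check is what keeps the scan useful: without it, every 16-digit order or ticket number would show up as a card number and the resulting map would be too noisy to act on. A real inventory would also cover databases and backups, not just files on disk, and would record who owns each location, which is what turns the scan output into a data map.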

Determining If There Has Been an Incident

In most cases, staff will already have a good idea that there has been an incident, but the extent of the incident might not be known. Here are a few suspicious events the plan should tell staff to watch for and report.

  • Hardware problems
  • Software problems
  • Accidental deletion of system or user files
  • Malicious user
  • A strange process running and accumulating a lot of CPU time
  • Intruder logged into system
  • Virus has infected system
  • Someone from a remote site is trying to penetrate the system
  • The corporate website has been defaced
  • Hacked user account
  • Hacked root account
  • Denial of service (DoS) attack
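Several of the indicators above can be checked mechanically. The script below is an illustration added here, not code from the article's author or from IRMI. It runs three simple detectors over a constructed OpenSSH-style authentication log and a constructed process table: repeated failed logins from one remote address (someone trying to penetrate the system), a successful root login from outside the administrative network together with the number of failures that preceded it from the same source (a hacked root account), and a process that has accumulated an unusual amount of CPU time. The log lines, the process table, the thresholds, and the administrative network range are all assumptions made for the example.

```python
"""Triage checks for several of the indicators listed above.

Added example, not from the original article. Three detectors run over a
constructed OpenSSH-style auth log and a constructed process table:
  * repeated failed logins from one remote address,
  * a root login from outside the administrative network, with the count of
    failures that preceded it from the same source,
  * a process that has accumulated an unusual amount of CPU time.
The log lines, process table, thresholds and admin network are all assumptions.
"""
import ipaddress
import re
from collections import Counter

FAIL_THRESHOLD = 5                                   # assumed: failures per source before alerting
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]   # assumed: where root logins are expected
CPU_MINUTES_THRESHOLD = 120                          # assumed: unusual CPU time for this host

# Constructed sample log; 203.0.113.0/24 is a documentation range, not a real address.
AUTH_LOG = """\
Feb  1 02:14:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
Feb  1 02:14:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4413 ssh2
Feb  1 02:14:05 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 4414 ssh2
Feb  1 02:14:06 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 4415 ssh2
Feb  1 02:14:08 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 4416 ssh2
Feb  1 02:14:10 web1 sshd[2201]: Accepted password for root from 203.0.113.7 port 4417 ssh2
Feb  1 09:00:12 web1 sshd[2390]: Accepted publickey for ops from 10.0.5.20 port 51022 ssh2
Feb  1 09:01:40 web1 sshd[2391]: Failed password for ops from 10.0.5.20 port 51030 ssh2
"""

# Constructed sample process table: (pid, user, cpu_minutes, command).
PROCESSES = [
    (412, "root", 3, "/usr/sbin/sshd"),
    (1873, "www-data", 41, "/usr/sbin/apache2"),
    (9921, "www-data", 388, "/tmp/.x/kthreadd"),
]

LINE_RX = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_auth_log(text):
    """Return one dict per login attempt (result, user, ip) in log order."""
    return [m.groupdict() for m in map(LINE_RX.search, text.splitlines()) if m]


def detect_brute_force(events):
    """Sources with at least FAIL_THRESHOLD failed logins."""
    fails = Counter(e["ip"] for e in events if e["result"] == "Failed")
    return [("brute_force", ip, n) for ip, n in fails.items() if n >= FAIL_THRESHOLD]


def detect_untrusted_root(events):
    """Successful root logins from outside ADMIN_NETS; the detail is how many
    failures from the same source came before the success."""
    findings, fails_so_far = [], Counter()
    for e in events:
        if e["result"] == "Failed":
            fails_so_far[e["ip"]] += 1
        elif e["user"] == "root":
            addr = ipaddress.ip_address(e["ip"])
            if not any(addr in net for net in ADMIN_NETS):
                findings.append(("untrusted_root_login", e["ip"], fails_so_far[e["ip"]]))
    return findings


def detect_cpu_hogs(procs):
    """Processes at or above the CPU-time threshold."""
    return [("cpu_hog", cmd, mins) for _pid, _user, mins, cmd in procs
            if mins >= CPU_MINUTES_THRESHOLD]


def triage(auth_log=AUTH_LOG, procs=PROCESSES):
    """Run every detector and return (category, subject, detail) sorted by category."""
    events = parse_auth_log(auth_log)
    return sorted(detect_brute_force(events) + detect_untrusted_root(events)
                  + detect_cpu_hogs(procs))


if __name__ == "__main__":
    for category, subject, detail in triage():
        print(f"{category:22} {subject:20} {detail}")
```

The point of the second detector is that a single signal is rarely conclusive: a root login by itself may be routine, and a handful of failed passwords may be a typo, but a root login from an unexpected network immediately after five failures from the same address is exactly the "hacked root account" case the list above warns about. In the constructed process table, the CPU-time rule also surfaces a binary running from /tmp under a kernel-thread name, which is a separate indicator worth its own rule in a real deployment.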

Data security involves the education and systematic training of employees. Policies must be enforced and security should be a part of an organization's overall mission. Risk managers will need to cost-justify information security, understand security best practices, gain senior management support, and integrate security into all data handling practices.


Saundra Kae Rubel, CIPP, is a consultant with Privacy Compliance Group. She has over 7 years' experience in implementing privacy management practices into business processes. She specializes in security and data protection issues and has served as a member of the California Office of Privacy Protection Task Force on California Information-Sharing Disclosures and Privacy Policy Statements. A member of the InfraGard and High Tech Crime Investigation Association (www.HTCIA.org), Ms. Rubel works with organizations to ensure their business practices meet international data protection regulations. She was awarded the Certified Information Privacy Professional (CIPP) designation in October 2004.


1United States of America (for the Federal Trade Commission) v. ChoicePoint Inc. (N.D. Ga.) (FTC File No. 052-3069). (last visited February 1, 2006.)

2BJ's Wholesale Club, Inc., In the Matter of, (FTC File No. 042 3160). (last visited February 1, 2006.)


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

© 2000-2012 International Risk Management Institute, Inc. (IRMI). All rights reserved.