Managing Catastrophic Loss of Sensitive Data

Book Description

Offering a structured approach to handling and recovering from a catastrophic data loss, this book will help both technical and non-technical professionals put effective processes in place to secure their business-critical information and provide a roadmap of the appropriate recovery and notification steps when calamity strikes.

* Addresses a very topical subject of great concern to security, general IT and business management.
* Provides a step-by-step approach to managing the consequences of and recovering from the loss of sensitive data.
* Gathers in a single place all information about this critical issue, including legal, public relations and regulatory issues.

Table of Contents

  1. Copyright
  2. Visit us at www.syngress.com
    1. Solutions Web Site
    2. Ultimate CDs
    3. Downloadable E-Books
    4. Syngress Outlet
    5. Site Licensing
    6. Custom Publishing
  3. Author
  4. 1. Introduction
    1. Overview
    2. What Is Sensitive Data?
      1. Personally Identifiable Information
      2. Confidential Business Information
      3. Data Categories
    3. Data Security Breach
    4. Data Loss Consequences
      1. Impact
      2. Identity Theft
      3. Organizational Costs
    5. Prevention and Safeguards
    6. Response
    7. Notification
    8. Recovering from a Data Breach
    9. Organization of the Book
      1. Chapter 2: Data Classification
      2. Chapter 3: Controls and Safeguards
      3. Chapter 4: Data Security Policy
      4. Chapter 5: Response Program
      5. Chapter 6: Detection and Reporting
      6. Chapter 7: Evaluation and Response
      7. Chapter 8: Disclosure and Notification
      8. Chapter 9: Closure
      9. Appendix A: Relevant Legislation
  5. 2. Data Classification
    1. Introduction
    2. Security Objectives
    3. Potential Impact
      1. Low
      2. Moderate
      3. High
    4. Classification Levels
      1. Confidential
      2. Internal
      3. Public
    5. Data Ownership and Usage
      1. Owner
      2. Custodian
      3. User
      4. User Manager
      5. Information Security Officer
      6. Chief Information Officer
    6. Data Sharing
    7. Metadata
    8. Classification Project
      1. Create an Information Asset Inventory
      2. Specify the Classification Criteria
      3. Classify the Data
      4. Special Considerations
        1. Aggregation
        2. Extracts
        3. Impact on Other Data or Systems
        4. Unstructured Data
      5. Perform Risk Assessment
        1. Assessment Elements
        2. Models
        3. Approach
        4. Considerations
        5. Risk Management Options
        6. Key Practices
        7. Documentation
        8. Update
        9. Challenges
      6. Develop Control Implementation Plan
      7. Types of Classification Level Controls
        1. Device and Media Controls
      8. Document Exceptions to Recommended Controls
    9. The Data Life Cycle
    10. Summary
  6. 3. Controls and Safeguards
    1. Data Security Program
    2. Security Controls
      1. Management Responsibility
      2. Defense in Depth
      3. Control Identification
      4. Types of Controls
      5. Baseline Approach
      6. Constraints
      7. Laptops
      8. Portable Storage Devices
      9. Transportable Media
      10. E-mail
        1. Internal Controls
        2. External Controls
    3. Technical Safeguards
      1. Firewalls
      2. Intrusion Detection and Prevention Systems
      3. Penetration Testing and Vulnerability Scanning
      4. Data Transmission
      5. Remote Access
      6. External System Connections
      7. Antivirus and Patches
      8. Isolation and Minimization
    4. Access Control
      1. Access Provisioning
      2. Authentication
      3. Entitlement Reviews
      4. Privileged Accounts
        1. Account Ownership
        2. Account Assignment and Usage
        3. Managing Account Passwords
        4. Activity Logging and Monitoring
        5. Policies and Procedures
      5. Developer Access to Production
      6. Physical Access
    5. Activity Logging and Monitoring
      1. Activity Monitoring
      2. Baseline Logging
      3. Centralized Log Management
      4. Protection of Log Files
      5. Storage
    6. Software Assurance
    7. Change Management
    8. Backup and Restore
    9. Disaster Recovery/Business Continuity Planning
    10. Disposal
      1. Measures
      2. Responsibility
      3. Recording
    11. Insiders
    12. Social Engineering
    13. Third-Party Vendors
    14. Training and Awareness
    15. Compensating Controls
    16. Auditing
      1. Data Security Policy
      2. Risk Assessment
      3. Controls
      4. Testing
      5. Third Party Providers
    17. Testing
    18. Updating
      1. Security Program
      2. Controls
    19. Summary
  7. 4. Data Security Policy
    1. Introduction
    2. Standards and Procedures
    3. Benefits
    4. Goals and Trade-Offs
      1. Tone and Perspective
    5. Policy Development Process
      1. Organize a Policy Development Team
      2. Obtain Management Sponsorship and Approval
      3. Outline Major Organizational Activities
      4. Identify and Classify Data
      5. Identify Threats
      6. Determine Appropriate Controls
      7. Develop the Policy
      8. Obtain Needed Approvals
    6. Contents
      1. Statement of Purpose
      2. Goals
      3. Scope
      4. Privacy Principles
      5. Policy Statement
        1. Data Classification
        2. Data Ownership
        3. Risk Assessment
        4. Data Collection
        5. Data Access
        6. Transmission and Distribution
        7. Data Transportation
        8. Third-Party Use
        9. Backup and Recovery
        10. Disposal
      6. Roles and Responsibilities
        1. Organizational Management
        2. Unit Management
        3. Information Security Officer
        4. Data Owner
        5. Data Custodian
        6. User
        7. User Manager
        8. Operations and Infrastructure
        9. Development
        10. Audit
        11. Human Resources
        12. Legal
        13. General Responsibilities and Obligations
      7. Reporting Data Security Breaches
      8. Enforcement
      9. Exceptions
      10. Distribution
      11. Contacts
        1. Related Documents
      12. Definitions
      13. Acknowledgment
    7. Related Policies
    8. Policy Implementation
    9. Update and Maintenance
    10. Compliance Audit
    11. Metrics
    12. Management and Board Approval
    13. Summary
  8. 5. Response Program
    1. Introduction
      1. Objectives
      2. Structure
        1. Business Impact Analysis
    2. Data Breach Response Team
      1. Benefits
      2. Organization
      3. Team Members
      4. Team Director
      5. Functional Membership and Duties
        1. Chief Security Officer
        2. Chief Privacy Officer
        3. Legal Counsel
        4. Public Affairs
        5. Human Resources
        6. Chief Information Officer
        7. Audit
        8. Data Owner
        9. Other Resources
      6. Skills
      7. External Expertise
      8. Charter
      9. Availability
      10. Training
      11. Team Support
      12. Communications
      13. Information Disclosure
      14. Constituency Awareness
      15. Funding
      16. Outsourcing
    3. Developing the Response Plan
      1. Overview
      2. Development
      3. Approval
      4. Audience
      5. Contents
        1. Strategies and Goals
        2. Statement of Management Commitment
        3. Data Breach Response Team
        4. Contact Information
        5. List of Critical Assets
        6. Safeguards and Controls
        7. Incident Types
        8. Business Impact Analysis
        9. Reporting Mechanisms and Guidelines
        10. Information Disclosure
        11. Severity Classification
        12. Analysis and Assessment
        13. Containment
        14. Isolation
        15. Recovery
        16. Forensics
        17. Disclosure and Notification
        18. Communications
        19. Documentation
        20. Damage Assessment
        21. Lessons Learned
        22. Diagnosis Matrix
        23. Vendor Contacts
        24. Internal and External Resources
        25. Related Documents
        26. Future Roadmap
      6. Update
      7. Simulations and Walkthroughs
    4. Summary
  9. 6. Detection and Reporting
    1. Incident Life Cycle
    2. Detection
      1. Party Responsible for Loss
      2. System and Database Administrators
      3. End Users
      4. External Parties
      5. Malicious Party
      6. Antivirus Software
      7. Intrusion Detection Systems
      8. Firewalls
      9. Honeypots
      10. Audit Logs
      11. Event Correlation
      12. Variance from Baseline Profile
      13. Multiple Steps
    3. Reporting
      1. Contacting the Response Team
        1. Help Desk
        2. Reporting Form
        3. Initial Follow-Up
    4. Summary
  10. 7. Evaluation and Response
    1. Introduction
    2. Preliminary Determination
    3. Initial Assessment
    4. Team Escalation
    5. Information Gathering
      1. Party Responsible for Loss
      2. Data Owners
      3. System and Database Administrators
      4. Network Administrators
      5. End Users
      6. Help Desk
      7. Malicious Party
      8. Intrusion Detection Systems
      9. Log Analysis
      10. Device-Based Information
      11. Baselines and Variations
      12. Root Causes
    6. Classification
    7. Scope
    8. Length of Occurrence
    9. Severity Assessment
      1. Severity 1: Critical
      2. Severity 2: Medium
      3. Severity 3: Low
    10. Need to Know
    11. Response Approach
    12. Containment
      1. Criteria
      2. Isolation
      3. Other Measures
        1. Powering Off Affected Systems
        2. Disabling Services and Processes
        3. Securing Access
        4. Integrity Checks
        5. Disabling Accounts
        6. Enhancing Physical Security
      4. Reconfiguring Detection Systems
        1. Preserving Data and Logs
      5. Recovery
        1. Restoration
        2. Monitoring
          1. Data Compromise
          2. System Compromise
          3. Account Compromise
        3. Identifying the Attacker
        4. Documentation
        5. Forensics
    13. Summary
  11. 8. Disclosure and Notification
    1. Introduction
    2. Notification Threshold
    3. Identifying Notification Recipients
    4. Timing
    5. Source
    6. Contents
    7. Protection Recommendations
    8. Offered Services
      1. Credit Monitoring
        1. Data Breach Monitoring
        2. Identity Theft Insurance
        3. Incentives
    9. Method of Delivery
    10. Other Notifications
      1. Internal Disclosure
      2. Regulatory Agencies
      3. Law Enforcement
      4. Media
      5. Incident Reporting Agencies
      6. Credit Reporting Agencies
      7. Financial and Other Institutions
      8. Other External Parties
      9. Information Requests
    11. Legal Issues and Requirements
    12. Preparing for Follow-Up
    13. Summary
  12. 9. Closure
    1. Introduction
    2. Lessons Learned/Postmortem Meeting
    3. Incident Impact and Costs
      1. Overall Impact
      2. Personnel Costs
      3. Staff Productivity
      4. Lost Revenue
      5. Victim Notification
      6. Victim Assistance
      7. Call Center
      8. Media Management
      9. Consulting Services
      10. Legal Fees
      11. Regulatory or Legal Penalties
      12. Reputational
      13. Competitive Advantage
      14. Credit Rating and Stock Price
      15. New Controls and Safeguards
    4. Root Cause Analysis
    5. Corrective Action Plan
    6. Internal and External Follow-Up
    7. Closure Report
      1. Preparation
      2. Detection
      3. Evaluation
      4. Response
      5. Closure
    8. Summary
  13. A. Relevant Legislation
    1. Introduction
    2. United States—Federal Legislation
      1. Gramm-Leach-Bliley (GLB)
      2. Health Insurance Portability and Accountability Act (HIPAA)
      3. Sarbanes-Oxley Act (SOX)
      4. Federal Information Security Management Act (FISMA)
    3. United States—State Legislation
      1. California
      2. Other States
        1. Arizona
        2. Arkansas
        3. Colorado
        4. Connecticut
        5. Delaware
        6. District of Columbia
        7. Florida
        8. Georgia
        9. Hawaii
        10. Idaho
        11. Illinois
        12. Indiana
        13. Kansas
        14. Louisiana
        15. Maine
        16. Maryland
        17. Massachusetts
        18. Michigan
        19. Minnesota
        20. Montana
        21. Nebraska
        22. Nevada
        23. New Hampshire
        24. New Jersey
        25. New York
        26. North Carolina
        27. North Dakota
        28. Ohio
        29. Oklahoma
        30. Oregon
        31. Pennsylvania
        32. Rhode Island
        33. Tennessee
        34. Texas
        35. Utah
        36. Vermont
        37. Washington
        38. Wisconsin
        39. Wyoming
    4. Canada
      1. Personal Information Protection and Electronic Documents Act (PIPEDA)
    5. European Union
      1. Directive 95/46/EC