Each day it seems like another privacy breach is reported. That doesn't mean, however, that organizations are forgetting to put data security policies in place.
Verizon's 2008 Data Breach Investigations Report, released in June, showed that in 59% of data breaches, the threatened organizations had already established documented security policies and procedures but that they were not actually following or enforcing them.
Here are a few real-world examples. Would your Windows administration group know how to act during a privacy breach like any of these?
- An unauthorized individual hacks into your network. He or she is believed to have accessed files containing personally identifiable information, known as PII.
- Management suspects a Trojan is sending PII outside of the network.
- The information security staff is investigating whether an authorized user is inappropriately accessing and using PII.
- An email containing PII is accidentally or inappropriately sent to someone outside the organization.
Do these scenarios make you a little bit nervous? Let's take a look at what Windows shops can and should do to mitigate or prevent a possible privacy breach.
Preparing for privacy breach response
Privacy breach response activities typically depend on how the PII was accessed. Privacy breach response procedures should include answering the following questions:
Was the PII accessed in an unauthorized manner? Your answer often determines whether privacy breach notifications are needed. If a Windows administrator can produce logs that definitively prove that PII was not accessed in an unauthorized manner, the organization will know that it is not necessary to notify all individuals within the PII database. This ultimately saves an organization time and resources.
How was the PII accessed?The Windows logs will also be valuable in determining how, when and where access occurred. They may also be able to show whether the PII was modified, copied or otherwise accessed.
Remember: If the logs are not properly configured, then, you may not be able to tell in what manner the PII was accessed. Besides being used for breach response decisions, logging access to PII files also demonstrates due diligence and supports compliance with a number of state and federal laws and regulations.
What data is likely to be needed during a privacy breach response?There are unlimited ways in which privacy breaches can occur, so you may be asked to provide any type of data! However, some of the most common types of information used within privacy breach response include, but are not limited to, the following:
- Active network connections to the Windows servers and any available diagnostic data
- Antivirus, anti-spyware and other anti-malware logs
- Email logs
- Installed software logs
- Prefetch file data
- System information and systems logon and logoff logs
- Temporary Internet files
- User account information
- Windows event logs
- Windows firewall configuration settings and exception lists
- Windows setup log
- Windows systems services and programs
How long should you keep privacy breach-related data? This question is not asked enough, which often results in a derailed response and investigation effort when the data is destroyed.
When a privacy breach occurs, Windows administrators should meet with the information security staff and the legal department to determine if the organization's data retention practices require modification. The group should also discuss whether data needs to be preserved for evidentiary or e-discovery requirements. In addition, Windows admins must think ahead and ask their team leaders to make sure their responsibilities are documented in the corporate plan.
Preventing a privacy breach
The best way to prevent a privacy breach is to make PII unobtainable by keeping it encrypted while at rest and while in transit. As a Windows manager, you may not have control over whether PII is encrypted by applications that transmit PII through networks. However, whenever possible, establish ways to ensure it's is encrypted on Windows servers using strong encryption methods.
Is it worth the time and effort to prevent possible privacy breaches? Research shows that organizations that spend resources on data security can recoup their costs in a relatively short period of time. Market analysis firm Forrester Research Inc. says organizations that are considering privacy programs can get a positive return of 38% after the first year with a net positive return within two to three years.
The bottom line is that responding to potential privacy breaches can't be done in a vacuum. Every Windows manager must not only know how to answer some tough questions but also how to collaborate and cooperate with other key positions throughout the enterprise.
Rebecca Herold, CISSP, CISA, CISM, CIPP, FLMI, has more than 17 years of
experience in IT, information security, privacy and compliance and is the owner and principal of
Rebecca Herold LLC. She is an adjunct professor for the Norwich University Master of Science in
Information Assurance program and is writing her 12th book. Her articles can be found at www.privacyguidance.com and www.realtime-itcompliance.com.
This was first published in October 2008