How To Audit Your Incident Response Plan

Description

IT has deployed the appropriate security controls. You've updated your policies and procedures and raised awareness. And you've got your incident response plan in place. What could possibly go wrong? The answer is: the plan itself. All the planning and preparation in the world won't protect your business from a data breach if the response plan doesn't work. It's necessary to ensure that your response plan stays current and functional. This webinar will provide a checklist of items to review when auditing your response plan. It will also review how often you should audit, test, and update your plan.

Page 1: How to Audit Your Incident Response Plan

How To Audit Your Incident Response Plan

Page 2

Agenda

• Introductions

• Incident Response Plans

• Audit Checklist

• Q&A

Page 3

Introductions: Today’s Speakers

• Ted Julian - Chief Marketing Officer, Co3
  • Security / Compliance entrepreneur
  • Security industry analyst

• Michael Bruemmer - Vice President, Experian® Data Breach Resolution
  • CIPP/US, CHC
  • IAPP Certification Advisory Board

Page 4

Co3 Automates Breach Management

PREPARE: Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps

ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments

MANAGE: Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion

REPORT: Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports

Page 5

Experian® Data Breach Resolution

Pre-Breach Risk Assessment
• Inventory of Systems
• Threat and vulnerability assessment
• Evolution of controls
• Risk Ranking
• Communicating and Monitoring

Forensics
• Preservation of evidence
• Reconstruction of data sources
• Forensic analysis of preserved or reconstructed data sources
• Searches for suspected kinds of PII
• Aggregation of identified PII

Breach Response & Fraud Resolution
• Incident Management
• Notification
• Call Center Support
• Identity Theft Protection
• Fraud Resolution
• Reporting

Page 6

Incident Response Plan

• Crucial to have in place

• Streamlines the process

• What to Include:
  • The Team and Responsibilities
  • Testing / Fire drills
  • Third Party Support
    • Outside counsel
    • Compliance
    • Forensics
    • Data Breach Resolution Vendor

Page 7

Why Auditing Your IR Plan Is A Must

• Ensures you have accurate, up-to-date information

• Allows the process to be refined

• Identifies errors in advance

• Ensures everything is in order before a breach occurs

• Doesn’t cut into crucial response time post-breach

Page 8

7 Checklist Items To Keep In Mind

• Update your internal contact list

• Verify that your plan is comprehensive

• Double check your vendor contracts

• Review notification guidelines (State and Federal)

• Check up on third parties that have access to your data

• Evaluate IT security

• Review staff security awareness

Page 9

Update Your Contact List

• Make sure the contact info for each member is up-to-date
  • Internal
  • External

• Note department heads

• People must be 100% committed during a breach

• Re-distribute list once updated

Page 10

Verify That Your Plan Is Comprehensive

• Plan Revisions
  • Major company changes
  • New departments
  • Data management policy adjustments

• Ensure Departments Know Their Roles

• Fire Drills / Rehearsals

Page 11

Double Check Your Vendor Contracts

• Forensics Team

• Attorneys

• Data Breach Resolution Provider

• Law Enforcement

• Current / Accessible

• Ensure They Still Match Your Needs

Page 12

Review Notification Guidelines

• Ensure your plan reflects the latest state legislation

• Ensure notification letter templates address new laws

• Update contact list
  • State AGs
  • Government Agencies
  • Media

• Healthcare Providers: DHHS and OCR contacts

• Response team should understand reporting procedures

Page 13

Check On 3rd Parties With Access To Your Data

• Are they following your protection rules?

• Educate them on any new relevant legislation

• Stress the importance of immediate notification

• Go over the resolution process

• Healthcare companies: HIPAA requirements
  • Establish Business Associate Agreements (BAAs)

Page 14

Evaluate IT Security

• Re-evaluate where sensitive / regulated data is stored

• Ensure proper access controls are in place

• Check that software and system updates are installed

• Verify that monitoring / reporting systems are working and up-to-date

• Ensure back-ups are securely stored

Page 15

Review Staff Security Awareness

• Are initial background checks still valid? Are random re-checks performed?

• Regular employee Security Awareness Training

• Practice and audit proper information disposal (hard & soft copy)

• Train staff to identify cyber threats

• Require password changes every three months

• Physical security for all devices

Page 16

POLL

Do You Have An Incident Response Plan? (be honest)

Page 17

How Often Should You Audit?

• HCCA recommends regular monitoring wherever PHI is handled

• Monitoring is part of any risk assessment plan

• Audit when objective results are needed and integrity is critical

• Independent (outside) audits provide the best perspective

• OIG: an 'annual audit to minimize risk'

Page 18

POLL

How often do you update your incident response plan?

Page 19

When Should You Update Your Response Plan?

• When new legislation passes (state, federal, and industry regulators)

• When response team members leave the company

• When new vendors join the process

• When new security procedures are implemented

Page 20

QUESTIONS

Page 21

One Alewife Center, Suite 450

Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”

PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”

GARTNER

“Platform is comprehensive, user friendly, and very well designed.”

PONEMON INSTITUTE

Michael Bruemmer, Vice President, Experian® Data Breach Resolution
[email protected]
Blog: www.Experian.com/DBBlog