Pennsylvania Local
School Districts:
Regional Data Breach
Exercise
19 November 2014
Mike Tassey
Technical Security Advisor
Privacy Technical Assistance Center (PTAC)
http://ptac.ed.gov/
E-mail: [email protected]
Phone: 855-249-3072
2
Interactive Data Breach Exercise
•
Table top exercise that simulates a data breach within a complex
organization
•
Intended to provide an opportunity for attendees to put themselves in
the shoes of the critical decision makers that have just experienced a
data breach
•
You will be divided into teams that each must react and respond to
the scenario as if it were happening in real time
•
Over time, the scenario will be more fully revealed as you discover
more about what happened.
•
Be prepared for the unexpected!
3
Suggestions
•
Think about each of the roles needed in your organization (public
information, data system leadership, attourney, auditors, etc.)
•
Consider assigning these roles to individuals within the team to
increase realism and make the decision making process more
organized
•
Use the chat functionality to ask any questions you may have and a
PTAC navigator will respond to help clarify
•
Things may seem murky at first, the full extent or impact of a data
breach is rarely known up front. Do your best to anticipate what
might happen but don’t get ahead of yourselves.
4
Interactive Data Breach Exercise
Each team will have (01:50:00) to complete
the exercise and develop two key products:
• Response Plan – outline how your agency will approach the
scenario and what resources you would mobilize. Describe
who within the agency would comprise your response team
and identify goals and a timeline for response activities.
• Public & Internal Communications / Messaging – develop
the message you would deliver to your partners, customers,
students & parents, the media, and the public*
*
During the event you may be asked to participate in press conferences about
the scenario. Be prepared to respond to reporters and the media about what is
happening and how your organization is responding
5
Interactive Data Breach Exercise
Background
• You are local school district with 8000 students
• Your organization provides centralized IT services and support
for outlying K-12 schools as well as access to a centrally
managed student information system
• The district has recently installed a new version of the statewide SIS which provides the ability for users / administrators /
faculty to log in individually through the browser and upload
grades, attendance and assessment data
• The rollout has hit some snags integrating with legacy systems
and managing roles and permissions, pushing the
implementation of the new system to only a few test locations
in the district
6
Interactive Data Breach Exercise
Scenario
• Yesterday a computer science teacher notified the
district IT manager that some course grades
appeared to have been changed in the system,
apparently all the students in the course had their
grades changed to reflect much better scores than
they should
• Initial investigation shows that someone had logged
on using the teacher’s login information and
manually changed the grades
• Additionally, the logs indicate that reports were also
downloaded which contained the private information
of many of the school’s students and employees
7
Interactive Data Breach Exercise
• Gather your teams and prepare to cogitate
• Go over the scenario carefully and begin to think about what
you know and do not know
• Convene the group into an incident response team and read
aloud the background and goals
• Begin building your response (we recommend electing a
person to keep notes)
• During the scenario, you may receive additional information
about the breach. Read each of these updates as the
scenario unfolds
• We will occasionally pause to discuss where we are, and
possibly even give a press release
(This exercise works best if all parties approach it as they would a “murder mystery” dinner.
The more the groups synthesize the information and role play, the better the effect and
more useful the exercise becomes.)
8
Interactive Data Breach Exercise
Questions?
9
Interactive Data Breach Exercise
10 Minutes
End
10
Interactive Data Breach Exercise
Where are we?
• Have you begun to build a plan for response?
• Can you make any concrete conclusions?
• Has there really been a breach?
11
Interactive Data Breach Exercise
Scenario Update
• Logs indicate that the login occurred from the
school’s WiFi network after school hours
• In addition to changing the grades in the system,
several reports were accessed which revealed the
private information (including SSNs) of the entire
school district
• Reports have surfaced of students offering to
change grades for money, no names have yet
surfaced
12
Interactive Data Breach Exercise
10 Minutes
End
13
Interactive Data Breach Exercise
Where are we?
• Has the updated information changed your
approach to the scenario?
• Does the fact that the breach includes SSNs change
the way you approach response?
• Think about what controls you could put in place to
avoid a scenario like this?
14
Interactive Data Breach Exercise
Scenario Update
• Two juniors who are in the original computer
science class are rumored to be the culprits
• When questioned, they admit that they located a
sticky note with the teacher’s username and
password which they then used to log in from their
car after school to change the grades
• They say that they also accessed some other
school systems which included a database of
employees (name, addresses, SSNs, employee
numbers, etc)
15
Interactive Data Breach Exercise
10 Minutes
End
16
Interactive Data Breach Exercise
Scenario Update
• The data they accessed contains the personal private
information from 3500 students and 110 employees
• Some of the data about school administrators and
teachers has been published to the students’
Facebook pages and is thus available to the internet
• News of the breach has leaked out because you are
starting to receive calls from parents asking if their
child’s data was accessed and their grades changed
• Your legal counsel advises that State law requires the
notification of victims of a data breach within 15 days
17
Interactive Data Breach Exercise
10 Minutes
End
18
Interactive Data Breach Exercise
Press Conference
• It’s out there, so you must now brief the press and
the community
• Your spokesperson should now give a brief press
conference to address the issue and take a few
questions
• In the audience are reporters from local and national
media, as well as parents, privacy advocates and
activists
19
Interactive Data Breach Exercise
Where are we?
• How did it go?
• Was your message received well?
• Now that it is public, what do you say to your data
sharing partners?
20
Interactive Data Breach Exercise
Scenario Update
• An employee of the school whose information was
involved in the breach has her identity stolen, she
claims it was a result of the Facebook posting of her
private information
• Parents and community privacy advocates are
criticizing the new SIS implementation and
demanding answers on how this was able to occur
• As news of the breach spreads, other districts are
receiving pushback from their communities against
the implementation of the new system and the State
Department of Education is pressing you to respond
quickly to reassure the public
21
Interactive Data Breach Exercise
10 Minutes
End
22
Interactive Data Breach Exercise
Unveil Your Response Plan
• Take us through your response plan, include the
who, what, when and how.
• What were the driving factors in your decision
making process?
• Did your plan evolve as the scenario became more
clear? How?
• In an actual data breach the legal and regulatory
overhead can be large, how do you think your
organizations can prepare in advance to enable the
organization to react to a potential breach faster?
23
ED/PTAC Resources available
•
FERPA Training
•
•
•
•
•
FERPA 101 professional training video
FERPA 201 (Data Sharing) professional training video
FERPA 301 (Postsecondary) professional training video
FERPA 101 For Parents and Students
Data Security
•
•
•
•
•
Data Security Checklist
Data Governance Checklist
Cloud Computing
Identity Authentication Best Practices
Data Breach Response Checklist
24
Contact Information
Family Policy Compliance
Office
Telephone:
(202) 260-3887
Privacy Technical Assistance
Center
Telephone:
(855) 249-3072
Email:
[email protected]
Email:
[email protected]
FAX:
(202) 260-9001
FAX:
(855) 249-3073
Website: familypolicy.ed.gov
Website: www.ptac.ed.gov
25