Embed Size (px)
DESCRIPTION
Lessons Learned from a Breach. Eric van Wiltenburg University of Victoria @ e_vanwiltenburg. Let’s start with some exercise. Hey Eric, aren’t you embarrassed?. “Transparency is an asset.” Eric van Wiltenburg, January 31, 2012. OK, so what happened anyway?. +. +. =. 11845. - PowerPoint PPT Presentation
Citation preview
Lessons Learned from a Breach
Eric van WiltenburgUniversity of Victoria
@e_vanwiltenburg
Let’s start with some exercise
Hey Eric, aren’t you embarrassed?
“Transparency is an asset.”Eric van Wiltenburg, January 31, 2012
OK, so what happened anyway?
+
+
=
11845
• employee names• employee numbers • Social Insurance Numbers• bank account • employee classification code • amount of last deposit
January 2010
January 2012
Lesson
• Having good policies in place is very important, even if nobody reads them
UVic Privacy Policy
Privacy Breach Response Team
• University Secretary• Vice President Finance and Operations• Manager Privacy, Access and Policy• University Legal Counsel • Information Security Manager• Director, Communications• Associate Vice-President Human Resources• Associate Vice-President Faculty Relations• Assistant Director, Campus Security• Executive Director, Government Relations• Vice-President External Relations• Assistant Treasurer • Risk Analyst
FIPPAOIPC
Lesson
• Effective external communication to {organization, staff, community} is important for {salvaging reputation, reassuring affected individuals, ensuring resolution}, even if the internal politics, communications and logistics cause friction.
uvic.ca/infobreach
Regular bulletin updates• Information sent to current and former UVic employees, Jan. 9, 2012• Letter from Vice-president Finance and Operations Gayle Gorrill, Jan. 10, 2012• A message from President David Turpin, Jan. 11, 2012• Jan. 12, 2012 update• Jan. 13, 2012 update• Jan. 19, 2012 update• Jan. 20, 2012 update - Launch of review• Jan. 23, 2012 update - Phishing attacks & fraud investigation• Jan. 25, 2012 update - Preliminary report to board• Jan. 27, 2012 update - Agreement reached on Credit Monitoring Service• Jan. 26, 2012 update - Saanich police release info• Feb. 3, 2012 update - Credit monitoring service available Monday• Feb. 6, 2012 update - Credit monitoring instructions
Lesson
• Bad guys and gals know how to read the news
Lesson
• Understand what “reasonable security arrangements” are
Lesson
• If you don’t need it, get rid of it (or don’t collect it).
• Data minimization
Lesson
• Effective project management helps ensure the last mile is completed.
Lesson
• Keeping momentum once the storm blows over can be difficult
Lesson
• Centralized command and control for privacy and security is necessary, even in a decentralized environment
Lesson
• A crisis can be a platform for change
Lesson
• Having good policies in place is very important, and everybody should read them
Remember…
• It’s not IF you’re going to have a breach, it’s WHEN you’ll have a breach and HOW you respond to it and what you LEARN from it that really matters.
