How to prevent data breaches -- and respond after they occur anyway
Online Trust Alliance issues guide for public and private sectors
- By William Jackson
- Jan 25, 2011
The Online Trust Alliance has released a set of guidelines for preventing, detecting and responding to data security breaches.
The 2011 Data Breach & Loss Incident Readiness Guide is intended as an aid to businesses, nonprofits and governmental agencies in creating data incident plans, with recommendations including best security practices and planning models.
“There is no one size to fit all,” said OTA Executive Director Craig Spiezle. But the recommendations outlined in the report should apply to government agencies as well as to businesses. Despite the growing list of regulatory requirements for using best practices in protecting electronic data, “a lot of agencies haven’t thought through all of this,” he said.
Agencies vary widely in their levels of preparedness, and experience has proved a valuable if not always pleasant factor, Spiezle said.
“Those that are best equipped today are the ones that have had incidents in the past,” such as the Veterans Affairs Department, which suffered a black eye from the 2006 theft of a laptop containing information on millions of veterans, he said.
Interoperability is key to securing data at rest
Nation's toughest personal info law about to take effect
The OTA is a nonprofit group focused on identifying best practices for ensuring privacy and data security. Although it began in 2004 as an industry organization, members today include the U.S. Senate, Commerce Department and the USPS Inspection Service, and it has worked with the Federal CIO Council and the White House task force developing the National Strategy for Trusted Identities in Cyberspace.
Breaches of personally identifiable information that could be used for identity theft or other fraud have become a high-profile problem. It is compounded by the organized theft, sale and exploitation of the data in a growing underground economy. OTA cited reports of more than 400 incidents exposing more than 26 million personal records in 2010, and said that 96 percent of online breaches were preventable using internal controls recommended in its report.
In addition to breaches of personal information, incidents such as the recent release of leaked classified information through WikiLeaks have caused the Office of Management and Budget to require agencies to assess plans and capabilities for protecting classified information.
“While OTA encourages self-regulation and reporting, these trends suggest the need for broader transparency and reporting requirements,” the guidelines state.
The report outlines key questions and recommendations for organizations to consider in developing plans and policies. “Depending on your industry, size and data collected, your requirements may vary and you should consult with professionals to aid you in your plans,” it states.
Although recommendations call for preventative controls, the goal of data incident plans is not invulnerability. Detection of and response to breaches also is required, Spiezle said.
“You will have a loss of data,” he said. “There is never going to be a 100 percent guarantee.”
Planning should begin with risk assessment, which includes a self-audit to determine current levels of preparedness. Policies for data governance and loss prevention are needed, which include data classification, audits for data access, intrusion and breach analysis and auditing, use of data loss prevention technologies, policies to minimize data retention, and inventories of system access and credentials.
Incident-response planning should include creating a response team with relationships with key vendors and government agencies, and plans for communication.
Essential to the success of any plan is follow up and support. “A DIP [data incident plan] will ultimately fail to be executed if the employees charged with its administration are not adequately trained,” the report states. “A successful DIP must be practiced, tested and refined based on past experience. Organizations must have the foresight to allocate staff time and budget for the proper execution of their DIP.”
William Jackson is freelance writer and the author of the CyberEye blog.