Managing Security and Privacy Incidents: Creating a Comprehensive Plan - PowerPoint PPT Presentation

About This Presentation

Title: Managing Security and Privacy Incidents: Creating a Comprehensive Plan

Description: CCIS; Surgical Efficiency Target Program, SETP; Community Care Information Management, CCIM) ... Mean time to initiate response to incidents by category ... – PowerPoint PPT presentation

Slides: 35
Provided by: rebootco
Transcript and Presenter's Notes

Title: Managing Security and Privacy Incidents: Creating a Comprehensive Plan


1
Managing Security and Privacy Incidents: Creating a Comprehensive Plan
  • Bobby Singh
  • Director, Information Security

2
Agenda
  • eHealth Ontario Mandate
  • Program Introduction
  • ESPIM Incident Identification and Handling
  • ESPIM Communications Plan
  • Lessons Learned
  • Measurement Metrics
  • Key Documentation
  • Discussion

3
Why eHealth Ontario?
  • Before: many players, silos, limited coordination, limited alignment
  • Now: eHealth Ontario as the single point of accountability, bringing together:
    • Health Services I&IT Cluster
    • Electronic Child Health Network (eCHN)
    • OntarioMD / OMA
    • Smart Systems for Health Agency
    • Ministry of Health and Long-Term Care
    • Local Health Integration Networks
    • Hospitals
    • OACCAC
    • Ontario Telemedicine Network (OTN)
    • Cancer Care Ontario
    • Others
4
CLINICAL PRIORITIES
5
Who is eHealth Ontario connecting?
  • Doctors
  • Hospitals
  • Pharmacists
  • Laboratories
  • Public Health Units
  • Community care
  • Continuing care
  • Ministry of Health and Long-Term Care programs

6
eHealth Ontario Enterprise Security and Privacy
Incident Management (ESPIM)
  • ESPIM Program Introduction
  • ESPIM Incident Identification and Handling
  • ESPIM Communications Plan
  • Lessons Learned
  • Note: Examples provided in this presentation are
    for illustration only. For security reasons, they
    do not reflect actual eHealth Ontario practices.

7
ESPIM Program Objectives and Scope
  • A single program to manage Privacy and Security
    incidents
  • To develop and mature a comprehensive
    enterprise-wide incident capability process, to
    effectively and efficiently identify, contain,
    triage, remedy and escalate privacy and security
    issues

8
Steps
9
Strategy: IOC to FOC
10
Strategy Assessment
11
Strategy Assessment
12
Strategy Assessment
13
Strategy Assessment
14
Strategy Assessment
15
Joint Application Development (JAD) sessions
16
Joint Application Development Sessions
  • 2-day session included members from:
    • Communications
    • Security Operations
    • Human Resources
    • Change Management
    • Network Operations
    • Legal Department
    • Service Management
    • Customer/Help Desk Support
    • Privacy and Security Division
    • Business/Client Relationship Department
  • 20 issues identified, 21 decisions documented
  • This formed the foundation for building the
    ESPIM program

17
Definitions
  • A breach is a failure to perform an obligation,
    whether contractual or legal
  • A privacy breach occurs when personal
    information is collected, retained, used or
    disclosed in ways that are not in accordance with
    the provisions of the Act. Among the most common
    breaches of personal privacy is the unauthorized
    disclosure of personal information
  • Source: IPC Ontario.

18
Key components: annual training, table top
exercise
19
eHealth Ontario Enterprise Security and Privacy
Incident Management (ESPIM)
  • ESPIM Program Introduction
  • ESPIM Incident Identification and Handling
  • ESPIM Communications Plan
  • Lessons Learned

20
ESPIM Triggering Thresholds
  • Not every security or privacy incident is
    automatically considered an ESPIM incident.
  • For a security or privacy incident to trigger an
    ESPIM incident, the following thresholds must be
    met:

21
Incident Examples
22
ESPIM Composition
  • ESPIM Oversight Committee: management control
    and oversight of the ESPIM program, along with
    provision of interdepartmental alignment of
    activities, will be performed by an ESPIM
    Oversight Committee.
  • ESPIM Program Manager: responsible for
    ensuring that ESPIM services are provided,
    including the day-to-day activities of the ESPIM
    Program, up to but not including specific
    incident handling.
  • ESPIM Incident Response Team (IRT) Lead: drawn
    from the ESPIM Program team, the Security
    department, or the Privacy department, and
    responsible for:
    • logistical co-ordination of the IRT, both within
      the team and between the team and others,
    • incident communications, and
    • post-incident analysis activities.

23
Roles and Responsibilities
  • RACI Charts define accountabilities within the
    organization throughout critical business
    scenarios and will serve as a reference for
    eHealth Ontario in terms of divisional
    accountabilities.

24
Incident Management High-Level Steps
(Diagram: Incident Management and Problem Management flows)
25
Incident Management Activities Distribution
(RACI chart: eight activities (Detection and classification; Triage and Re-classification; Analyze Cause; Develop Workaround; Service Recovery; Root Cause Analysis; Develop Solution; Implement Roll-out) mapped by Division and Dept to Responsible, Accountable, Consult and Inform roles)
26
eHealth Ontario Enterprise Security and Privacy
Incident Management (ESPIM)
  • ESPIM Program Introduction
  • ESPIM Incident Identification and Handling
  • ESPIM Communications Plan
  • Lessons Learned

27
Steps to Follow
  • All of the following must be performed in
    accordance with the parameters defined in the
    ESPIM Communications Plan:
    • Determine if the communication is intended for an
      internal or external audience.
    • Determine audience and develop distribution list.
    • Select format and develop content.
    • QA content for legal and privacy.
    • Determine contact information for distribution
      list.
    • Select mechanism (voice, fax, letter, email,
      etc.).
    • Distribute in accordance with ESPIM
      Communications Plan.

28
eHealth Ontario Enterprise Security and Privacy
Incident Management (ESPIM)
  • ESPIM Program Introduction
  • ESPIM Incident Identification and Handling
  • ESPIM Communications Plan
  • Lessons Learned

29
ESPIM Lessons learned
  • JAD sessions ensured buy-in from most
    stakeholders. Identifying issues and decisions
    early in the development process helped
    avoid misunderstandings
  • Integrated but distributed approach ensured
    appropriate skills are available to the IRT when
    needed
  • Defining IOC and FOC helped limit scope. This was
    made possible by the CMMI chart
  • Focus on process rather than tool
  • Table top exercise highlighted weaknesses in
    process / people that were subsequently fixed
  • Separating program development from
    implementation allowed enough time for successful
    implementation
  • Development, deployment and training in separate
    Privacy and Security use cases for help desk
    ensured ESPIM was embedded

30
Measurement (examples)
  • Quantitative Metrics
    • Mean time to initiate response to incidents, by
      category
    • Mean time to complete response to incidents, by
      category
    • Number of incidents that require external
      reporting or notification
    • Trend reporting on incident resolution time, by
      incident type and severity level
    • Trend reporting on time to close post-incident
      analysis action items, by activity custody holder
    • Statistical reporting of number of incidents
      handled, by incident type and severity level
    • Statistical reporting on incidents requiring
      external notifications
    • Statistical reporting of number of alerts and
      advisories issued, by type
  • Qualitative Metrics
    • Summary of incidents handled
    • Client level of satisfaction with incident
      handling
    • Reporting on business impacts of incidents,
      including losses (and costs where possible)

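The quantitative metrics above follow directly from an incident register in which every incident carries its detection, response-start and response-end timestamps. The following is an added example, not code from the presentation or from eHealth Ontario, that computes mean time to initiate and to complete response by category, counts incidents requiring external notification, and tallies incidents by type and severity over a constructed sample log.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass
class Incident:
    incident_id: str
    category: str            # e.g. "privacy" or "security" (incident type)
    severity: str            # e.g. "low", "medium", "high"
    detected: str            # ISO 8601 timestamps at minute resolution
    response_initiated: str
    response_completed: str
    external_notification: bool  # did the incident require external reporting?


# Constructed sample incident register; not real eHealth Ontario data.
INCIDENTS = [
    Incident("INC-1", "privacy", "high", "2024-03-01T09:00", "2024-03-01T09:30", "2024-03-02T17:00", True),
    Incident("INC-2", "privacy", "low", "2024-03-03T14:00", "2024-03-03T15:00", "2024-03-04T10:00", False),
    Incident("INC-3", "security", "high", "2024-03-05T22:10", "2024-03-05T22:25", "2024-03-06T06:10", True),
    Incident("INC-4", "security", "medium", "2024-03-07T11:00", "2024-03-07T12:00", "2024-03-09T11:00", False),
    Incident("INC-5", "security", "low", "2024-03-08T08:00", "2024-03-08T08:15", "2024-03-08T12:00", False),
]


def hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600


def mean_hours_by(incidents, end_field, *group_by):
    """Mean hours from detection to the named end timestamp, grouped by attributes.

    A single group attribute yields plain keys; several yield tuple keys, which
    gives the 'by incident type and severity level' breakdown the metrics call for.
    """
    buckets = defaultdict(list)
    for inc in incidents:
        key = tuple(getattr(inc, g) for g in group_by)
        key = key[0] if len(key) == 1 else key
        buckets[key].append(hours_between(inc.detected, getattr(inc, end_field)))
    return {k: mean(v) for k, v in buckets.items()}


def mean_time_to_initiate(incidents):
    return mean_hours_by(incidents, "response_initiated", "category")


def mean_time_to_complete(incidents):
    return mean_hours_by(incidents, "response_completed", "category")


def external_notification_count(incidents) -> int:
    """Number of incidents that required external reporting or notification."""
    return sum(1 for inc in incidents if inc.external_notification)


def incident_counts(incidents):
    """Number of incidents handled, by (category, severity)."""
    counts = defaultdict(int)
    for inc in incidents:
        counts[(inc.category, inc.severity)] += 1
    return dict(counts)
```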
31
Key ESPIM Documentation
  • ESPIM Strategy: outlines the approach taken to
    implement the Best Practices Model and the
    Business Requirements, and describes the
    operational and technical issues and challenges
    that will be faced by the ESPIM Program.
  • ESPIM Concept of Operations: summarizes the
    operational model of the ESPIM Program, including
    the roles necessary to support the program, and
    the structure and reporting of the program.
  • ESPIM Operating Directives: outline the
    acceptable ESPIM-related practices.
  • ESPIM Communications Plan: describes the
    ESPIM-related communications (notifications,
    reporting, alerting, and informational notices)
    that will need to be performed, along with guidance
    on who is to conduct those communications and how.
  • ESPIM Incident Handling Procedures: describe the
    specific steps to be taken by the ESPIM IRT
    during incident handling.

32
Key Components
  • Management Support
  • Requirements/Needs Analysis
  • Table Top Exercise
  • Test the Communication Plan
  • Test/Use Cases specifically for the program
  • Tools/Templates
  • Number of Possible Scenarios
  • Checklist/Quick Reference Guide
  • Single Point of Contact
  • Communication. Communication... Communication

33
Discussion
34
Contact Info: Bobby Singh, 416.586.4231, Bobby.singh_at_ehealthontario.on.ca