Who verifies PII breach investigations are done correctly?

13 Posts
5 Users
0 Likes
678 Views
(@audio)
Posts: 149
Estimable Member
Topic starter
 

In incidents involving PII where a company needs to determine if PII was compromised, who verifies their analysis was correct?

 
Posted : 05/11/2012 5:28 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

In incidents involving PII where a company needs to determine if PII was compromised, who verifies their analysis was correct?

It depends. 😯

In a car incident involving vehicles, where a company needs to determine if vehicle structures were compromised, who verifies their analysis is correct?
Like

  • the police patrol intervening
  • the company mechanic
  • the company insurance mechanic
  • an outsourced mechanic
  • TUV (in Germany)
  • a passer by exclaiming "Wow! what a crash!"
  • ….

http://www.urbandictionary.com/define.php?term=vague

jaclaz

 
Posted : 05/11/2012 5:54 pm
(@jackyfox)
Posts: 20
Eminent Member
 

I think it all depends on where the incident happens. In Ireland we have a Data Protection Commissioner who is responsible for this.

http://dataprotection.ie/docs/Home/4.htm

 
Posted : 05/11/2012 6:49 pm
(@audio)
Posts: 149
Estimable Member
Topic starter
 

I think it all depends on where the incident happens. In Ireland we have a Data Protection Commissioner who is responsible for this.

http://dataprotection.ie/docs/Home/4.htm

Thanks. I forgot to mention I meant in the US. Although, I'm not sure how you could determine what I meant so accurately, and jaclaz is off talking about vehicles. 😉

http://www.urbandictionary.com/define.php?term=inference

 
Posted : 05/11/2012 7:46 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

and jaclaz is off talking about vehicles. 😉

Sure, at least I make some sense on some topic 😯 .

Really, if you look at the nice Irish resource JackyFox posted,
http://www.dataprotection.ie/docs/07/07/10_-_Data_Security_Breach_Code_of_Practice/1082.htm
you will see (if you manage to understand the bureauglish) that there are all different shades of grey.
Compare with
http://reboot.pro/15878/

The contents are full of what I would call ambiguous definitions, such as

If the data concerned is protected by technological measures such as to make it unintelligible to any person who is not authorised to access it, the data controller may conclude that there is no risk to the data and therefore no need to inform data subjects. Such a conclusion would only be justified where the technological measures(such as encryption) were of a high standard.

So, WHICH standard?
A .rar password protected archive?
A Truecrypt archive?
What is the Irish recognized classifying standard board for data encryption?

Once the Office of the Data Protection Commissioner is informed of the security breach, the consequences may be devastating

Depending on the nature of the incident, the Office of the Data Protection Commissioner may investigate the circumstances surrounding the personal data security breach. Investigations may include on-site examination of systems and procedures and could lead to a recommendation to inform data subjects about a security breach incident where a data controller has not already done so. If necessary, the Commissioner may use his enforcement powers to compel appropriate action to protect the interests of data subjects.

You do understand how there is a difference between the leaking of the professor's reserved notes on pupils of a country village high school and the whole database of last 5 years of activity of (say) American Express?

The essence of the reply was hinting that for the generic question you asked, you could have gone directly to Wikipedia for a generic answer
http://en.wikipedia.org/wiki/Personally_identifiable_information
(which BTW in the US is subject to local/state laws besides federal ones)
http://en.wikipedia.org/wiki/Personally_identifiable_information#United_States_of_America

jaclaz

 
Posted : 05/11/2012 8:37 pm
(@audio)
Posts: 149
Estimable Member
Topic starter
 

@jaclaz Yeah, I see your point. From what I recall, a lot of data breach notification laws require victims to be notified if it's "reasonable" to believe their information has been compromised, and they must be notified within a "reasonable" amount of time. That's just the world we live in…

I read and searched the links you gave, but didn't find anything relevant. However, I found a better google search and I'm starting to answer my own question…

The PCI Forensic Investigator (PFI) program establishes and maintains rules and requirements regarding eligibility, selection and performance of companies that provide forensic investigation services to ensure they meet PCI Security Standards…

source

It seems PCI has some oversight when it comes to forensics, just like they do to make sure auditors are qualified. That should hopefully prevent some regular IT guy from doing forensics and saying customer data wasn't compromised.

 
Posted : 06/11/2012 1:01 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

However, I found a better google search and I'm starting to answer my own question..

Which one?
The one that you didn't ask (or actually didn't ask properly) here? ?

Really, I don't see this as too difficult (generically): the procedure in case of incident seems more or less the same (at least it is here in Italy when compared to the cited Irish source).

Some data have been compromised or have not (binary on/off).
This data is either "safely" encrypted or it is not (not so binary on/off/maybe).
Whether the company that had the data compromised is a data controller or a data processor, the compromising of the data (if happened) must normally be reported to the "superior" authority.
In the case of a "data processor", the "superior" is easily identified in the "data controller".
Unless particular exemptions apply, and in any case if there is any doubt, the incident should be reported to the local Government body/agency/authority or whatever is in charge of this (and this changes of course in different countries).
As well, unless there is the high standard encryption, which makes the incident "virtual" i.e. with NO consequences to the privacy of the affected people, the incident should be notified to affected data subjects (and the dedicated Government body/agency/authority which has to be notified anyway should be the one that "clears doubts" about this need).
Once this is done (and possibly having sealed the leak/changed procedures/increased security, etc.) the Company has nothing to do but wait for

  1. actions by the dedicated Government body/agency/authority (if any)
  2. legal actions by the "affected data subjects" (if any)

For NO apparent reason
http://knowyourmeme.com/memes/what-has-been-seen-cannot-be-unseen

Links here may be more relevant to the US (again, depending on which State)
http://www.bbb.org/data-security/what-to-do-if-consumer-data-is-stolen/laws-and-regulations/
This is "serious matter" and you really should ask specifically at a local specialist (lawyer), though I guess you are familiar with the possible related issues (just joking) 😉
http://media.fakeposters.com/results/2012/02/11/sobj2elbw4.jpg

jaclaz

 
Posted : 06/11/2012 1:51 am
(@audio)
Posts: 149
Estimable Member
Topic starter
 

I got it now, thanks for clearing it up… In the future I'll try harder to make sure my questions meet your standards. 😉

 
Posted : 06/11/2012 5:35 am
(@patrick4n6)
Posts: 650
Honorable Member
 

One sentence answer

Your legal department.

 
Posted : 06/11/2012 6:54 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

It seems PCI has some oversight when it comes to forensics, just like they do to make sure auditors are qualified. That should hopefully prevent some regular IT guy from doing forensics and saying customer data wasn't compromised.

I'd be very hesitant to suggest that PCI provides much in the way of oversight. I was on the IBM ISS team for 3 1/2 yrs, during which time we all got qualified/certified, and our company was added to the QIRA list. Also during that time, our team management submitted a letter to Visa, asking to be removed from the list.

The "qualifications" or certification requires that each forensic examiner have an assessor certification, which never made any sense to me. There is no specific certification to ensure the quality of a forensic exam…there is only a template of items that must be filled out when the report is submitted, and I would strongly suggest that the requirements for submitting a report (and the rather narrow margins that can be achieved) work against the examiner, and ultimately the customer.

For example, one of the things we had to fill out in the report dashboard was the "window of compromise". Due to the requirements for submitting the reports, often only the date of initial infection was determined, and the window of compromise was determined to be from that point up until the system was taken offline. Many times, very little work (due to time, skill of the examiner, etc.) is put into determining the actual execution of the malware. This is important, as one exam I did clearly showed that two days after the initial infection, AV "woke up" and quarantined the malware…and that it was 6 weeks before the bad guy came back and re-installed the malware.

Back to the original question, I would suggest that a more correct answer would be "no one", and a charitable response would be "it depends".

In the 13+ years that I've been actively performing DFIR work (in the US), there's only been one person who has actively questioned my work, and done so in order to help me grow as an analyst (which includes my reporting). The caveat to this is that he came from the industry, so he knew what kinds of things an analyst could look for, look at, and possibly determine….he knew what a "thorough analysis" looked like.

Unfortunately, that's not often the case…in fact, I would suggest that it's pretty rare.

 
Posted : 08/11/2012 5:46 pm
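The "window of compromise" point in the post above (first infection to system offline versus the periods the malware was actually present) is worth seeing in code. The following is an added example, not code from the thread or from any PCI template; the timeline, dates and event names are constructed to mirror the pattern described (infection, AV quarantine, attacker returns weeks later, system pulled), and the helper names are my own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Event kinds (assumed vocabulary for this example):
#   "malware_active"  - malware written/executed on the host
#   "malware_removed" - malware quarantined or deleted
#   "system_offline"  - host taken offline for imaging
@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str
    note: str

# Constructed sample timeline; the dates are made up, not from any real case.
SAMPLE_TIMELINE: List[Event] = [
    Event(datetime(2012, 1, 1, 9, 0), "malware_active", "initial infection (constructed)"),
    Event(datetime(2012, 1, 3, 14, 30), "malware_removed", "AV quarantined the binary (constructed)"),
    Event(datetime(2012, 2, 14, 2, 15), "malware_active", "attacker re-installed malware (constructed)"),
    Event(datetime(2012, 2, 20, 8, 0), "system_offline", "host pulled for imaging (constructed)"),
]

Interval = Tuple[datetime, Optional[datetime]]


def naive_window(events: List[Event]) -> Interval:
    """Template-style window: first infection up to the host going offline."""
    ev = sorted(events, key=lambda e: e.when)
    start = next(e.when for e in ev if e.kind == "malware_active")
    end = next(e.when for e in ev if e.kind == "system_offline")
    return start, end


def active_intervals(events: List[Event]) -> List[Interval]:
    """Intervals during which malware was actually present, built from the timeline.

    A removal or offline event closes the current interval; a later
    malware_active event opens a new one. An interval still open at the end
    of the evidence is returned with end=None rather than guessed.
    """
    intervals: List[Interval] = []
    start: Optional[datetime] = None
    for e in sorted(events, key=lambda e: e.when):
        if e.kind == "malware_active" and start is None:
            start = e.when
        elif e.kind in ("malware_removed", "system_offline") and start is not None:
            intervals.append((start, e.when))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals


def dormant_gaps(events: List[Event]) -> List[Interval]:
    """Periods between a removal and the next re-activation (no malware present)."""
    active = active_intervals(events)
    gaps: List[Interval] = []
    for (_, prev_end), (next_start, _) in zip(active, active[1:]):
        if prev_end is not None:
            gaps.append((prev_end, next_start))
    return gaps


def exposure_days(intervals: List[Interval]) -> int:
    """Whole days covered by closed intervals; open intervals are not counted."""
    total = timedelta()
    for start, end in intervals:
        if end is not None:
            total += end - start
    return total.days


if __name__ == "__main__":
    naive = naive_window(SAMPLE_TIMELINE)
    active = active_intervals(SAMPLE_TIMELINE)
    print("naive window :", naive, "->", exposure_days([naive]), "days")
    print("active windows:", active, "->", exposure_days(active), "days")
    print("dormant gaps :", dormant_gaps(SAMPLE_TIMELINE))
```

On the constructed timeline the template-style window spans 49 whole days, while the malware was actually present for about 8 days in two separate intervals, with a 41-day dormant gap in between. Whether the shorter figure should drive notification is a legal question, but the analysis should at least record both so whoever reviews the report can see which one the conclusion rests on.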