Educause Security Discussion mailing list archives

Re: Procedure Question


From: "Cuocco, Patricia" <Pcuocco () CALSTATE EDU>
Date: Fri, 19 Aug 2005 11:02:12 -0700

Please don't take this as the rule in California.  The law is much more
stringent and requires notice if the confidential data has "potentially"
been compromised, which most of us here have taken to mean that there
was data on the compromised system even if there is no indication that
it was accessed.

That being said, I'll defer to my technical brethren to expound further.

Patricia


-----Original Message-----
From: Penn, Blake [mailto:pennb () UWW EDU]
Sent: Friday, August 19, 2005 10:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Procedure Question


Louisa:
 
If no personal data has been compromised (that is, only the system has
been compromised) then you really have no legal obligations to disclose
the breach.  The state statutes
(http://www.perkinscoie.com/content/ren/updates/privacy/081205.htm) and
national statute-in-progress (Specter-Leahy Personal Data Privacy And
Security Act of 2005) really only cover situations where personal data
is compromised.  Other statutes such as GLBA, FERPA, and HIPAA all deal
with the security of a particular kind of data (financial, student, and
medical, respectively).

Having worked security in the web-hosting world in the past, I have seen
literally hundreds (if not thousands) of web server breaches.  In most
cases, no notification was made to the customer, and the matter was
handled purely operationally.  That is, the compromises were analyzed,
and the root causes remediated.

Handling incidents such as this operationally is fine in an academic
environment as well provided that you are fully confident that no
personal or organizational data was breached.  The most important action
to take after these incidents is to identify and fix the underlying
problem(s) within your environment, or you just might start seeing
systems get compromised that DO contain sensitive information.  And
that's just not fun for anyone.

__________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-5513 (f) 262-472-1285
e-mail: pennb () uww edu


***********************************

From: Avitua, Louisa [mailto:lavitua () STMARYTX EDU]
Sent: Friday, August 19, 2005 12:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Procedure Question

As a newcomer to the IT world holding an interim position for a while,
I am in need of understanding the procedure for the following:

What is the requirement or responsibility of an institution when a
website has been compromised and analysis shows no compromise of
personal data? Is notification to students required or recommended?

Thank you for your direction.

Louisa Martin
Coordinator for Information Technology
St. Mary's University
San Antonio, Texas 78228
(210) 431-5005 - phone
e-mail: lavitua () stmarytx edu
