Data Breach Exercise: Responding to a School District Breach

Slide Note
Embed
Share

This tabletop exercise simulates a data breach within a school district, putting participants in critical decision-making roles to react and respond effectively. Recommendations include anticipating roles needed, preparing for the unexpected, and considering communication strategies. The background sets the scenario in a school district environment with centralized IT services. Be prepared for the unexpected with this engaging and educational exercise.

owais
owais Follow

Uploaded on Jul 16, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. PASSWORD DISTRICT DATA BREACH EXERCISE [Organization Name] [Date] [Presenter name] [Organization] [Logo] United States Department of Education Privacy Technical Assistance Center 2

  2. PASSWORD DISTRICT DATA BREACH EXERCISE Tabletop exercise that simulates a data breach within a complex organization. Intended to put you in the shoes of critical decision-makers who have just experienced a data breach. 2 United States Department of Education, Privacy Technical Assistance Center 2

  3. PASSWORD DISTRICT DATA BREACH EXERCISE (cont d) You will be divided into teams to react and respond to the scenario. Over time, the scenario will be more fully revealed, and you will discover more about what happened. 2 United States Department of Education, Privacy Technical Assistance Center 3

  4. RECOMMENDATIONS Think about each of the roles needed in your organization (e.g., public information officer, data system leadership, attorney, auditors, etc.). The full extent or impact of a data breach is rarely known up front. Do your best to anticipate what might happen, but don t get ahead of yourself 2 United States Department of Education, Privacy Technical Assistance Center 4

  5. BE PREPARED FOR THE UNEXPECTED! 2 United States Department of Education, Privacy Technical Assistance Center 5

  6. CONSIDERATIONS As we proceed, think about the following: 1. Public and Internal Communications/Messaging. Develop the message(s) you will deliver to your staff, students, parents, the media, and the public. 2. Response Plan. Outline how your agency will approach the scenario and what resources you will mobilize. Describe who will compose your response team. Identify goals and a timeline for your response. 2 United States Department of Education, Privacy Technical Assistance Center 6

  7. BACKGROUND Your school district has {insert desired number} students. Your district provides centralized IT services and support for K12 schools as well as access to a centrally managed Student Information System (SIS). 2 United States Department of Education, Privacy Technical Assistance Center 7

  8. BACKGROUND (contd) The new SIS allows administrators, faculty, and other users to log in through the browser and upload grades, attendance data, and assessment data. The new system has only been implemented in a few test locations in the district. 2 United States Department of Education, Privacy Technical Assistance Center 8

  9. SCENARIO Yesterday, a teacher [personalize for your district] notified the district IT manager that some course grades have been changed in the system. All the students in one course had their grades changed to reflect much better scores than they actually earned. 2 United States Department of Education, Privacy Technical Assistance Center 9

  10. SCENARIO Initial investigation shows that someone logged on using the teacher s login information and manually changed the grades. Additionally, the logs indicate that several reports were also downloaded from other systems, including some that contained private information (like SSN) about the school s employees. 2 United States Department of Education, Privacy Technical Assistance Center 10

  11. INSTRUCTIONS 1. Gather with your team. 2. Go over the scenario carefully. What do you know? What don t you know? 3. Begin building your response. Elect a team member to take notes. This exercise works best if approached as a murder mystery game. The more you synthesize the information and role play, the more useful the exercise becomes. 2 United States Department of Education, Privacy Technical Assistance Center 11

  12. INSTRUCTIONS (CONTINUED) 4. During the scenario, you will receive additional information about the breach. Read each of these updates as the scenario unfolds. 5. We will occasionally pause to discuss where we are, and we will eventually give a press conference. 2 United States Department of Education, Privacy Technical Assistance Center 12

  13. Questions? 2 United States Department of Education, Privacy Technical Assistance Center 13

  14. WORK PERIOD #1 10 Minutes 2 United States Department of Education, Privacy Technical Assistance Center 14

  15. WHEREAREWE? Have you begun to build a response plan? Can you make any concrete conclusions? Does the fact that the breach includes SSNs change the way you respond? 2 United States Department of Education, Privacy Technical Assistance Center 15

  16. SCENARIO UPDATE #1 Logs indicate that the login occurred from the school s Wi-Fi network after school hours. 2 United States Department of Education, Privacy Technical Assistance Center 16

  17. SCENARIO UPDATE #1 Logs indicate that the login occurred from the school s Wi-Fi network after school hours. Reports have surfaced about students offering to change additional grades for money. No names have yet been revealed. 2 United States Department of Education, Privacy Technical Assistance Center 17

  18. WORK PERIOD #2 10 Minutes 2 United States Department of Education, Privacy Technical Assistance Center 18

  19. WHEREAREWE NOW? Has the updated information changed your approach to the scenario? Think about what controls you could put in place to avoid a scenario like this. 2 United States Department of Education, Privacy Technical Assistance Center 19

  20. SCENARIO UPDATE #2 Two juniors are rumored to be the culprits. 2 United States Department of Education, Privacy Technical Assistance Center 20

  21. SCENARIO UPDATE #2 Two juniors are rumored to be the culprits. When questioned, they admit that they located a sticky note with a teacher s username and password, which they used to log in to change the grades. 2 United States Department of Education, Privacy Technical Assistance Center 21

  22. SCENARIO UPDATE #2 (CONTINUED FROM SLIDE 21) Students said that they also accessed some other school systems, including a database of employees that listed names, addresses, SSNs, employee ID numbers, etc. 2 United States Department of Education, Privacy Technical Assistance Center 22

  23. WORK PERIOD #3 10 Minutes 2 United States Department of Education, Privacy Technical Assistance Center 23

  24. WHERE ARE WE AT THIS TIME? How has the updated information changed your approach to the scenario? What other information would be useful? 2 United States Department of Education, Privacy Technical Assistance Center 24

  25. SCENARIO UPDATE #3 The data the students accessed contain personal information for {insert number} students and {insert number} employees. Some of the staff s personal data have been published to the students Facebook pages. News of the breach has leaked out. You are receiving calls from parents asking if their child s data were accessed and their grades changed. 2 United States Department of Education, Privacy Technical Assistance Center 25

  26. PRESS CONFERENCE The news of the breach is out and you must brief the press and the community. Your spokesperson will give a brief press conference to address the issue and take questions. In the audience are reporters from local and national media, as well as parents, privacy advocates, and activists. 2 United States Department of Education, Privacy Technical Assistance Center 26

  27. WORK PERIOD #4 10 Minutes 2 United States Department of Education, Privacy Technical Assistance Center 27

  28. DEVELOPINCIDENTRESPONSE PLAN Use your notes from the scenario discussion. Identify an incident response team (e.g., CIO, Data Coordinator, IT Manager, legal counsel). Outline the steps to identify the source of the breach, catalog the data affected, and identify how it occurred. Should you involve law enforcement? When? What legal requirements exist? What preventative corrective actions should you implement? 2 United States Department of Education, Privacy Technical Assistance Center 28

  29. WORK PERIOD #4 10 Minutes 2 United States Department of Education, Privacy Technical Assistance Center 29

  30. UNVEIL YOUR RESPONSE PLAN Take us through your response plan. Include the who, what, when, and how of your activities. What were the driving factors in your decision- making process? Did your plan evolve as the scenario became clearer? How? How should you prepare to enable a prompt reaction to a potential breach? 2 United States Department of Education, Privacy Technical Assistance Center 30

  31. WRAP-UP Lessons learned from press conference. Incident Response Plans what might work for us? What have you learned? Will it affect your behavior? How could this exercise be more useful to you? 2 United States Department of Education, Privacy Technical Assistance Center 31

Related


Postsecondary Data Breach Exercise: Prepare for the Unexpected!

Postsecondary Data Breach Exercise: Prepare for the Unexpected!

althea
Hazmat Release Reunification Tabletop Exercise Overview

Hazmat Release Reunification Tabletop Exercise Overview

zenon
Effective Method to Protect Web Servers Against Breach Attacks

Effective Method to Protect Web Servers Against Breach Attacks

birr_tt
EXERCISE ADDICTION AND DISORDERED EATING IN ADOLESCENTS

EXERCISE ADDICTION AND DISORDERED EATING IN ADOLESCENTS

bodhi
Senior Wellness Presentation: Managing Diabetes Through Exercise

Senior Wellness Presentation: Managing Diabetes Through Exercise

aubin
Campus Resilience Program Exercise Starter Kit - Hurricane Tabletop Exercise

Campus Resilience Program Exercise Starter Kit - Hurricane Tabletop Exercise

aire
Principles and Frameworks for Exercise Prescription Certificate Course Session 2

Principles and Frameworks for Exercise Prescription Certificate Course Session 2

holt
Essential Steps for Personal Data Breach Management

Essential Steps for Personal Data Breach Management

alayah
Paladin Security Tabletop Exercise Template

Paladin Security Tabletop Exercise Template

navi
COVID-19 Pandemic Tabletop Exercise Overview

COVID-19 Pandemic Tabletop Exercise Overview

sadhbh
Exercise Evaluation Training

Exercise Evaluation Training

teddy
Understanding Breach of Confidence and Privacy Rights in English Law

Understanding Breach of Confidence and Privacy Rights in English Law

teodor
POUGHKEEPSIE CITY SCHOOL DISTRICT ATTENDANCE IMPROVEMENT PLAN 2021-2024

POUGHKEEPSIE CITY SCHOOL DISTRICT ATTENDANCE IMPROVEMENT PLAN 2021-2024

kaizen
Impact of Stress and Exercise on Body Weight and Food Intake in Rats

Impact of Stress and Exercise on Body Weight and Food Intake in Rats

zechariah
Emergency Preparedness Tabletop Exercise for School Staff

Emergency Preparedness Tabletop Exercise for School Staff

milana
Understanding the Domino's Data Breach Incident and Its Implications

Understanding the Domino's Data Breach Incident and Its Implications

yasmine
CNH-Key Club District Positions and Duties

CNH-Key Club District Positions and Duties

ransom
Can You Afford a Data Breach? Understanding the Risks and Consequences

Can You Afford a Data Breach? Understanding the Risks and Consequences

pray
Team Bus Crash Tabletop Exercise Agenda

Team Bus Crash Tabletop Exercise Agenda

anouk
School Emergency Management Tabletop Exercise

School Emergency Management Tabletop Exercise

marina
Overview of American Rescue Plan Act Implementation at Niagara Falls City School District

Overview of American Rescue Plan Act Implementation at Niagara Falls City School District

riyen
Perkins County School District Overview

Perkins County School District Overview

amadeus
Sweetwater Union High School District Special Services Information

Sweetwater Union High School District Special Services Information

clover
Anglophone South School District (ASD-S) Infrastructure Planning Overview

Anglophone South School District (ASD-S) Infrastructure Planning Overview

izabella

More Related Content

Business Continuity Exercise Information and NHS England Emergency Preparedness
Business Continuity Exercise Information and NHS England Emergency Preparedness
Fitness and Exercise After Stroke: Importance and Guidelines
Fitness and Exercise After Stroke: Importance and Guidelines
Comprehensive Exercise Template for Organizational Training
Comprehensive Exercise Template for Organizational Training
Meeting Planning Guidelines for Effective Exercise Conduct
Meeting Planning Guidelines for Effective Exercise Conduct
Special Education District Validation Review (DVR) 2019-2020 Overview
Special Education District Validation Review (DVR) 2019-2020 Overview
Understanding ASB Financial Management Workshop Essentials
Understanding ASB Financial Management Workshop Essentials
Understanding the General Data Protection Regulation (GDPR) and Data Protection Bill
Understanding the General Data Protection Regulation (GDPR) and Data Protection Bill
McCleary School District No. 65 4-Year Budget Summary 2021-2025
McCleary School District No. 65 4-Year Budget Summary 2021-2025
Quarterly School District IT Manager's Meeting - April 15, 2022
Quarterly School District IT Manager's Meeting - April 15, 2022
Financial Management Processes of Soil and Water Conservation District Board
Financial Management Processes of Soil and Water Conservation District Board
Cape Winelands District Overview and Economic Impact
Cape Winelands District Overview and Economic Impact
Evolving 5030 District Projects: Encouraging Innovation, Supporting Growth, and Recognizing Success
Evolving 5030 District Projects: Encouraging Innovation, Supporting Growth, and Recognizing Success
Comprehensive Guide to District and Constituency Election Planning
Comprehensive Guide to District and Constituency Election Planning
Joint Planning Session in Ngororero District, Rwanda: 2020/2021 Review and Priorities
Joint Planning Session in Ngororero District, Rwanda: 2020/2021 Review and Priorities
District Cooling Trends and Companies in Finland
District Cooling Trends and Companies in Finland
Implementing Effective District Leadership in PBIS Teams
Implementing Effective District Leadership in PBIS Teams
Johannesburg Health District Family Medicine Intern Orientation Overview
Johannesburg Health District Family Medicine Intern Orientation Overview
South Winnetka Heights Proposed Conservation District Post-Application Neighborhood Meeting
South Winnetka Heights Proposed Conservation District Post-Application Neighborhood Meeting
Upper Denkyira West District Assembly 2022 Budget Presentation
Upper Denkyira West District Assembly 2022 Budget Presentation
Managing State School Aid Application (ASSA) for Increased Accuracy
Managing State School Aid Application (ASSA) for Increased Accuracy
Privacy Breach Management Guide by Health PEI
Privacy Breach Management Guide by Health PEI
Contempt in the Family Jurisdiction with Respect to Breach of Orders
Contempt in the Family Jurisdiction with Respect to Breach of Orders
Understanding Professional Duties in Accountancy
Understanding Professional Duties in Accountancy
Preparing for EU General Data Protection Regulation with Revd. Mark James
Preparing for EU General Data Protection Regulation with Revd. Mark James