Hi and welcome back to Course 10. This Course 10 is about managing the security breach. My name is Ralph O'Brien. It's a pleasure to be back and talking to you. We're going to take four sections in managing the security breach. It sounds like a lot, but we really want to go through all stages of managing a major security breach, which can often be a make or break in terms of when you're dealing with regulators and dealing with data protection issues. So we're going to start with the first one, which is really about incident detection.

And I want to bring us back to our case study. I want to bring us back to our case study with Ed Force one. So let's imagine we've done some sort of audit, we've done some sort of audit on our remote workers arm, Ed Force one nurses in people's homes. And that audit has found several security weaknesses. So weakness one: when people log in, that's it, there's no more security control. So they can access any patient data, not just their own. The second one is with printing: you can print out patient records, you can print out people's drug usages and all that type of stuff. You can have paper records lying about. And the third one is there's no port protection, no port protection. So on their computers, people could plug in USB or other types of devices, thus allowing data transfer. So just take a moment to think about how you might react to that. Perhaps pause the video, take a moment to think about how you might react to that.

Okay, welcome back. So, essentially, from a lot of people, their first reaction here would be to shut down, stop everything, put in the access control, stop the printing, stop the ports being connected, and that's a perfectly understandable response: secure everything. These are security weaknesses. Let's shut them down, let's lock them down. Let's make the business more secure. However, there could be legitimate reasons for each of these.
Let's say the nurses need to access other nurses' patients' records, because the nurse might be off ill, and therefore we need access to someone's record quickly to save a life. They might need to print off records because they might not be able to take devices into the field, and therefore need to take paper records to give people the correct drug doses. They might need to data transfer for a legitimate function of their job. So I was very tempted to lock everything down. I think security can disable legitimate business functions, and too much security is actually bad for business, or too little. So I think what we have to think about here is actually what's at risk. And I think this is where we come in with security incidents as well. What's at risk? How would we get our response proportionate to the level of risk? How do we make sure that our response is proportionate to the level of risk? So what is at stake? What is at risk? What level of incident are we dealing with here?

So this is our incident life cycle. We're going to be talking through detection, assessment, response and learning. So detection, assessment, response and learning, that is four stages. You might see an exam question on detection, assessment, response and learning. So we really need to first of all begin to detect an incident and then have the things in place in order to deal with it.

So what is an incident? We actually have to define what an incident is. What do we tell people we need to know about? We could rely on the GDPR definition here. Now the GDPR definition says, a breach of security that leads to accidental or unlawful destruction, alteration, unauthorized disclosure of or access to the personal data. So a breach of security leading to accidental or unlawful loss, alteration, unauthorized disclosure of or access to the personal data. Now that takes a little bit of thinking about actually, because we're so used to thinking about data breaches as disclosure of data.
As disclosure of data, as someone has leaked data into the public domain or caused data to go into the public domain, and it's been disclosed out to the wider public. Now when we were looking at security we said that's not all security is about. Security can also be about disruption to the data, making the data unavailable, making the data damaged, as well as disclosure. And this definition covers that. We've got loss and alteration, and it doesn't have to be on purpose, either accidental or unlawful. So if we've accidentally given somebody incorrect permissions, say a contractor or a processor, they've been accidentally given more data access than they should have. Now that data has not been disclosed anywhere. That data has not been disclosed anywhere. But it's still a breach under the GDPR; no one's disclosed it without authorization, but it is still an accidental access to personal data. Still a breach under the GDPR. Just worth thinking about: it doesn't have to be a disclosure of data.

To me it becomes really important for us to define, as a business, what different levels of breaches, what different levels of security incidents we need, and to communicate them to our staff. Where I normally start is with business as usual, stuff we want to know about but probably don't want to do anything about. What I call metrics. Yeah, so metrics: what is normal, what is business as usual? And I think it's really important to understand what business as usual is. How many password resets we get, how many viruses are stopped by our antivirus and our technical filters, for example. So we need to know what's normal in order to find out what's unusual. Business as usual is really important. If we know our business as usual rates, we can then look and say, look, we normally have 10 viruses caught every hour. All of a sudden, we've got 50 in 2 minutes. Different, unusual. We're under attack. We normally have 10 password resets every week. We've now got 20 in a day.
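The baseline-versus-deviation idea just described (ten antivirus catches an hour is normal, fifty in two minutes is not; ten password resets a week is normal, twenty in a day is not) is easy to turn into a first-line detection check. The following is an added example written for this page, not code from the course or from the speaker: it builds a constructed event log, works out the "business as usual" rate for each event type as the median of the preceding time buckets, and flags any bucket that is several times above that rate. The log line shape (`<ISO-8601 timestamp> <event_type>`), the event names `antivirus_block` and `password_reset`, the window sizes and the multiplier are all assumptions chosen for the example.

```python
"""Baseline-versus-deviation check over constructed security event lines.

Added example (not from the course). Each log line is assumed to have the
shape "<ISO-8601 timestamp> <event_type>", for example
"2024-03-04T08:06:00+00:00 antivirus_block".
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median


def parse_line(line):
    """Return (timestamp, event_type) for one log line."""
    ts_text, event_type = line.strip().split(" ", 1)
    return datetime.fromisoformat(ts_text), event_type


def bucket_series(lines, event_type, bucket):
    """Count events of one type per fixed-width time bucket (hour, day, ...).

    Returns a list of (bucket_start_epoch, count) covering every bucket from
    the first to the last seen, so quiet buckets contribute a zero rather
    than being skipped when the baseline is computed."""
    width = int(bucket.total_seconds())
    counts = Counter()
    for line in lines:
        ts, kind = parse_line(line)
        if kind != event_type:
            continue
        epoch = int(ts.timestamp())
        counts[epoch - epoch % width] += 1  # floor to the bucket boundary
    if not counts:
        return []
    lo, hi = min(counts), max(counts)
    return [(b, counts.get(b, 0)) for b in range(lo, hi + width, width)]


def flag_deviations(series, baseline_window, multiplier=3.0, min_count=5):
    """Flag buckets whose count exceeds `multiplier` times the median of the
    preceding `baseline_window` buckets (the business-as-usual rate).

    `min_count` stops a tiny baseline (median of 1) from flagging two events.
    Each hit is (bucket_start_epoch, count, baseline)."""
    flagged = []
    for i in range(baseline_window, len(series)):
        history = [count for _, count in series[i - baseline_window:i]]
        baseline = median(history)
        start, count = series[i]
        if count >= min_count and count > multiplier * baseline:
            flagged.append((start, count, baseline))
    return flagged


def build_sample_log():
    """Constructed data: eight quiet days, then day nine carries a burst of
    fifty antivirus blocks inside two minutes and twenty password resets."""
    start = datetime(2024, 3, 4, tzinfo=timezone.utc)
    lines = []
    for day in range(9):
        day_start = start + timedelta(days=day)
        # business as usual: ten antivirus blocks every hour, evenly spread
        for hour in range(24):
            for k in range(10):
                ts = day_start + timedelta(hours=hour, minutes=6 * k)
                lines.append(f"{ts.isoformat()} antivirus_block")
        # business as usual: one or two password resets a day
        for k in range(1 + day % 2):
            ts = day_start + timedelta(hours=9 + k)
            lines.append(f"{ts.isoformat()} password_reset")
    burst_day = start + timedelta(days=8)
    for k in range(50):  # fifty blocks within 100 seconds at 14:00
        ts = burst_day + timedelta(hours=14, seconds=2 * k)
        lines.append(f"{ts.isoformat()} antivirus_block")
    for k in range(20):  # twenty resets spread across the same morning
        ts = burst_day + timedelta(hours=8, minutes=15 * k)
        lines.append(f"{ts.isoformat()} password_reset")
    return lines


def run_checks(lines=None):
    """Hourly check for antivirus blocks, daily check for password resets."""
    lines = lines if lines is not None else build_sample_log()
    hourly = bucket_series(lines, "antivirus_block", timedelta(hours=1))
    daily = bucket_series(lines, "password_reset", timedelta(days=1))
    return {
        "antivirus_hourly": flag_deviations(hourly, baseline_window=24),
        "password_reset_daily": flag_deviations(daily, baseline_window=7),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        for start, count, baseline in hits:
            when = datetime.fromtimestamp(start, tz=timezone.utc)
            print(f"{name}: {count} events from {when:%Y-%m-%d %H:%M} UTC "
                  f"(baseline {baseline:g})")
```

The median rather than the mean is used for the baseline so that one earlier spike does not drag the "normal" rate up and hide the next one; the `min_count` floor matters for low-volume events such as password resets, where a baseline of one or two a day would otherwise flag almost anything. In a real deployment the baseline window and multiplier would be tuned per event type against the organisation's own metrics, which is exactly the "know what's normal" point the speaker is making.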
Why, what's different? And these are the sorts of indicators that I think are really useful for us to understand our security environment.

After the business as usual, I think there's this sort of talk about an incident. Now incidents are really important to understand, and I think most things could be, should be, categorized as an incident straight away, and then determine whether it's bigger than that. Yeah, so an incident to me is a potential vulnerability or weakness, there's a possibility of a breach. Yeah, we need these things to be reported. We need to understand these. In health and safety, well, sometimes they talk about trip hazards. Yeah, they'll say that they don't want you to report that someone's fallen over and broken their neck. They want you to report that there's a trip hazard that somebody could fall over and break their neck. That's an incident that might need fixing, but it might not be a breach, where something has actually happened. And I think in the exam it's very important to understand this difference between an incident and a breach. An incident is sort of the potential for something to happen. A breach, something's happened.

I mean, the IAPP used the term confirmed disclosure. I actually don't like that definition myself personally. It's the IAPP one they use in their exam, because as we've already said the definition of a GDPR breach is not just about disclosure. It could be about the data being lost or becoming unavailable for whatever reason; these things are breaches. So a breach to me means you're going to need to take some sort of corrective action. You're going to need to actually understand that some sort of data has been compromised or deleted or disrupted or is out there in the public domain. This is a breach, and therefore we need to take actions, some sort of corrective action, to fix that breach. And that's when our incident response really kicks in. I'm going to say now, and you might not find this in an exam,
you might just see incident and breach in the exam, but in the real world, you're probably going to find another couple of escalation points here. And I'm going to say the next one is a major breach. A major breach. Now you're going to know when you're going to get one of these, in terms of escalation and definition. You're just going to need the senior management in a room. Now. [LAUGH]. You're going to have media turning up at your door. It's going to be high risk to the business, you might have regulators coming and knocking on the door. You might even have to go into crisis management mode. So major breaches. A major breach definition, and finally business continuity. Business continuity: the breach is so bad that your entire business is now at risk. You're into survivability mode. Yeah, you have to go into short-term and longer-term recovery in order to fix it. It's that bad.

So what do we need to know? We need to have good sources to detect the breach. As we said, unusual activity, technology reports and alerts. We need our processors, third parties, to be able to tell us if they have had problems. We need our customers to be able to tell us if they're having problems. We need staff to be able to tell us if they're having problems. So we need these good reporting lines coming in to tell us all about where these things are happening. We need to understand, and they may even come to us in the data protection division. It may come to the security division, it may come to the IT division. We need some sort of help desk or triage in order that customers, staff, vendors, IT systems can start to report all this good stuff. And then we're going to need to be set up to respond. We're going to need to have things in place, things in place, things in place. So those things mean good reporting lines, good education of our staff, good training and awareness of our staff. What to do. I actually did some corporate security training really.
And I thought it was terrible because it didn't give me any specifics. He told me all about security. In fact, he told me all about data protection as well. But he didn't tell me what I have to do for my organization, who I have to talk to, what my responsibilities are specific to me in this organization. So even if you are doing the learning and things like that, they might need to know specifics for the organization. They might even need to practice. I love a good simulation. I love getting senior management in a room and saying, hey, this has occurred. What do you do? And then having things that are ready to go, having response plans already in place for specific scenarios, for specific business unit recovery. I mean, we're heading into business continuity here, but you might need specific business units to have already prepared actions to do certain things. I mean, it's what the military call "actions on", or making sure, if you fail to plan, you plan to fail, right?

And you might even need to be prepared to capture data in terms of legal discovery. These things might end up going to court; you might need to prove to a regulator what has happened and what hasn't happened and whose fault it was. And you might even be taking rogue individuals to court, and therefore we need to think about evidence preservation as well. We call this, in these modern days, forensic readiness: this idea that you are prepared to preserve the evidence in the case of legal or civil action.

So that's what we're going to cover for detection. The next element we're going to go on to is assessment. So once we've detected the incident, it's then about assessing that incident and understanding what we want to do based on that assessment. Thank you.