Last Updated: February 25, 2021
The objectives of the Policy are to enable FVAP to avoid, contain, or mitigate the impact of a data breach or incident on FVAP clients, personnel, business partners, and affected third parties and to enable FVAP to meet applicable legal obligations, including possible notification requirements.
This Policy covers instances of potential unauthorized access to personally identifiable information as well as potential unauthorized or improper distribution of personally identifiable information.
For the purpose of this Policy, personally identifiable information means any information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.
For the purpose of this Policy, actual breach means the loss of control, compromise, unauthorized disclosure, acquisition or any similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information for anything other than the authorized purpose. This definition also includes the loss or theft of physical documents and/or portable electronic storage that include personally identifiable information.
For the purpose of this Policy, imminent breach means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system.
This Policy applies to actual breaches and imminent breaches involving FVAP personnel, service providers or other third parties who provide a service to FVAP or are authorized to access FVAP’s data stores, including all computers, servers, electronic communication devices, and physical filing systems that are owned or controlled by FVAP to support its business operations.
The basis of this Policy is the requirements defined by OMB M-17-12 and the grant requirements set by the Office on Violence Against Woman.
- ROLES AND RESPONSIBILITIES
FVAP will create a response team in the event of an actual breach or imminent breach. The composition of the response team is the discretion of the FVAP Incident Coordinator. The composition is not fixed but it is designed to be flexible, scalable, and adaptable, based on the size, scope and severity of the actual breach or imminent breach.
- FVAP Incident Coordinator. The position of FVAP Incident Coordinator is occupied by the Finance and Administration Manager for a duration defined by the Executive Director.
Currently, Paul Jones, Finance and Administration Manager serves as the FVAP Incident Coordinator (email: firstname.lastname@example.org; phone: 510-858-7358)
The following are responsibilities of the FVAP Incident Coordinator:
- Coordinate Incident Awareness, Incident Assessment, all Post Incident Activities and communication efforts in the case of an actual breach or imminent breach;
- Maintain the Personally Identifiable Information Data Store Inventory;
- Contact applicable state and federal agencies in the event of an actual breach or imminent breach;
- Ensure that post incident evaluations are conducted and documented;
- Review and update this Policy, as appropriate;
- Provide training with respect to this Policy; and
- All other processes necessary to comply with state and federal notification requirements.
- Maintenance of Personally Identifiable Information Data Store. It is the responsibility of all FVAP personnel to keep data stores current. FVAP personnel are trained to monitor the integrity of FVAP’s data stores and will report any anomaly or potential data breach or imminent breach to the FVAP Incident Coordinator. For more information on FVAP’s Record Retention Policy please click here.
Security Breach Assessment Procedure
Incidence Awareness. FVAP may become aware of security breaches or potential breaches related to personal information by detection on FVAP networks via such methods as system audits, intrusion detection, and network analysis, among others. FVAP may also become aware of a potential security breach by means of an individual(s) reporting a suspected security breach incident. In the case of an individual reporting a suspected security breach, the actions specified in this guideline will not be initiated unless the report can be corroborated using accepted system and/or network monitoring.
Personally Identifiable Information Data Store Inventory. By definition, a data breach or imminent breach must involve one of the Personally Identifiable Information Data Stores maintained by FVAP for business purposes. An inventory of all data stores that contain personally identifiable information shall be maintained. It shall be the responsibility of the FVAP Incident Coordinator to ensure that the applicable data stores are included in the inventory.
This inventory shall include:
- the name of the data store,
- the type of data format
- the name of the server on which the data store is maintained,
- for physical data storage, the location of the data store, information retained therein, and process used to safeguard its contents,
- the name and contact information of the personal information data store proprietor,
- the name and contact information of the personal information data store custodian,
- acceptable levels and methods of data store security,
- all applications that interact with the data store,
- and the types of users who use the applications (e.g., administrators, IT personnel, department directors, general personnel, third party consultants, etc.).
Incident Assessment. For the purpose of this guideline, if a system that houses a data store that contains personally identifiable information is accessed by unauthorized means, it can be presumed that the personally identifiable information stored there has not been compromised if it is concluded that the information was in encrypted form and the unauthorized access did not circumvent such encryption or result in data access. Once the organization becomes aware of a potential compromise, an incident assessment process shall be used to a) determine if an incident actually occurred, b) assess the method and/or causes of intrusion or disclosure, and c) assess the scope of the incident. The assessment should be completed in the most expedient time frame
Appendix 1 contains a proposed Incident Assessment Procedure List.
Security Breach Reporting Procedure
Communication with certain individuals whose personally identifiable information may have been compromised is a requirement of state law. The most appropriate method of communicating an incident to affected individuals may vary depending on the specifics of the incident. Once the FVAP Incident Coordinator has been notified of a potential incident, appropriate law enforcement shall be notified, and provided with the contact information of the individual(s) conducting the incident assessment.
If unauthorized access to personally identifiable information via data breach or imminent breach is confirmed, the FVAP Incident Coordinator shall follow the following procedure for reporting the incident. The reporting procedure should be completed in the most expedient time frame possible after the scope of the breach has been defined and the integrity of the system is restored.
- Where appropriate, notify relevant law enforcement of the incident and provide them with the contact person conducting the incident assessment.
- Contact Office of Violence Against Women within 24 hours after the occurrence of an actual breach, or the detection of an imminent breach.
- Create an entry in a Personally Identifiable Information Incident tracking database.
- The following individuals shall evaluate the result of the incident assessment:
- the FVAP Incident Coordinator;
- the individual(s) who conducted or supported the assessment.
- Upon completion of the evaluation, the above individuals shall determine if notification is required or advisable, and if so, the best method of communicating the incident to the appropriate individuals whose personally identifiable information was compromised. Appropriate communication approaches shall be followed in order to comply with state and federal law and applicable grant requirements. FVAP will follow all notification guidelines set by state and federal law.
- The content for the communication shall be developed, reviewed, and approved.
- With the concurrence of the appropriate law enforcement representatives (to ensure that the investigation is not impeded or compromised) communication of the incident to affected individuals, using the communication approach deemed appropriate, shall commence.
Post Incident Activities
Post incident evaluation and documentation are critical to learning lessons from an incident and ensuring long-term resolution of problems. At the conclusion of each incident, a Post Incident Review will be conducted to evaluate lessons learned, initiate any necessary changes in practices or policy, and collect and archive all documentation related to the incident.
- Post Incident Review. The FVAP Incident Coordinator is responsible for coordinating the Post Incident Review. The Post Incident Review should be conducted after all necessary incident communication, if any, has taken place and after sufficient time has elapsed after the incident such that effectiveness of the communication can be evaluated. The same individuals involved in the Incident Assessment should be involved in the post incident review. The post incident review will include a Lessons Learned Assessment, Policy Changes Based on Lessons Learned, Post Incident Report and Archive of Documentation, and Post Incident Notification.
- Lessons Learned Assessment. At a minimum, the following should be evaluated and documented.
- The process by which the incident was handled to determine if any process changes are required to make the process more efficient or effective.
- The security measures that were in place to protect the compromised data store to determine if security approaches should be changed.
- The result of the communication sent to individuals whose personally identifiable information was compromised.
Lessons learned should be communicated to FVAP through means such as:
- A detailed presentation to the Executive Director that includes details regarding the incident and steps taken to address the incident;
- email to or presentation to FVAP personnel that provides an overview of the incident and steps taken to address the issue; and
- presentation to the Board of Directors that includes an overview of the incident, an overview of steps taken to address the issue, description of archived incident documentation, and suggested policy changes.
- Policy Changes Based on Lessons Learned. Based on the Lessons Learned Assessment, any changes in department or FVAP practices or policy should be initiated by the proprietor, or the custodian, or the FVAP Incident Coordinator.
- Post Incident Report and Archive of Documentation. At the conclusion of the Post Incident Review, an Incident Closure Report will be developed by the FVAP Incident Coordinator and will include a description of the incident, the response process used, the notification process used, and actions taken to prevent further incidents. All documentation associated with the incident including Incident Assessment documentation, communication to impacted individuals, and organizations should be retained in a designated Sensitive Data Incident repository.
- Post Incident Notification. The Post Incident Report shall be provided to all participants in the post incident review process, and to the Executive Director.
Please contact FVAP if you have any questions about the Data Breach Policy at the address or email listed below.
Attn: Paul Jones, Finance and Administration Manager
449 15th Street, Suite 104
Oakland, CA 94612
Incident Assessment Procedure List
- It is likely that the evaluation required to determine whether the personally identifiable information acquired will be different for each data breach or imminent breach. However, evaluation of potential data breaches or imminent threats should include at a minimum:
- review of system logs, where available and appropriate
- evaluation of the type, and typical intent, of the system intrusion,
- any explicit evidence supporting or refuting the concept that the data was accessed,
- identification of data types, file extensions, and directory location,
- and any additional evaluation of network traffic or system state that may help support a conclusion.
- If as a result of reasonable technical evaluation it is concluded that the data store was compromised or it is reasonable to believe that it was compromised, document the method by which this conclusion was reached.
- Contact the FVAP Incident Coordinator and notify him/her/them that a potential incident has been detected.
- Consider appropriate means to prevent ongoing incident, including:
- Disconnect the system from all networks. In the case of servers that house multiple applications, it may be appropriate to only isolate the impacted application. Follow established procedures for notifying system users to expect down-time without disclosing the possibility of a sensitive data incident.
- Disable all non-administrative logins to the system.
- Change passwords to all administrative logins to the system.
- Consider appropriate means to preserve evidence of possible incident, including:
- Notify FVAP network support personnel that all logs relative to the server should be saved.
- Execute a full backup of the entire system.
- If applicable, document the means by which the unauthorized system access was detected and confirmed. If possible, this should include the network address from which the access was initiated and the means by which system access was gained (e.g. user i.d./password used, network port/application compromised, etc.).
- If possible, determine the date and time the compromise began and the date and time that the compromise ended.
- Determine and document the type of individuals stored in the affected data store (e.g. employees, clients, vendors, non-FVAP related, etc.).
- Contact the FVAP Incident Coordinator and provide copies of all documentation listed above and any other clarifying information that may be relevant to the incident.
- After reviewing the above documents and information and consulting with appropriate internal and external subject matter experts, the FVAP Incident Coordinator should determine whether notice should or may be given to individuals whose personally identifiable information is contained in the potentially compromised data store. If yes,
- Determine if the data store contains, or has an associated source of contact information for all individuals whose personally identifiable information is stored. Contact information may consist of current telephone number, current address, or current email address.
- If current contact information exists, document the name of the associated data store, and obtain a listing of contact information for all individuals whose data is contained in the compromised data store. The listing shall relate the name of the individual with the contact information.
- If current contact information does not exist, or if contact information for only a subset of the individuals exists, obtain a list of names of individuals for whom current contact information does not exist.
- System operational capability may be restored, where it was interrupted as described above, as soon as either it is confirmed that a breach did not take place, or as soon as law enforcement and/or appropriate FVAP officer (e.g. FVAP Incident Coordinator) provide direction.