This is Part II of a three-part series on incident response planning as part of your overall information security plan. Part I discussed why an incident response plan is important and Part III details the key elements and outline of a typical incident response plan.
Here in Part II, we’ll focus on seven activities you should consider in order to prepare and organize before you start to write your incident response plan.
1. Conduct a risk assessment. This involves identifying threats, exposures, risks, and likelihoods. No response plan can cover every possible event, but yours should address the risks and threats with the greatest potential of impact on your operations and clients. Look for potential high-value targets and single points of failure, which can cause the greatest exposure. A compelling risk assessment will tie the risks all the way through to their impact on the business (e.g., an unpatched server is a technical risk; when that server is infected with ransomware and your e-commerce capabilities are shut down, that’s a business impact). Risk assessments should be conducted regularly to recognize changes in your business environment, technology, and external threats. This risk assessment should yield an inventory of your digital assets at risk, and a catalog of potential types of security incidents – both internal and external.
2. Identify your risk tolerance. Of course, you want to recover as soon as possible from a data breach or attack. But understanding the criticality and sensitivity of your data and operations is important in helping you decide the level of response. Reflect on what you consider an “incident” to mean. This will help you decide on the appropriate scope and level of detail that your plan will take. Some breaches will demand “all hands on deck” response, while others may not involve personal/financial data or mission critical systems, so your notification requirements may change. Gaining a full understanding of your company’s risk appetite and tolerance for business impact can actually help tighten the scope of your plan, allowing you to focus on what’s really important first.
3. Get executive support and buy-in. An effective incident response plan will require the time commitment and attention from a number of areas in your company. Even today, a perception exists that breach response is “just an IT thing”, so others at the table may not take it as seriously or commit sufficient resources to participating. Getting backing from the top down – meaning the board of directors, the CEO, and the rest of the C-suite – is vital to helping pave the way for you to develop, test, and maintain the plan. Some of the preliminary work you did in your risk assessment and risk tolerance evaluation can help you convince others of the importance of appropriate planning.
4. Identify your internal team. Incident response planning is way more than just the IT group getting together! Of course your team will include IT operations, but other members of your corporate team must be involved in order for your plan to be truly successful. Your communications or media group will need to be involved to shape, control, and contain any messaging to the public. All communications should go through personnel trained and authorized to speak on behalf of the company. You may also choose to have communications handle notifications to your staff, to ensure that your IT team can maximize their focus on the breach. Your legal team will need to be notified and kept apprised of the scope and impact of any breach. Compliance staff will be involved to the extent that reports are required to regional or federal regulatory bodies or other stakeholders beyond your clients (e.g., if you handle credit card information, payment card issuers must be notified). HR may need to be involved depending on the impacts on personnel, ranging from overtime to loss of personal staff data. Your executive group needs to be notified to keep them apprised and have rapid decision-making authority should the need arise.
5. Identify your external team. Outside the company, you may have made arrangements with a third-party cybersecurity firm like ISA to assist in breach response, from containment to breach forensics to recovery. Many firms have retainer agreements in place with law firms to act as “breach coaches” to assist with the various phases of incident response, all shielded by lawyer/client privilege. Law enforcement should be a part of your team as well – your response playbook should include contact information and notification procedures for law enforcement. Also consider what cloud providers, software/hardware vendors, and third-party organizations are integral to your day-to-day operations – they need to be identified and documented.
6. Identify your stakeholders. Depending on the severity of the breach, you will likely need to notify your customers. But you may have many other stakeholders involved as well. They not only need to be notified and kept up to date in the event of an incident, but may require customized communications. For compliance and regulatory reasons, you may need to notify government agencies, the privacy commissioner, payment card issuers, etc. Your parent company or subsidiaries, your board of directors, and your investors will need prompt attention and continuing updates. Your staff need to be updated, but also must be reminded to avoid corresponding with anyone else about the incident – communications must be centralized and controlled appropriately. Your up- and downstream business partners and providers may need to be notified as well, depending on the nature of the breach.
7. Develop communications templates. Once you’ve identified a series of potential incidents and all of those who need to be notified, you can construct communications templates that can be used to accelerate the messaging to those stakeholders. Have you identified how you will reach them? Is a media release appropriate? A web posting might be your first instinct, but if the breach has compromised your website, then you may be scrambling at a stressful time. These templates can be developed before the rest of your plan has taken shape.
Conducting these activities in advance, or at least during the first phase of your plan development, will simplify the construction of your plan and make it much more effective for your organization. These tips should help you get off on the right foot. And always remember that ISA Cybersecurity is just a call or click away to answer any questions, or to assist in the development of your plan. Contact us today to learn more… before a breach happens.