Planning and foresight are essential to any cybersecurity incident
response plan. Follow these steps to make sure you're ready for a data breach.
When your system is compromised, you generally have one chance to get the response right. Any mistakes made in...
The early moments of a cybersecurity incident can have a negative, cascading impact that will be difficult, if not impossible, to recover from. Initial actions often determine whether the outcome is manageable, or chaotic and destructive. Having a predetermined plan is critical to avoiding those mistakes and mitigating damage.
There are several elements that should be included when developing and
implementing a cybersecurity incident response plan. How you
complete these steps is dependent on numerous variables, including your
company's unique cybersecurity vulnerabilities and regulatory compliance needs.
But generally, your plan can be built by following these steps.
1. Develop goals: Carefully describe the overarching goals of the
plan. Having goals for each section will help those assigned to deliver on the
plan understand the context of their assignment, and the reason for their
actions.
2. Determine the people involved: Be sure those expected to act are not just identified but fully informed and trained on their role in cybersecurity incident response. Describe, by role, who will do what in the event of an information security incident or data breach.
Some additional recommendations:
· A single point of contact should manage policies and procedures. This person should be assigned in advance, and be tasked with ensuring that your organization has plans in place that are current and viable.
· Establish a Computer Security Incident Response Team (CSIRT). The team's job is to quickly and effectively respond to and manage high-level incidents. CSIRT members should be empowered to make decisions and execute in the event of an incident. The CSIRT should also have the ability to assign smaller strike teams to assess the severity and potential impacts of an individual incident.
3. Identify discovery mechanisms: Be sure to identify systems, activities and events that can be monitored or reviewed on a regular basis. Constant review to identify potential information security incidents quickly is critical.
4. Determine cybersecurity incident response triggers: Identify as many common events that will trigger an investigation as you can. You don't need to cover them all, but being thorough will help others to understand what they should look for and how to respond. Some possible triggers include:
· Theft or loss of a computing device
· Many failed attempts to gain system access
· Attempts to use old credentials
· Access attempts that are outside of normal business hours
· Unauthorized access to a system containing protected data
· Employee snooping or information capture
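As an added illustration of how the triggers above can be turned into concrete checks (example code, not part of the original article), the following Python script scans constructed authentication log lines for three of them: many failed attempts from one source, use of a disabled account and access outside business hours. The log format, the DISABLED_ACCOUNTS set, FAIL_THRESHOLD and the business-hours window are all assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not from the article); one login attempt per line.
SAMPLE_LOG = """\
2024-05-06T09:02:11 user=alice src=10.0.0.5 result=OK
2024-05-06T09:03:40 user=bob src=10.0.0.9 result=FAIL
2024-05-06T09:03:44 user=bob src=10.0.0.9 result=FAIL
2024-05-06T09:03:49 user=bob src=10.0.0.9 result=FAIL
2024-05-06T09:03:55 user=bob src=10.0.0.9 result=FAIL
2024-05-06T09:04:01 user=bob src=10.0.0.9 result=FAIL
2024-05-06T23:41:07 user=carol src=203.0.113.7 result=OK
2024-05-07T10:15:30 user=dave src=10.0.0.12 result=FAIL
""".splitlines()

DISABLED_ACCOUNTS = {"dave"}   # hypothetical list of accounts already deactivated
FAIL_THRESHOLD = 5             # assumed cut-off for "many failed attempts"
BUSINESS_HOURS = range(8, 18)  # assumed: 08:00-17:59, Monday to Friday


def parse(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def find_triggers(lines):
    """Return (trigger, detail) pairs for the step-4 triggers found in the log."""
    events = [parse(ln) for ln in lines]
    triggers = []
    # Trigger: many failed attempts to gain system access (counted per source).
    fails = Counter(e["src"] for e in events if e["result"] == "FAIL")
    for src, n in fails.items():
        if n >= FAIL_THRESHOLD:
            triggers.append(("many_failed_attempts", f"{src} ({n} failures)"))
    for e in events:
        # Trigger: attempts to use old (deactivated) credentials, even if they fail.
        if e["user"] in DISABLED_ACCOUNTS:
            triggers.append(("old_credentials", f"{e['user']} from {e['src']}"))
        # Trigger: successful access outside normal business hours.
        after_hours = e["ts"].hour not in BUSINESS_HOURS or e["ts"].weekday() >= 5
        if after_hours and e["result"] == "OK":
            triggers.append(("outside_business_hours", f"{e['user']} at {e['ts'].isoformat()}"))
    return triggers


if __name__ == "__main__":
    for trig, detail in find_triggers(SAMPLE_LOG):
        print(f"[{trig}] {detail} -> open an investigation")
```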
5. CSIRT activation: Identify how, when and what levels of staff are to be activated depending on the type of information security incident. Loosely describe incidents that could require a response from an individual employee, a small cyber strike team and/or the full CSIRT. In smaller organizations, this may also be decided by executives on a case-by-case basis. The following are examples of moderate to severe information security incidents, and the appropriate response:
· Virus infection that only impacts one machine or host (individual with report going to CSIRT).
· Virus that impacts more than one machine or host (strike team of assigned individuals with report to CSIRT).
· Possible malware infection with data exfiltration capabilities (strike team with potential to expand to the full CSIRT).
· Known severe malware database infection/attack that is believed to have resulted in significant data exfiltration or destruction (full CSIRT with assigned strike teams based on needs).
6. Define breach determination methodology: Describe the methodology of how you will determine if protected data was compromised based on the type of attack identified and the classification of the potentially breached data. For example, determine if there was a probability of compromise using the four-factor risk assessment methodology required for healthcare data. This method is helpful for all companies, not just those in healthcare. Furthermore, it's important to remember that if there is a compromise then you have likely violated state and federal regulations.
The four-factor test, according to HIPAA definitions 45 CFR 164.402, assesses:
· The nature and extent of the protected information involved, including the types of identifiers and the likelihood of re-identification;
· The unauthorized person who used the protected information and/or to whom the disclosure was made;
· Whether the protected information was actually acquired or viewed; and
· The extent to which the risk to the protected information has been mitigated.
7. Define triggering events: Determine what will trigger a breach notification based on regulatory and contractual obligations. These could be notifications to contract partners, employees, consumers, law enforcement and regulatory bodies.
8. Activate the breach response team: This will include members of the CSIRT but also any additional staff needed to respond in a breach's aftermath. These staff members can be both internal and external, and could include technical staff, vendor representatives, legal and compliance officers, public relations and marketing.
9. Outline notification actions: Notification requirements vary by federal statute, state law and data class. It is important to know the requirements for each class of data and their associated laws. Because there are so many different requirements, it is important to examine each carefully. It is strongly recommended that the basic process and contents be drafted well in advance. Some guidelines on the type of data to include:
· The organization's name and that of others associated with the breach, as well as contact information.
· The exact date and duration of the breach, as well as details on the type of breach that occurred.
· The number of individuals affected, and which data classes and what quantity of data are thought to have been breached.
· Information on how impacted individuals can review their credit reports.
10. Detail remediation efforts: After an incident, there will often be remediation work required to return your organization to normal operations. This could involve reinstalling applications, rebuilding databases or host machines, changing network configurations and adding new monitoring services. Remediation should start as soon as possible to help prevent additional incidents triggered by the vulnerability, policy or procedure that allowed the incident to occur in the first place.
11. Develop reporting and documentation: It is critical that you produce accurate and complete documentation of the events, actions and results that occur during a security incident. Be sure to spend time to accurately record exactly how the incident occurred and the company's response. Keep copies of all communications and notifications, and document any and all activity related to the breach.
12. Review policy and procedures: A significant security incident or breach is a great opportunity to improve data protection policies and procedures. Take the opportunity to consider what happened to allow the breach and how the company responded. Then consider and document ways to improve both.
13. Train and update staff: Once you have created your cybersecurity incident response plan, you should train your staff consistently on their role in bringing it to fruition. If staff members are either unaware of or not familiar with the plan, you might as well not have one. A lack of training can lead to inaction, delays and mistakes that are avoidable and incredibly costly. Empower your employees to be confident and ready to act when the inevitable occurs.