The Incident Response Guide is a vital tool that can be used in defense against data breaches.
Inside, you’ll learn why it’s important to have an incident response plan, how to create one and what to do during the first 24 hours of a breach.
We’ll explain what you need to know about notifying your customers, patients or employees. The guide also has the latest information on the HIPAA Omnibus Rule and upcoming federal legislation on breach notification laws. After you create your response plan, it’s important to test and update it. Recommendations for updating your plan are included in this publication, along with some helpful resources.
So please, take a little time to review this guide, and if you don’t have an incident response plan, use this to help create one. It could mean the difference between a breach that causes a brief disruption and one that causes a major meltdown.
Cyber security incident management is not a linear process; it's a cycle that consists of a preparation phase, an incident detection phase and a phase of incident containment, mitigation and recovery. The final phase consists of drawing lessons from the incident in order to improve the process and prepare for future incidents. Throughout this cycle, communication with both internal and external stakeholders is of critical importance.
Many organisations may not have the necessary in-house expertise and skills to respond adequately to a cyber security incident. When they are facing an incident, they may need to call upon experts to contain the incident and/or to carry out forensic investigations. This does not mean that they cannot do anything themselves. On the contrary, there are a lot of things that can and should be done before an actual incident occurs.
Drawing up an organisation's cyber security incident response plan is an important first step of cyber security incident management. It is also crucial that top management validates this plan and is involved in every step of the cyber security incident management cycle. The following elements should be included in the cyber security incident response plan:
• Identification of the assets that need to be protected;
• Identification and assignment of responsibilities in the context of a cyber security incident;
• In-house capabilities or contracts with external experts for incident response and/or forensic investigation in case of an actual cyber security incident;
• The equipment and technology to detect and address a cyber security incident;
• A basic containment strategy: disconnect the systems immediately in order to recover as quickly as possible? Or take the time to collect evidence against the cybercriminal who compromised the system?
• A communication strategy for both internal and external stakeholders and for authorities such as law enforcement and the Privacy Commission.
Finally, organisations should consider taking out cyber insurance. The cost of cyber security incidents often amounts to hundreds of thousands or even millions of euros. A reliable cyber insurance policy will cover at least a part of this cost.
This Guide aims to draw attention to the importance of planning how to manage a cyber security incident ahead of time.
Data Breach Response Guide
"Responding to a data breach is a lot like fighting a fire," notes Gerard Stegmaier, CIPP/US, a partner with Goodwin Procter. "Once the alarm goes off, it pays to have a plan and to work immediately to address the safety of anyone in the building, contain the fire and preserve the scene for the investigators. Safety comes first, then investigation and remediation. Keeping calm, being methodical and ensuring access to the right resources for management always ensures better outcomes."
Seems like an obvious truism, but, "Incident response preparedness is all over the map," notes Co3 Systems' Tim Armstrong. "Some organizations are well-prepared. But more often we find that even Fortune-500 companies that have spent millions of dollars on preventive and detective controls have significant shortcomings handling day-to-day security and privacy events, not to mention a major breach."
Oftentimes, that's because the organization hasn't taken the time and effort to develop the relationships inside and outside the building necessary for rapid and coordinated response.
In the following document, we offer up a way of getting the necessary relationships in place and then outline how best to leverage those relationships once the breach has occurred.
Part I: BREACH PREPAREDNESS: Setting up your incident response team and laying the groundwork for proper vendor management
Part II: LEGAL SERVICES: Your breach coach and beyond
Part III: IT SERVICES: Forensics is more than just figuring out what happened
Part IV: PR SERVICES: Making sure you craft the proper message for the intended recipients, including regulators
Part V: CONSUMER SERVICES: How to make things right, retain your customers and come out the other side relatively unscathed