Tue, Nov 22, 2016
Each day seems to bring news of yet another company dealing with a data breach.
Personally, your first reaction might be to make sure that your data is not among the information compromised. But after that, are you professionally worried because you don’t know — at least, not with any amount of certainty — how your company will respond and recover if your network is hacked?
One of the best ways to gain some peace of mind when it comes to data breaches is to create and regularly test an incident response plan (IRP). Creating an IRP does not have to be a lengthy, intimidating process. In fact, according to the National Institute of Standards and Technology (NIST), an IRP simply provides “the instructions and procedures an organization can use to identify, respond to, and mitigate the effects of a cyber incident.”1 In this article, we will provide a high-level view of how to build an IRP and the types of questions you will want to address as you begin planning.
Getting Your Terminology Right
Incident, event, breach … they all mean the same thing, right? Actually, no, not at all. NIST defines a computer incident as a “violation, or imminent threat of violation, of computer security policies, acceptable use policies, or standard security practices.” While NIST’s definition is a good starting point, many organizations might find that it is too broad for their business. Therefore, for purposes of framing what you are really trying to protect for your organization, it might be useful to expand the NIST definition of an incident to any “violation, or imminent threat of violation, of computer security policies, acceptable use policies, or standard security practices that has significant potential to lead to:
So how is a computer event different from an incident?
According to NIST, “An event is any observable occurrence in a system or network.” For our purposes, what is more helpful is that NIST defines adverse computer events as “… events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data.”
Now we come to the term breach. A breach generally describes when an organization has lost control of certain types of sensitive data, e.g., PII, PHI, or customer data. Be very careful when using the word breach in communications around an incident, and speak with your counsel before issuing any public statements about an incident, particularly while an investigation is still unfolding.
Assembling Your Incident Response Team (IRT)
As you prepare to develop your IRP, you should also assemble your incident response team (IRT). Generally, the following professionals should be part of your IRT to ensure coverage of specific incident-related issues:
Building Your IRP – Seven Important Steps
The following steps are based on best practices that Kroll has developed helping organizations build their IRPs.
For an initial test, a tabletop exercise can be a very enlightening process because it demonstrates the readiness of your organization to respond to cyber incidents. The key objectives in the tabletop exercise are:
Outside experts such as Kroll, with significant experience in helping clients prevent, prepare for, and manage breaches, can facilitate both the development of your IRP/IRT as well as the tabletop exercises. In today’s busy world, we understand that it can be difficult for professionals to dedicate time to a simulation exercise. However, experiencing a data breach without an incident response plan and without an incident response team will be a much longer process — and often carries more significant damage to your company and its reputation. In these days when all networks are under constant attack, having an IRP can help you and your company manage a cyber incident with confidence.
By Lucie Hayward, Managing Consultant, and Michael Quinn, Associate Managing Director