A cybersecurity incident response plan outlines how you will respond to serious incidents, such as a data breach, ransomware attack or other data loss. It also includes procedures for communicating with individuals impacted by the incident.
An effective plan focuses on the four key elements of any incident response: detection, containment, eradication and recovery.
Detection
Your staff should be able to identify a data breach as quickly as possible. In the wrong hands, sensitive information can be used for everything from identity theft to fraudulent transactions to industrial espionage.
Detection may involve anything from a suspicious e-mail to a sluggish network or database server. You should also be able to detect when an attack has been successful. The best way to do this is by monitoring the activity of your cybersecurity tools and servers or by implementing security alerts based on certain activities.
Once a breach is identified, your response team should be notified immediately. The team leader should be able to initiate action without going through management. This person should also have a backup who can take their place if they become unavailable.
The next step should be containing the breach. This includes isolating the affected computer or server and preventing any additional data loss or destruction of evidence that could make it more difficult to find the cause of the breach.
This is where a good communications plan pays off. Publish your incident notification procedures and include them in your employee training. Clearly define who needs to be made aware of the breach based on local ordinances and the perceived harm, and make sure all notifications are issued within the legally mandated timeframes.
Containment
Once the initial data breach has been detected, it is important to contain the situation. This includes removing active intruders and preventing future unauthorized access. This is done by isolating the affected device, systems or network. It may also involve removing the network cable, restricting wireless access or other similar steps. This should be done in coordination with your forensic experts.
The next step is to secure the evidence, both physically and digitally. This should be done in consultation with your forensic experts and legal counsel. Finally, you will need to review your incident response plans and determine what actions are required in the event of a breach. These are best developed beforehand so key decisions do not have to be made under pressure in a crisis.
One key step in the response plan is to define who is responsible for deciding when to escalate the incident to a data breach team. This should be someone with authority and the ability to take immediate action, such as the team leader or a senior staff member. You should also consider how this role is triggered, for example whether escalation is automatic or only happens when certain conditions are met. Similarly, you should include a list of people to be notified if a data breach occurs and ensure that these notifications are issued within the legally required timeframes.
Recovery
A data breach response plan should include a section on recovering from a security incident, including changing access codes and restoring systems. It should also cover legal obligations such as reporting to law enforcement and affected individuals. A good place to start is by evaluating the company’s existing privacy and security policies. This can help you determine whether a new breach response plan is needed or if the existing one will suffice.
As part of this step, you should analyze the incident to determine its cause. This should involve examining logs and talking to those involved in the incident. You should also examine backups or preserved information. This can help identify which data was compromised, where the breach originated, and who accessed that information. This lets you understand the root cause of the breach and make the changes needed to prevent future incidents.
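The Detection section above recommends security alerts based on certain activities, and this paragraph recommends examining logs to work out which data was accessed and by whom. The following script is an added example, not code from the original article, that shows both on one constructed log sample: a detection rule that fires when a burst of failed logins from one user and source address is followed by a successful login, and a scoping pass that lists what that account touched afterwards. The log line format, the field names (user, src, table, rows) and the threshold of five failures within five minutes are assumptions chosen for the example.

```python
"""Detection rule plus incident scoping over a constructed log sample (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). The assumed format is
# "<ISO timestamp> <source> <event> key=value ...".
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth login_failed user=alice src=203.0.113.7
2024-03-01T09:00:05 auth login_failed user=alice src=203.0.113.7
2024-03-01T09:00:09 auth login_failed user=alice src=203.0.113.7
2024-03-01T09:00:12 auth login_failed user=alice src=203.0.113.7
2024-03-01T09:00:15 auth login_failed user=alice src=203.0.113.7
2024-03-01T09:00:20 auth login_ok user=alice src=203.0.113.7
2024-03-01T09:01:00 db query user=alice src=203.0.113.7 table=customers rows=12000
2024-03-01T09:02:30 db query user=alice src=203.0.113.7 table=invoices rows=850
2024-03-01T09:05:00 auth login_ok user=bob src=198.51.100.4
2024-03-01T09:06:00 db query user=bob src=198.51.100.4 table=customers rows=3
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+)(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "source": m.group("source"),
        "event": m.group("event"),
        **fields,
    }


def parse_log(text):
    """Parse all lines of a log, silently skipping malformed ones."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def detect_brute_force_success(records, threshold=5, window=timedelta(minutes=5)):
    """Alert when >= threshold failed logins from one (user, src) pair precede a
    successful login within the window. Assumed rule, not a vendor signature."""
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    alerts = []
    for r in records:
        key = (r.get("user"), r.get("src"))
        if r["event"] == "login_failed":
            failures[key].append(r["ts"])
        elif r["event"] == "login_ok":
            recent = [t for t in failures[key] if r["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"user": key[0], "src": key[1],
                               "failures": len(recent), "at": r["ts"]})
            failures[key].clear()  # a success resets the counter either way
    return alerts


def scope_access(records, alert):
    """For a flagged user/src pair, total the rows read per table after the alert
    time. This is the 'which data was compromised' question from the text."""
    touched = defaultdict(int)
    for r in records:
        if (r["event"] == "query" and r.get("user") == alert["user"]
                and r.get("src") == alert["src"] and r["ts"] >= alert["at"]):
            touched[r["table"]] += int(r["rows"])
    return dict(touched)


def run(text=SAMPLE_LOG):
    """Run detection, then scope every alert. Returns [(alert, touched_tables), ...]."""
    records = parse_log(text)
    return [(a, scope_access(records, a)) for a in detect_brute_force_success(records)]


if __name__ == "__main__":
    for alert, touched in run():
        print(f"ALERT {alert['user']} from {alert['src']}: "
              f"{alert['failures']} failures then success at {alert['at']}")
        for table, rows in touched.items():
            print(f"  accessed {table}: {rows} rows")
```

On the sample, only alice's session fires: five failures inside the window followed by a success, after which the scoping pass attributes 12,000 customer rows and 850 invoice rows to that session. Bob's single clean login produces no alert. In a real deployment the threshold and window are the tuning knobs that trade false positives against missed detections, and the scoping output is what feeds the notification decisions described in the communications paragraphs.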
In addition, you should develop a communications strategy to notify consumers about the data breach. This should include a clear, plain-language plan about responding to consumer questions and what you will do to protect them. Some companies even post these communication plans on their website to ensure that consumers can find the answers they need, minimize confusion or frustration, and avoid phishing attacks tied to the breach.
Eradication
When the investigation has been completed and a full assessment of the breach has been made, it is time to eradicate any lingering damage. This may include securing physical areas potentially related to the breach, deactivating compromised accounts, changing passwords and locking down systems as needed. Eradication also involves identifying and eliminating the root cause of the data breach, which can be anything from fixing vulnerabilities to improving staff training.
Having a well-documented plan in place allows an entity to respond to a data breach effectively, reduce the impact of the incident on consumers and ensure compliance with local, state and federal laws. It can also help prevent a situation where the company is accused of negligence or breaching a contract.
The data breach response plan should clearly define what constitutes a breach. It should contain contact details for the team leader (and backups) with the responsibility and authority to take action. It should also outline the procedures for reporting to senior management. It helps if the team has computer forensics, legal and information security expertise so it can identify the root cause quickly and contain it. Other useful parts of the plan include a flexible, pre-drafted public relations work plan and strategy, and a list of remedies to be offered to consumers, which is often required by law.