Quirky Question #260, Data breach incident response plans
For data breach preparation, what guidance have federal and state regulators issued regarding incident response plans?
Answer: By Melissa Krasnow
Organizations are preparing for data incidents and breaches by developing, updating, implementing, and testing incident response plans. This article provides a checklist of key components of an incident response plan.
Following are items from state and federal sources of guidance:
- “Best Practices for Victim Response and Reporting of Cyber Incidents” (April 2015) issued by the Cybersecurity Unit of the US Department of Justice with a view to smaller, less well-resourced organizations (larger organizations also should consider this guidance) (“DOJ guidance”).
- “Computer Security Incident Handling Guide” (Aug. 2012) issued by the National Institute of Standards and Technology (NIST) for use by federal agencies (this guidance also may be used by nongovernmental organizations on a voluntary basis) (“NIST guidance”).
- “Cybersecurity in the Golden State” (Feb. 2014) issued by the California Attorney General, in collaboration with the California Chamber of Commerce and the mobile security company Lookout for California businesses, especially small to midsize businesses (businesses elsewhere also should take this guidance into account) (“California guidance”). (See “Guidance for Managing Cybersecurity Risks.”)
- “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice” (March 2005) issued by federal banking regulators for financial institutions (this guidance also needs to be considered by service providers to financial institutions) (“Interagency guidance”).
According to the DOJ guidance, an organization should first identify mission critical data and assets (i.e., “Crown Jewels”) and institute tiered security measures to appropriately protect those assets.
A cyberincident response plan should contain procedures that address, at a minimum:
- Who has lead responsibility for different elements of an organization’s cyberincident response, from decisions about public communications, to information technology access, to implementation of security measures, to resolving legal questions.
- How to contact critical personnel at any time, day or night.
- How to proceed if critical personnel is unreachable and who will serve as backup.
- What mission critical data, networks, or services should be prioritized for the greatest protection.
- How to preserve data related to the intrusion in a forensically sound manner.
- What criteria will be used to ascertain whether data owners, customers, or partner companies should be notified if their data or data affecting their networks is stolen.
- Procedures for notifying law enforcement and/or computer incident-reporting organization.
The DOJ guidance also provides for the following:
- Having appropriate technology in place that will be used to address an incident.
- Having procedures in place that will permit lawful network monitoring.
- Having legal counsel that is familiar with legal issues associated with such incidents.
- Aligning other policies (e.g., human resources and personnel policies) with the cyberincident response plan.
- Developing proactive relationships with relevant law enforcement agencies, outside counsel, public relations firms, and investigative and cybersecurity firms that may be required in the event of an incident.
- Monitoring the network for any anomalous activity.
- Conducting a post-incident review to identify deficiencies in planning and execution of the cyberincident response plan.
The NIST guidance addresses incident response policy, plan, and procedures, which this article covers, as well as sharing information with outside parties.
While policy is particular to the organization, typical key policy elements include:
- Statement of management commitment.
- Purpose and objectives of the policy.
- To whom and what the policy applies and under what circumstances.
- Definition of computer security incidents (e.g., a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices) and related terms.
- Organizational structure and definition of roles, responsibilities, and levels of authority (should include the authority of the incident response team to confiscate or disconnect equipment and to monitor suspicious activity, the requirements for reporting incidents, the requirements and guidelines for external communications and information sharing (e.g., what can be shared with whom, when, and over what channels) and the handoff and escalation points in the incident management process).
- Prioritization or severity ratings of incidents.
- Performance measures.
- Reporting and contact forms.
The plan should meet the unique requirements of an organization relating to its mission, size, structure, and functions, describe the necessary resources and management support, and include the following elements:
- Strategies and goals.
- Senior management approval.
- Organizational approach to incident response.
- How the incident response team will communicate with the organization and with other organizations.
- Metrics for measuring the incident response capability and its effectiveness.
- Roadmap for maturing the incident response capability.
- How the program fits into the overall organization.
The organization should implement the plan and review it at least annually to ensure the organization is following the roadmap for maturing the capability and fulfilling its goals for incident response.
Procedures should be based on the incident response policy and plan. Standard operating procedures should be tested for accuracy and usefulness and distributed to all team members. Training should be provided for users of standard operating procedures.
The California guidance provides the following practical recommendations:
- Pick an incident team and assign a team leader; this team should include an executive and an in-house counsel if there is one.
- Define roles and responsibilities so that everyone is clear as to who is responsible for what should an incident arise. Communicate to everyone at the business who to contact if they suspect a cyberincident has occurred (or is occurring). Gather after-hours contact information for incident team members and distribute this information to all staff. Consider channels of communication that do not involve business-provided phones and e-mail.
- Outline the basic steps of the incident response plan by establishing checklists and clear action items.
- Prepare specific policies and procedures to implement in specific situations (i.e., each type of incident that the business might experience: a lost computer, smartphone, or thumb drive containing unencrypted data, an external data breach or theft of intellectual property, malware, cyber extortion, etc.); for each scenario, prepare an easily accessible quick-response guide.
- Form relationships with key third parties (e.g., law enforcement and cybersecurity experts) and have their contact information handy.
- Address in an incident response plan procedures necessary to adequately document the details of a particular incident (including a timeline of events, preservation of compromised systems if necessary, as well as who was involved and the response) and the process to review the preventative cybersecurity measures and the plan after every cyberincident. If the incident involved the possible disclosure of unencrypted personally identifiable information or payment card information, consult with a lawyer.
The Interagency guidance addresses the following components of a response program:
- Assess the nature and scope of an incident and identify what customer information systems and types of customer information (i.e., any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of a financial institution) have been accessed or misused.
- Notify the primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information (i.e., customer’s name, address, or telephone number together with the customer’s Social Security Number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account as well as any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password, or password and account number).
- Notify appropriate law enforcement authorities in addition to Suspicious Activity Report filing obligations.
- Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence.
- Notify customers when warranted.
Finally, where an incident of unauthorized access to customer information involves customer information systems maintained by a financial institution’s service provider, the financial institution is responsible for notifying its customers and regulator; provided, however, the financial institution may authorize or contract with its service provider to notify its customers or regulator on its behalf.
This article was first published on IRMI.com and is reproduced with permission. Copyright 2015, International Risk Management Institute, Inc.