Why You Need a Cyber-Security Breach Response PlanBy Guest Author | Posted 2015-09-10 Email Print
It may be impossible to prevent a breach, but the next best thing is to have a comprehensive response plan that can be swiftly and effectively executed.
The team should also outline the type and frequency of communications going to employees, customers and clients, business partners, the public and the media. Post-breach communications should articulate the cause of the breach, pertinent facts about the damage and risks, what the company is doing to investigate the breach and prevent further damage, and what it is doing to help those affected by the breach.
Develop a Plan for Each Stage of a Breach
An effective breach response plan should focus on each of these four stages:
· Preplanning and preparation
· Discovery and analysis
· Reporting and follow up.
The preplanning stage involves developing a response plan and delineating responsibilities. It may also include identifying which corporate assets need to be protected, determining IT and other risks, and conducting training and dry-run exercises to prepare the response team for a breach.
The response stage includes both the damage assessment and the communication plan. The response team determines the scope of the breach, notifies the appropriate individuals, gathers facts on the breach, conducts interviews, executes the response strategy and begins remedial actions.
In the discovery and analysis phase, the team collects and analyzes the evidence and formalizes the remediation plan. The team also should determine how to collect and preserve evidence for use in prosecution. This may include decisions involving chain of custody, use of digital forensics, processes for document and data reviews, and related initiatives.
The reporting and follow-up stage includes the strategies and tactics that are to be implemented as a result of the breach. These may include a remediation plan with new security measures, a report to shareholders or legislative bodies, or a major change in business processes.
It is critical to note that the most effective response plan is one that stays current, with all responsible parties remaining fully aligned with their tasks and strategies. The response plan should be revisited and, in some cases, modified as the company’s technology and business environments change.
Remember that the best-laid plan that's sitting on someone’s desk—or has not been thoroughly evaulated—is nothing more than a piece of paper.
Most companies have a variety of assets that must be protected. Whether these are financial, informational or brand assets, a cyber-security breach can irreparably harm any or all of them. Companies that proactively plan for a breach are in a much better position to overcome it—both operationally and in the forum of public opinion.
Jim Ambrosini, CFE, CRMA, CRISC, CISSP, CISA, is a managing director with CohnReznick Advisory, where he leads its infrastructure and managed services offerings. His team specializes in analyzing technology infrastructure, evaluating processes and applications, developing strategic plans and deploying flexible solutions. Jim can be reached at 973-618-6251 or firstname.lastname@example.org.