BreachExchange mailing list archives

Security Think Tank: Three steps to effective incident response


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 3 Jul 2014 19:46:26 -0600

http://www.computerweekly.com/opinion/Security-Think-Tank-Three-steps-to-effective-incident-response

Organisations fall into three categories: those that have suffered a data
breach, those that haven’t (so far), and those that have but think they
haven’t.

As breaches become prevalent and exponentially larger, it begins to seem
possible that an incident could compromise a billion records. Given this
challenging environment, how can companies protect themselves and their
customers?

1. Develop a plan

The mere process of initial planning will reveal gaps in communication,
policy, technical capability, roles and responsibilities that may require
urgent attention.

Any robust plan must involve multiple departments, including information
security, legal and compliance, human resources, communications and vendor
management. A core team of cross-departmental representatives should be
selected to take the lead in responding to incidents.

2. Practice makes perfect

Breaches will impact numerous departments, and all must be prepared to act
quickly. eBay was heavily criticised for its response to a recent data
breach, taking days to tell users to change passwords and appearing
disorganised in its public communications.

Simulation exercises can prevent this confusion by engaging with all the
key stakeholders identified in step 1 to help to set clear expectations and
post-breach actions and responsibilities.

3. Respond decisively

Triage of compromised systems is crucial, and the accurate documentation of
response activities is necessary for legal and law enforcement purposes.
Once the basic facts have been established and initial forensic
investigations are complete, it is time to go public. Customers and
partners expect honesty about what has happened to their data, and prompt
and clear communications during crisis situations are essential.

Creating and testing response plans may attract interest from senior
management, particularly if the organisation or a competitor has suffered
an incident where reputational damage is likely.

Resources such as the ISF Information Risk Analysis Methodology (IRAM) can
assist with developing incident management plans to avoid making a
difficult situation even worse.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
