BreachExchange mailing list archives

Tips for handling your first security breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 10 Feb 2014 18:22:56 -0700

http://net-security.org/article.php?id=1949

When it comes to data breaches, the risk for organizations is higher than
ever before - from the calculable costs of leaked data to the less tangible
effects on the companies' brands and customer loyalty. Therefore, with
targeted security breaches on the rise, defining an action plan is critical
for every security practitioner.

Getting breached does not determine whether or not you have a good security
program in place; rather, how you respond to one does. Before you begin to
stress out about how to keep your head (and your job) intact when the
worst-case scenario happens, here are the top five tips for handling an
organization's first security breach.

Expect to have quality time with executives

Prepare yourself for some quality time with the executive team. During a
security breach, you will find yourself interacting with an entire group of
people that previously were merely names on your corporate organization
chart. The executive management team will expect you to make confident
decisions quickly. This will often drive you crazy because you are an
engineer and, as you know, the unknowns always outweigh the knowns. You will
be sought after to make decisive, quick assessments regarding the
information and data that you have collected and be prepared to be held
accountable for them afterwards.

Make sure you establish and record a timeline of events


Create a complete and detailed timeline of events because your
responsibility is to determine "how" this happened. A comprehensive list of
everything that happened within your network is crucial information that
your management team needs from you. This is not an interpretation of "why"
this happened. Additionally, know that this collected data will be
essential for legal, PR and the board members, and will be the primary
deliverable that the rest of the workflow is derived from.

Set clear expectations and don't succumb to the endless requests for updates

Do not succumb to the endless requests for hourly updates because it can
impact the organization's productivity. Although you should expect to
receive constant status update requests, you should not update too often
because it can negatively affect your work. Make sure that the analysts are
given enough space to conduct their actual analysis. You might insist that
hourly status calls occur, but understand that a 15-minute phone call every
hour can actually interrupt you and rob you of 25 percent of your productivity
in conducting actual forensics work. Do not be afraid to push back and give
yourself time to gather and report accurate information. After all, your
responsibility is to enable informed executive decisions at this point.

Keep calm

Stay calm and do not panic. During a security breach, things are going to
get a little crazy. During a time of crisis, do not worry about offending
others by not being nice to them; rather, be more concerned about not adding
to the insanity. Be prepared to make some decisions that may be above your
typical job responsibilities. Inevitably, you will be required to task
others that you normally do not have authority over, on the understanding
that you will answer for it later on if needed. As long as you make this
clear, then any reasonable person will support you on this.

Do not hesitate to ask for advice and support


Do not be reluctant to ask for help or support. It's okay. As the long
hours and sleepless nights count up, just know that there is an end.
Eventually you will have discovered all there is to discover, the executive
team will have collected all of the data that is required to do their job
and life will return to normal once again. If public disclosure of your
security is required, know that it is a double-edged sword. For example,
you may experience great catharsis in knowing that the truth is out in
public, but you must realize that the PR-spin engine will be operating at
full speed and so you will be under a mountain of non-disclosure. Also,
know that if you work for a large organization, they often have employee
counselors readily available to discuss legal matters. Take advantage of
these employee counselors because you shouldn't underestimate the value of
having someone you can obtain advice from.

In this day and age, it is an accepted truth that it is just a matter of
time before your organization is breached - what is important is how you
handle it. Remember to breathe and to manage your stress accordingly and
know that you will come out of this situation with an experience that you
cannot learn in any lab or any simulated exercise.