ESN 81174-091002-728874-51
Document Name: How to prepare and plan for Incident Response
Document Description: How to prepare and plan for Incident Response

2009/10/02 by Michael Desrosiers

Due to the increasing frequency of information security breaches, senior management is being asked to evaluate the risk of a security breach in their environments and put appropriate measures in place to protect against it. Consistent with this, in a recent Forrester Research survey, security and risk management professionals rated "protecting customer data" and "protecting sensitive corporate data" as their top priorities for the next 12 months. Here are some lessons learned that organizations should keep in mind when devising a plan against information security breaches.

Carefully plan a layered defense approach

An attacker has many potential avenues of attack, and this is perhaps the biggest concern for any organization: missing just one such avenue may be enough to cause a security breach. Taking a layered approach to security breach planning reduces this risk by ensuring that other layers of defense can compensate when an organization cannot provide absolute security through any one discipline. IT professionals understand this concept, but unfortunately tend to apply it through technology only. For example, they will say, "I have multiple inbound gateways for email and malware, and I have anti-virus and anti-malware suites on my desktops." What they often forget is that there is another dimension to this layered approach: the people and process layer. Organizations need to train employees to watch out for social engineering attacks, and to establish processes for dealing with security breaches.

Establish and test your processes

It is amazing to see how many businesses do not have a plan or a process to respond to information security breaches. Many have incident response plans that focus on operations and on getting systems up and running again, as opposed to minimizing the risk to information assets. Moreover, the incident response plan is rarely a living, breathing document; it is typically on a shelf gathering dust. Management should ensure that security breach planning is a core part of the incident management plan. It is also essential that this plan be tested regularly. Have the response team practice responding to various scenarios and work under simulated stress conditions. Mock exercises train the organization to work effectively as a team under very stressful conditions. These tests can also highlight areas of deficiency and will help keep the plan current, accurate and in line with real-world scenarios.

Build external relationships

Security breaches often require involvement on the part of external entities such as the local police, the Secret Service, regulatory authorities and forensic specialists. It is important to build these relationships up front. If an enterprise has to spend time searching for the proper law enforcement contacts immediately following a breach, not only does it lose invaluable time, but it is also rushed when evaluating and selecting a partner that fits its needs.

Publicly acknowledge a breach as soon as the facts are verified

Many companies have been penalized by regulators for not communicating about breaches in a timely fashion. Many others that were quick to go public were embarrassed when later investigations found the size and scope of those breaches to be much bigger than initially reported. Customers and regulators tend to be more forgiving of businesses that report breaches quickly. Still, organizations should ensure that they have verified all of the facts before going public.

Understand legal and jurisdictional requirements up front

It is essential for an organization to involve legal experts up front and to understand the requirements and constraints before initiating a response. For example, the data breach laws in the U.S. that dictate how an enterprise should acknowledge, report and respond to a security breach vary from state to state. In other parts of the world, organizations may not need to acknowledge a breach publicly, but may still have to collect evidence and consider all of the forensic requirements involved.

Empower the team to make decisions

Due to the sensitivity of these issues, the security response team typically consists of senior-level people within the organization. Although it is important to keep them abreast of the situation, they are usually not the ones who deal with operations at the ground level. Therefore, the breach team should have a healthy mix of decision makers and technologists. Valuable time is often lost during a breach response because the right person at the right level is not available to authorize the proper action. Organizations should empower the breach team members to make critical decisions, such as bringing down a critical server or blocking corporate access to the Internet, without fear of retribution if the situation requires them to do so. Writing those pre-authorized actions, and the conditions under which they may be taken, into the plan itself removes the need to escalate in the middle of an incident.

Not just lessons learned but root cause analysis

Breach investigations should go beyond easy remedies and look for the real cause of the failure in controls. Typically, after a breach management is more willing to spend money to get things right, so the investigation should identify the root causes and recommend a phased approach to addressing them. Once the mitigation plan is developed, it is essential to document and track the changes and to ensure that they are implemented in a timely fashion.

Measure security policy compliance

Most organizations can honestly say they have a pretty good set of security policies and procedures. Where most businesses fail is in implementing those policies and procedures, and this becomes an important factor in data breaches. When an organization has a data breach, the leading question that most external assessors, regulators or law enforcement officials will ask is whether the proper policies were being followed. If it is learned that they were not, the organization will be considered negligent in its responsibilities. It is essential for organizations to measure their policy compliance on a yearly basis. Implementing solid policies requires processes, procedures and standards to be established within the organization, including ones for how you will respond to a security breach.

To respond to this or previous newsletters, or to inquire about an on-site presentation, please feel free to call us at 508-995-4933 or email us at mdesrosiers@m3ipinc.com

Very Best Regards,
Michael Desrosiers
Author: Anthony Lawrence
Publisher: Anthony Lawrence
Licensee Name: Anthony Lawrence
Reference URL: http://aplawrence.com/MDesrosiers/plan-incident-response.html
Copyright: All Rights Reserved
Registration Date: 10/2/2009 8:23:26 PM UTC
