The sophistication and targeted nature of attacks continue to increase, the number of compromised records continues to rise, and organized crime is surfacing more often. With WikiLeaks and PlentyOfFish at the center of media attention as the latest data breaches, security professionals have good reason to fear information security breaches and, in turn, to maintain a contingency data breach response plan.
Most breaches could have been easily avoided or mitigated if the organization had a proper data breach response policy in place. A detailed data breach response plan not only decreases the likelihood of attack, but can also substantially reduce the amount of organizational chaos and valuable time wasted in mopping up the mess.
The following 10 high-level identifiers should help your organization build a robust data breach response plan in order to reduce the business impact of such occurrences.
1. Use existing means to identify and protect sensitive data
Many companies establish elaborate classification schemes and data-handling guidelines for their assets that are too complicated to follow. Although data classification is important, it should not be a hurdle in protecting sensitive data. Leverage existing efforts such as Business Impact Analysis (BIA), Threat Risk Analysis (TRA), or Disaster Recovery (DR) exercises that seek to identify and protect critical areas and sensitive data. It is likely that some, if not most, of these exercises have already been done in the organization but not documented and made available to other clusters of organizational members.
The key theme here is the classification of assets in terms of High, Medium, and Low. There are many frameworks available to suit each organizational preference.
2. Determine the state of your IT environment and identify the potential areas of risk
This step focuses on the most critical areas by taking a close look across the people, process and technology domains and by performing a high-level risk assessment (conceptual). Talk to the business owners to determine which services are essential and then hold a workshop with both the business owners and the individuals who handle sensitive data. They usually know where the most common vulnerabilities lie.
Additionally, consider hiring an external party to do an assessment and help your organization identify the highest areas of risk. This is helpful for large or non-traditional organizations in which it is difficult to map the environment, or when there is disagreement within the organization regarding asset classification.
It is important to focus on critical risk areas first.
3. Establish processes to reduce unintentional errors
A majority of breaches occur due to human error and non-technological vulnerabilities and failures. Organizations can reduce the risk of unintentional breaches with well-defined and frequently measured processes, such as patch management processes, server hardening guidelines, and corporate desktop images. Recognizing the various types of human errors that your organization faces and accounting for them is crucial to this step.
4. Plan a layered defense approach
This step examines the addition of security controls in a layered approach. Having these control layers increases the likelihood of keeping an attacker at bay. As a first line of defense, employees should be trained or made aware of social engineering. Furthermore, security professionals should ensure technical capabilities exist to augment the risk mitigation process (e.g. encryption, authentication, etc.). Lastly, process capabilities need to exist to make it easier for the other two layers to function. If you ask people to encrypt their email but have no process or documentation in place that explains how, nobody will follow it.
5. Empower the response team
The majority of response time is often wasted waiting for management approval and authorization. This frustration can be avoided by empowering incident management teams to make decisions on the spot without fear of retribution. Allowing the response team lead to provide managerial updates as a point of contact will allow the rest of the team to tackle the current incident without managerial bottleneck.
Data breach response plans should also be aligned with existing business continuity or incident handling plans. This way, the response team is able to make timely and effective critical decisions and coordinate activities across teams.
6. Test your plan regularly and address gaps quickly
Every organization has some sort of data breach response plan (whether they are aware of it or not). During testing, document action items, lessons learned, and assign remediation and follow-ups to ensure any inefficiency is identified and mitigated before an actual incident occurs.
7. Develop a communication plan
Work with the various departments at your organization’s disposal such as communications, legal, and human resources in developing the best way to communicate the breach to internal employees, the public (if necessary), and those directly affected.
8. Establish internal and external relationships
It is important to develop relationships with forensic companies, legal firms, and public relations firms to avoid wasting time searching for contacts when a breach occurs. Creating these partnerships in advance allows enough time to conduct an evaluation and find a partner that fits the organization’s specific needs.
9. Provide appropriate tools and training to responders
Responders need to be properly trained and comfortable with the systems and tools within the organization. Creating cross-functional response teams will not only allow for a diverse skill set, but also foster documented knowledge transfer between employees with specialties in specific areas.
10. Treat your people as your last line of defense
Employees should be made aware of how to behave once the incident response plan is activated. It is important to hold refreshers, like fire drills, on how to handle sensitive information and to remind employees not to become lax or complacent based on the nature of their data sharing relationships. It is important to always stay vigilant.