In the past few years, the Department of Defense’s (DoD) regulations have mandated that DoD contractors and subcontractors rapidly report cyber incidents to the government. That trend continues and may spread to civilian agencies in the future.
To facilitate a coordinated and expedited response, and to comply with regulatory and contractual requirements, every company should have a well-thought-out cyber incident response plan. With a plan in place, the incident response team can focus on executing it rather than improvising a response on an ad hoc basis while the incident is unfolding.
Here are some tips to follow:
Tip #1: When developing a plan, companies should first decide what types of cyber incidents will trigger a response. Limiting a cyber “incident” to cases where the IT department has confirmed an actual exfiltration of data may be imprudent, because the DoD's definition of a cyber “incident” may be broader than that, and a plan keyed only to confirmed exfiltration could miss reportable events.
Tip #2: The plan should also identify the incident response team (such as the head of IT, CIO, general counsel, and risk manager), the roles and responsibilities of each member, and their levels of authority. For example, who has authority to shut down servers or to share incident information with outsiders? The incident response team should be broad enough to include all resources that might be needed, such as outside legal counsel experienced in breach response, human resources (needed if the incident involves identifiable personal information or an insider engaged in improper activity), outside forensic experts, and media consultants.
Tip #3: The plan should also include policies for internal reporting (e.g., when should the CEO or Board be notified?).
Tip #4: The plan should be specific enough to guide the team through the processes and protocols for analyzing the incident, documenting the investigation, gathering and preserving evidence (for example, by forensic imaging of affected systems before they are altered), involving law enforcement, remediating the problem, recovering from the incident, and external reporting, such as to the federal government and to your insurance carrier. Without a detailed plan, there are real risks: a well-meaning IT person might delay reporting up the chain of command until the incident is “handled,” or might remove malware without first preserving the evidence needed to understand the incident and to satisfy reporting obligations.
Tip #5: The plan must identify a single spokesperson to address any public inquiry from the press or any other outside questioner.
Tip #6: Make sure that all employees know who in the company to notify in the event they discover or suspect that an incident has occurred.
For more information on the challenges of rapid reporting of cyber incidents, see my interview in PubKCyber.