It is not often that you find yourself in the middle of a data crisis, but when you do, you’ll be thankful for all the prior effort you put into designing a response plan.
This article will examine the basic approach to data breach response planning and the steps involved.
What Is Data Breach Response Planning?
A data breach response plan is a set of policies and procedures that your organization has in place in the event of a data breach. The breach can result from a malicious attack or accidental loss; while the motivations may differ, the outcome is usually the same.
The extended version of a data breach response plan is an incident response plan (IRP). The two differ slightly: an IRP is made up of proactive and reactive measures, while a data breach response plan includes only reactive measures. A data breach response plan is executed during the data breach event. In contrast, an IRP is part risk assessment and part response plan, and so also includes proactive measures.
This article will explore proactive measures as part of the data breach response plan to give you a complete picture.
Lastly, the complexity of a data breach response plan will increase with the intricacy of the business information system. It could involve many moving parts if the network is global or if the organization is heavily data-dependent. But the bare-bones framework and steps laid out in this article will be enough to get you started.
Who Should You Include in the Data Breach Response Plan?
A successful data breach response plan should involve some critical members of the organization.
This preliminary team will be responsible for carrying out the plan when an event occurs.
- Security Team: this team is the plan’s crux and will be the primary point of contact during the event. The security team is usually a dedicated cybersecurity department, but many organizations do not have the resources to support an in-house team. In this case, it is possible to outsource security responsibilities to a managed security service provider (MSSP). You should develop a partnership with an MSSP and include them as part of the response plan.
- IT Department: generally speaking, any time a breach occurs on the organization’s information system, the department responsible for the IT infrastructure will be involved. Any back-end developers and engineers will need to form part of the response team and communicate the infrastructure’s idiosyncrasies to the security team.
- C-suite and Decision-Makers: top-level management and any other decision-makers will need to be part of the team. They will be the ones that need to communicate any relevant information to the local data protection authorities or any federal entity.
- Data Protection Officer/Privacy Officials: where the data breach involves any personally identifiable information (PII), the GDPR will require a DPO to take charge (if dealing with EU data subjects), and state laws such as the CCPA will require a privacy officer to form part of the response team.
- Affected Departments: there is a high chance that a breach will result from human error, often due to a lack of security awareness. Whatever the case, the department responsible for the leak or breach will have to be included so the rest of the team can identify the source.
You’ll want to keep the team relatively small to remain agile in a rapidly changing environment. Also, all information exchange will have to be held on a “need to know” basis, limiting an attacker’s ability to learn about the defense effort.
Data Breach Response Steps
As mentioned at the start of the article, you can break the plan down into two categories.
- Proactive Measures
- Reactive Measures
The meat of the data breach response steps comes from the reactive measures. But for preparedness and completeness, you should include proactive measures as well; proactive security will deliver the best results.
The proactive measures are a form of risk management and preparedness. These are the steps you should take before the information system is up and running. Security should form a pillar in the structure of your organization. But for a response plan, the two components of proactive protection are:
Preparation: these are all the steps you will want to take before implementing a data breach response plan. In the best of cases, this preparation could eliminate the need to execute a response plan at all. It includes:
- Staff training: having staff that is security-aware will limit the chances of a successful social engineering attack.
- Pen-testing: regular penetration testing will help ensure that vulnerabilities are exposed and patched. It will also keep your organization on its toes, proving its ability to respond promptly to a data breach.
- Developing security policies: you should establish security policies, such as password management and account management, to close off avenues for accidental data loss and limit attack channels.
Identification: in conjunction with the preparation step, your organization should continuously identify threats and incidents on the information system. Many consider threat detection a reactive measure, since it involves discovering whether a breach has occurred. But if your organization is proactively identifying events, it will know when a breach has occurred and will simultaneously expose vulnerable access points. In this step, you will want to:
- Identify threats: use industry forums and keep up to date on threat intelligence for your sector.
- Use Security Information and Event Management (SIEM) software: SIEM systems are an excellent tool for proactive security. They will flag anomalous events and give you an indication of whether you’ll need to take action.
- Vulnerability scanning: it is best if your organization is consistently scanning the information system for potential vulnerabilities. Knowing your vulnerabilities means the attacker does not get the jump on you.
The two steps under proactive measures form a loop, each feeding into the other, and should be conducted regularly. These steps will reduce the chance of a breach but will not eliminate it. When a breach is identified, you move into reactive measures.
When you are in full-blown disaster mode, you will want to execute the response plan outlined below.
- Containment and Notification: you will need to contain the breach as best you can. Isolate the affected part of the information system. Here you should gauge the extent of the breach and the risk to any interested parties. Once you have assessed the risk and extent, you will have to decide whether it is time to notify the relevant authorities.
- Eradication: once you have contained the breach, you will need to identify the root cause. Finding the root cause will allow you to eradicate the breach’s source and stop any further data loss or destruction.
- Recovery: the next step is to begin recovering the information system by reconnecting or rebooting any isolated systems or devices. It is paramount that the business information system returns to normal functionality as soon as possible. The longer it remains offline, the higher the cost of the breach.
- Lessons Learned: the final step is to review what happened and learn how you can improve your cyber resilience from it. Ensure that you thoroughly document the process. This documentation will inform your response to any future events.
Get the Right MSSP
Data breach response planning is one of the many offerings of an MSSP. The hardest part is choosing the right one.
You can make that easy, too, by choosing to partner with RSI Security. We are the nation’s premier cybersecurity provider, and we have a track record of offering top-end managed services.
Take care of your data breach response needs and get in contact with us today.