This Incident Response Guide is a vital tool that can be used in defense against data breaches.
Inside, you’ll learn why it’s important to have an incident response plan, how to create one and what to do during the first 24 hours of a breach.
We’ll explain what you need to know about notifying your customers, patients or employees. After you create your response plan, it’s important to test and update it. Recommendations for updating your plan are included in this publication, along with some helpful resources.
So please, take a little time to review this guide, and if you don’t have an incident response plan, use this to help create one. It could mean the difference between a breach that causes a brief disruption and one that causes a major meltdown.
Data Breach Response Guide
By Experian Data Breach Resolution 2014-2015 Edition
Cyber security incident management is not a linear process; it's a cycle that consists of a preparation phase, an incident detection phase and a phase of incident containment, mitigation and recovery. The final phase consists of drawing lessons from the incident in order to improve the process and prepare for future incidents. During this cycle communication with both internal and external stakeholders is of critical importance.
Many organisations may not have the necessary in-house expertise and skills to respond adequately to a cyber security incident. When they are facing an incident, they may need to call upon experts to contain the incident and/or to carry out forensic investigations. This does not mean that they cannot do anything themselves. On the contrary, there are a lot of things that can and should be done before an actual incident occurs.
Drawing up an organisation's cyber security incident response plan is an important first step of cyber security incident management. It is also crucial that top management validates this plan and is involved in every step of the cyber security incident management cycle. The following elements should be included in the cyber security incident response plan:
• Identification of the assets that need to be protected;
• Identification and assignment of responsibilities in the context of a cyber security incident;
• In-house capabilities or contracts with external experts for incident response and/or forensic investigation in case of an actual cyber security incident;
• The equipment and technology to detect and address a cyber security incident;
• A basic containment strategy: disconnect the systems immediately in order to recover as quickly as possible? Or take the time to collect evidence against the cybercriminal who compromised the system?
• A communication strategy for both internal and external stakeholders and for authorities such as law enforcement and the Privacy Commission.
Finally, organisations should consider taking out cyber insurance. The cost of cyber security incidents often amounts to hundreds of thousands or even millions of euros. A reliable cyber insurance policy will cover at least a part of this cost.
This Guide aims to draw attention to the importance of planning how to manage a cyber security incident ahead of time.
IAPP: Data Breach Response Guide
"Responding to a data breach is a lot like fighting a fire," notes Gerard Stegmaier, CIPP/US, a partner with Goodwin Procter. "Once the alarm goes off, it pays to have a plan and to work immediately to address the safety of anyone in the building, contain the fire and preserve the scene for the investigators. Safety comes first, then investigation and remediation. Keeping calm, being methodical and ensuring access to the right resources for management always ensures better outcomes."
Seems like an obvious truism, but, "Incident response preparedness is all over the map," notes Co3 Systems' Tim Armstrong. "Some organizations are well-prepared. But more often we find that even Fortune-500 companies that have spent millions of dollars on preventive and detective controls have significant shortcomings handling day-to-day security and privacy events, not to mention a major breach."
Oftentimes, that's because the organization hasn't taken the time and effort to develop the relationships inside and outside the building necessary for rapid and coordinated response.
In the following document, we offer up a way of getting the necessary relationships in place and then outline how best to leverage those relationships once the breach has occurred.
Part I: BREACH PREPAREDNESS: Setting up your incident response team and laying the groundwork for proper vendor management
Part II: LEGAL SERVICES: Your breach coach and beyond
Part III: IT SERVICES: Forensics is more than just figuring out what happened
Part IV: PR SERVICES: Making sure you craft the proper message for the intended recipients, including regulators
Part V: CONSUMER SERVICES: How to make things right, retain your customers and come out the other side relatively unscathed
VISA Breach Response Guide: What to do if Compromised
Visa is dedicated to promoting the safe and sound long-term prosperity of the Visa payment system. To that end, Visa aims to ensure the timely resolution of external data Compromise Events, drive notification of at-risk accounts to stem fraud impacts, and synthesize forensic evidence, intelligence, and fraud analysis to formulate remediation plans that strengthen payment system security.
Protecting the payment ecosystem is a shared responsibility. Any entity that stores, processes, or transmits payment card data or has access to those systems or data, is required to adhere to and maintain compliance with all Payment Card Industry Data Security Standard (PCI DSS) requirements.
Visa’s What to Do if Compromised (WTDIC) document is a requirements-based guide that applies to entities that suspect or have experienced a Compromise Event of their payment systems, or payment systems they service or support. This includes, but is not limited to, all Visa Member financial institutions (i.e. Issuers, Acquirers), Merchants, Processors, Gateways, Agents, Service Providers, Third-Party Vendors, Integrator Resellers and any other entities, as well as other payment system participants, operating or accessing a payments environment.
WTDIC establishes procedures and timelines for reporting and responding to a suspected or confirmed Compromise Event. To mitigate payment system risk during a Compromise Event, prompt action is required to prevent additional exposure, including ensuring containment actions and remediation, such as ensuring that proper PCI DSS and PCI PIN Security controls are in place and are functioning correctly.
How To Save Reputation after a Data Breach
The First 24 Hours Checklist
Panicking won’t get you anywhere once you’ve discovered a data breach. Accept that it’s happened and immediately contact your legal counsel for guidance on initiating these 10 critical steps:
1. Record the date and time when the breach was discovered, as well as the current date and time when response efforts begin, i.e. when someone on the response team is alerted to the breach.
2. Alert and activate everyone on the response team, including external resources, to begin executing your preparedness plans.
3. Secure the premises around the area where the data breach occurred to help preserve evidence.
4. Stop additional data loss. Take affected machines offline but do not turn them off or start probing into the computer until your forensics team arrives.
5. Document everything known thus far about the breach: who discovered it, who reported it, to whom it was reported, who else knows about it, what type of breach occurred, what was stolen, how it was stolen, what systems are affected, what devices are missing, etc.
6. Interview those involved in discovering the breach and anyone else who may know about it. Document your investigation.
7. Review protocols regarding disseminating information about the breach for everyone involved in this early stage.
8. Assess priorities and risks based on what you know about the breach.
9. Bring in your forensics firm to begin an in-depth investigation.
10. Notify law enforcement, if needed, after consulting with legal counsel and upper management.
Source: Experian Data Breach Guide