It is vital to understand where compliance fits into a companyís incident response process and put in place a clear procedure to meet the specific obligations for reporting incidents. This means knowing when and how to notify law enforcement or specific industry regulators and, for multinational companies, navigating through the regional variations, complex privacy laws and notification requirements.
Establishing policies to share with other parts of the business affected by a breach Ė whether PR, business continuity, risk or customer services teams Ė is therefore crucial. Although it is not always essential to share information about a breach with a companyís customers and partners, it will be necessary to define and communicate a policy internally. It all depends on the nature of the incident and how early the IT team can understand and communicate what it is and what remedial action is being taken.
As security breaches naturally result in some finger pointing, organizations should take advantage of internal collaboration to nurture the incident response process. There is real value in using high visibility exercises such as rapid response communication drills and tabletop exercises, which involves simulating potential incidents to improve awareness and define roles and responsibilities beyond the information security teams. As a result, organizations will often see a heightened sense of joint responsibility for effective resolution.
Donít do it alone
Mature incident response does not necessarily mean spending more on technology. Most organizations already have in place the technology they need and this includes data loss prevention, perimeter defenses, and log management.
What is often required is a trusted provider to help them implement an incident response plan by developing the process and people to effectively respond to an incident. This might involve working with customers to establish what skills they already have, what they would need if they were breached, and where they would go for help.
The beauty of outsourcing is that it provides and augments the in-house skills of an organization and enables that organization to focus on building and developing its business, while the outsourcer provides the information on risks to enable the board to understand, prioritize and manage risks and make informed decisions.
If a business with no in-house capability suffers an incident, a trusted provider that is deployed would be instrumental in developing its incident response plan. The consultancy might involve:
Establishing incident management capability Ė incident handlers and technical analysts determine the process structure to handle the incident on the clientís behalf.
Analyzing forensics and containing the incident Ė analysts investigate, identify, analyze and contain the cause of the incident.
Providing incident resolution Ė rapid response team provides support and guidance to the client to resolve the incident.
Wrapping up the incident Ė trusted provider closes the incident and wraps up affected on-site activities.
Delivering incident report and roadmap Ė support team supplied report, post incident, along with a tactical roadmap of recommendations to reduce future risk.
Moving from reactive to proactive
Itís evident that faster, more efficient incident response will minimize the impact and cost of an incident and protect a companyís data. By enforcing a dedicated response team, and maximizing the value of existing technology investments, every business can plan and execute a mature incident response strategy well. After all, if it is your company that is targeted, you will want to see the fastest and most efficient return to business as usual.