McAfee Learnings

Incident Response

*Incident Response *

After a data breach has happened, it is critical to act strategically and quickly to regain security, preserve evidence and protect your brand (Experian, 2014). During this phase, you will want to be sure you record every detail of the breach that you can, this would include your response efforts, breach findings, the exploit, who, what, when, where, and why if you can answer those questions as well as any conversations with your legal counsel and law enforcement, if possible.
Checklist: The first 24 hours

After a breach has been identified, it is important to remain calm and immediately notify your legal counsel for guidance on initiating these 10 critical steps as adapted from Experian:

  1. Record the date and time when the breach was discovered, as well as the current date and time when response efforts begin, i.e. when someone on the response team is alerted to the breach.
  2. Alert and activate everyone on the response team, including external resources, to begin executing your preparedness plan.
  3. Secure the premises around the area where the data breach occurred to help preserve evidence.
  4. Stop additional data loss. Take affected machines offline but do not turn them off or start probing into the computer until your forensics team arrives.
  5. Document everything known thus far about the breach: Who discovered it, who reported it, twhoom was it reported, who else knows about it, what type of breach occurred, what was stolen, how was it stolen, what systems are affected, what devices are missing, etc.
  6. Interview those involved in discovering the breach and anyone else who may know about it. Document your investigation.
  7. Review protocols regarding disseminating information about the breach for everyone involved in this early stage.
  8. Assess priorities and risks based on what you know about the breach.
  9. Bring in your forensics firm to begin an in-­‐depth investigation.
  10. Notify law enforcement, if needed, after consulting with legal counsel and upper management.

Once you have started on the 10 initial steps, it’s important to ensure your preparedness plan is on track for these next steps.

Fix the issue that caused the Breach

  • Get with your forensic team to ensure they find and delete any hacker tools identifies on your systems.
  • Try to locate any other potential security gaps or risk and address them as well.
  • Have a clean machine you can put online while you work to cleaning the affected systems.
  • Conduct multiple system penetration tests to ensure this type of breach cannot happen again.
  • Document, when and how the breach was contained.

Continue working with Forensics

  • Try to determine if any countermeasures, such as encryption, were enabled when the compromise occurred.
  • You will want to ensure you also conduct an analysis of back up, preserved or reconstructed data sources as well.
  • Determine the number of suspected people affected and the type of information compromised.
  • Then you will need to align the compromised data with customer names and addresses for notification.

Identify legal obligations

  • Revisit federal and state regulations governing your industry and type of data lost.
  • Determine all entities that need to be notified (i.e. customers, news, government agencies, regulation boards, etc.)
  • Ensure all notification occur within the appropriate time frames.

Report to Upper Management

  • Prepare a data breach report for upper management
  • The first report should include all of the facts about the breach as well as the steps and resources needed to resolve it.
  • Create a high-level overview of the priorities and progress, as well as problems and risk.
  • Never send sensitive information such as DOB, SSN, etc. unnecessarily to vendors supporting the breach.

Identify Conflicting Initiatives

  • Make the response team and executives aware of any upcoming business initiatives that may interfere or clash with response efforts.
  • Decide whether or not it’s appropriate to postpone these efforts, to focus on the breach.*

Alert Your Data Breach Resolution Provider

  • Contact your pre-­‐selected vendor to choose the business services for your company and protection products for individuals affected in the breach.
  • Determine how many activation codes you will need for the protection products based on the number of people affected during the breach.
  • Draft and sign a data breach resolution agreement if you don’t have one in place
  • Engage your vendor to handle the notifications and set up a call center so that affected individuals will have access to customer service representatives trained on the breach.
  • Work closely with the account manager to review incident reporting and metrics.

Keep Your Response Efforts on Track
Resolving a data breach requires a great deal of time, and coordinated effort between your response team, law enforcement, executives, forensic firm and data breach resolution providers. Staying organized and documenting every step and decision should be your top priority. Don’t lose sight of your priorities and act quickly.

Legal Notice
The information you obtain herein is not, nor intended to be, legal advice. We try to provide quality information but make no claims, promises or guarantees about the accuracy, completeness or adequacy of the information contained. As legal advice must be tailored to the specific circumstances of each case and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent legal counsel.

Feedback

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment