business: response, Part 3: Coordination
Incident Response to Data Breach, Part 2: Response
by Brent Kirkpatrick
(Date Published: 11/20/2017, revised 4/25/2018.)
Suppose the breach were to be of one computer and one file under the permissions of one user. This means that the attackers did not gain root access. In such a case, one IT person may be able to detect the damage, determine the extent of the breach, and respond to the problem. If the issue was file permissions being set wrong, the response and recovery can be implemented by a single person.
Does paperwork always need to be generated? No. In some cases, excessive paperwork can hamper the response. In all cases, someone technically competent to asses the problems needs to be involved with protection, detection, and response. The amount of paperwork and the levels of management to notify are a judgment call.
Suppose the breach were to involve a large database containing all the company's customer data. Then the response needs to proceed simultaneously at multiple levels of management. The technical people can iteratively work to protect, detect, and respond while the upper levels of management work to notify customers and coordinate multiple departments. For example, the legal and public relations people would be needed to document the incident and draft announcements to effected customers.
As you involve people in handling the breach, remember to consider who will exercise discretion. For example, outside lawyers may work under attorney-client privilege, while inside lawyers have different responsibilities. IT people and incident response teams may or may not be subject to non-disclosure agreements. These tools allow the leadership to influence when and how the breach is discussed.
One crucial question is whether the team wants to pursue a technical response or a non-technical response to the breach, or both. For example, in the Equifax case, the company decided to offer a high-tech solution to the compromise of customer credit data---a lifetime credit lock. This was a technical solution to a technical breach that may have required using hacked computers to implement. A non-technical solution would have been to encourage all the customers to manually review their credit records with an eye for signs of fraud. This solution is non-technical and requires human effort, but it has the advantage of not involving hacked computers. Equifax could have rolled out a customer service effort to aid customers in this effort. Given the volume of phone calls they ended up handling, they many have been able to roll out both the technical and non-technical services with the same cost to the company.
Clean-Up (TM). Incident response driven by data.
Incident Response, Part 1: Planning