Security Think Tank: Three steps to effective incident response

What does a good information security incident response plan look like?

Organisations fall into three categories: those that have suffered a data breach, those that haven’t (so far), and those that have but think they haven’t. 

As breaches become more frequent and larger, an incident that compromises a billion records no longer seems far-fetched. Given this challenging environment, how can companies protect themselves and their customers?

1. Develop a plan

The mere process of initial planning will reveal gaps in communication, policy, technical capability, roles and responsibilities that may require urgent attention. 

Any robust plan must involve multiple departments, including information security, legal and compliance, human resources, communications and vendor management. A core team of cross-departmental representatives should be selected to take the lead in responding to incidents.  

2. Practice makes perfect

Breaches will impact numerous departments, and all must be prepared to act quickly. eBay was heavily criticised for its response to a recent data breach, taking days to tell users to change passwords and appearing disorganised in its public communications. 

Simulation exercises can prevent this confusion: by engaging all the key stakeholders identified in step 1, they set clear expectations about who does what after a breach and expose gaps in responsibilities before a real incident does.

3. Respond decisively

Triage of compromised systems is crucial, and accurate, contemporaneous documentation of response activities is necessary for legal and law enforcement purposes. Once the basic facts have been established and initial forensic investigations are complete, it is time to go public. Customers and partners expect honesty about what has happened to their data, and prompt and clear communications during crisis situations are essential.

Creating and testing response plans may attract interest from senior management, particularly if the organisation or a competitor has suffered an incident where reputational damage is likely. 

Resources such as the ISF Information Risk Analysis Methodology (IRAM) can assist with developing incident management plans to avoid making a difficult situation even worse.    

Dave Clemente is a senior research analyst with the Information Security Forum
