CIPP/E Study Guide
Ch 10.5 - Incident response

Incident response

Putting in place incident response is an implicit requirement of the security principle and the breach rules. A good incident response plan needs senior approval, a governance model, clear decision-making principles, defined roles, rehearsal (table-top exercises), metrics, comms templates and regular updates. Organisations must build incident detection capability - attackers can hide for years, so compromise testing with forensics is needed. A clear classification/taxonomy avoids misclassifying when an incident becomes a legally-defined breach. Plans also handle fallout, including a litigation posture and a communications plan.

The need for incident response is implicit in the security principle and the breach disclosure rules. Response sits on a long continuum - from detection, through immediate post-detection activities, into the long term - and a plan must define which parts it covers.

  • Core requirements of a good plan: senior approval; a governance model; principles for decision-making; defined roles; predictive outcome analysis; compulsory reporting-up of 'unusual' events; a multidisciplinary/multijurisdictional expert view at detection (possibly including forensics and law enforcement); table-top exercises; performance metrics; public messaging templates; benchmarking against peers; and a schedule to keep the plan current
  • Build genuine incident detection - and run compromise testing with advanced forensics, because attackers can lie unnoticed on a network for years
  • Maintain a taxonomy and classification scheme so everyone knows data sensitivity - misclassification can lead to wrong decisions on treatment and breach disclosure
  • A well-rehearsed plan contains a playbook of pre-defined triage and remedial steps for the most likely incident categories

Handling the fallout means dealing with third parties (law enforcement, insurers) and breach disclosure. Disclosure to the regulator can trigger investigations; disclosure to individuals brings inbound queries and complaints. As the organisation moves towards contentious legal proceedings, it needs a litigation posture, reflected in the plan - covering the roles of internal/external legal advisers and legal professional privilege - plus a communications plan on who speaks to the media and what is said publicly. The chapter reassures: 'Even good programmes with good controls get hacked' - there is no need for panic; it is better to know, analyse and respond.

Why classification is critical

A classification/taxonomy scheme lets you know quickly when an incident rises to the level of a breach by legal definition. Misclassification leads to wrong conclusions on treatment and disclosure.

Key terms - quick answers

What is “Incident response plan”?
A pre-agreed plan covering detection through immediate response into the long term, with roles, governance, decision principles and rehearsal.
What is “Compromise testing”?
Using advanced forensics to discover whether an organisation is already compromised, since attackers can lie unnoticed on a network for years.
What is “Litigation posture”?
The stance, reflected in the incident response plan, on roles of internal/external lawyers and legal professional privilege when a breach may lead to enforcement or litigation.
What is “Classification scheme”?
A taxonomy so everyone knows the sensitivity and personal nature of data compromised, helping decide treatment and breach disclosure.