Develop a Communication Plan
One of the most important facets of data loss incident management and response is communication. Adequate communication for the purpose of data recovery, business impact control, and public relations considerations requires reaching out to various internal and external entities. Figure 2 depicts communication points you should consider during preparation, response, recovery, and post-recovery operations. Your data loss incident management communication plan should include names, phone numbers, and when to contact each entity listed. I’m not going to discuss all of these entities; the following is a look at some of the most critical.
Media – In our description of the member of an IRT, we included a public relations professional. Sending the right message to the media is absolutely essential if you hope to effectively deal with the fears of customers and investors. In addition to the public relations representative, all other members of your IRTs should also be trained on how to respond to inquires from the press.
Law Enforcement – Develop a relationship with local, state, and federal law enforcement prior to the occurrence of an incident. Use this opportunity to understand how each agency can help and how they prefer you process evidence or a potential information security crime scene if data has been stolen. Once an incident occurs, coordinate contact with law enforcement through senior management, human resources, and if appropriate, your legal department.
Incident Reporting Organizations – Although reporting an data security incident to an organization like the United States Computer Emergency Readiness Team (US-CERT) at http://www.us-cert.gov/, is not necessarily going to improve the quality of your recovery, it will provide information to a central database that law enforcement agencies and businesses can use to identify and mitigate threats or vulnerabilities.
Organization’s ISPs – Your ISPs, or Internet Service Providers, are an important resource during an attack via the Internet. If you’ve taken appropriate steps during preparation activities, your ISPs can assist by quickly blocking suspect traffic. In addition, an ongoing relationship with your ISP can result in frequent reviews of what steps they’re taking to proactively prevent known attack traffic from reaching your network perimeter.
Owners of Attacking Addresses – In many cases, the systems used to attack your network and data may be infected machines on an unsuspecting organization’s network. Make sure at least one person in each IRT knows how to quickly locate the owner of an IP address by using a service like ARIN (http://www.arin.net/). A quick call to the address owner can accomplish two objectives. First, the owner can block all outgoing traffic associated with the attack. Second, the owning organization can take steps to rid their network of the malware; this will help prevent future attacks.
Software Vendors – Before, during, and after an attack, one of the most important communication points is the vendor who supports the target or damaged application or operating system. The vendor can help identify the existence of potential vulnerabilities, recommend critical security patches, translate log entries, provide assistance during an attack, and help with recovery efforts.
Affected External Party – Affected external parties might include customers and suppliers. Your organization has a responsibility to practice due diligence to prevent the effects of an attack or data loss from migrating to entities connected to your network. Notifying IRTs at connected organizations is a good start. Further, you should let your customers and suppliers know if there will be an interruption in service or product delivery. Finally, if the attack involved the potential compromise of regulated or other sensitive information about employees or customers, it’s critical (and in some locations mandatory) to notify all affected parties. Prior to communicating with any external party, be sure to clear the content of the communication through senior management and your legal department.
Data security Incident management preparation might consume significant time and resources. But it provides the foundation necessary to adequately perform the tasks in the remaining incident management steps.
In Part 2, we examine how to detect and analyze a data security incident.