All organizations depend, at least in part, on their data to carry out day-to-day operations. Yet new, high-profile data breaches are reported every week, and the costs of those breaches continue to rise.
The core elements of an incident response program are straightforward and quick to establish. Let's take a look at the critical processes within an incident response program that may be easily implemented in your organization.
A structured response ensures consistent incident investigation and action. Responses to security incidents that may involve data loss typically follow a workflow such as this:
Of course, an incident response program needs to be established before an incident is detected and a response is needed. Let's start there.
Here's how to quickly establish an incident response program:
New incident discovery comes from many different sources:
The best place to start? Employee awareness. Make sure your workforce understands the security risks to the business and what to look for. It's easy to overlook an anomaly when you believe everything is safe.
The second line of defense is automation. Monitoring tools, including analytics that flag anomalous traffic or user behavior, are invaluable.
Finally, keep an eye on social media. Bad news travels fast, and you don't want to be the last to know.
The triage process begins as soon as a data incident is detected. It involves research to understand the situation and to determine which actions need to be taken, and when. Ask the following questions:
"Containment" refers to all efforts to stop, contain, and control the incident and data loss. These actions need to be taken as soon as practically possible to prevent further data compromise.
As soon as the necessary steps have been taken to contain and control an incident, document all the actions taken and produce a response plan. Your plan may include:
It is important to understand the root cause, nature, and scope of the incident before creating the response plan.
After completing the activities in the response plan, review the status of the incident and summarize the lessons learned. Post-incident actions can improve future data security practices.
It makes sense to select a risk posture when it comes to post-incident action. In some cases, many actions will need to be undertaken, not all of which will provide the same levels of improvement, equivalent increases in security, or relative returns on investment.
The operation of your organization depends on its data.
Build an effective detection and response plan so that you can avoid fines and remediation costs, protect your organization's reputation and employee morale, and keep the business running.
The simplicity of the incident response process can be misleading. We also recommend tabletop exercises as an important step in pressure-testing your program.
To learn more, please visit the Trust and Transparency Center.