Be Prepared | Plan How You Will Respond to a Security Incident
by Kathleen Grote, Information Security Officer
You’ve heard the saying, “It’s not a matter of IF, but WHEN." Applied to security, it means being prepared for WHEN a security incident occurs, not debating whether one will. It is not wise to assume your business will never suffer a business-impacting security incident. How prepared you are to respond may mean the difference between a nuisance event and a full-blown disaster.
The best way to demonstrate preparedness is a written, practiced security incident response plan, like the one we maintain at FHLBank Topeka. Decision makers should rely on the written plan as a guide while responding to an incident. The plan helps them determine the severity of a security incident, and the severity level should drive the decisions that follow: who must be informed, what data is at risk, who controls communications to employees, board members, regulators and the media, when law enforcement should be involved, which regulations are impacted, and whether you actually have a data breach. Be aware that “breach” is a legal term that can carry notification obligations, so using it implies your legal counsel is heavily involved in response activities and should be the one making that determination.
As you can see, many stakeholders have a role to play in appropriately managing and responding to a significant security incident. Marketing, Legal, Human Resources, Information Technology, Operations Risk, Business Continuity and the data owners all have critical roles during incident response. If any of these areas lacks a response plan before an incident occurs, a full-blown disaster is just one ill-advised decision away.
OK, everyone has a written plan, now what? The “fun” begins! Security incidents arrive through many vectors. Did someone click a link in a phishing email? Did that click lead to a malware infection that damaged or deleted critical files? Did someone reply to a fraudulent email with a file attachment containing confidential customer information, including Personally Identifiable Information? Did an “insider” leak confidential information, knowingly or unknowingly?
Each scenario presents its own risks and challenges. Bringing everyone to the table (hence the term table-top exercise) to practice their roles against specific scenarios provides a “no-fault” environment where skills and confidence are built. The discussions held during table-top exercises are the basis for creating “playbooks," which guide decision makers as they respond to a specific scenario.
Information Technology plays a key role in cybersecurity incidents. Preventive tools stop some vectors from being exploited, and detective tools alert you when a vector has already been exploited. Remember, though, that not all security incidents are cyber-related. Table-top scenarios should also include events such as a lost mobile device or an unauthorized entry into a secured area.
Be sure to write a plan, practice the plan and update the plan regularly to build confidence and demonstrate commitment to continuous and safe business operations.
Refer to National Institute of Standards and Technology (NIST) Special Publication 800-184, Guide for Cybersecurity Event Recovery, for more information.