Incident Response: Communication is Key

January 1, 2008

When an incident hits an enterprise’s IT infrastructure, the response team must also address internal and external communication needs in addition to technical issues such as investigation, containment and recovery.

When an incident response team is faced with a potential security breach or data loss, there are myriad concerns to address. Many incident management plans address technical issues such as investigation, containment and recovery. But, it is essential that each phase of the plan also covers communication – a key requirement for effective incident response.

The incident communication strategy must cover compliance-related issues, media communications and internal communications. And, it must strike a balance between openness and protection. Revealing more information than necessary could result in undue escalation or exposure of an exploitable weakness that has not yet been remedied. However, withholding information can cast your organization in a negative light and create the impression that you have something to hide.

Keeping appropriate people informed and reminding them of their responsibilities to maintain the confidentiality of any related information can diffuse rumors or speculation, according to David Brown.

COMMUNICATION-RELATED COMPLIANCE ISSUES

Following California’s SB 1386 in 2002, a majority of states have passed laws requiring disclosure of data security breaches. Understanding the legislation that is relevant to your organization and the impact it has on incident reporting should be a part of the planning process rather than a reactionary exercise during an actual event.

Beyond the chief security officer and the chief information officer, including an organization’s legal department or counsel on the incident response team is strongly recommended to help with these increasingly complex issues. Criteria to consider when interpreting legislation include the scope of individuals affected, the specific data types included and the required method of disclosure.

There are few similarities among the various state laws, other than that they apply to agencies, businesses or individuals doing business in the respective states, and they require some form of notification in the event of a breach. Different states’ definitions of concepts such as “personal data” and “security breach” can vary widely. Notification requirements vary as well. For example, Arkansas SB 1167 requires that consumers be notified of a security breach affecting data in electronic or physical form, while Florida’s HB 481 does not require notification “if after appropriate investigation or consultation with law enforcement, (the) person (responsible has) reasonably determined (that the) breach has not and will not likely result in harm to individuals.”

In addition, disclosure announcements and incident communications themselves must not create a violation of any regulation or privacy requirements -- an astute spy can potentially take bits and pieces of seemingly harmless, unclassified information and deduce a state secret.

HANDLING THE MEDIA

Establishing a rapport with media outlets is as important to incident response as a relationship with law-enforcement agencies. Your organization must be prepared for all levels of attention from local news to national wire services. (See the News & Analysis article in the November issue of Security Magazine. – Editor)

Advanced preparations for press releases, announcements or disclosure statements should be coordinated with the business unit responsible for communications, such as public relations, marketing or corporate communications department. Including a representative of this department on the incident management team is advisable; as a part of the team, they’ll be involved from the beginning of an incident, allowing them to personally witness the entire process and convey more complete information. A dedicated technical liaison should be identified to assist with translation of detailed data into language that is clear and understandable by the intended audience -- remember that a statement might not be reported in its entirety, and sound bites are often taken out of context creating far more damage than the incident itself.

INTERNAL COMMUNICATION

Internal communication flow must also be addressed in the incident management plan. This includes incident response team members, management and the general employee base. Keeping people informed about facts surrounding the incident at the appropriate level and time and reminding them of their responsibilities to maintain the confidentiality of any related information can diffuse rumors or speculation. It will also help to minimize the risk of information being inadvertently released to outside entities, which could endanger an investigation or cause negative publicity.

COMMUNICATION CAN MAKE ALL THE DIFFERENCE

An incident communication strategy that covers compliance related issues, media communications and internal communications will ensure timely delivery of appropriate information to both internal and external stakeholders. A well-prepared and well-executed communications plan can make the difference between accolades from the public, the press, and colleagues, or seeing your organization’s name in negative headlines.

David Brown is a managing consultant, security advisory services at Forsythe Solutions Group. Brown has expertise in the areas of security architecture design and review, vulnerability assessment and penetration testing, policy and procedure assessment and development, security technology training and security project management.

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.