Guidance for Incident Response Plans

DOJ Guidance

According to the DOJ guidance, an organization should first identify mission critical data and assets (i.e., "Crown Jewels") and institute tiered security measures to appropriately protect those assets.

A cyber-incident response plan should contain procedures that should address, at a minimum, the following.

• Who has lead responsibility for different elements of an organization's cyber-incident response, from decisions about public communications, to information technology access, to implementation of security measures, to resolving legal questions.
• How to contact critical personnel at any time, day or night.
• How to proceed if critical personnel is unreachable and who will serve as backup.
• What mission critical data, networks, or services should be prioritized for the greatest protection.
• How to preserve data related to the intrusion in a forensically sound manner.
• What criteria will be used to ascertain whether data owners, customers, or partner companies should be notified if their data or data affecting their networks is stolen.
• Procedures for notifying law enforcement and/or computer incident-reporting organization.

The DOJ guidance also provides for the following.

• Having appropriate technology in place that will be used to address an incident.
• Having procedures in place that will permit lawful network monitoring.
• Having legal counsel that is familiar with legal issues associated with such incidents.
• Aligning other policies (e.g., human resources and personnel policies) with the cyber-incident response plan.
• Developing proactive relationships with relevant law enforcement agencies, outside counsel, public relations firms, and investigative and cyber-security firms that may be required in the event of an incident.
• Monitoring the network for any anomalous activity.
• Conducting a post-incident review to identify deficiencies in planning and execution of the cyber-incident response plan.

NIST Guidance

The NIST guidance addresses incident response policy, plan, and procedures, which this article covers, as well as sharing information with outside parties.

Policy

While policy is particular to the organization, typical key policy elements include the following.

• Statement of management commitment
• Purpose and objectives of the policy
• To whom and what the policy applies and under what circumstances
• Definition of computer security incidents (e.g., a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices) and related terms
• Organizational structure and definition of roles, responsibilities, and levels of authority (should include the authority of the incident response team to confiscate or disconnect equipment and to monitor suspicious activity, the requirements for reporting incidents, the requirements and guidelines for external communications and information sharing (e.g., what can be shared with whom, when, and over what channels) and the handoff and escalation points in the incident management process)
• Prioritization or severity ratings of incidents
• Performance measures
• Reporting and contact forms

Plan

The plan should meet the unique requirements of an organization relating to its mission, size, structure, and functions, describes the necessary resources and management support and include the following elements.

• Mission
• Strategies and goals
• Senior management approval
• Organizational approach to incident response
• How the incident response team will communicate with the organization and with other organizations
• Metrics for measuring the incident response capability and its effectiveness
• Roadmap for maturing the incident response capability
• How the program fits into the overall organization

The organization should implement the plan and review it at least annually to ensure the organization is following the roadmap for maturing the capability and fulfilling its goals for incident response.

Procedures

Procedures should be based on the incident response policy and plan. Standard operating procedures should be tested regarding accuracy and usefulness and distributed to all team members. Training should be provided for users of standard operating procedures.

California Guidance

The California guidance provides the following practical recommendations.

• Pick an incident team and assign a team leader; this team should include an executive and an in-house counsel if there is one.
• Define roles and responsibilities so that everyone is clear as to who is responsible for what should an incident arise. Communicate to everyone at the business who to contact if they suspect a cyber incident has occurred (or is occurring). Gather afterhours contact information for incident team members and distribute this information to all staff. Consider channels of communications that do not involve business-provided phones and email.
• Outline the basic steps of the incident response plan by establishing checklists and clear action items.
• Prepare specific policies and procedures to implement in specific situations (i.e., each type of incident that the business might experience: a lost computer, smartphone, or thumb drive containing unencrypted data, an external data breach or theft of intellectual property, malware, cyber extortion, etc.); for each scenario, prepare an easily accessible quick-response guide.
• Form relationships with key third parties (e.g., law enforcement and cyber-security experts) and have their contact information handy.
• Address in an incident response plan procedures necessary to adequately document the details of a particular incident (including a timeline of events, preservation of compromised systems if necessary, as well as who was involved and the response) and the process to review the preventative cyber-security measures and the plan after every cyber incident. If the incident involved the possible disclosure of unencrypted personally identifiable information or payment card information, consult with a lawyer.

Interagency Guidance

The Interagency guidance addresses the following components of a response program.

• Assess the nature and scope of an incident and identify what customer information systems and types of customer information (i.e., any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of a financial institution) have been accessed or misused.
• Notify the primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information (i.e., customer's name, address, or telephone number together with the customer's Social Security Number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account as well as any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password, or password and account number).
• Notify appropriate law enforcement authorities in addition to Suspicious Activity Report filing obligations.
• Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence.
• Notify customers when warranted.

Finally, where an incident of unauthorized access to customer information involves customer information systems maintained by a financial institution's service provider, the financial institution is responsible for notifying its customers and regulator; provided, however, the financial institution may authorize or contract with its service provider to notify its customers or regulator on its behalf.