IAPP Practical Privacy Series Recap

December 3, 2015

IAPP Practical Privacy Series Recap: Common Shortcomings of Incident Management and Breach Notification Procedures

The International Association of Privacy Professionals (IAPP) always does a wonderful job of inviting speakers with a variety of backgrounds to their sponsored events to deliver a comprehensive perspective on the issues pertinent to IT security and privacy. After attending the Practical Privacy Series’ Data Breach program in Washington D.C., it was clear that across all major industries, professionals from the legal, IT, and business ranks are consistently seeing the same shortcomings in enterprise incident management and breach notification procedures. These shared observations, forged into the listing of recommended best practices below, feature important aspects of adequately planning for, reacting to, and communicating IT security and privacy incidents.

Publish an incident response plan with distinct definitions

Your incident response plan should be available to all personnel and clearly define key terms. It’s become all too common for policies and procedures to use words like “incident”, “event”, and “breach” interchangeably, to the point that it’s confusing and distorting the escalation process: some situations aren’t getting the attention required right away and some are being blown out of proportion. Based on industry standards, “events” should refer to activity worthy of examination, “incidents” should refer to matters concerning IT operations, security, or privacy, and “breaches” should refer to instances where unauthorized entities acquired unsecured information.

Log and review system activity

Undeniably, timeliness in the course of incident management is top priority. On the whole, the longer it takes to identify, diagnose, and remediate a security or privacy situation, the more harm can be done. In this vein, failure to log and monitor system activity was clearly the biggest point of concern for those speakers who were veterans of crisis management and breach investigation because it’s the most effective way to detect suspicious events early. This is an observation I too have had in the field on more than one occasion. A continual review of login history, powerful account actions, significant transactions, etc., performed at a frequency commensurate to the size of your IT environment, is merely an investment of personnel and time. Do it.
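The review the paragraph calls for (login history, powerful account actions, significant transactions) is easy to sketch in code. The following is an added example written for this recap, not the article's own or any vendor's tooling. It assumes a hypothetical one-line-per-event log format (`timestamp user action detail`) and constructed sample lines; the three checks (a burst of failed logins for one account, a success immediately following such a burst, and a plain listing of privileged actions for a human to read) are the kind of routine review the speakers recommended.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not taken from the article. The single-line
# "<timestamp> <user> <action> <detail>" format is a hypothetical layout
# chosen for illustration; a real review would parse the organization's own logs.
SAMPLE_LOG = """\
2015-12-01T08:00:01 alice LOGIN_OK src=10.0.0.5
2015-12-01T08:00:10 bob LOGIN_FAIL src=203.0.113.7
2015-12-01T08:00:12 bob LOGIN_FAIL src=203.0.113.7
2015-12-01T08:00:15 bob LOGIN_FAIL src=203.0.113.7
2015-12-01T08:00:19 bob LOGIN_FAIL src=203.0.113.7
2015-12-01T08:00:22 bob LOGIN_FAIL src=203.0.113.7
2015-12-01T08:00:25 bob LOGIN_OK src=203.0.113.7
2015-12-01T09:15:00 alice ROLE_GRANT role=admin target=carol
2015-12-01T09:20:00 carol LOGIN_OK src=10.0.0.9
2015-12-01T10:00:00 dave LOGIN_FAIL src=10.0.0.20
2015-12-01T11:00:00 dave LOGIN_OK src=10.0.0.20
2015-12-01T11:05:00 carol EXPORT_RECORDS count=48000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ?(.*)$")

# "Powerful account actions": always worth a human look regardless of volume.
PRIVILEGED_ACTIONS = {"ROLE_GRANT", "EXPORT_RECORDS"}


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, action, detail = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "detail": detail})
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Map user -> count for users with >= threshold LOGIN_FAIL inside any window."""
    fails = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN_FAIL":
            fails[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Sliding window: drop failures that fall outside the window.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged


def success_after_burst(events, bursts, grace=timedelta(minutes=10)):
    """Users from `bursts` whose LOGIN_OK came within `grace` of a failure."""
    last_fail = {}
    hits = []
    for e in events:  # events are kept in log order
        u = e["user"]
        if u not in bursts:
            continue
        if e["action"] == "LOGIN_FAIL":
            last_fail[u] = e["ts"]
        elif (e["action"] == "LOGIN_OK" and u in last_fail
              and e["ts"] - last_fail[u] <= grace and u not in hits):
            hits.append(u)
    return hits


def privileged_actions(events):
    """Every privileged action, in order, for a line-by-line review."""
    return [(e["user"], e["action"], e["detail"])
            for e in events if e["action"] in PRIVILEGED_ACTIONS]


def review(text):
    """Run the three checks and return the findings as one dict."""
    events = parse_log(text)
    bursts = failed_login_bursts(events)
    return {
        "failed_login_bursts": bursts,
        "success_after_burst": success_after_burst(events, bursts),
        "privileged_actions": privileged_actions(events),
    }


if __name__ == "__main__":
    for check, finding in review(SAMPLE_LOG).items():
        print(f"{check}: {finding}")
```

The thresholds and window sizes are the knobs that should scale with the size of the environment the paragraph mentions; the point is that the review runs on a schedule and produces a short list someone actually reads, rather than that these particular numbers are right for any given organization.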

Leverage risk assessments to accelerate your incident management process

To focus and drive your procedures from the point of incident identification, leverage the results of your most recent risk assessment. Your risk assessment exercise should involve mapping the IT landscape, determining where significant and sensitive data resides, and classifying all possible risks on a scale of criticality. Instead of immediately kicking off the long and arduous incident management process, first consider what the impact of the incident is based on the type of threat and the nature of the affected information; you’ll most likely be able to expedite incident analysis. Furthermore, you may not even have to go through the full process if you determine that the situation is of lower risk.

Establish clear lines of communication

To promote efficiency during the incident management process, outline very clear lines of communication for your personnel. In your incident response plan, do not simply designate the responsibilities of ambiguously named teams in your organization; detail the roles and contact information of each specific point of contact (and their backups) involved in the process as well as the recommended way to reach them. Prepare your personnel by acquainting them with those points of contact in advance. Also, stress the importance of persistence to your personnel when trying to escalate incidents.

Involve your legal counsel early

When IT security and privacy incidents are identified, many organizations wait too long to involve their legal arm because they feel that bringing in the lawyers means the situation at hand is grave. Don’t do that. Only your counsel is able to present all of the legal obligations and considerations that must be accounted for.

Please carry these takeaways with you in hopes that they can help tune your incident management and breach notification process. Continual improvement is critical as new threats emerge and laws and regulations are promulgated. By keeping a modern set of procedures, you’re investing in the welfare of your enterprise and in the preservation of your reputation.


Originally published on The Compliance & Ethics Blog