Hackers, competitors, crime syndicates, and nation states all want your data. It is important to have security safeguards and controls, but what do you do if you've been hacked?
Incident Response Plan
Every organization should have a formal Incident Response Policy and an Incident Response Plan. These documents provide a managed approach to responding to a security incident. In addition to other relevant factors, ensure your Incident Response Plan includes:
- Identifying the primary systems involved
- Determining how the attack was carried out
- Researching the steps needed to mitigate or remedy the situation
- Determining if a suspect exists (e.g. employee, contractor, outside entity)
- Collecting and preserving evidence including log files and physical evidence
During the process, staff should document decisions and actions taken, including:
- Incident: notification, classification, and declaration (a formal Incident is declared)
- Incident response: alert, triage, response, recovery, and maintenance
The Incident Response Plan should include steps to determine whether the security breach did, or will in the future, result in harm to the individuals whose information was breached.
Situations where there is a presumption that no reasonable risk exists include cases where the breached data was rendered unusable, unreadable, or indecipherable through a security technology (e.g. encryption) or methodology generally accepted in the information security industry. That presumption does not hold if the encryption key, or the credentials needed to decrypt the data, was also exposed, so the investigation should establish where the keys were stored and whether the attacker could reach them.
In some instances, notice about the breach must be given to various individuals, organizations, and agencies:
- Customers. Notify customers of the security breach within 30 days of its discovery. Such
notice may be provided by telephone, in writing, or via e-mail (if the individual consented to
receive such notice via e-mail). Customer breach notification must include a description of the
type of breach, a toll-free number that individuals may use to contact the company, and contact
information for the major credit reporting agencies and the Federal Trade Commission (FTC).
- States. Each state has its own data security/breach notification law, and requirements vary from state to state. Determine whether state Attorney General offices need to be notified.
- Media. Provide notice to the media in any state where more than 5,000 residents were the subject of the breach.
- Department of Homeland Security. Determine whether breach notification must also be provided to the Department of Homeland Security.
- Federal Trade Commission. An organization that relies on the risk assessment exemption from notification requirements must notify the FTC of the exemption, along with the results of the risk assessment performed.
Steps Consumers Can Take
If your data breach included consumer information, individuals can take these steps to minimize their future risks:
- Ensure each account has a unique password
- Where possible, activate multi-factor authentication on logon screens (e.g. a code sent by text message or phone call; an authenticator app or hardware security key is stronger where it is offered)
- Delete stored e-mails from financial institutions, service providers, etc. that may contain account details or other sensitive information
- Be wary of phone calls or e-mail messages that request sensitive information
All it takes is one security breach to compromise your data. Security audits help organizations identify, manage, and reduce their risk of a data breach by ensuring the proper security controls are in place.