[BreachExchange] THE RIGHT STUFF: BUILDING AN EFFECTIVE CYBERSECURITY INCIDENT RESPONSE TEAM

[Inga Goddijn]

http://www.insidecounsel.com/2017/10/17/the-right-stuff-building-an-effective-cybersecurit?slreturn=1508263317

I.   A Multi-disciplinary Team-based Approach to Incident Response

A well thought-out and practical incident response plan is a key component
of any comprehensive information security program. But, organizations often
make the mistake of categorizing the incident response plan as an “IT
issue” or a “legal issue.” A cybersecurity incident that results in a
breach is an “issue” that affects several parts of the organization. Thus,
the plan to respond to an incident should involve several parts of the
organization.

For those of you who are not sports fans, please indulge me for a moment.
An incident response plan involving only one department of an organization
is like a basketball team where every member plays the same position. Like
a team full of centers, the resulting plan may be so focused on defense and
blocking that proactive steps such as early contact with law enforcement
may be seen as too “risky” to include. As lawyers, we can often be so
focused on the legal ramifications that we miss some of the practical
business considerations of incident response. For example, as lawyers, we
may want public communications to state the bare minimum regarding a
breach; only what is legally required. But, making a minimalist statement
may result in a public relations backlash for failing to disclose critical
information in a timely manner. We need the other positions on the team to
put our advice in context and achieve a “winning” result. An effective
incident response plan is both a product and a tool of a multi-disciplinary
incident response team (“IRT”).

Like building a successful sports team, crafting an effective IRT includes
(1) identifying the necessary internal and external IRT members, (2)
considering the strengths and weaknesses of each position, assigning roles
and responsibilities accordingly, and (3) training the team members through
practice to work together toward a common goal. Several publications can
provide the basis for an adequate incident response plan. See, e.g.,
National Institute for Standards and Technology (NIST) Special Publication
800-61 or the International Standard Organizations (ISO)/International
Electrotechnical Commission (IEC) 27035. Instead of focusing on the content
of the plan, which is covered by those publications, this article will
focus on assembling a team to (A) craft the incident response plan that
will be most effective for the organization and (B) execute that plan in
the event of a cybersecurity incident.

II.    Identifying the Necessary Team Members and Their Strengths and
Weaknesses

An effective IRT often includes the following members:

Position

Internal Member(s)

External Counterpart(s)

Information Technology (“IT”)

   - Chief Information Security Officer (if the CISO sits within IT)
   - IT Management Personnel


   -  Technical Forensics Consultant
   - Co-location Facilities Contact

Legal and Compliance

   - General Counsel or Designee
   - Privacy Officer
   - Chief Information Security Officer (if the CISO sits within legal or
   compliance)
   - Human Resources Personnel

         Outside Counsel

Business Management

   - Chief Executive Officer, Chief Information Officer or Designee
   - Board Liaison

         Outside Counsel

Public Relations

Chief Marketing Officer or Communications Manager

         Public Relations Firm

Risk Management

Risk Management Specialist

         Insurance Consultant

A.     Information Technology
1.     Internal IT Department

The IT department of an organization is probably the most frequently
thought of team member when it comes to responding to cybersecurity
incidents. In many ways, the IT department (or security department embedded
within the IT department) is the base of the pyramid in incident response
planning. It will likely have the largest number of IRT members and will be
relied upon for information on which other team members will act. The IT
department will likely serve as the primary point of contact for many of
the external IRT members. For example, the IT department will coordinate
with the technical forensics consultant to determine the operational impact
of a cybersecurity breach and remediate the effects. The IT department may
also provide outside counsel or a consultant with the names of individuals
that the breach may have affected for purposes of compliance with breach
notification laws.

The internal IT department may also be the first IRT member to receive
notice of a cybersecurity incident through channels such as managed
security services logs or reporting from other personnel. As a result, it
is important that a lead IT member be appointed to ensure that only one
individual will initiate the call tree to notify other IRT members. This
same IRT member may be responsible for initial triage of the incident or
setting up a help desk support line for affected personnel.

            2.        Technical Forensics Consultant

Although an organization’s internal IT department has the strength of
knowing the intricate details of the infrastructure, that knowledge can
bias the internal IT department’s focus during incident response.
Therefore, an external IT expert, such as a technical forensics consultant
is an important member of the IRT. The technical forensics consultant can
bring an objective perspective to finding the source of a breach as well as
industry knowledge of threats faced by its other clients. This consultant
also liaises with legal and public relations regarding communications with
regulatory bodies and affected individuals about the nature and potential
impact of a breach.

            3.         Co-location Facilities

A defensive strategy against threats such as ransomware attacks and
distributed denial of service (DDOS) attacks includes storing backups of
critical data offsite at co-location facilities. Having a representative
from such facilities as a member of an IRT can help the organization put
internal IT infrastructure in place to restore data from those backups with
minimal downtime. This member will work closely with the internal IT
department in the event of a loss of data or loss of access to data. The
co-location facilities contact may also assist a technical forensics
consultant in determining the undisturbed state of affected databases
through comparisons between the pre-incident back-ups and affected systems.

B.      Legal and Compliance

          1.          General Counsel or Designee

The lead lawyer on the IRT should be an attorney that has a broad view of
the business and legal needs of the organization. Often, this attorney is
the general counsel, chief legal officer, or deputies of these attorneys
that have a wide range of responsibilities. Because of the general
counsel’s holistic view of the legal needs of the organization, he or she
will be able to effectively coordinate with business management, IT, and
other IRT members to provide information regarding applicable laws and
regulations based on the activities and industry of the organization.

          2.                  Privacy Officer

Although data privacy and information security are often mentioned in the
same breath, important distinctions exist between these two subjects. For
example, the principles of notice and consumer choice are data privacy
principles but are not necessarily principles of information security.
However, a good data privacy program requires good information security to
fulfill an organization’s duties under regulations such as the Health
Insurance Portability and Accountability Act (HIPAA) Privacy Rule. For
instance, Section 164.514 of HIPAA requires a covered entity to “use
appropriate safeguards to prevent use or disclosure of the information
other than as provided for by [a] data use agreement.” An organization’s
privacy officer will likely be familiar with such data use agreements as
well as other promises made to consumers or employees in privacy policies.
As an IRT member, the privacy officer can help to ensure that these matters
are addressed in the incident response plan. During an incident, the
privacy officer can also be a resource for the marketing and communications
IRT members when crafting messages to address any potential breach of the
promises made regarding limitations on disclosure of consumers’ or
employees’ personal information.

          3.                  Human Resources

In many organizations, the human resources (“HR”) department is the group
that will be responsible for communicating policies such as components of
the incident response plan to employees, as well as enforcing information
security policies through dismissal of employees or other disciplinary
action. Thus, including HR personnel, especially senior personnel, on the
IRT may increase the likelihood that an incident response plan will be
followed. In addition, phishing attacks are often targeted at HR personnel
of large organizations because HR personnel have extensive access to
sensitive personal information of employees. Therefore, including key
personnel of the HR department on the IRT may prevent those attacks from
being successful by educating that personnel and making the HR department
an integral part of the organization’s information security program. The HR
IRT member may also work with other IRT members during or after an incident
to craft communications to employees.

         4.                  Outside Counsel

In certain circumstances, attorney-client privilege may not attach to
communications between in-house counsel and members of an organization,
especially where in-house counsel routinely provides both business and
legal advice. See, e.g., In Re Vioxx Products Liability Litigation, 501 F.
Supp. 2d 789, 797 (E.D. La. 2007) (noting that “[i]t is often difficult to
apply the attorney-client privilege in the corporate context to
communications between in-house corporate counsel and those who personify
the corporate entity because modern corporate counsel have become involved
in all facets of the enterprises for which they work”). Therefore,
including outside counsel as a member of an IRT can provide a more secure
umbrella of attorney-client privilege by making clear that communications
involving outside counsel relate to legal advice. See, e.g., In Re Grand
Jury Proceedings, 517 F.2d 666, 670 (5th Cir. 1975) (holding that
attorney-client privilege applies to communications sought “for the purpose
of securing primarily either (i) an opinion on law or (ii) legal services
or (iii) assistance in some legal proceeding”). This protection facilitates
a more open flow of information between IRT members and may expedite
resolution and decision-making. Outside counsel can also provide input
regarding data privacy and information security laws and regulations. But,
only through coordination with IRT members such as the general counsel’s
office and the IT department, can outside counsel help determine which of
those laws and regulations apply to the particular incident.

C.     Business Management

Senior management such as the Chief Executive Officer or Chief Information
Officer can endorse the incident response plan in a manner that encourages
every employee of the organization to respect the importance of following
the plan. Other members of management may be on the IRT to carry out
administrative duties related to crafting the plan and during an incident,
but senior management will often be the IRT member that will provide the
face of the organization to the public. Business management IRT members
will also likely coordinate with the other IRT members to provide a
dashboard of information about an incident and liaise with the board of
directors of the organization.

D.     Marketing and Public Relations

          1.       Marketing or Communications Department

The reputation of an organization may not be on the balance sheet but it is
a valuable asset that can be lost very quickly if a cybersecurity incident
is not handled properly in the eyes of the public. Thus, IRT members from
an organization’s marketing or communications department should work
closely with the other IRT members to craft messaging throughout the
response to an incident. For example, these team members can work with IT
and legal to develop a script for incident call center staff as well as any
breach notification communications. These internal IRT members have insight
into the organization’s communication style and can help provide brand
consistency throughout the incident response.

        2.         Public Relations Firm

While internal marketing and communication IRT members have unique insight
into the organization’s style and brand, an outside public relations firm
can bring experience and “lessons learned” from responses to incidents for
other clients. This external IRT member can provide intelligence about the
public’s current appetite for certain information and may have established
relationships with media outlets that can help the organization control the
timing of announcements about the incident.

E.       Risk Management

           1.       Risk Management Specialist

An internal risk management specialist can provide the IRT with quick
analyses related to the organization’s risk profile; both the current risk
profile and how the organization has managed risk in the past. This IRT
member would also be the primary point of contact for the outside insurance
consultant discussed below. As the internal risk manager, this specialist
can place any cybersecurity insurance in context with other insurance
procured by the organization and help determine the appropriate limits for
such coverage.

          2.        Outside Insurance Consultant

If an organization is considering procuring cybersecurity insurance as part
of its incident response plan, an outside consultant can provide valuable
assistance both before, during and after a cybersecurity incident. This
outside consultant would be separate from the organization’s insurance
broker, whose goal of protecting its employer or underwriters may conflict
with the best interest of the organization during an incident.

This consultant can assist an organization in understanding the myriad of
insurance policies that are referred to generally as “cyber-insurance”. For
example, coverage such as a Network Security and Enterprise Privacy
Liability covers certain third party and first party costs related to
disclosure of personally identifiable information maintained by the
organization (such as its employees or customers), while coverage such as a
Network Interruption Policy can cover first party costs related to systems
that are unavailable due to a DDOS or ransomware attack. During a response
to an incident, this outside insurance consultant would coordinate with
risk management and legal to determine when and if the insurer should be
notified. Many cyber-insurance policies have a maximum time period for
notification of the carrier after a “breach.” See National Association of
Insurance Commissioners & Center for Insurance Policy and Research, Report
on the Cybersecurity Insurance Coverage Supplement, at 4 (Aug. 27, 2016),
(stating that insurers have protected themselves by placing specific time
limits from when an incident or breach occurs); Neal McCarthy, Integrate
Cyber-Insurance into Your Cybersecurity Incident Response Plans,
SecureWorks (Jan. 16, 2017), (stating that some cyber-insurers require
notifications incidents before knowledge of an actual breach); Israel
Martinez, Cybersecurity Insurance: What You Really Need to Know, Middle
Market Growth (Apr. 6, 2016), (detailing the difference between a breach
and incident and how some cyber-insurers require notifications of
incidents). Not every cybersecurity incident is a breach and unnecessary
notification of the insurer may signal that the organization is a higher
risk client and should be charged a higher premium. On the other hand, a
delay in notification because IT personnel want to investigate more, could
result in a loss of coverage if the policy’s notice period begins upon
discovery of an incident and not determination of a breach. Id.

III.  Training the IRT through Practice Toward a Common    Goal

A.       Defining the Goal

Because each organization’s needs are different, every organization will
not have the same IRT structure. And, it may not be advisable from a
cost-benefit perspective for certain organizations to have all of the IRT
members described in this article. An organization will need to determine
the right players for its team based on the primary goal of its incident
response plan. For an organization that collects and stores significant
amounts of consumer data, a primary goal of its incident response plan may
be to minimize any loss of customers due to an incident. For an
organization that the government has designated as critical infrastructure
(e.g., a refinery), the primary goal of its incident response plan may be
to minimize or eliminate the risk that any breached data could be used to
initiate physical property damage or injury of personnel.

B.       Training through Practice

            Once the primary goal and other goals of the incident response
plan are clearly defined, the key to success is to practice achieving those
goals. For IRT members, these practices are often called “tabletop
exercises.” Tabletop exercises involve scenario gameplay that walks the IRT
through every step of the plan from incident identification through any
remediation and breach notification. To ensure readiness and address any
turnover in the IRT members, tabletop exercises should be performed
regularly (e.g., once per year or every six months). Practice for employees
that are not members of the IRT would include training and education about
incident prevention (e.g., phishing tests), how to report an incident, and
how to continue conducting business during an incident (e.g., education
about responding to requests for comments from the media).

            Practice may never make perfect but it does make better.
Lessons learned from tabletop exercises enable refinements to the incident
response plan and reduce the chance of paralyzing panic during an actual
incident. As suggested above, teamwork is key to determining the
appropriate response to a cybersecurity incident, whether or not the
incident is an actual breach. IRT members effectively working together is
truly its own success.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171017/5123357b/attachment.html>