Developing an incident response plan can help organizations be better prepared when a data security breach occurs, and internal auditors can become an active part of the response process.
Why Is an Incident Response Plan Necessary?
Carol Stucki, CISA, CICA, PMP
Manager of Financial Systems, LDS Church
A security breach is the unauthorized acquisition of data
that compromises the security, confidentiality, or integrity of personal information maintained by an organization. The data
could consist of credit card and financial account numbers, medical information, Social Security numbers, insurance information,
and a person's credit history report. The unlawful access to this kind of data can lead to loss of profits, lack of public
confidence in the organization, and legal ramifications stemming from noncompliance with data privacy laws. Having an incident
response plan that addresses different data security breaches can minimize the damage a company may incur when information
is exposed. The following example can help to illustrate how a security breach can affect an organization.
Visa, MasterCard, American Express, and Discover Card require companies to notify them, affected customers, and the necessary credit and law enforcement agencies within 24 hours of a security breach. Failure to notify agencies or customers can result in large fines, company restrictions, and even the prohibition of using credit card services in the future. Companies using Visa or MasterCard, for example, can pay fines as high as US $500,000. Table 1 puts these fines and restitution costs into perspective.
Unfortunately, many companies still lack a coordinated approach to responding to a data security breach. An incident response plan that addresses how the organization will respond when a breach occurs can help reduce fines and restitution amounts. Even companies that have a response plan but fail to detect or report a breach may be fined by Visa, MasterCard, or American Express. The next section provides the steps internal auditors can recommend for organizations that wish to create an incident response plan but don't know where to begin. These steps include determining how to respond to the breach, identifying what kinds of data could be impacted, putting together the plan's creation team, drafting the plan, and formulating and contacting the response team.
Important Data Security and Breach Notification Laws
In the United States, 32 states currently have breach notification
laws. These laws generally follow the California model, which recommends that victims be notified when their data is compromised.
Below is a list of the main data notification laws impacting the way organizations work in the United States and member countries
of the European Union (EU).
· California Civil Code 1798.82. This law requires companies
that conduct business in California and own or license computerized data containing unencrypted personal information to notify
California residents of any security breach of their unencrypted personal information.
· The U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996. This legislation provides guidance regarding the proper ways to protect personal health information through the act's Privacy and Security rules. Furthermore, the act requires any entity collecting, storing, or transmitting medical data to implement policies and procedures to address security incidents.
· The U.S. Gramm-Leach-Bliley Act (GLBA) of 1999. This
act includes provisions to protect a consumer's personal financial information that is held by a financial institution. GLBA
gives authority to eight federal agencies and all 50 states to administer and enforce the act's Financial Privacy and Safeguards
rules.
· The Organization for Economic Co-operation and Development's
Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. These guidelines were established to protect
individuals from the automatic processing of personal information, such as the unlawful storage of personal data, the storage
of inaccurate personal data, or the abuse or unauthorized disclosure of such data.
· Safe Harbor. The European Union and the United States
have different approaches to data security. To bridge this gap, the U.S. Department of Commerce and European Commission created
the Safe Harbor framework. The Safe Harbor enables U.S. companies to conduct business with member countries of the EU without
interruption, as long as U.S. organizations comply with the framework's seven principles.
Other national and international laws exist that companies
need to take into consideration when implementing compliance activities and creating an incident response plan. Auditors need
to become familiar with these laws to ensure the company meets their requirements before a breach occurs.
What to Consider When Creating a Plan
Before the plan is drafted, the company needs to determine how it will respond if a security breach occurs and what kinds of data could be exposed. The way the plan is drafted depends on these two crucial steps.
Determining How to Respond to the Breach
First, the company needs to identify what it will do after
the incident is detected. This will help to decide the type of plan that is created. An important decision to make is whether
the company will prosecute the person(s) responsible for the security breach, because this will determine the information
that is included in the plan.
If the company decides to prosecute, the plan needs to identify how evidence will be collected and documented, so that the evidence is not compromised and the information is obtained correctly. Otherwise, the chain of evidence could be broken and the prosecution's case may not hold up in a court of law. For example, if the company does not follow forensic procedures while collecting the evidence, the judge may rule the evidence inadmissible, defense lawyers may challenge the evidence's validity, and the case may be damaged.
The company also needs to determine whether it will attempt to trap the culprit or simply prevent further damage. Although catching a culprit can be a complicated process, it will give the company a stronger case if it decides to prosecute. Whether or not to catch the culprit needs to be decided before the plan is created, because the decision shapes how the company will proceed and depends on the company's mode of operation and type of work.
Identifying What Kinds of Data Could Be Exposed
Second, the company needs to determine what kinds of data
could be impacted if a breach occurs. This risk assessment is based on what type of work the company does on a daily basis
and can be conducted by the internal auditor, information security officer, or appointed security staff. For instance, if
a company accepts credit card purchases, a credit card data breach should be taken into account as a possible risk. If the
company processes insurance claims, the risk assessment should consider any possible breaches of personal and medical data.
The kinds of data that might be exposed during a breach
also depend on how the company conducts business transactions. For example, if the company uses the Internet to collect information,
it will have different security issues to consider, such as how to capture and protect the data collected via the Internet.
Therefore, the company will need to assess the different risks that are likely to happen, categorize risks based on their
level (i.e., low, medium, or high), and prioritize how each risk will be remedied when a problem arises.
Putting Together the Plan's Creation Team
Once the organization knows how to proceed in the event
of a breach, and scenarios are outlined that address the high-risk areas identified in the risk assessment, the company should
put together a team to create and test the response plan. The team, which reports to senior management, should consist of
subject-matter experts on each of the company's business processes, internal auditors, legal advisors, and systems security
staff.
To develop the plan, the team should first learn what other companies in the same industry are doing. Getting examples of actual incident response plans will assist companies in determining what their plans need to include. The American Institute of Certified Public Accountants (AICPA) and The Canadian Institute of Chartered Accountants (CICA) have posted an incident response plan template, Incident Response Plan — Template for Breach of Personal Information, which can be found on their sites. The template is available for a fee to any interested party. In addition, various U.S. universities, including the University of Texas, University of Illinois, and Yale University, have posted their security response plans on the Internet.
The creation team also should determine what best practices to include as part of the plan. For information on incident response best practices, companies can check out Visa's What to Do if Compromised (PDF, 176KB), available free of charge on the company's Web site. The document outlines how Visa expects to be notified when a data breach takes place and provides advice on how to perform a forensic investigation if an incident is discovered. In addition, California's Department of Consumer Affairs has posted useful information for companies looking to comply with California's data notification law, Civil Code 1798.82. The document, Recommended Practices on Notice of Security Breach Involving Personal Information (PDF, 94KB), also gives examples of letters companies can send to customers.
Drafting the Plan
Once the plan creation team is established, the company can begin drafting the plan. Effective incident response plans should incorporate the following elements:
· Scenarios that cover what kinds of data the company handles
on a daily basis and how it collects that data.
· The completed risk assessment, including all of the risk
scenarios and vulnerabilities identified.
· Whom to contact based on the kind of risk. Contact information should include the person's title, name, phone number(s), and e-mail, as well as an alternate contact name.
· A complete list with the name and contact information
for the entire response team and any backups.
· Escalation protocols (i.e., how to proceed when the breach is identified, such as when and whom to call for more help).
· How to preserve and record evidence and examples of the
kinds of evidence that need to be gathered.
· Sample notification letters to send to customers after the incident is discovered.
· Sample press releases to send to the news media.
· Information on what to tell senior managers and how to
notify them.
· Information on what to tell partners, including credit
card companies, law enforcement agencies, and business partners, and how to notify them.
· A plan for testing the response scenarios.
· Change control procedures to keep the plans updated.
After the plan is created, it needs to be tested to determine whether it is effective and supported with the appropriate company resources and staff, and then altered based on the test results. Changes to the plan should be made according to the company's change management policies and procedures.
Formulating and Contacting the Response Team
The company might need more than one response team, depending
on the scenarios identified during the plan's creation. However, some of the same members may be on more than one team. Possible
members of the response team include the company's:
· Internal auditor, IT auditor, fraud auditor, or forensic
specialist.
· Systems security staff, such as SANS-certified staff in cyber forensics.
· Data privacy officer.
· Legal counsel.
· Business analysts with expertise in the areas identified
in the risk assessment.
· Public affairs staff.
· Credit card relationship owners (e.g., treasury or accounting
staff).
· Human resources staff.
· Operations or facilities staff.
Each team member will perform different tasks based on
their roles, for instance:
· Internal auditors can conduct a risk assessment that estimates the potential liability of a breach to the company; evaluate the company's internal controls to determine whether information systems and third-party data are secure; review the incident response plan to determine whether it enables the company to comply with internal and external regulatory mandates; and enhance systems security through recommendations of best practices.
· Systems security staff can detect the problem and the
systems affected, as well as help to determine the amount and type of data that were breached.
· Data privacy officers can interpret and enforce the company's
policy and act as the point of contact to the organization's legal counsel on data privacy issues.
· Legal staff can act as the point of contact between the
company and other regulatory agencies, and advise the company on the appropriate method of collecting and documenting evidence.
· Business analysts can inform the company on what data
was affected by the breach and how it was used.
· Public affairs employees can provide statements to the
press, company partners, and customers.
· Treasury or accounting staff can act as liaisons to credit
card agencies and financial institutions.
Escalating the Breach
Because most breaches are not initially recognized as such, education on how to spot, report, and escalate a potential breach is needed. For instance, someone will notice that a server is performing slowly or that a file is not accessible, which will prompt the person to call the help desk or IT department. As a result, the help desk or IT support staff need to be able to identify whether something has happened. A list of data breach "clues or symptoms" can be created and given to help desk employees so they can better assess whether a breach has occurred.
After the help desk or IT support staff is contacted, they should notify the systems security team, who should be able to determine what actually occurred and whether private or confidential data was on the breached system, file, or transmission. If systems security staff find anything unusual, they should contact the next person on their list: the incident response plan coordinator. The plan coordinator will contact all members of the response team, as well as third parties such as law enforcement agencies, customers, state agencies, credit reporting agencies, and possibly the media.