Brochure
Executiv Execut ive e bre breach ach response playbook How to successfully navigate the enterprise through a serious data breach
Brochure | Executive breach response playbook
Introduction No matter how eective the technical response to an enterprise data breach, it ’s the executive suite that drives th e public’s perception in times of crisis. In fact , it is t he executive team’s leadership that will help guide the entire enterprise response after the breach—which could last for days, weeks, months, and even years depending on lawsuits and regulatory response. Executive team to-do list • Prepare a data breach response plan. • Ensure the executive team can execute it. • Have a solid understanding of the situation.
Although it’s never easy to respond to something as challenging as a publicly disclosed data breach, it can be done if the executive team gets the information they need in time. That is, if the technical information is accurate and comprehensive enough to make eective decisions, and all of the communication channels are in place and ready. Sounds straightforward, but it’s not always. It takes executive leadership to make sure t he resources and the plans are in place to execute well. And it takes considerable practice. This playbook will help get you there.
• Know what is at risk. • Plan responses and processes for all constituencies.
In most organizations, senior leadership, including the CEO, are seriously underprepared for the job. A recently HP- commissioned survey from the Ponem on Instit ute, “The Importance of Senior Executive Involvement in Breach Response,” shows how systemic the challenge is at most organizations: A startling 57% of CEOs have not been trained on what to do after a data breach, and more than 70% of executives think that their organization only partially understands the information risks they’re exposed to. There’s a serious disconnect here. According to the Ponemon Institute report, The Importa nce of Senior Executive Involvement in Breach Response, senior executives know that their involvement in the incident response process is critical to success—but they don’t believe that they are accountable for data breaches. In this report’s sur vey, 79% of respondents say executive-level involvement is necessary to achieve a successful data breach response, while 70% believe board-level oversight is also crucial. Unfortunately, the same survey found that only 47% are up to date on their internal data breach response processes, and only 45% think they are actually accountable. Perhaps most troubling is that only 44% believe that their own enterprise’s incident response process is either proactive or mature. Many great resources are available that are geared toward the technical response that organizations must perform when faced with a data breach incident; however, little has been written on how the executive team should prepare to respond. The goal of this pa per is to help ll that gap and provide executive leadership with the ideas and tools they need. Perception. Priorities. Protection.
Figure 1. How prepared is your organization to deal with data breach? 35%
33% 31%
30% 25%
As gure 1 shows, senior executives believe the current state of breach preparedness is more reactive (immature) than proactive.
20% 17%
15%
15% 4% 10% 5% 0% Level 1
Level 2
Level 3
Level 4
Level 5
Level of readine ss: From 1 (low) to 5 (high) Source: Ponemon Institute “The Impor tance of Senior Executi ve Involvement in Breach Response” September 2014.
2
Brochure | Executive breach response playbook
The importance of establishing a game plan Many enterprises are already breached, and they don’t realize it. Look at many of the recent and widely publicized data breaches. These organizations had been inltrated for months, with data being continuously stolen, before the successful attacks were identied. There’s no avoiding it. The probability is that you will be breached, and not once or twice but multiple times over the upcoming years. Without an executive data breach response plan that is designed to work in tandem with your organization’s more technical digital investigations and response plans, any data breach incident can go from bad to worse very quickly—especially when it comes to maintaining the trust and condence of your customers, partners, and shareholders. In fact, if the executive team does not plan for the data breach—and be able to execute that plan—it is, in eect, planning to fail i n its abilit y to react swift ly to the legal, regulatory, customer, employee, and shareholder fallout. The risks associated with executive missteps during the days after a data breach disclosure are not unlike responding to any other type of disaster. The team needs to have a solid understanding of the situation, know what is at risk, and be able to speak to each constituency. Many executive-level risks are associated with data breaches. For insta nce, your team needs to know whether to announce the data breach and when the timing is right to do so. There’s risk in waiting too long to tell the pu blic—both from regulators’ and public backlash— and there’s also serious risk associated with announcing too soon. If the right processes are not in place a nd the executive team doesn’t understand the nature of the breach, the known facts can change, and public statements will have to be altered accordingly. Not good. Conversely, knowing how to talk with the technical teams and understanding the potential business impact and the technical cause can help you execute the right course of action. That course assures employees, customers, and shareholders that the enterprise can—and will— safely navigate through with minimal costs or impact to delivery of customer services. Additionally, public disclosures of certain t ypes of data breaches are becoming mandatory. In the United States, nearly every state has a data breach notication law regarding personally identiable nancial account information involving its citizens. The E.U. is working on its own data breach notication requirements under the ePrivacy Directive. There are also data breach notication laws and guidance that involve disclosing patient health data and even for publicly traded companies, should a breach involve data that could aect revenue. That’s why it is critical to have your executive data breach response playbook in place. Because in the event of a data breach emergency, such as the triggering of a ny of the regulatory mandated responses above, you need to know precisely what to do and who your key players are. If you don’t have this in place and ready to go ahead of time, you waste valuable time—the vital time needed during a crisis—and are forced to build the plan on the y, which exponentially raises the danger of highly public missteps. For all of these reasons, having your executive data breach response plan in place will provide the means for successful leadership through crises.
3
Brochure | Executive breach response playbook
Successful leadership through the breach Although most of the conversation centering aroun d data breaches today focuses on the technical enablement of the breaches, there’s always much more to it than that—especially when a breach involves signicant or sensitive data. The type of data and their quantit y are important. In fact, there are many other considerations. More often than not, there is a criminal investigation, an e-discovery process, and countless other pressing media, employee, shareholder, and especially customer considerations. Each constituency has dierent immediate needs. While law enforcement is going to want to keep breach details and anything relating to its investigation quiet, the media will want to know details and will push hard for them. Industry and government regulators are going to have questions of their own. The call center is going to need to know what information to provide customers to help keep them calm and even take measures to protect their identity if necessary. Legal will want to be t ightlipped, too, while your PR teams will want to be more communicative. They have good reason, too; media reaction is crucial. And shareholders are going to eagerly await news of any potential impact on earnings. It’s a ne needle you are going to have to thread, because each constituent’s concerns and needs are real and will have to be met properly and at the right time. One of the most important things that hav ing the response plan in place does for your organization is enable executives to focus on these messages. That surely beats being reactive and forced to assemble the team, carve out responsibilities, lines of communication, and various plans of action. With the plan in place and everyone knowing what to do, executives can speak to employees, shareholders, and customers with the necessary condence that the situation is under control. This will greatly help you avoid potential missteps that hurt trust and condence in the organization. Remember that employees, partners, shareholders, and customers will be looking at how executives are going to respond: Have they taken ownership of the situation, what are t hey going to do about it, what actually happened, and how will it be resolved? Basically, what the world is looking for is leadership. And this is just as tr ue in a data breach as any other type of emergency or crisis.
4
Brochure | Executive breach response playbook
Into the breach: Scenario exercise ideas Data breach situations can unfold in countless ways, and conditions similar to the scenarios that follow can occur in any organization. They show how small missteps can potentially grow into big public mishaps. Take a look at these scenarios. Then ask yourself how prepared your organization is to respond, what processes you have in place to respond, and how well other team members would be prepared. Are you prepared to respond? Your POS system is breached and millions of credit cards stolen.
Breach scenario #1: A large national retailer ’s point-of-sale (POS) system is breached, with millions of credit cards stolen It all started simply enough. A virtual server crashed. It was only by luck that an observant administrator noticed something strange within the error code. Eventually, the related logs and an image of the virtual server made it to an internal security analyst, who identied the problem: A small, mysterious piece of software was actually an exploit designed to breach an inventory system that was connected to the retailer’s national POS network. If credit card data les were breached, it would require a public disclosure. The breach was too close to credit card data for comfort, and the preliminary forensics examination couldn’t determine if the attack was successful. Also, the potential credit card breach couldn’t have come at a worse time. A string of retail breaches had just been announced over the holiday period. Tens of millions of people had been aected. As a result, the retailer’s credit card securit y was all over the news. The press was not going to let go of this story. Days later, the investigation into the log les still had not provided as clear a picture as the digital forensics and incident response team would have liked. But it was determined that t he initial breach occurred at least three years ago. The good news is that the most recent attack activit y was thwarted. The bad news is that although the complete attack trail isn’t clear, the attackers did manage to access the POS system and capture credit card payment data as it was being processed. It was not known what other data may have been aected. The appropriate law enforcement agencies will be notied soon. Now the executive team must prepare for the public announcement to customers and shareholders. And they must give employees the information they need to service customers and a nswer their questions in a way that keeps morale high. In t he meantime, the digital investigation teams will keep digging for more details and facts that can be established.
Are you prepared to respond? You discover that your proprietary processes and customer IP were stolen.
Breach scenario #2: Contract manufacturer discovers its proprietary processes and customer intellectual property stolen An international contract manufacturer noticed an overseas competitor was producing product in a way that precisely resembled its own. An analysis conrmed that the competitor was using certain plans and even software code identical to what it was producing. If that wasn’t bad enough, the intellectual property of several of its customers had also been stolen somehow. If the situation isn’t handled properly, the manufacturer could be forced out of business. Following a signicant investigation, it became apparent t hat a disgruntled employee had walked out with proprietary information on a ash drive. An investigation into the ty pe of data stolen, who had access to that scope of information, and other fac tors narrowed the list of potential thieves to a few. When examining a number of employee laptops, it became clear which laptop was used. Data from multiple servers were copied to the notebook’s drive and subsequently copied to a USB ash drive. Customers would have to be notied—and so would shareholders. A breach of this magnitude could drive away customers—current and future— and signicantly impact revenue.
5
Brochure | Executive breach response playbook
Are you prepared to respond? A large le of patient records from your hospital was posted online.
Breach scenario #3: Regional hospital awakes to data breach nightmare The scenario begins when the director of communications reports that a journalist f rom one of the weekly business magazines called to say a large le of patient records has been posted somewhere online. The news hit fast and spread wide. Thousands of records were dumped in a popular le-sharing site: Patient names, contact information, and insurance information were in one set of les; patients’ prescription histories and some doctor visit information in another. It’s a PR nightmare, but one that happens all too often—before there’s a chance for an investigation to even get under way. How did the breach occur? What can be said to patients whose information was leaked, as well as those who have not been aected? What will the regulatory fallout be? The team needs to be assembled, and answers need to be uncovered—quickly. Any conversation with the media would have to be punted until more details were known. Meanwhile, regulators called, wanting to know details about the incident. But th e hospital can’t answer much more than verify that the data les appear to be authentic and from their organization. The next call was to law enforcement. In the hours and days that followed, the source of the breach was identied as being the result a web server inltration. The decisions and steps made in the upcoming days will have a profound impact on how regulators react, as well as the trust that is saved or lost in the eyes of patients. The next section can help you determine how your organization would respond. You’ll be able to identify any gaps in your process and how you should remedy them if a publicly reportable breach occurs.
Building an efective executive data breach response plan Much of the discussion about data breach response commonly focuses on the technical response. The executive data breach plan centers on what is known to have happened technically and what this damage will mean from a business perspective, a nd then eectively managing any negative impact and put ting forward the best public response possible. This requires that good processes and communication be in place, along with the ability to eectively execute the plan. You need to assemble a core team of executive leaders to help manage the response. In many cases, it would be the same team charged with managing a business continuity plan in the face of any type of disaster. Although many other types of disasters may be managed by your chief operating ocer or equivalent, your CISO or CIO would manage the incident internally since this is a data breach. These executives know (or should know) where critical and regulated data resides and what sy stems manage these data and processes. Dealing with the executive data breach is the same as if they’d owned the IT recovery should a hurricane or other disaster disrupt IT systems. This puts CISOs in the best position to manage the technical, legal, regulatory, and executive teams. Figure 2. Process and technique eciency improvement framework Monitor/ detect
Triage
Respond
Lessons learned
6
Incident closing
Brochure | Executive breach response playbook
Although the CISO or CSO owns the internal response, it ty pically is the CEO and executive leadership that set the tone for the public response. To succeed, you’ll need a cross-functional team that is comfortable working together. Usually this is a senior team that includes general counsel, internal audit, human resources, and corporate communications. They all need to be working in concert. Here’s the plan that must be in place and always ready to be put into action should a breach disclosure become necessary: Continuous monitoring and detection —Your IT and security teams are always on the lookout for bad things to happen. IT security-related events are detected from many dierent internal and external sources—and early detection is the key to identifying and responding to an issue not only quickly, but eectively. For executives, it’s important that when a breach that will require a public disclosure is detected, the proper executives and internal resources must be notied. The phases of the plan • Monitoring and detection • Triage • Respond
The triage phase—This phase is intended to quickly analyze all available information so that security events can be categorized and correlated. This way the organization can most accurately determine the severity and prioritization of events, and assign the event to the proper team(s) for remediation and response. Triage also provides a single point of contact for answering technical questions that arise. The triage process is instrumental for coordinating the technical response groups and creating your nal response plan.
• Incident closing
The respond phase—The respond phase includes the steps taken to address, resolve, or mitigate an incident. During t his phase, you will need an incident coordinator who will conduct overall response and direction. There are four classes of responses required for an incident: • Technical response. The technical response is designed to focus on the actions t he technical sta takes to analyze and resolve an event or incident. Technical sta includes the IT groups required to assist with remediation of the event or incident. This phase can involve several groups or departments within the IT organization to coordinate and provide technical actions to contain, resolve, or mitigate incidents as well as the actions needed to repair and recover, if necessary, aected systems or data. • Management response. The management response highlights activities that require some type of management intervention, notication, interaction, escalation, or approval as part of any response. It may include coordinating with corporate communications as it relates to a ny human resources, public relations, nancial accounting, audits, and compliance issues. • Communications response. These are activities that require some measure of communications to the corporation and internal and external constituents. Corporate communications should always be consulted prior to any communications being released. In many cases, management will direct the release of breach information. This includes issues related to any human resources, public relations, nancial accounting, audits, and compliance issues. • Legal response. The legal response, if required, would work with outside regulators, third parties, and other parties. I n addition, their input would be required for any external communications to assure that such communication is in accordance to company policy and supports any statutory or regulatory requirements.
Incident closing—After the incident has been contained, eradicated, or mitigated, it is critical that your organization complete the collection of all of the information they can about the incident and conduct an after-incident report. During the incident closing process, the incident team must take steps to properly nalize all documentation, including all analytics and nal reports. Additionally, the incident team must take every precaution to preserve all information obtained as part of this process using proper chain-of-evidence procedures, because this information may be required in certain legal responses. After this close-out process is complete, the incident coordinator will conduct a lessons-learned session to identify eciency improvements in either processes or techniques used for remediation.
7
Brochure | Executive breach response playbook
The data breach communications plan: Break glass in case of emergency The prospect of a data breach crisis is itself a crisis. And when it comes to your external response, the communications plan is essential. In fact , the legacy of the crisis—how people will remember the incident—won’t be the technical details or how awlessly your teams did or didn’t execute the plan internally. It will be how well, or poorly, the company communicated this response externally. After the data breach is conrmed and it’s a publicly reportable event, crisis communications teams need to assess the situation, gain a solid understanding of the critical conditions, review the plan of action and adjust as necessary based on facts of the incident, then communicate publicly. Even as the event unfolds, the response must be continuously evaluated regarding how well the plan is going—or not going. When the incident is underway, gather all of the facts that you can: What type of data? How many records? What was the cause? When did it happen? Is the situation rectied? If n ot yet, when will it be? And what steps are underway to bring about the best resolution possible? Of course, if the breach is sizable, you will have to assemble the core breach response team, which consists of senior IT leadership, legal, communications, and others. You will have to share the story (what you can, at rst) with the outside world—what happened, how the breach will aect them (such as the n eed to change passwords, protect themselves against identity theft, change credit card numbers), and how you are managing the situation. The negative side of the story is what happened and what risk has been created. The positive aspect of the story is what is being done to resolve the situation and to mitigate its impact. To the outside world, you want to focus as much as possible on what steps are in place to x what has been broken. This means the majority of what you communicate will be about your mitigation eorts, and what steps will be and have been taken to make sure it doesn’t happen again. This is why your plan is so importa nt: All the steps you can take, or the steps you need to decide whether or not to take, must be determined in advance.
8
Brochure | Executive breach response playbook
Respond efectively when breaches happen When it comes to security breaches, it’s not a matter of if but when they will occur. What separates enterprises when it comes to publicly reportable breaches are how the enterprise responds—their ability to identify what happened and why, rapidly respond to stop the attack, and communicate to employees, partners, shareholders, and customers in a way that maintains and even builds trust. HP helps organizations to establish the processes they need for optimal breach management. We rapidly deploy a highly skilled and experienced information security team and comprehensive security technology to help enterprises establish visibility, remediate issues, and put tactics into place that guard against future incidents. Forensic readiness: We can help you create a proactive plan to help your teams identify valid and malicious changes and produce the best possible digital evidence in the event of security incidents. This minimizes disruption and maximizes the technical information you need to make the best post-breach decisions possible. Security incident and breach response: Expert monitoring is always availa ble, providing detection and countermeasures through rapid, predetermined incident response. In the event of a breach, HP will dispatch a team of security experts on location to immediately contain the breach. We also help assess, investigate, and provide recommendations to reduce future vulnerability. E-disclosure: Following an incident, you’ll need accurate data capture, logging, and audit trail reporting for use in legal and regulatory investigations. Our specialists, many of whom have law enforcement experience, will help you through this collection process. Data recovery: One of the most challenging parts of a breach can be data recovery. Mitigate data loss or deletion consequences by designing and implementing processes for backup and recovery. Our experienced security services teams are on call 24x7 to act as your vir tual team or as an extension to your team to get you back in business. When a data breach occurs, HP will rapidly deploy an exper t and experienced information security team so you gain swift visibilit y into the incident, and you can respond condently to the marketplace and all of your constituents in a way that maintains trust . And, just as important, we can help you put into place ta ctics and technologies that will greatly reduce the risks of future incidents.
9
Brochure | Executive breach response playbook
Figure 3. Incident checklist
Before, during, and after checklist The time an incident occurs is not the time to plan and organize. It is a time for action. Here are some simple steps for you to consider and processes that need to be in place before, during, and after a breach event:
Before an incident Identify the individual owner and responsible party for all incidents. Identify core team responsible for all incidents (including individuals from legal, corporate communications, and HR). Ensure proper monitoring and tracking technologies are in place (such as firewalls, IPS, and anti-virus). Provide media training to the proper individual(s). Provide a company-wide process for employees, contractors, and third parties to report suspicious or suspected breach activities. Provide company-wide training on breach awareness, employee responsibility, and reporting processes.
During an incident Record the issues and open an incident report. Convene the core team.
Set up a technical bridge to discuss needs required to restore operations. Set up a management bridge or communication schedule to provide updates to executive management. Triage the current issues and communicate to executive management. Identify initial cause and activate needed specialists to respond to the current issues to restore operations.
Retain any evidence and follow a strict chain of evidence to support any needed or anticipated legal action. Communicate to affected third parties, regulators, and media (if appropriate)
After an incident Update the incident report and review exactly what happened and at what times.
Review how well the staff and management performed in dealing with incident. Determine whether or not the documented procedures were followed.
Discuss any changes in process or technology that are needed to mitigate future incidents. Determine what information was needed sooner.
Discuss whether any steps or actions taken might have inhibited the recovery. Determine which additional tools or resources are needed to detect, triage, analyze, and mitigate future incidents. Discuss what reporting requirements are needed (such as regulatory and customer). If possible, quantify the financial loss caused by the breach. Report findings to executive management.
10
Brochure | Executive breach response playbook
Why you need to act today Security-related and non-security-related threats have become not only more numerous and diverse but also more damaging and disruptive. New t ypes of incidents emerge frequently. Preventative activities based on t he results of risk assessments can reduce the number of incidents, but not all incidents can be prevented. That’s why a breach management response capability is vital for rapidly detecting incidents, minimizing loss and destruction, reducing business outage and customer impact, mitigating weaknesses that can be exploited, and restoring information systems services. The purpose of this framework is to establish processes and procedures to prevent, detect, investigate, respond to, recover from, and remediate all incidents that threaten or target an organization, its aliates, or subsidiaries. But it is important to recognize that this program is only the foundation to a good security strategy. Other components must be built upon this foundation, including: • Monitoring an ecosystem with proactive tools, such as IDS/IPS, rewalls, anti-virus, a nd Security Information Event Management (SEIM) • Eective alerts based on controls in place from the monitoring tools but that also recognize external data points and correlate big data elements • Routine testing of the technologies deployed as well as the processes that support sound breach management • Feedback mechanisms from testing or an actual breach event to examine needed updates to technologies and processes as well as strategic planning to avoid future disruptive incidents Our call to action is simple: Take the necessary steps to implement the program outlined in this simple guide. We are here to assist your organization with the most complete security portfolio in the market. We can work with you to improve your security processes and operations at every step.
Learn more at hp.com/enterprise/security See the Ponemon Institute report, The Importance of Senior Executive Involvement in Breach Response
11
You're Reading a Preview Unlock full access with a free trial.
Download With Free Trial
