6 Steps to Create an Incident Response Plan

It is important to understand the difference between a security incident and a data breach. For example, the recent LinkedIn data scraping is a security incident, but not a data breach, since classified information was not leaked. How your organization responds to a breach is your incident response (IR). It covers how your organization identifies a breach, what steps are taken to contain it, and how it recovers from the breach. Given the degree of sophistication that hackers are able to achieve, clearly no organization is breach-proof. Therefore, it is critical to plan your incident response in advance. Here is how you go about it.

Plan Your Response Before a Privacy Breach Occurs

Every organization should prepare a document that clearly outlines the procedure to be followed in the event of a breach, what steps need to be taken in such an event, and, most importantly, whose responsibility it will be to see the response plan through. Once the document is ready, all concerned personnel should be trained to ensure that everybody is on the same page as to who has access to what. Breaches often occur when there are modifications to access controls, or when someone who has left an organization continues to enjoy access. It is vital to monitor access continuously to prevent security incidents.

Go step by step:

The first step is obviously creating a framework that identifies sensitive assets after conducting a comprehensive risk assessment. The security team needs to know which security incidents they must focus on. This includes continuous monitoring of all PCs and laptops connected to the corporate server. In the case of a health facility or hospitality unit, all removable and fixed devices linked to the central server should be identified. Establish access controls with multi-level authentication so that a casual login does not grant access to classified data.

Containment and Eradication Should Follow Identification

As soon as suspicious activity is identified (it takes only one careless employee opening an attachment from a malicious source, or clicking on a link, to expose the entire network), the first step the IT security team should take is to isolate the affected segment and delink it from the rest of the network to contain the breach. Following that, a thorough cleansing should be carried out: all malware must be identified and removed. All healthcare covered entities are required to follow a prescribed regimen to report a breach to the Secretary of HHS. There is official guidance from HHS on how to render unsecured protected health information (PHI) unusable, unreadable, or indecipherable to unauthorized individuals, which all covered entities would do well to read and act upon.

List the Activities During IR, and the Chain of Communication

The security team should know the proper sequence of actions, and who should be informed at each point during the incident response activities. There should be thorough documentation at every step of the way to establish due diligence in case of audit or litigation. When sensitive data pertaining to the organization is breached, the after-effects will be felt at every level, as there is sure to be an adverse impact on revenues. If a computer security incident response team (CSIRT) is created when drawing up the company’s security and data privacy policies and procedures, you will have given your organization a head start.

If You Think You Don’t Need an IR Plan, Think Again

Regardless of the industry vertical you operate in, you should understand that no organization is too small or too big to be attacked. You need the IR plan to protect your data, your reputation, your customers’ trust, and your bottom line. Secure offsite backup of data (in the cloud, or simply at a physical site different from where the main operations are carried out), coupled with proper identity and access management to avoid insider threats, identifying anomalies that point to suspicious activity, and leveraging logs and security alerts to detect malicious activity, will save you many headaches down the line. Your IT department needs to ensure that the security patches that many software manufacturers release periodically are applied promptly and regularly.

Follow These Six Steps When Drawing Up an Incident Response Plan

  • Use qualified, routinely trained cybersecurity personnel to manage cybersecurity threats and responses. These can be third-party actors.
  • Notify the NYDFS about all cybersecurity events that carry a “reasonable likelihood” of causing material harm.
  • Limit and monitor the access privileges granted to users.

Consequences and Penalties for NYDFS Cybersecurity Regulation Violations

Currently, there are no details regarding the fines a covered institution will incur for violating the NYDFS Cybersecurity Regulation. However, the NYDFS clearly states that penalties will be imposed on covered institutions that fail to comply with the Regulation.

In March of 2021, the New York Department of Financial Services fined a mortgage bank $1.5 million for violating the Cybersecurity Regulation.

How Papaya Can Help Keep Your Company in Compliance

In order to avoid paying a hefty fine to the NYDFS and incurring other penalties that can harm your organization, it’s vitally important to have a well-organized system for complying with all aspects of the NYDFS Cybersecurity Regulation. This is where Papaya can help.

Here at Papaya, we offer a software solution designed to keep your organization in compliance with the NYDFS Cybersecurity Regulation. Our software helps you easily organize, manage, and reduce your cybersecurity risk using the NIST Cybersecurity Framework.

Papaya helps your organization align with all five core functions of the NIST Cybersecurity Framework:

  1. Preparation: Put very simply, the first step is the preparation of the plan, which outlines the policy and the response strategy, documents both, communicates them to the concerned personnel, trains them, and establishes access controls.
  2. Identification: To respond to any kind of event, it must first be identified. This process is kick-started by monitoring, and the right people are notified once an incident is identified.
  3. Containment: Identification needs to be followed up with containment and recovery. The segment that has been impacted should be isolated and de-linked from the network.
  4. Eradication: Once an incident occurs, your CSIRT can swing into action to carry out root cause analysis, which is vital to identify vulnerabilities and take corrective or mitigating action. All malware should be removed, and every system should be secured.
  5. Recovery: Recovery is not simply plugging the holes, but also testing and verifying so that normal operations can be restored at the earliest opportunity.
  6. Learn from the incident: The IR is wasted unless your CSIRT learns how to improve its performance and establishes a benchmark for future comparisons. Consider the fact that the severity of cyberattacks is increasing, while organizations are taking longer to identify and respond to them.

Takeaway: You do not want to be one of those organizations that are clueless about the kind of response plan they must have in place when hit by a data breach. Recognize the dangers of an outsider lurking in your IT systems, and the golden opportunity you are offering them to steal your data and/or cripple your organization. You should act accordingly.