IAPP Practical Privacy Series Recap: Common Shortcomings of Incident Management and Breach Notification Procedures
The International Association of Privacy Professionals (IAPP) always does a wonderful job of inviting speakers with a variety of backgrounds to their sponsored events to deliver a comprehensive perspective on the issues pertinent to IT security and privacy. After attending the Practical Privacy Series’ Data Breach program in Washington D.C., it was clear that across all major industries, professionals from the legal, IT, and business ranks are consistently seeing the same shortcomings in enterprise incident management and breach notification procedures. These shared observations, forged into the listing of recommended best practices below, feature important aspects of adequately planning for, reacting to, and communicating IT security and privacy incidents.
Publish an incident response plan with distinct definitions
Your incident response plan should be available to all personnel and clearly define key terms. It’s become all too common for policies and procedures to use words like “incident”, “event”, and “breach” interchangeably to the point that it’s confusing and negatively modulating the escalation process. Some situations aren’t getting the attention required right away and some are being blown out of proportion. Based on industry standards, the use of “events” should refer to activity worthy of examination, “incidents” should refer to matters concerning IT operations, security, privacy, and “breaches” should refer to instances where unauthorized entities acquired unsecured information.
Log and review system activity
Undeniably, timeliness in the course of incident management is top priority. On the whole, the longer it takes to identify, diagnose, and remediate a security or privacy situation, the more harm can be done. In this vein, failure to log and monitor system activity was clearly the biggest point of concern for those speakers who were veterans of crisis management and breach investigation because it’s the most effective way to detect suspicious events early. This is an observation I too have had in the field on more than one occasion. A continual review of login history, powerful account actions, significant transactions, etc., performed at a frequency commensurate to the size of your IT environment, is merely an investment of personnel and time. Do it.
Leverage risk assessments to accelerate your incident management process
To focus and drive your procedures from the point of incident identification, leverage the results of your most recent risk assessment. Your risk assessment exercise should involve mapping the IT landscape, determining where significant and sensitive data resides, and classifying all possible risks on a scale of criticality. Instead of immediately kicking off the long and arduous incident management process, first consider what the impact of the incident is based on the type of threat and nature of the effected information; you’ll most likely be able to expedite incident analysis. Furthermore, you may not even have to fully go through all of the hassle if you identify the situation is of lower risk.
Establish clear lines of communication
To promote efficiency during the incident management process, outline very clear lines of communication for your personnel. In your incident response plan, do not simply designate the responsibilities of ambiguously named teams in your organization; detail the roles and contact information of each specific point of contact (and their backups) involved in the process as well as the recommended way to reach them. Prepare your personnel by acquainting them with those points of contact in advance. Also, stress the importance of persistence to your personnel when trying to escalate incidents.
Involve your legal counsel early
When IT security and privacy incidents are identified, many organizations are waiting too long to involve their legal arm because they feel like circling in the lawyers means the situation at hand is grave. Don’t do that. Only your counsel is able to present all of the legal obligations and considerations that must be accounted for.
Please carry these takeaways with you in hopes that they can help tune your incident management and breach notification process. Continual improvement is critical as new threats emerge and laws and regulations are promulgated. By keeping a modern set of procedures, you’re investing in the welfare of your enterprise and in the preservation of your reputation.
About the Author
A manager with Schellman, Zach Schmitt has a concentration in IT security and privacy in the Washington D.C. attestation and compliance practice. He is a member of the International Association of Privacy Professionals (IAPP) and endeavors to share his observations and feelings on the certain evolution of data security and privacy. Zach is a graduate of Virginia Tech and has BAs in Accounting & Information Systems and Marketing Management.