Breach Response 101: Educate Your C-Suite & Board of Directors

Between the Q1 market response to retailer breaches and the Heartbleed Bug Vulnerability, organizations of all sizes are assessing and reviewing their internal and external incident management policies, standards and procedures. The pace at which incidents can go viral requires communication to be coordinated at all levels within an organization. A challenge for many companies is helping executives understand the scope and type of privacy and security incident response plans their organizations maintain and the extent to which they are tested and updated.

Risk committees, audit committees, and Boards of Directors likely all have different perceptions and understanding of what procedures exist. However, when CFOs and CEOs are required to testify in Congress, with televised and internet coverage, they need more than talking points when speaking to incident response.

While most organizations have specific organizational readiness plans for different types of incidents, executives are likely more familiar with the differences between disaster recovery and business continuity plans than with the subtle nuances between security incident response, crisis communication, and incident notification.

Keep it Simple: Structure key messages on the types of incident processes and key concepts that exist within your incident management program

Develop an education plan for all levels of management to identify and differentiate the common components included within incident management processes. Create the elevator pitch and succinct definition of the key components in your incident management approach so that all levels of management can describe in simple statements what processes exist.

  • Understand the basics of Security Incident Response Plans
    Purpose: Quickly respond to a suspected or detected breach to protect sensitive data and information
  • Explain the scope and nature of Crisis Communication Plans
    Purpose: Ensure a timely, effective communication response to an incident that protects the brand and business
  • Describe the Incident Notification Procedures
    Purpose: Understand and follow all notification obligations and requirements following a privacy or security incident

Effective incident management is based on an incident lifecycle and requires integration between multiple processes. A common misperception is that incident response is a straightforward, sequential process. The reality is that privacy and security incident management requires three-dimensional thinking and close coordination and communication between all participants in each process.

Conduct Lessons Learned Events

Most organizations conduct periodic tabletop exercises or testing of their incident response plans. However, sometimes the best learning is by experience, either from real-life incidents or from taking examples that went well and asking “what if?” things had gone differently. Practicing or discussing the linkages between plans helps you mature your incident management processes throughout the incident lifecycle.

  • Focus on your crown jewels – know where your biggest risks are, and focus your planning on the scenarios that could have the biggest impact
  • Follow your data – know where your data is, and who is accountable for its security, operations, and management
  • Don’t forget about social media – PR and communications teams need to be involved not only in “real” events, but in “reel” events, where you practice as if you were filming a movie. Given the pace at which news goes public, integrate communications into your test planning
  • Update call trees and escalation processes – organizations change all the time. Knowing who to notify, who to inform, and how to communicate is critical to success. Make sure you know who is Responsible, Accountable, Consulted, and Informed (RACI) for all phases of incident management.

Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Forward Banker