BreachExchange mailing list archives

Data breaches: Be prepared or prepare to pay


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 7 Oct 2014 21:00:48 -0600

http://www.federaltimes.com/article/20141003/CYBER/310060009/Data-breaches-prepared-prepare-pay


Earlier this year, hackers attempted to access the Office of Personnel
Management’s database files of thousands of workers seeking high-level
security clearances. It wasn’t the first such cyber attack from abroad
against a U.S. agency, and it certainly won’t be the last. Fortunately, the
alleged perpetration was detected and quickly blocked, and agency officials
gave assurances that there had been no loss of personally identifiable
information. But, as we know, not every cyber attack is so successfully
thwarted. Could your agency act as promptly and as successfully? Unless
your agency has an extra $5.4 million on hand, the average cost these days
to repair a critical data breach, you should read this short primer on
data-breach preparedness.

Meeting these increasing threats begins with one key proactive step: The
creation of a response team led by a team leader that will develop a
data-breach plan that must be updated, audited and tested every six months.
Team members should include the agency director or an appointee from the
senior executive service, as well as members of the security and public
affairs offices and, of course, the IT staff.

The team creates a response team roster for its members and supervisors
that will include names, contact information, proper precautions and
procedures. The team leader is the intermediary between the members and
managers, coordinating the overall response, managing timelines and
documenting all efforts to repair the breach. The security and IT members
instruct personnel on how to secure their offices and equipment promptly,
take infected machines offline and preserve evidence of the breach for
possible legal action. Additionally, consider contracting with a private
data-breach resolution vendor — in advance of a breach — that will assign a
dedicated account manager to your agency and step in to assist when a
breach occurs. Your manager will handle escalations, tracking and reporting
of the breach as well as offer secure services, such as notification, call
centers and protection products for victims.

In addition to an agencywide training focus on breach preparedness and
resolution, team members have specific responsibilities, including working
with employees to integrate data-security awareness in their daily work
habits. The teams also should develop data security and mobile policies and
keep them current, invest in proper cybersecurity devices and firewall
protection, and limit the types of both hard and electronic data that
employees can access on a need-to-know basis.

Once a breach is detected, quick action by the team can help mitigate the
incident and its consequences. The team promptly implements the response
plan, engages the proper resources and tracks the remediation efforts. The
IT staff and security personnel take the lead in plugging the breach and
bringing the machines back online after they are fully scrubbed for viruses
and other possible malware infections.

It’s important to create a data-breach incident checklist to collect,
document and record as much information about the incident as possible and
the specific steps taken to fix it, including why the steps were taken. If
your agency has confidential or highly classified data, the security team
member will call in relevant law-enforcement agencies to identify
compromised data without compromising evidence.

Depending on the size and nature of the data breach, it may also become
necessary for the public affairs team member to alert the media and the
public. Keep in mind that it’s your agency’s responsibility to comply with
laws and regulations on citizen and law-enforcement notifications, which
can be a requirement under certain circumstances. Therefore, it’s important
to review and stay up to date on both state and federal laws governing data
breaches in your industry as well as state notification requirements. Such
steps help limit the damage to personal data, preserve the agency’s good
name and save it from the embarrassment of having to acknowledge the breach
after the fact. Those affected should be contacted through the agency’s
call center, by email or through the U.S. Postal Service, and told how the
breach might affect them and what steps they need to take to safeguard
their personal information.

Remember, by being prepared for a data breach, you can mitigate its
malicious intent.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss