Invitation to Cybersecurity

help determine what happened and who is responsible. Next, key leadership needs to be informed so they can start carrying out the plan. Part of the leadership could include members of the board of directors and legal counsel. There are people who specialize in cybersecurity incident response—they show up on site immediately after an incident and help the organization investigate and recover. This is a field of cybersecurity adjacent to ethical hacking and cyber defense—workers in this field know the tricks of the hacking trade and are experts in cyber forensics. If the organization has a contract with such an individual or company, they would need to be contacted right away. It is important in this step that everybody can be reached. Email could be down due to the incident, and even if it is not, people may not be checking their email, so phone calls, text messages, and other methods of communication need to be identified. At a minimum, people’s personal phone numbers need to be readily available. If numerous people need to be contacted, a call chain can be established that gives different people responsibility for contacting others.

The next phase is to communicate. Communication will continue through the remainder of the response and recovery as progress is made and updates become available. Leadership must decide who else needs to be informed, when, and what level of detail needs to be shared. At some point, all the employees of the organization might need to be made aware that an incident has occurred. They may be asked not to come into the office until further notice. It is also possible that customers need to be notified. This could be through a mass email, a social media post, or a notice posted on the company website. The company also needs to determine how it should respond to media requests. What should an employee say if a reporter contacts him? If he is not coached ahead of time, he may divulge sensitive information or make inappropriate statements that make the situation worse.

After communicating, the next phase is a detailed assessment. How did the incident happen? Is it contained? Is the original vulnerability fixed? This could be facilitated by a company that specializes in incident response and by law enforcement.

Lastly, the organization can begin reconstituting. As they do this exercise and imagine what it would take to become fully operational again in the wake of an incident like this, they can determine what corrective controls would need to be in place.

The final part of the process is performing a post-mortem. A post-mortem in a business context is a review of an incident after the fact to improve the process going forward. While a post-mortem after an incident will always identify things that could have gone better, too many “I wish we had thought of that” moments indicate poor preparation and a deficient DRP.

This overview covers only the basics of a DRP. An actual DRP would need to be more detailed and cover more aspects of the incident response and recovery process, including when and how to notify law enforcement. The point of a DRP is that these plans are made before an incident occurs, when the right people are in the room and there is no
