The Right Stuff: Building an Effective Cybersecurity Incident Response Team
October 17, 2017 at 08:21 AM
The original version of this story was published on Law.com
I. A Multi-disciplinary Team-based Approach to Incident Response
A well thought-out and practical incident response plan is a key component of any comprehensive information security program. But organizations often make the mistake of categorizing the incident response plan as an “IT issue” or a “legal issue.” A cybersecurity incident that results in a breach is an “issue” that affects several parts of the organization. Thus, the plan to respond to an incident should involve several parts of the organization.
For those of you who are not sports fans, please indulge me for a moment. An incident response plan involving only one department of an organization is like a basketball team where every member plays the same position. Like a team full of centers, the resulting plan may be so focused on defense and blocking that proactive steps such as early contact with law enforcement may be seen as too “risky” to include. As lawyers, we can often be so focused on the legal ramifications that we miss some of the practical business considerations of incident response. For example, as lawyers, we may want public communications to state the bare minimum regarding a breach; only what is legally required. But making a minimalist statement may result in a public relations backlash for failing to disclose critical information in a timely manner. We need the other positions on the team to put our advice in context and achieve a “winning” result. An effective incident response plan is both a product and a tool of a multi-disciplinary incident response team (“IRT”).
Like building a successful sports team, crafting an effective IRT includes (1) identifying the necessary internal and external IRT members, (2) considering the strengths and weaknesses of each position and assigning roles and responsibilities accordingly, and (3) training the team members through practice to work together toward a common goal. Several publications can provide the basis for an adequate incident response plan. See, e.g., National Institute of Standards and Technology (NIST) Special Publication 800-61 or International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27035. Instead of focusing on the content of the plan, which is covered by those publications, this article will focus on assembling a team to (A) craft the incident response plan that will be most effective for the organization and (B) execute that plan in the event of a cybersecurity incident.
II. Identifying the Necessary Team Members and Their Strengths and Weaknesses
An effective IRT often includes the following members:
Position | Internal Member(s) | External Counterpart(s) |
Information Technology (“IT”) | | |
Legal and Compliance | | Outside Counsel |
Business Management | | Outside Counsel |
Public Relations | Chief Marketing Officer or Communications Manager | Public Relations Firm |
Risk Management | Risk Management Specialist | Insurance Consultant |
A. Information Technology
Internal IT Department
The IT department of an organization is probably the most frequently thought of team member when it comes to responding to cybersecurity incidents. In many ways, the IT department (or security department embedded within the IT department) is the base of the pyramid in incident response planning. It will likely have the largest number of IRT members and will be relied upon for information on which other team members will act. The IT department will likely serve as the primary point of contact for many of the external IRT members. For example, the IT department will coordinate with the technical forensics consultant to determine the operational impact of a cybersecurity breach and remediate the effects. The IT department may also provide outside counsel or a consultant with the names of individuals that the breach may have affected for purposes of compliance with breach notification laws.