Developing a Data and Cyber-security Incident Response Plan

A cyber-incident response plan customized for your organization’s operations and systems is critical to managing response efforts and mitigating damage from a data or cyber-security incident. The accompanying checklist provides a good start for what should be included in the response plan, but a truly effective plan includes more details, particularly assigning individuals to specific responsibilities.

Ensure that requirements of MCIT coverage are part of the response plan:

  • Notify MCIT of the incident through the online member portal as soon as practicable. Be sure to assign specific individuals to do this and ensure they have active credentials for the member portal. In a ransomware incident, immediately call MCIT in addition to submitting electronic notification.
  • Provide and maintain:
    • Physical security of the premises
    • Computer systems and hard copy files
    • Computer and Internet security
    • Backups of computer data
    • Transaction protection (e.g., for processing credit cards, debit cards, check payments)
    • Protocols for securely disposing of private or sensitive files
  • Participate in a phone consultation with the MCIT-assigned breach counsel prior to notifying individuals affected by a data breach or compromise.
  • Do not admit liability, incur any expenses or assume any obligation without the prior consent of MCIT/MCIT’s breach counsel. Expenses incurred prior to MCIT’s approval are the member’s responsibility.

Remember as you develop your data and cyber-security incident response plan that MCIT/MCIT’s breach counsel may engage IT forensic experts as necessary to assist you with an incident.

Cyber-incident Response Checklist

The Cyber-incident Response Checklist includes some of the activities that may be appropriate for your organization to undertake in the event of a data or cyber-security incident. The activities described do not represent an exclusive list. The best practice is to establish and follow a cyber-security incident response plan prior to experiencing an incident.

Response Plan Resources

In developing your response plan, you may want to refer to the following materials. Keep in mind that none of these is likely a perfect fit, but each provides valuable nuggets to apply to the development of a plan that works for your organization.

  • Incident Response Plan* from ID Experts® Breach Services offers a detailed guide for developing a customized response plan that includes incident response team roles and responsibilities, policies and definitions, personal health information inventory and risk assessment, discovery, investigation and response. The document also includes worksheets, reference materials and incident response scenarios and how the response process might be used for each.
  • Data Breach Response: A Guide for Business from the Federal Trade Commission suggests actions for an enterprise to take after an incident.
  • Essentials of Data Security for Public Entities from MCIT is an entity-wide guide to strengthening a member’s data security. Chapter 3 offers incident preparation, response and recovery best practices.
  • Federal Government Cybersecurity Incident & Vulnerability Response Playbooks from the Cybersecurity & Infrastructure Security Agency (CISA) are a set of operational procedures established for federal civilian executive branch agencies in planning and conducting cyber-security vulnerability and response activity. Although this is developed for federal government agencies, it is a detailed example of a strong incident response plan structure that local governments may want to use as a model.

Practice, Modify Response Plan

Once your organization establishes a data and cyber-security incident response plan, you should practice it under different circumstances. These tests highlight shortfalls of the plan so you can adjust and improve it. For example, if the plan indicates that you can restore data from backups within four hours, but the reality is 24 hours, the plan should be adjusted to account for this time difference.

One way to test the response plan is to conduct tabletop exercises using various scenarios. Several sources offer prebuilt exercises at no cost, but they should be modified to fit your organization’s circumstances. A quality tabletop exercise should also be well planned before it is conducted. This may take several months.

Sample tabletop exercises:

  • Cyber-security scenarios from CISA include scenarios for ransomware, insider threats, phishing, local governments, early voting, election day voting, elections vote by mail and vendor phishing.
  • Tabletop exercise package documents for facilitators from CISA include the details of how to plan and conduct a successful tabletop exercise. The package includes an invitation, fact sheet, handbook, feedback form and after-action report.
  • Ransomware Attack Response* walks an organization all the way through the first signs of trouble, discovery of further issues and determination of ransomware attack to decisions that need to be made to manage the incident and the consequences of those decisions.

Further Assistance for Members

Members with questions about cyber coverage offered through MCIT or incident preparedness and response best practices are encouraged to contact their MCIT risk management consultant at 1.866.547.6516.

MCIT also provides access to eRiskHub.com/MCIT to all members. This is a restricted site offering a curated collection of cyber-security resources. It includes materials to assist in developing data and cyber-security response plans, employee awareness training and other cyber-security information. Members must create an account to enter eRiskHub using the MCIT access code, which is available by contacting MCIT.

*The user must log in to eRiskHub.com/MCIT to access the document. Contact info@mcit.org to acquire the MCIT access code to set up an eRiskHub account.
