When the GDPR comes into effect in May 2018, every organisation that stores, processes or transmits personal data will need to have a watertight data breach response plan in place.
Thankfully, such plans are only there for when the worst happens, and the following ten-step process is intended to ensure your response aligns with the official guidelines from the ICO and the GDPR.

For an incident response (IR) plan to be effective, you need to start by involving the people who will own the IR documentation. You’ll also need to identify what matters most to the business, its culture and how it currently responds to incidents.
Set roles and responsibilities that enable IR to become a business-as-usual practice. Staff need to understand what constitutes a data breach if they’re to effectively respond in future.
If the IR plan only resides within your IT team, it won’t be adopted as standard practice by the entire company.
You need to work on inter-business collaboration from the start by bringing in stakeholders from each department.
Without clear key performance indicators (KPIs) relating to data breach responses, your IR plan will be subjective.
Common KPIs for data breach responses include the time taken to detect and report an incident, the number of false positives and the security tools used to spot the incident.
An IR plan that isn’t thoroughly tested isn’t a plan at all.
For yours to be watertight, it needs to be stress-tested. This is a process that should involve all stakeholders and address weak points within the business.
Test, test, and then retest again - even if you need to schedule a full day to do so.
As cybercriminals evolve, so too should your IR plan.
Once developed, it shouldn’t be filed away for safe keeping; this is a living, breathing policy that must marry a robust framework with the flexibility required to address every situation encountered.
You’ll need to define which incidents need to be acted upon and those that can be ignored.
The security team should only be tasked with resolving the most serious issues, so if you define clearly what constitutes a data breach, resources can be deployed where they are needed.
The incident handling guide from the National Institute of Standards and Technology provides incident categories which you may find helpful at this stage.
The job of analysing security breach reports should fall on the shoulders of an IR team, led by a seasoned IR analyst.
Depending on personnel, this team can be internal, external or a mixture of both. Just bear in mind that the tasks they’ll undertake will require significant experience in incident response.
Incident response plans rely on a deep understanding of the business network, detection of the attacker, solid team communication and suitable alerts.
Threat intelligence software and comprehensive visibility of the network are therefore vital; ensure your IR team has the resources available to implement the right tools.
Article 33 in the GDPR details the exact process for notifying the supervisory authority should a personal data breach occur.
Ensure all stakeholders within your IR plan familiarise themselves with the five-step process.
The ICO offers a more comprehensive guide which details the information breach notifications must contain.
An IR plan can’t play out if there isn’t a solid communication strategy to support it.
If a breach occurs, it’s essential that third parties can be notified quickly and internal teams kept abreast of the latest developments.
Law enforcement and possible breach remediation providers may also need to be notified and PR contacts readied with statements should the press take an interest.
Just because you hold personal data doesn’t mean a data breach is inevitable. It simply needs to be planned for, and if you follow our steps to create a watertight data breach response, you can feel safe in the knowledge that you’re doing the utmost to keep the personal data within your organisation safe.