HP - Executive Breach Incident Response Playbook.pdf

7/23/2019 HP - Executive Breach Incident Response Playbook.pdf

http://slidepdf.com/reader/full/hp-executive-breach-incident-response-playbookpdf 1/12

Brochure

Executive breach

response playbookHow to successfully navigate the enterprise through a serious data breach



2

Brochure | Executive breach response playbook

Introduction

No matter how eective the technical response to an enterprise data breach, it ’s the executive

suite that drives the public’s perception in times of crisis. In fact , it is the executive team’sleadership that will help guide the entire enterprise response after the breach—which could

last for days, weeks, months, and even years depending on lawsuits and regulatory response.

Although it’s never easy to respond to something as challenging as a publicly disclosed data

breach, it can be done if the executive team gets the information they need in time. That is, if

the technical information is accurate and comprehensive enough to make eective decisions,

and all of the communication channels are in place and ready. Sounds straightforward, but it’s

not always. It takes executive leadership to make sure the resources and the plans are in place

to execute well. And it takes considerable practice. This playbook will help get you there.

In most organizations, senior leadership, including the CEO, are seriously underprepared for the

job. A recently HP-commissioned survey from the Ponemon Institute, “The Importance of Senio

Executive Involvement in Breach Response,” shows how systemic the challenge is at most

organizations: A startling 57% of CEOs have not been trained on what to do after a data breach,and more than 70% of executives think that their organization only partially understands the

information risks they’re exposed to.

There’s a serious disconnect here. According to the Ponemon Institute report, The Importance

of Senior Executive Involvement in Breach Response, senior executives know that their

involvement in the incident response process is critical to success—but they don’t believe

that they are accountable for data breaches. In this report’s survey, 79% of respondents say

executive-level involvement is necessary to achieve a successful data breach response, while

70% believe board-level oversight is also crucial. Unfortunately, the same survey found that

only 47% are up to date on their internal data breach response processes, and only 45% think

they are actually accountable.

Perhaps most troubling is that only 44% believe that their own enterprise’s incident response

process is either proactive or mature.

Many great resources are available that are geared toward the technical response that

organizations must perform when faced with a data breach incident; however, little has been

written on how the executive team should prepare to respond. The goal of this paper is to help

ll that gap and provide executive leadership with the ideas and tools they need.

Perception. Priorities. Protection.

Executive team to-do list

• Prepare a data breach response plan.

• Ensure the executive team can execute it.

• Have a solid understanding of the situation.

• Know what is at risk.

• Plan responses and processes for all

constituencies.

Figure 1. How prepared is your organization to deal with data breach?

4%

17%

33%31%

15%

35%

30%

25%

20%

15%

10%

5%

0%

Level 1 Level 5Level 2 Level 3 Level 4

Level of readine ss: From 1 (low) to 5 (high)

Source: Ponemon Institute “The Impor tance of Senior Executi ve Involvement in Breach Response” September 2014.

As gure 1 shows, senior executives believe the

current state of breach preparedness is more

reactive (immature) than proactive.



3

The importance of establishing a game plan

Many enterprises are already breached, and they don’t realize it. Look at many of the recent and

widely publicized data breaches. These organizations had been inltrated for months, with data

being continuously stolen, before the successful attacks were identied. There’s no avoiding it.

The probability is that you will be breached, and not once or twice but multiple times over the

upcoming years.

Without an executive data breach response plan that is designed to work in tandem withyour organization’s more technical digital investigations and response plans, any data breach

incident can go from bad to worse very quickly—especially when it comes to maintaining the

trust and condence of your customers, partners, and shareholders. In fact, if the executive

team does not plan for the data breach—and be able to execute that plan—it is, in eect,

planning to fail in its ability to react swift ly to the legal, regulatory, customer, employee, and

shareholder fallout.

The risks associated with executive missteps during the days after a data breach disclosure

are not unlike responding to any other type of disaster. The team needs to have a solid

understanding of the situation, know what is at risk, and be able to speak to each constituency.

Many executive-level risks are associated with data breaches. For instance, your team needs to

know whether to announce the data breach and when the timing is right to do so. There’s risk in

waiting too long to tell the public—both from regulators’ and public backlash— and there’s also

serious risk associated with announcing too soon. If the right processes are not in place and theexecutive team doesn’t understand the nature of the breach, the known facts can change, and

public statements will have to be altered accordingly. Not good.

Conversely, knowing how to talk with the technical teams and understanding the potential

business impact and the technical cause can help you execute the right course of action. That

course assures employees, customers, and shareholders that the enterprise can—and will—

safely navigate through with minimal costs or impact to delivery of customer services.

Additionally, public disclosures of certain types of data breaches are becoming mandatory. In

the United States, nearly every state has a data breach notication law regarding personally

identiable nancial account information involving its citizens. The E.U. is working on its own

data breach notication requirements under the ePrivacy Directive. There are also data breach

notication laws and guidance that involve disclosing patient health data and even for publicly

traded companies, should a breach involve data that could aect revenue.

That’s why it is critical to have your executive data breach response playbook in place. Because

in the event of a data breach emergency, such as the triggering of any of the regulatory

mandated responses above, you need to know precisely what to do and who your key

players are. If you don’t have this in place and ready to go ahead of time, you waste valuable

time—the vital time needed during a crisis—and are forced to build the plan on the y, which

exponentially raises the danger of highly public missteps.

For all of these reasons, having your executive data breach response plan in place will provide

the means for successful leadership through crises.




4


Successful leadership through the breach

Although most of the conversation centering around data breaches today focuses on the technica

enablement of the breaches, there’s always much more to it than that—especially when a

breach involves signicant or sensitive data. The type of data and their quantity are important.

In fact, there are many other considerations. More often than not, there is a criminal

investigation, an e-discovery process, and countless other pressing media, employee,

shareholder, and especially customer considerations.

Each constituency has dierent immediate needs. While law enforcement is going to want to

keep breach details and anything relating to its investigation quiet, the media will want to know

details and will push hard for them. Industry and government regulators are going to havequestions of their own. The call center is going to need to know what information to provide

customers to help keep them calm and even take measures to protect their identity if necessary.

Legal will want to be t ightlipped, too, while your PR teams will want to be more communicative.

They have good reason, too; media reaction is crucial. And shareholders are going to eagerly

await news of any potential impact on earnings. It’s a ne needle you are going to have to

thread, because each constituent’s concerns and needs are real and will have to be met

properly and at the right time.

One of the most important things that hav ing the response plan in place does for your

organization is enable executives to focus on these messages. That surely beats being reactive

and forced to assemble the team, carve out responsibilities, lines of communication, and

various plans of action. With the plan in place and everyone knowing what to do, executives

can speak to employees, shareholders, and customers with the necessary condence that thesituation is under control. This will greatly help you avoid potential missteps that hurt trust and

condence in the organization.

Remember that employees, partners, shareholders, and customers will be looking at how

executives are going to respond: Have they taken ownership of the situation, what are they

going to do about it, what actually happened, and how will it be resolved?

Basically, what the world is looking for is leadership. And this is just as true in a data breach as

any other type of emergency or crisis.



5

Into the breach: Scenario exercise ideas

Data breach situations can unfold in countless ways, and conditions similar to the scenarios that

follow can occur in any organization. They show how small missteps can potentially grow into

big public mishaps.

Take a look at these scenarios. Then ask yourself how prepared your organization is to respond,

what processes you have in place to respond, and how well other team members would be prepared.

Breach scenario #1: A large national retailer ’s point-of-sale (POS) system is breached,

with millions of credit cards stolen

It all started simply enough. A virtual server crashed. It was only by luck that an observant

administrator noticed something strange within the error code. Eventually, the related logs

and an image of the virtual server made it to an internal security analyst, who identied the

problem: A small, mysterious piece of software was actually an exploit designed to breach an

inventory system that was connected to the retailer’s national POS network.

If credit card data les were breached, it would require a public disclosure. The breach was

too close to credit card data for comfort, and the preliminary forensics examination couldn’t

determine if the attack was successful. Also, the potential credit card breach couldn’t have come

at a worse time. A string of retail breaches had just been announced over the holiday period.

Tens of millions of people had been aected. As a result, the retailer’s credit card security was

all over the news. The press was not going to let go of this story.

Days later, the investigation into the log les still had not provided as clear a picture as the

digital forensics and incident response team would have liked. But it was determined that the

initial breach occurred at least three years ago.

The good news is that the most recent attack activity was thwarted. The bad news is that

although the complete attack trail isn’t clear, the attackers did manage to access the POS

system and capture credit card payment data as it was being processed. It was not known what

other data may have been aected.

The appropriate law enforcement agencies will be notied soon. Now the executive team must

prepare for the public announcement to customers and shareholders. And they must give

employees the information they need to service customers and answer their questions in a way

that keeps morale high. In the meantime, the digital investigation teams will keep digging formore details and facts that can be established.

Breach scenario #2: Contract manufacturer discovers its proprietary processes and

customer intellectual property stolen

An international contract manufacturer noticed an overseas competitor was producing product

in a way that precisely resembled its own. An analysis conrmed that the competitor was using

certain plans and even software code identical to what it was producing. If that wasn’t bad

enough, the intellectual property of several of its customers had also been stolen somehow. If

the situation isn’t handled properly, the manufacturer could be forced out of business.

Following a signicant investigation, it became apparent that a disgruntled employee had

walked out with proprietary information on a ash drive. An investigation into the type of data

stolen, who had access to that scope of information, and other fac tors narrowed the list of

potential thieves to a few. When examining a number of employee laptops, it became clearwhich laptop was used. Data from multiple servers were copied to the notebook’s drive and

subsequently copied to a USB ash drive. Customers would have to be notied—and so would

shareholders. A breach of this magnitude could drive away customers—current and future—

and signicantly impact revenue.


Are you prepared to respond?

You discover that your proprietary processes and

customer IP were stolen.


Your POS system is breached and millions of credit

cards stolen.



6

Breach scenario #3: Regional hospital awakes to data breach nightmare

The scenario begins when the director of communications reports that a journalist f rom one

of the weekly business magazines called to say a large le of patient records has been posted

somewhere online.

The news hit fast and spread wide. Thousands of records were dumped in a popular le-sharing

site: Patient names, contact information, and insurance information were in one set of les;

patients’ prescription histories and some doctor visit information in another.

It’s a PR nightmare, but one that happens all too often—before there’s a chance for an

investigation to even get underway. How did the breach occur? What can be said to patients whose

information was leaked, as well as those who have not been aected? What will the regulatory

fallout be? The team needs to be assembled, and answers need to be uncovered—quickly.

Any conversation with the media would have to be punted until more details were known.

Meanwhile, regulators called, wanting to know details about the incident. But the hospital

can’t answer much more than verify that the data les appear to be authentic and from their

organization. The next call was to law enforcement.

In the hours and days that followed, the source of the breach was identied as being the result a

web server inltration. The decisions and steps made in the upcoming days will have a profound

impact on how regulators react, as well as the trust that is saved or lost in the eyes of patients.

The next section can help you determine how your organization would respond. You’ll be able

to identify any gaps in your process and how you should remedy them if a publicly reportable

breach occurs.

Building an efective executive data breach response plan

Much of the discussion about data breach response commonly focuses on the technical

response. The executive data breach plan centers on what is known to have happened

technically and what this damage will mean from a business perspective, and then eectively

managing any negative impact and putting forward the best public response possible.

This requires that good processes and communication be in place, along with the ability to

eectively execute the plan.

You need to assemble a core team of executive leaders to help manage the response. In

many cases, it would be the same team charged with managing a business continuity plan

in the face of any type of disaster. Although many other types of disasters may be managed

by your chief operating ocer or equivalent, your CISO or CIO would manage the incident

internally since this is a data breach. These executives know (or should know) where critical and

regulated data resides and what systems manage these data and processes. Dealing with the

executive data breach is the same as if they’d owned the IT recovery should a hurricane or other

disaster disrupt IT systems. This puts CISOs in the best position to manage the technical, legal,

regulatory, and executive teams.


Monitor/detect

Triage Respond Incidentclosing

Lessonslearned

Figure 2. Process and technique eciency improvement framework


A large le of patient records from your hospital

was posted online.



7

Although the CISO or CSO owns the internal response, it typically is the CEO and executive

leadership that set the tone for the public response. To succeed, you’ll need a cross-functional

team that is comfortable working together. Usually this is a senior team that includes general

counsel, internal audit, human resources, and corporate communications. They all need to be

working in concert.

Here’s the plan that must be in place and always ready to be put into action should a breach

disclosure become necessary:

Continuous monitoring and detection—Your IT and security teams are always on the lookout

for bad things to happen. IT security-related events are detected from many dierent internal

and external sources—and early detection is the key to identifying and responding to an issue

not only quickly, but eectively. For executives, it’s important that when a breach that will require

a public disclosure is detected, the proper executives and internal resources must be notied.

The triage phase—This phase is intended to quickly analyze all available information so

that security events can be categorized and correlated. This way the organization can most

accurately determine the severity and prioritization of events, and assign the event to the

proper team(s) for remediation and response. Triage also provides a single point of contact for

answering technical questions that arise. The triage process is instrumental for coordinating the

technical response groups and creating your nal response plan.

The respond phase—The respond phase includes the steps taken to address, resolve, or

mitigate an incident. During this phase, you will need an incident coordinator who will conduct

overall response and direction. There are four classes of responses required for an incident:

• Technical response. The technical response is designed to focus on the actions the technical

sta takes to analyze and resolve an event or incident. Technical sta includes the IT groups

required to assist with remediation of the event or incident. This phase can involve several

groups or departments within the IT organization to coordinate and provide technical actions

to contain, resolve, or mitigate incidents as well as the actions needed to repair and recover, if

necessary, aected systems or data.

• Management response. The management response highlights activities that require some

type of management intervention, notication, interaction, escalation, or approval as part of

any response. It may include coordinating with corporate communications as it relates to any

human resources, public relations, nancial accounting, audits, and compliance issues.

• Communications response. These are activities that require some measure of communicationsto the corporation and internal and external constituents. Corporate communications should

always be consulted prior to any communications being released. In many cases, management

will direct the release of breach information. This includes issues related to any human

resources, public relations, nancial accounting, audits, and compliance issues.

• Legal response. The legal response, if required, would work with outside regulators,

third parties, and other parties. In addition, their input would be required for any external

communications to assure that such communication is in accordance to company policy and

supports any statutory or regulatory requirements.

Incident closing—After the incident has been contained, eradicated, or mitigated, it is critical

that your organization complete the collection of all of the information they can about the

incident and conduct an after-incident report. During the incident closing process, the incident

team must take steps to properly nalize all documentation, including all analytics and nal

reports. Additionally, the incident team must take every precaution to preserve all informationobtained as part of this process using proper chain-of-evidence procedures, because this

information may be required in certain legal responses.

After this close-out process is complete, the incident coordinator will conduct a lessons-learned

session to identify eciency improvements in either processes or techniques used for remediation.


The phases of the plan

• Monitoring and detection

• Triage

• Respond

• Incident closing



8

The data breach communications plan: Break glass in caseof emergency

The prospect of a data breach crisis is itself a crisis. And when it comes to your external

response, the communications plan is essential. In fact , the legacy of the crisis—how people

will remember the incident—won’t be the technical details or how awlessly your teams did or

didn’t execute the plan internally. It will be how well, or poorly, the company communicated this

response externally.

After the data breach is conrmed and it’s a publicly reportable event, crisis communications

teams need to assess the situation, gain a solid understanding of the critical conditions, review

the plan of action and adjust as necessary based on facts of the incident, then communicate

publicly. Even as the event unfolds, the response must be continuously evaluated regarding

how well the plan is going—or not going.

When the incident is underway, gather all of the facts that you can: What type of data? How

many records? What was the cause? When did it happen? Is the situation rectied? If not yet,

when will it be? And what steps are underway to bring about the best resolution possible?

Of course, if the breach is sizable, you will have to assemble the core breach response team,

which consists of senior IT leadership, legal, communications, and others.

You will have to share the story (what you can, at rst) with the outside world—what happened,how the breach will aect them (such as the need to change passwords, protect themselves

against identity theft, change credit card numbers), and how you are managing the situation.

The negative side of the story is what happened and what risk has been created. The positive

aspect of the story is what is being done to resolve the situation and to mitigate its impact. To

the outside world, you want to focus as much as possible on what steps are in place to x what

has been broken.

This means the majority of what you communicate will be about your mitigation eorts, and

what steps will be and have been taken to make sure it doesn’t happen again.

This is why your plan is so important: All the steps you can take, or the steps you need to decide

whether or not to take, must be determined in advance.




9

Respond efectively when breaches happen

When it comes to security breaches, it’s not a matter of if but when they will occur. What

separates enterprises when it comes to publicly reportable breaches are how the enterprise

responds—their ability to identify what happened and why, rapidly respond to stop the attack,

and communicate to employees, partners, shareholders, and customers in a way that maintains

and even builds trust.

HP helps organizations to establish the processes they need for optimal breach management.We rapidly deploy a highly skilled and experienced information security team and

comprehensive security technology to help enterprises establish visibility, remediate issues,

and put tactics into place that guard against future incidents.

Forensic readiness: We can help you create a proactive plan to help your teams identify valid

and malicious changes and produce the best possible digital evidence in the event of security

incidents. This minimizes disruption and maximizes the technical information you need to make

the best post-breach decisions possible.

Security incident and breach response: Expert monitoring is always available, providing

detection and countermeasures through rapid, predetermined incident response. In the event o

a breach, HP will dispatch a team of security experts on location to immediately contain the breach.

We also help assess, investigate, and provide recommendations to reduce future vulnerability.

E-disclosure: Following an incident, you’ll need accurate data capture, logging, and audit trail

reporting for use in legal and regulatory investigations. Our specialists, many of whom have law

enforcement experience, will help you through this collection process.

Data recovery: One of the most challenging parts of a breach can be data recovery. Mitigate

data loss or deletion consequences by designing and implementing processes for backup and

recovery. Our experienced security services teams are on call 24x7 to act as your vir tual team or

as an extension to your team to get you back in business.

When a data breach occurs, HP will rapidly deploy an expert and experienced information

security team so you gain swift visibility into the incident, and you can respond condently

to the marketplace and all of your constituents in a way that maintains trust . And, just as

important, we can help you put into place tactics and technologies that will greatly reduce the

risks of future incidents.




10


After an incident

Update the incident report and review exactly what happened and at what times.

Review how well the staff and management performed in dealing with incident.

Determine whether or not the documented procedures were followed.

Discuss any changes in process or technology that are needed to mitigate future incidents.

Determine what information was needed sooner.

Discuss whether any steps or actions taken might have inhibited the recovery.

Determine which additional tools or resources are needed to detect, triage, analyze, and mitigate future incidents.

Discuss what reporting requirements are needed (such as regulatory and customer).

If possible, quantify the financial loss caused by the breach.

Report findings to executive management.

Before an incident

Identify the individual owner and responsible party for all incidents.

Identify core team responsible for all incidents (including individuals from legal, corporate communications, and HR).

Ensure proper monitoring and tracking technologies are in place (such as firewalls, IPS, and anti-virus).

Provide media training to the proper individual(s).

Provide a company-wide process for employees, contractors, and third parties to report suspicious or suspected

breach activities.

Provide company-wide training on breach awareness, employee responsibility, and reporting processes.

During an incident

Record the issues and open an incident report.

Convene the core team.

Set up a technical bridge to discuss needs required to restore operations.

Set up a management bridge or communication schedule to provide updates to executive management.

Triage the current issues and communicate to executive management.

Identify initial cause and activate needed specialists to respond to the current issues to restore operations.

Retain any evidence and follow a strict chain of evidence to support any needed or anticipated legal action.

Communicate to affected third parties, regulators, and media (if appropriate)

Before, during, and after checklistThe time an incident occurs is not the time to plan and organize. It is a time for action. Here are some simple

steps for you to consider and processes that need to be in place before, during, and after a breach event:

Figure 3. Incident checklist



1

Why you need to act today

Security-related and non-security-related threats have become not only more numerous and

diverse but also more damaging and disruptive. New types of incidents emerge frequently.

Preventative activities based on the results of risk assessments can reduce the number of

incidents, but not all incidents can be prevented. That’s why a breach management response

capability is vital for rapidly detecting incidents, minimizing loss and destruction, reducing

business outage and customer impact, mitigating weaknesses that can be exploited, and

restoring information systems services.

The purpose of this framework is to establish processes and procedures to prevent, detect,

investigate, respond to, recover from, and remediate all incidents that threaten or target an

organization, its aliates, or subsidiaries. But it is important to recognize that this program

is only the foundation to a good security strategy. Other components must be built upon this

foundation, including:

• Monitoring an ecosystem with proactive tools, such as IDS/IPS, rewalls, anti-virus, and

Security Information Event Management (SEIM)

• Eective alerts based on controls in place from the monitoring tools but that also recognize

external data points and correlate big data elements

• Routine testing of the technologies deployed as well as the processes that support sound

breach management

• Feedback mechanisms from testing or an actual breach event to examine needed updates to

technologies and processes as well as strategic planning to avoid future disruptive incidents

Our call to action is simple: Take the necessary steps to implement the program outlined in

this simple guide. We are here to assist your organization with the most complete security

portfolio in the market. We can work with you to improve your security processes and

operations at every step.

Learn more athp.com/enterprise/security

See the Ponemon Institute report, The Importance of Senior Executive Involvement in

Breach Response


http://www.hp.com/enterprise/security

http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-5310ENW&cc=us&lc=en%0d%D3%A0http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-5310ENW&cc=us&lc=en




http://www.hp.com/enterprise/security



Rate this documentShare with colleagues

Sign up for updateshp.com/go/getupdated


© Copyright 2014-2015 Hewlett-Packard De velopment Company, L.P. The information contained here in is subject to change without notice. The only

warranties for HP products and servi ces are set forth in the express warranty statements accompanying such products and services. Nothing herein

should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial er rors or omissions contained herein.

4AA5-5562ENW, January 2015, Rev. 1

http://www.hp.com/go/getupdated

http://www.hp.com/go/getupdated

http://www.linkedin.com/shareArticle?mini=true&ro=true&url=http%3A%2F%2Fh20195%2Ewww2%2Ehp%2Ecom%2FV2%2FGetDocument%2Easpx%3Fdocname%3D4AA5-5562ENW&title=Executive+breach+response+playbook+&armin=armin

http://twitter.com/home/?status=Executive%20breach%20response%20playbook+%40+http%3A%2F%2Fh20195.www2.hp.com%2FV2%2FGetDocument.aspx?docname=4AA5-5562ENW

http://www.facebook.com/sharer.php?u=http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-5562ENW.pdf

https://hpresearch.az1.qualtrics.com/SE/?SID=SV_6EuQKOr2Ku1CUzH&CMG=CMG483&Pubnumber=4AA5-5562ENW&BU=INDS&Doctype=Brochure

Documents

HP - Executive Breach Incident Response Playbook.pdf