Executive Breach Response Playbook

Brochure

Executive breach response playbookHow to successfully navigate the enterprise through a serious data breach

2

Brochure | Executive breach response playbook

Introduction

No matter how effective the technical response to an enterprise data breach, it’s the executive suite that drives the public’s perception in times of crisis. In fact, it is the executive team’s leadership that will help guide the entire enterprise response after the breach—which could last for days, weeks, months, and even years depending on lawsuits and regulatory response.

Although it’s never easy to respond to something as challenging as a publicly disclosed data breach, it can be done if the executive team gets the information they need in time. That is, if the technical information is accurate and comprehensive enough to make effective decisions, and all of the communication channels are in place and ready. Sounds straightforward, but it’s not always. It takes executive leadership to make sure the resources and the plans are in place to execute well. And it takes considerable practice. This playbook will help get you there.

In most organizations, senior leadership, including the CEO, are seriously underprepared for the job. A recently HP-commissioned survey from the Ponemon Institute, “The Importance of Senior Executive Involvement in Breach Response,” shows how systemic the challenge is at most organizations: A startling 57% of CEOs have not been trained on what to do after a data breach, and more than 70% of executives think that their organization only partially understands the information risks they’re exposed to.

There’s a serious disconnect here. According to the Ponemon Institute report, The Importance of Senior Executive Involvement in Breach Response, senior executives know that their involvement in the incident response process is critical to success—but they don’t believe that they are accountable for data breaches. In this report’s survey, 79% of respondents say executive-level involvement is necessary to achieve a successful data breach response, while 70% believe board-level oversight is also crucial. Unfortunately, the same survey found that only 47% are up to date on their internal data breach response processes, and only 45% think they are actually accountable.

Perhaps most troubling is that only 44% believe that their own enterprise’s incident response process is either proactive or mature.

Many great resources are available that are geared toward the technical response that organizations must perform when faced with a data breach incident; however, little has been written on how the executive team should prepare to respond. The goal of this paper is to help fill that gap and provide executive leadership with the ideas and tools they need.

Perception. Priorities. Protection.

Executive team to-do list

• Prepare a data breach response plan.

• Ensure the executive team can execute it.

• Have a solid understanding of the situation.

• Know what is at risk.

• Plan responses and processes for all constituencies.

Figure 1. How prepared is your organization to deal with data breach?

4%

17%

33%31%

15%

35%

30%

25%

20%

15%

10%

5%

0%Level 1 Level 5Level 2 Level 3 Level 4

Level of readiness: From 1 (low) to 5 (high)

Source: Ponemon Institute “The Importance of Senior Executive Involvement in Breach Response” September 2014.

As figure 1 shows, senior executives believe the current state of breach preparedness is more reactive (immature) than proactive.

3

The importance of establishing a game plan

Many enterprises are already breached, and they don’t realize it. Look at many of the recent and widely publicized data breaches. These organizations had been infiltrated for months, with data being continuously stolen, before the successful attacks were identified. There’s no avoiding it. The probability is that you will be breached, and not once or twice but multiple times over the upcoming years.

Without an executive data breach response plan that is designed to work in tandem with your organization’s more technical digital investigations and response plans, any data breach incident can go from bad to worse very quickly—especially when it comes to maintaining the trust and confidence of your customers, partners, and shareholders. In fact, if the executive team does not plan for the data breach—and be able to execute that plan—it is, in effect, planning to fail in its ability to react swiftly to the legal, regulatory, customer, employee, and shareholder fallout.

The risks associated with executive missteps during the days after a data breach disclosure are not unlike responding to any other type of disaster. The team needs to have a solid understanding of the situation, know what is at risk, and be able to speak to each constituency. Many executive-level risks are associated with data breaches. For instance, your team needs to know whether to announce the data breach and when the timing is right to do so. There’s risk in waiting too long to tell the public—both from regulators’ and public backlash—and there’s also serious risk associated with announcing too soon. If the right processes are not in place and the executive team doesn’t understand the nature of the breach, the known facts can change, and public statements will have to be altered accordingly. Not good.

Conversely, knowing how to talk with the technical teams and understanding the potential business impact and the technical cause can help you execute the right course of action. That course assures employees, customers, and shareholders that the enterprise can—and will—safely navigate through with minimal costs or impact to delivery of customer services.

Additionally, public disclosures of certain types of data breaches are becoming mandatory. In the United States, nearly every state has a data breach notification law regarding personally identifiable financial account information involving its citizens. The E.U. is working on its own data breach notification requirements under the ePrivacy Directive. There are also data breach notification laws and guidance that involve disclosing patient health data and even for publicly traded companies, should a breach involve data that could affect revenue.

That’s why it is critical to have your executive data breach response playbook in place. Because in the event of a data breach emergency, such as the triggering of any of the regulatory mandated responses above, you need to know precisely what to do and who your key players are. If you don’t have this in place and ready to go ahead of time, you waste valuable time—the vital time needed during a crisis—and are forced to build the plan on the fly, which exponentially raises the danger of highly public missteps.

For all of these reasons, having your executive data breach response plan in place will provide the means for successful leadership through crises.


4


Successful leadership through the breach

Although most of the conversation centering around data breaches today focuses on the technical enablement of the breaches, there’s always much more to it than that—especially when a breach involves significant or sensitive data. The type of data and their quantity are important.

In fact, there are many other considerations. More often than not, there is a criminal investigation, an e-discovery process, and countless other pressing media, employee, shareholder, and especially customer considerations.

Each constituency has different immediate needs. While law enforcement is going to want to keep breach details and anything relating to its investigation quiet, the media will want to know details and will push hard for them. Industry and government regulators are going to have questions of their own. The call center is going to need to know what information to provide customers to help keep them calm and even take measures to protect their identity if necessary.

Legal will want to be tightlipped, too, while your PR teams will want to be more communicative. They have good reason, too; media reaction is crucial. And shareholders are going to eagerly await news of any potential impact on earnings. It’s a fine needle you are going to have to thread, because each constituent’s concerns and needs are real and will have to be met properly and at the right time.

One of the most important things that having the response plan in place does for your organization is enable executives to focus on these messages. That surely beats being reactive and forced to assemble the team, carve out responsibilities, lines of communication, and various plans of action. With the plan in place and everyone knowing what to do, executives can speak to employees, shareholders, and customers with the necessary confidence that the situation is under control. This will greatly help you avoid potential missteps that hurt trust and confidence in the organization.

Remember that employees, partners, shareholders, and customers will be looking at how executives are going to respond: Have they taken ownership of the situation, what are they going to do about it, what actually happened, and how will it be resolved?

Basically, what the world is looking for is leadership. And this is just as true in a data breach as any other type of emergency or crisis.

5

Into the breach: Scenario exercise ideas

Data breach situations can unfold in countless ways, and conditions similar to the scenarios that follow can occur in any organization. They show how small missteps can potentially grow into big public mishaps.

Take a look at these scenarios. Then ask yourself how prepared your organization is to respond, what processes you have in place to respond, and how well other team members would be prepared.

Breach scenario #1: A large national retailer’s point-of-sale (POS) system is breached, with millions of credit cards stolenIt all started simply enough. A virtual server crashed. It was only by luck that an observant administrator noticed something strange within the error code. Eventually, the related logs and an image of the virtual server made it to an internal security analyst, who identified the problem: A small, mysterious piece of software was actually an exploit designed to breach an inventory system that was connected to the retailer’s national POS network.

If credit card data files were breached, it would require a public disclosure. The breach was too close to credit card data for comfort, and the preliminary forensics examination couldn’t determine if the attack was successful. Also, the potential credit card breach couldn’t have come at a worse time. A string of retail breaches had just been announced over the holiday period. Tens of millions of people had been affected. As a result, the retailer’s credit card security was all over the news. The press was not going to let go of this story.

Days later, the investigation into the log files still had not provided as clear a picture as the digital forensics and incident response team would have liked. But it was determined that the initial breach occurred at least three years ago.

The good news is that the most recent attack activity was thwarted. The bad news is that although the complete attack trail isn’t clear, the attackers did manage to access the POS system and capture credit card payment data as it was being processed. It was not known what other data may have been affected.

The appropriate law enforcement agencies will be notified soon. Now the executive team must prepare for the public announcement to customers and shareholders. And they must give employees the information they need to service customers and answer their questions in a way that keeps morale high. In the meantime, the digital investigation teams will keep digging for more details and facts that can be established.

Breach scenario #2: Contract manufacturer discovers its proprietary processes and customer intellectual property stolenAn international contract manufacturer noticed an overseas competitor was producing product in a way that precisely resembled its own. An analysis confirmed that the competitor was using certain plans and even software code identical to what it was producing. If that wasn’t bad enough, the intellectual property of several of its customers had also been stolen somehow. If the situation isn’t handled properly, the manufacturer could be forced out of business.

Following a significant investigation, it became apparent that a disgruntled employee had walked out with proprietary information on a flash drive. An investigation into the type of data stolen, who had access to that scope of information, and other factors narrowed the list of potential thieves to a few. When examining a number of employee laptops, it became clear which laptop was used. Data from multiple servers were copied to the notebook’s drive and subsequently copied to a USB flash drive. Customers would have to be notified—and so would shareholders. A breach of this magnitude could drive away customers—current and future—and significantly impact revenue.


Are you prepared to respond?

You discover that your proprietary processes and customer IP were stolen.


Your POS system is breached and millions of credit cards stolen.

6

Breach scenario #3: Regional hospital awakes to data breach nightmareThe scenario begins when the director of communications reports that a journalist from one of the weekly business magazines called to say a large file of patient records has been posted somewhere online.

The news hit fast and spread wide. Thousands of records were dumped in a popular file-sharing site: Patient names, contact information, and insurance information were in one set of files; patients’ prescription histories and some doctor visit information in another.

It’s a PR nightmare, but one that happens all too often—before there’s a chance for an investigation to even get underway. How did the breach occur? What can be said to patients whose information was leaked, as well as those who have not been affected? What will the regulatory fallout be? The team needs to be assembled, and answers need to be uncovered—quickly.

Any conversation with the media would have to be punted until more details were known. Meanwhile, regulators called, wanting to know details about the incident. But the hospital can’t answer much more than verify that the data files appear to be authentic and from their organization. The next call was to law enforcement.

In the hours and days that followed, the source of the breach was identified as being the result a web server infiltration. The decisions and steps made in the upcoming days will have a profound impact on how regulators react, as well as the trust that is saved or lost in the eyes of patients.

The next section can help you determine how your organization would respond. You’ll be able to identify any gaps in your process and how you should remedy them if a publicly reportable breach occurs.

Building an effective executive data breach response plan

Much of the discussion about data breach response commonly focuses on the technical response. The executive data breach plan centers on what is known to have happened technically and what this damage will mean from a business perspective, and then effectively managing any negative impact and putting forward the best public response possible. This requires that good processes and communication be in place, along with the ability to effectively execute the plan.

You need to assemble a core team of executive leaders to help manage the response. In many cases, it would be the same team charged with managing a business continuity plan in the face of any type of disaster. Although many other types of disasters may be managed by your chief operating officer or equivalent, your CISO or CIO would manage the incident internally since this is a data breach. These executives know (or should know) where critical and regulated data resides and what systems manage these data and processes. Dealing with the executive data breach is the same as if they’d owned the IT recovery should a hurricane or other disaster disrupt IT systems. This puts CISOs in the best position to manage the technical, legal, regulatory, and executive teams. Insert the graphic at the end of the paper, which is just a mock up example, so open to a more creative example.


Monitor/detect

Triage Respond Incidentclosing

Lessonslearned

Figure 2. Process and technique efficiency improvement framework


A large file of patient records from your hospital was posted online.

7

Although the CISO or CSO owns the internal response, it typically is the CEO and executive leadership that set the tone for the public response. To succeed, you’ll need a cross-functional team that is comfortable working together. Usually this is a senior team that includes general counsel, internal audit, human resources, and corporate communications. They all need to be working in concert.

Here’s the plan that must be in place and always ready to be put into action should a breach disclosure become necessary:

Continuous monitoring and detection—Your IT and security teams are always on the lookout for bad things to happen. IT security-related events are detected from many different internal and external sources—and early detection is the key to identifying and responding to an issue not only quickly, but effectively. For executives, it’s important that when a breach that will require a public disclosure is detected, the proper executives and internal resources must be notified.

The triage phase—This phase is intended to quickly analyze all available information so that security events can be categorized and correlated. This way the organization can most accurately determine the severity and prioritization of events, and assign the event to the proper team(s) for remediation and response. Triage also provides a single point of contact for answering technical questions that arise. The triage process is instrumental for coordinating the technical response groups and creating your final response plan.

The respond phase—The respond phase includes the steps taken to address, resolve, or mitigate an incident. During this phase, you will need an incident coordinator who will conduct overall response and direction. There are four classes of responses required for an incident:

• Technical response. The technical response is designed to focus on the actions the technical staff takes to analyze and resolve an event or incident. Technical staff includes the IT groups required to assist with remediation of the event or incident. This phase can involve several groups or departments within the IT organization to coordinate and provide technical actions to contain, resolve, or mitigate incidents as well as the actions needed to repair and recover, if necessary, affected systems or data.

• Management response. The management response highlights activities that require some type of management intervention, notification, interaction, escalation, or approval as part of any response. It may include coordinating with corporate communications as it relates to any human resources, public relations, financial accounting, audits, and compliance issues.

• Communications response. These are activities that require some measure of communications to the corporation and internal and external constituents. Corporate communications should always be consulted prior to any communications being released. In many cases, management will direct the release of breach information. This includes issues related to any human resources, public relations, financial accounting, audits, and compliance issues.

• Legal response. The legal response, if required, would work with outside regulators, third parties, and other parties. In addition, their input would be required for any external communications to assure that such communication is in accordance to company policy and supports any statutory or regulatory requirements.

Incident closing—After the incident has been contained, eradicated, or mitigated, it is critical that your organization complete the collection of all of the information they can about the incident and conduct an after-incident report. During the incident closing process, the incident team must take steps to properly finalize all documentation, including all analytics and final reports. Additionally, the incident team must take every precaution to preserve all information obtained as part of this process using proper chain-of-evidence procedures, because this information may be required in certain legal responses.

After this close-out process is complete, the incident coordinator will conduct a lessons-learned session to identify efficiency improvements in either processes or techniques used for remediation.


The phases of the plan

• Monitoring and detection

• Triage

• Respond

• Incident closing

8

The data breach communications plan: Break glass in case of emergency

The prospect of a data breach crisis is itself a crisis. And when it comes to your external response, the communications plan is essential. In fact, the legacy of the crisis—how people will remember the incident—won’t be the technical details or how flawlessly your teams did or didn’t execute the plan internally. It will be how well, or poorly, the company communicated this response externally.

After the data breach is confirmed and it’s a publicly reportable event, crisis communications teams need to assess the situation, gain a solid understanding of the critical conditions, review the plan of action and adjust as necessary based on facts of the incident, then communicate publicly. Even as the event unfolds, the response must be continuously evaluated regarding how well the plan is going—or not going.

When the incident is underway, gather all of the facts that you can: What type of data? How many records? What was the cause? When did it happen? Is the situation rectified? If not yet, when will it be? And what steps are underway to bring about the best resolution possible?

Of course, if the breach is sizable, you will have to assemble the core breach response team, which consists of senior IT leadership, legal, communications, and others.

You will have to share the story (what you can, at first) with the outside world—what happened, how the breach will affect them (such as the need to change passwords, protect themselves against identity theft, change credit card numbers), and how you are managing the situation. The negative side of the story is what happened and what risk has been created. The positive aspect of the story is what is being done to resolve the situation and to mitigate its impact. To the outside world, you want to focus as much as possible on what steps are in place to fix what has been broken.

This means the majority of what you communicate will be about your mitigation efforts, and what steps will be and have been taken to make sure it doesn’t happen again.

This is why your plan is so important: All the steps you can take, or the steps you need to decide whether or not to take, must be determined in advance.


9

Respond effectively when breaches happen

When it comes to security breaches, it’s not a matter of if but when they will occur. What separates enterprises when it comes to publically reportable breaches are how the enterprise responds—their ability to identify what happened and why, rapidly respond to stop the attack, and communicate to employees, partners, shareholders, and customers in a way that maintains and even builds trust.

HP helps organizations to establish the processes they need for optimal breach management. We rapidly deploy a highly skilled and experienced information security team and comprehensive security technology to help enterprises establish visibility, remediate issues, and put tactics into place that guard against future incidents.

Forensic readiness: We can help you create a proactive plan to help your teams identify valid and malicious changes and produce the best possible digital evidence in the event of security incidents. This minimizes disruption and maximizes the technical information you need to make the best post-breach decisions possible.

Security incident and breach response: Expert monitoring is always available, providing detection and countermeasures through rapid, predetermined incident response. In the event of a breach, HP will dispatch a team of security experts on location to immediately contain the breach. We also help assess, investigate, and provide recommendations to reduce future vulnerability.

E-disclosure: Following an incident, you’ll need accurate data capture, logging, and audit trail reporting for use in legal and regulatory investigations. Our specialists, many of whom have law enforcement experience, will help you through this collection process.

Data recovery: One of the most challenging parts of a breach can be data recovery. Mitigate data loss or deletion consequences by designing and implementing processes for backup and recovery. Our experienced security services teams are on call 24x7 to act as your virtual team or as an extension to your team to get you back in business.

When a data breach occurs, HP will rapidly deploy an expert and experienced information security team so you gain swift visibility into the incident, and you can respond confidently to the marketplace and all of your constituents in a way that maintains trust. And, just as important, we can help you put into place tactics and technologies that will greatly reduce the risks of future incidents.


10


After an incident

Update the incident report and review exactly what happened and at what times.

Review how well the staff and management performed in dealing with incident.

Determine whether or not the documented procedures were followed.

Discuss any changes in process or technology that are needed to mitigate future incidents.

Determine what information was needed sooner.

Discuss whether any steps or actions taken might have inhibited the recovery.

Determine which additional tools or resources are needed to detect, triage, analyze, and mitigate future incidents.

Discuss what reporting requirements are needed (such as regulatory and customer).

If possible, quantify the financial loss caused by the breach.

Report findings to executive management.

Before an incident

Identify the individual owner and responsible party for all incidents.

Identify core team responsible for all incidents (including individuals from legal, corporate communications, and HR).

Insure proper monitoring and tracking technologies are in place (such as firewalls, IPS, and anti-virus).

Provide media training to the proper individual(s).

Provide a company-wide process for employees, contractors, and third parties to report suspicious or suspected breach activities.

Provide company-wide training on breach awareness, employee responsibility, and reporting processes.

During an incident

Record the issues and open an incident report.

Convene the core team.

Set up a technical bridge to discuss needs required to restore operations.

Set up a management bridge or communication schedule to provide updates to executive management.

Triage the current issues and communicate to executive management.

Identify initial cause and activate needed specialists to respond to the current issues to restore operations.

Retain any evidence and follow a strict chain of evidence to support any needed or anticipated legal action.

Communicate to affected third parties, regulators, and media (if appropriate)

Before, during, and after checklistThe time an incident occurs is not the time to plan and organize. It is a time for action. Here are some simple steps for you to consider and processes that need to be in place before, during, and after a breach event:

Figure 3. Incident checklist

11

Why you need to act today

Security-related and non-security-related threats have become not only more numerous and diverse but also more damaging and disruptive. New types of incidents emerge frequently. Preventative activities based on the results of risk assessments can reduce the number of incidents, but not all incidents can be prevented. That’s why a breach management response capability is vital for rapidly detecting incidents, minimizing loss and destruction, reducing business outage and customer impact, mitigating weaknesses that can be exploited, and restoring information systems services.

The purpose of this framework is to establish processes and procedures to prevent, detect, investigate, respond to, recover from, and remediate all incidents that threaten or target an organization, its affiliates, or subsidiaries. But it is important to recognize that this program is only the foundation to a good security strategy. Other components must be built upon this foundation, including:

• Monitoring an ecosystem with proactive tools, such as IDS/IPS, firewalls, anti-virus, and Security Information Event Management (SEIM)

• Effective alerts based on controls in place from the monitoring tools but that also recognize external data points and correlate big data elements

• Routine testing of the technologies deployed as well as the processes that support sound breach management

• Feedback mechanisms from testing or an actual breach event to examine needed updates to technologies and processes as well as strategic planning to avoid future disruptive incidents

Our call to action is simple: Take the necessary steps to implement the program outlined in this simple guide. We are here to assist your organization with the most complete security portfolio in the market. We can work with you to improve your security processes and operations at every step.

Learn more athp.com/enterprise/security

See the Ponemon Institute report, The Importance of Senior Executive Involvement in Breach Response


http://www.hp.com/enterprise/security

http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-5310ENW&cc=us&lc=en%0d� http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-5310ENW&cc=us&lc=en

http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-5310ENW&cc=us&lc=en%0d� http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-5310ENW&cc=us&lc=en

Rate this documentShare with colleagues

Sign up for updates hp.com/go/getupdated


© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

4AA5-5562ENW, October 2014

https://hpresearch.az1.qualtrics.com/SE/?SID=SV_6EuQKOr2Ku1CUzH&CMG=CMG483&Pubnumber=4AA5-5562ENW&BU=INDS&Doctype=Brochure

http://www.facebook.com/sharer.php?u=http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-5562ENW.pdf

http://twitter.com/home/?status=Executive%20breach%20response%20playbook+%40+http%3A%2F%2Fh20195.www2.hp.com%2FV2%2FGetDocument.aspx?docname=4AA5-5562ENW

http://www.linkedin.com/shareArticle?mini=true&ro=true&url=http%3A%2F%2Fh20195%2Ewww2%2Ehp%2Ecom%2FV2%2FGetDocument%2Easpx%3Fdocname%3D4AA5-5562ENW&title=Executive+breach+response+playbook+&armin=armin

http://www.hp.com/go/getupdated

Technology

Executive Breach Response Playbook