Communications are key

Effective communication is key, and that is especially true for incident response teams. An incident response team analyses information, discusses observations and activities, and shares important reports and communications across the company.

  • Establish, confirm, and publish communication channels and meeting schedules.

  • Print out team member contact information and distribute it widely. Do not rely on software-based communication channels; chances are there will be no access to those during a security incident. Include important external contacts, and discuss and document when, how, and by whom outside entities (law enforcement, media, or other incident response organisations) will be contacted.

  • Who to notify in case of a data breach depends on the country (and in some countries even the state). For example:

    • In Canada, organisations are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Digital Privacy Act.

    • In Europe, The General Data Protection Regulation (GDPR) applies. It also applies to organisations outside the EU who process data from EU residents.

    • In the US, each state appears to have its own legislation; most of these laws differ only in minor ways.

Lessons learned

  • The SANS Institute lists lessons learned as one of the six critical stages of the overall Incident Response Process.

  • Such retrospectives are conducted after a security incident with all parties involved in the incident handling process, so that what went well is repeated and what did not go so well is improved.

Keep in touch

When not actively investigating or responding to a security incident, the team should meet at least quarterly to review current security trends and incident response procedures. The more information an incident response team can provide to executives, the better, in terms of retaining executive support and participation when it is needed (during a crisis or immediately after).