Over the last few years, the governments of many countries around the world have become sensitive to the inadequate protection of consumer data by companies. Many of them have enacted laws and regulations to protect this sensitive data. The late 1990s and early 2000s saw the passing of many laws around information security, data privacy, and accountability. Unfortunately, this has also led to complicated legal obligations for companies.
What do the regulations aim to achieve?
Most laws are enacted to protect the confidentiality, integrity and availability of the information that affects an organization's stakeholders (including its customers). The various laws in place have the following goals:
- Establish and implement controls for protection of data
- Maintain, protect and assess compliance issues
- Identify and remediate vulnerabilities and deviations
- Provide reporting that can prove the organization's compliance
Some of the key laws that aim to achieve the above-mentioned goals are:
- Sarbanes-Oxley Act (SOX): It was enacted to protect investors and mandated strict reforms to improve financial disclosures and prevent accounting fraud.
- Gramm-Leach-Bliley Act (GLBA): This act was enacted in the USA to protect the privacy and security of individually identifiable financial information collected, held and processed by financial institutions.
- Health Insurance Portability and Accountability Act (HIPAA): The rules in this act focus on Protected Health Information gathered by healthcare operations, including insurance providers. Non-healthcare companies can also be affected if they engage with companies that are directly covered by the regulation.
- The Federal Information Security Management Act of 2002 (FISMA): This act was enacted to improve computer and network security within the US Federal Government and affiliated parties. Any organization that serves as a contractor to the US Federal Government must comply with its provisions.
These are some of the regulations in the USA alone. However, they also affect organizations in many other countries that do business with the US Government or US-based companies. Other countries have similar provisions for organizations that operate or serve in their markets. Meeting these regulations increases the security and integrity of the data that organizations collect, retain and rely upon for their operations.
Incident Response Plan
What to do if there is a security incident?
Despite the best checks and balances, there will be security incidents that need to be dealt with as they occur. Every organization needs an incident response plan, not only to comply with regulations but also to ensure that incidents are handled in a structured way and their recurrence is minimized. A well-designed program helps organizations deal with events quickly and efficiently without panicking.
Some of the key elements of a good incident response plan are:
- Scope and objective: This defines the fundamental elements of the plan. It specifies which events, systems, endpoints, etc. the plan covers and what it needs to achieve.
- Incident response teams, contacts, and responsibilities: It is important for everyone to know whom to contact in case of an emergency (incident). Each contact's details, such as name, contact number and role, should be defined and agreed upon. The response team must include a primary person in charge and a backup for every role.
- Notification process: Communicating the occurrence of an incident to the affected parties is an absolute must. The communication needs to flow up the chain of command and across the organization so that those responsible can quickly take corrective steps and prevent further damage. The incident response plan should include a clear notification and communication plan along with designated contacts and timelines. It is critical that the notification process is as simple as possible. Nobody should waste time trying to decipher what the plan intends while data loss is in progress.
- Emergency activities: This part should list the process to be followed to stop the breach immediately. It could be a critical patch to the operating system or the security software (firewall, antivirus, etc.), or outright isolation of the affected system from the network. The emergency activities should include the primary actions to be taken by each team for its area.
- Incident closure: This part defines the core elements that determine when a security incident is closed. Is it blocking the information leak (patching the software or isolating the system from the network), reporting and initiating legal proceedings, or restoring service? The plan should indicate the point at which the emergency (incident) is declared over (and not before that).
Incident Plan Management
This is one of the most crucial parts of managing incidents. The job of the incident management team is not over simply because a plan is in place. Since new cyber threats appear every day, the incident response plan should be regularly re-evaluated to ensure that it keeps pace with shifts in the business and threat environment. The effectiveness of the plan can be assessed using the following criteria:
- Number of incidents reported
- Response time or time-to-live of an incident
- Number of incidents successfully resolved
- Attentiveness to security issues within the organization
- Preventative techniques and security practices in place
- Benchmarking against industry standards
Information security is a collective responsibility of every individual. An organization may nominate one person (CISO) or one team to spearhead the security initiatives. They cannot succeed unless everyone works in unison to mitigate the threats and emerge unscathed from the incidents. Should a data security breach occur, the Incident Management Plan helps organizations collaborate and cohesively handle emergencies.