Incident-response teams deal with security breaches to limit damage
The basics of pulling together an incident-response team to react to data security breaches.
See related story “The do’s and don’ts of data breaches”
According to security professionals and consultants, incident- or computer-emergency response teams are essential to helping an organization work through a data breach or other cyberincident, such as a worm or a denial-of-service attack, that exposes sensitive information to unauthorized access.
Poll: Does your company have an incident-response team in place?
Such teams range in size and scope depending on the organization, but they have a few basic elements in common that enable them to limit the damage done:
* Representation from all affected departments, including IT, human resources, public relations, marketing, legal, compliance and others. Identifying at least one person from each of these departments to be part of the team, sit in on meetings, and offer input and approval of response plans, is best done before an incident happens.
“If you’re in the middle of the crisis [without a response team], you would have to figure out who the right people are [in each department] and you might make some wrong decisions,” says Randy Barr, CSO of WebEx. “And people may have different ideas of what should happen. Then you’ve lost the ability to respond quickly.”
* A clear communication channel with the executive team. At WebEx, Barr built a security committee and a security council. The committee, composed of employees from a number of departments, meets once a month. Issues they can’t settle are sent for a ruling to the council, which includes officers of the company. The council meets once a quarter for thirty minutes to keep up-to-date on security issues and to provide feedback to the company’s board of directors.
* Deciding what outside professionals would need to be pulled in during an incident, and who those professionals are. If a company doesn’t have the technical, legal or other expertise in-house to deal with a data breach, the response team needs to identify those weaknesses. The team also should decide with which legal firm, security consultant, public relations company, and so forth, the organization would work in case of a crisis, and if possible, keep those professionals on retainer.
“You’ve got to have at least some sort of relationship with these professionals so you can make that phone call” at the time of the incident, says an investigation manager with a financial services company who asked that his name and his company name not be mentioned.
* A communication plan. Detail with whom the team will communicate, both internally and externally, and what they will say. The team should get management’s approval of prepared scripts, limiting the time that needs to be spent on small details during a crisis.




