Incident Response: Implement a Communications Plan

Jan 13, 2016 | by RSA

We all know what it's like to uncover the first signs of a security incident: the huddled conference to confirm a plan of action, the sigh of relief when it appears the hack hasn't reached vital systems, and then the sinking feeling in the pit of your stomach when you realize it has.

Most mature infosec teams have a sophisticated process in place for the technical aspects of incident response: diagnosis, patching, remediation, further analysis, and forensics. Updating and modifying policies and processes, and keeping senior management and key stakeholders updated, is also important.

Last year's security incidents highlighted a critical change in incident response: the need to craft a communications strategy for employees and customers. When security incidents hit the news, credit card and bank customers tend to flood contact centers with questions about their vulnerability. The customer experience is a critical differentiator for many companies, and in times of crisis it's important that companies have the information they need to answer customers' questions.

While most CSOs and CISOs agree on the need for an effective communications plan, few are clear on what the procedure should consist of or how to implement it. Here are a few pointers on how to develop an effective communications plan:

  • Start by establishing relationships and liaisons with two key groups: customer service and public relations. Make sure each group has someone tasked with communicating regularly with the infosec team, and that there is an on-call process for infosec to reach them in emergencies. Infosec also needs to have someone who's responsible for communicating with these groups. If possible, involving your legal and human resource departments is helpful.
  • Put together a communications process that takes incident severity, potential impact on employees and customers, and messaging into account. For example, contact center employees can be prepped with a response as simple as, "We are investigating the issue, and right now, we don't think you are affected; however, we require additional analysis to confirm this conclusively and will proactively inform you either way." It's also helpful if employees can answer simple questions such as, "Should I preemptively change my password?" Similarly, HR should be prepped to answer questions from reporters and the media.
  • Review the process in place with legal and investor relations. Anticipate concerns, and work with these groups to overcome obstacles. Legal teams, in particular, often prefer secrecy to transparency to avoid additional risk. Infosec should be prepared to point out that the risk injected by secrecy may be greater than the risk introduced by transparency.
  • Confirm that each internal group has its own process for disseminating and acting on information. For example, the vice president of customer experience needs to have his or her own internal process for informing customers as appropriate.
  • For the communications process itself, think in terms of communicating high-level information quickly, with emphasis on the impact to the stakeholder's sphere of responsibility. For instance, infosec might inform the customer experience team that a breach has been uncovered, that it's not known yet whether customers have been affected, and that more information will be forthcoming at a certain time. Even if there's no further information to share by that time, infosec should be prepared to provide an update. Once the extent of the breach has been uncovered, the infosec liaison should inform the vice president of customer experience about the potential impact on customers and work with him or her to craft a message to customer service representatives.
  • Infosec should only invoke this process for severe breaches. It's often challenging to initially determine if a breach is severe enough to require invoking the process, but communications should start as soon as a breach is deemed significant.
  • As with any effective crisis-management process, backup mechanisms are important. Infosec teams should know what to do if their liaisons are on vacation, traveling, or unreachable. Additionally, response processes should be tested at least once a year.

Security breaches are occurring more often than ever. In order to protect your company-and your customers-it's important to have a thorough communications plan in place. This will help to make sure that each department is informed and ready to answer any questions that customers or the media might have.

Author: RSA

Category: RSA Fundamentals, Blog Post

Keywords: Effective Communications Plan, Incident Response, InfoSec, Security Breaches