DOJ Releases Cybersecurity Guidance for Response and Reporting of Cyber Incidents

By Ashley L. Taylor, Jr. & Siran Faulders on May 1, 2015

Posted in All Entries, Privacy + Cyber, Regulatory Enforcement + Compliance, State Attorneys General

The U.S. Department of Justice has released guidance to assist organizations in preparing for a cyber incident. Released alongside a speech given by Assistant Attorney General Leslie Caldwell on April 29, the 15-page memo, “Best Practices for Victim Response and Reporting of Cyber Incidents,” provides a framework for organizations to prepare an incident response plan and also offers guidance as to how to respond once an incident occurs.

According to the DOJ, the guidance was drafted for smaller organizations that may not have the resources to invest in cybersecurity, but its lessons are also useful for large organizations. The document is summarized in the following checklist:

Before a Cyber Attack or Intrusion:

Identify mission-critical data and assets, and institute tiered security measures to appropriately protect those assets
Review and adopt risk management practices found in guidance such as the National Institute of Standards and Technology Cybersecurity Framework
Create an actionable incident response plan, test the plan with exercises, and keep the plan up-to-date to reflect changes in personnel and structure
Have the technology in place (or ensure that it is easily obtainable) that will be used to address an incident
Have procedures in place that will permit lawful network monitoring
Retain legal counsel that is familiar with legal issues associated with cyber incidents
Align other policies (g., human resources and personnel policies) with your incident response plan
Develop proactive relationships with relevant law enforcement agencies, outside counsel, public relations firms, and investigative and cybersecurity firms that you may require in the event of an incident

During a Cyber Attack or Intrusion:

Do:
Make an initial assessment of the scope and nature of the incident, particularly whether it is a malicious act or a technological glitch
Minimize continuing damage consistent with your cyber incident response plan
Collect and preserve data related to the incident, including creating a backup “image” of the network; keeping all logs, notes, and other records; and keeping records of ongoing attacks
“Consistent with your incident response plan, notify—
Appropriate management and personnel within the victim organization
Law enforcement
Other possible victims
Department of Homeland Security
Do not:
Use compromised systems to communicate
“Hack back” or intrude upon another network

After Recovering from a Cyber Attack or Intrusion:

Continue monitoring the network for any anomalous activity to make sure the intruder has been expelled and you have regained control of your network
Conduct a post-incident review to identify deficiencies in planning and execution of your incident response plan

You can follow the Consumer Financial Services Law Monitor for continued updates on this and other news stories.