The U.S. Department of Justice has released guidance to assist organizations in preparing for a cyber incident. Released alongside a speech given by Assistant Attorney General Leslie Caldwell on April 29, the 15-page memo, “Best Practices for Victim Response and Reporting of Cyber Incidents,” provides a framework for organizations to prepare an incident response plan and also offers guidance as to how to respond once an incident occurs.
According to the DOJ, the guidance was drafted for smaller organizations that may not have the resources to invest in cybersecurity, but its lessons are also useful for large organizations. The document is summarized in the following checklist:
Before a Cyber Attack or Intrusion:
- Identify mission-critical data and assets, and institute tiered security measures to appropriately protect those assets
- Review and adopt risk management practices found in guidance such as the National Institute of Standards and Technology Cybersecurity Framework
- Create an actionable incident response plan, test the plan with exercises, and keep the plan up-to-date to reflect changes in personnel and structure
- Have the technology in place (or ensure that it is easily obtainable) that will be used to address an incident
- Have procedures in place that will permit lawful network monitoring
- Retain legal counsel that is familiar with legal issues associated with cyber incidents
- Align other policies (g., human resources and personnel policies) with your incident response plan
- Develop proactive relationships with relevant law enforcement agencies, outside counsel, public relations firms, and investigative and cybersecurity firms that you may require in the event of an incident
During a Cyber Attack or Intrusion:
- Do:
- Make an initial assessment of the scope and nature of the incident, particularly whether it is a malicious act or a technological glitch
- Minimize continuing damage consistent with your cyber incident response plan
- Collect and preserve data related to the incident, including creating a backup “image” of the network; keeping all logs, notes, and other records; and keeping records of ongoing attacks
- “Consistent with your incident response plan, notify—
- Appropriate management and personnel within the victim organization
- Law enforcement
- Other possible victims
- Department of Homeland Security
- Do not:
- Use compromised systems to communicate
- “Hack back” or intrude upon another network
After Recovering from a Cyber Attack or Intrusion:
- Continue monitoring the network for any anomalous activity to make sure the intruder has been expelled and you have regained control of your network
- Conduct a post-incident review to identify deficiencies in planning and execution of your incident response plan
You can follow the Consumer Financial Services Law Monitor for continued updates on this and other news stories.