Develop a security incident response plan which sets out the actions to take in the event of an incident. The plan has sections on preparation, identification, containment, eradication, recovery and follow-up.
Set up an incident response team who are responsible for incidents. Define the roles in the incident response plan; it may be appropriate to include one person from management, one coordinator, one person responsible for the technical response and one person for communication. Since an incident can occur at any time, including when people are on holiday or otherwise unavailable, you need alternates for each role (we suggest three people available for each role).
Train your incident response team.
Test your plan regularly. Tabletop testing is one very effective mechanism, as it places team members in a scenario and lets them test out different actions. Don't just include your primary team members in the testing; include the alternates as well.
Learn from the testing and from any real incidents, and improve the plan based on what happens.
Make sure that the incident response plan and communications within and outside the organization are possible even in the event of a disaster or systems failure (e.g. if you have a security incident in your system where the plan is stored).
For breach notification, ensure that you have a list of who you need to contact, stored in an easily accessible system (e.g. your CRM). Someone in the organization needs to have responsibility for keeping this list up to date, so that if there is an incident you can contact customers or others easily.
Prepare communication templates. If you are a data processor, have communications prepared in the event of a breach to your data controller customers. If you are a data controller, have communications prepared for the regulator. Identify who has responsibility to issue breach notification and ensure that they are involved in the incident response team.
Make sure that everyone in your organization knows how and where to report a security or personal data breach to. With only 72 hours to inform a regulator, you need rapid internal reporting.
Train and test your employees on data security including security incident reporting – we suggest training and an annual data security test that everyone has to take, and pass.
Some useful resources
ISO 27002 (particularly section 16 on information security incident management)
NIST 800-53 (particularly IR controls)
OWASP top 10 considerations for incident response: