Part One: Building an All-Star Incident Response Team
KAMMCO Compliance Officer
Who is in charge during an incident stemming from a cyber or privacy/security event (“Incident”)? The IT team? The privacy team? The office manager? There is no one-size-fits-all approach for determining who is best to take on an investigation. One person can’t do it alone. A team of key individuals is necessary, with their shared knowledge, experience and resources combined, to resolve an Incident effectively and expeditiously.
In grade school, captains were chosen to pick teams. They did a quick assessment of the assembled players’ skills and abilities and made their picks based on who would take their team on to victory. The same idea can be applied to the selection of your organization’s incident response team. Keep in mind, your team should include not only your organization’s internal members but also the external resources necessary to respond to the specific type of Incident you’re facing. These external resources can be pulled into your team as needed after vetting them along with the members of your team. With both your internal members and external resources standing in front of you, let’s do an assessment of the key players for your team.
Internal Incident Response Team Members:
Your organization's privacy/security officer will likely receive the first report of an incident. It's their role to identify critical information from the report by asking the right questions promptly, then to bring that information to the whole team.
A cyber or privacy/security incident is typically tied to your organization’s technology, and that's why you need an IT representative on your team. This person knows your technology infrastructure and can assess your network and software vulnerabilities in the face of an attack. They provide the specialized knowledge necessary to contain an incident and to remediate the issue quickly to halt further exploitation.
The Communications Representative
When an incident occurs, communication is essential. The communications representative plays a major role in both internal and external messaging, with all incoming and outgoing communication being funneled through this person. During an incident, they communicate internally by sending messages to the staff and communicating instructions from your team. Externally, they receive all communications from law enforcement, media, and customers and work with your team to decide what should be communicated back out.
The Office Administrator/Risk Manager
During an Incident, tracking the completion of checklists and coordinating all the moving parts will minimize confusion and misunderstandings. This team member takes on oversight of the investigation. They check in with the other members of the team and fill in as needed.
The decision-makers don't necessarily need to be part of your incident response team. They can be considered “referees” who are consulted to make important calls. Throughout the investigation, your team will face decisions that may need to be made by an executive team or board of directors. Based on your team’s recommendations, the decision-makers make those calls and give the approvals that keep your investigation moving forward.
External Incident Response Team Members:
They provide information on privacy-related legislation that may affect incident-response decisions. They also identify steps to mitigate legal liability.
They assist in handling external communications, especially in large-scale events, with a focus on damage control.
They examine the incident in detail. They take a deep look into computer logs and files to obtain digital evidence critical to your investigation. Computer forensics finds out the what, when, and how of the incident.
They determine coverage availability. They can also provide additional resources as part of their coverage to assist with your investigation of the Incident.
Now that your team is selected, Part 2 of this series will cover the game plan for building a winning incident response plan.