In today’s computing world, it is not a matter of “if” an organization will get compromised, but “when.” That’s why, in addition to the European Union’s General Data Protection Regulation (GDPR) going into effect this May, many organizations need to have a robust incident response program to ensure the safety of their customers’ and employees’ data.
Incident response programs need to cover a wide array of regulatory and compliance requirements, technical details, and workflows to ensure companies can adequately and quickly respond to a security incident in their environment. Because of this complexity, I’m going to break the topic of “building an incident response program” into multiple blog posts.
In this first article, I will outline some of the regulatory requirements documented in the GDPR. However, while I address GDPR requirements, I’m also covering some of the basic and underlying tenants of a robust incident response program—one that can also align with other state and country regulations worldwide.
At the forefront of many security professionals’ mind is May 25, 2018: the date when GDPR takes effect. Companies who do business in the European Union (EU) or have data on citizens of the EU must be compliant with the GDPR requirements by this time.
While there are many other security standards that businesses must meet, such as the Payment Card Industry Data Security Standards (PCI-DSS) for organizations that handle credit card information or the Sarbanes-Oxley Act (SOX) for publicly traded companies, it appears that GDPR has a significantly more stringent set of regulations and a much steeper penalty for non-compliance (up to 4 percent of annual global turnover or 20M Euro, whichever is greater).
Further, there are many other requirements within GDPR that are outside of incident response—so please consult your legal team or an outside expert to ensure all GDPR requirements are being addressed within your company or organization.
From the GDPR website, under Data Subject Rights:
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
While the above statement only indicates the requirement for notification within 72 hours of identifying a data breach and does not say organizations must have an incident response program, it is evident that in order to meet the 72-hour notification requirement, an organization will need to be in a position to quickly detect a breach within their networks, systems, or applications.
However, the GDPR does specify requirements for incident or breach response directly. Here are some of its high-level GDPR requirements:
Rapid declaration: Organizations must report breaches to the “supervisory authority” within 72 hours of becoming aware of them.
Formal incident/breach response policy and plan: Organizations that are disorganized or “fly by the seat of their pants” during an incident are at a much higher risk of not having a complete or thorough response and will likely incur penalties outlined in the GDPR. Developing an incident response program—creating policies and procedures, and ensuring everyone is aware of the program—will go a long way in establishing a base from which to work when an incident or breach occurs.
Data inventory: It becomes critical to know where an individual’s data is being stored so the incident response team can quickly know the potential impact of a security event on a system or application.
Impacted individual notification: Having an accurate inventory of what data is being stored will help with any potential individual notifications in the event of a breach. Know who is impacted and have a process to notify them in the event of a breach. The communication with individuals must describe the nature of the breach and recommendations to mitigate potential adverse effects.
Communication plans: Some communications requirements have been identified above; however, internal communication between impacted departments and groups is also critical to ensure a smooth response to an incident or breach. It is also vital that the communication plan identify who is authorized to talk to external entities, such as the press or law enforcement.
Incident response structure: One key decision an organization needs to make is: Should we build a program internally or utilize a Managed Security Service Provider (MSSP) for detection and/or response? If using an MSSP, organizations should routinely test it to ensure effectiveness and timely notification, as it is ultimately up to the organization to comply with regulatory requirements and timeframes.
Detection: The ability to detect an attack or security event has always been critical to an organization, but now a failure to detect an attack may be grounds for GDPR penalties. If an organization can detect and take action against an adversary within the network, the organization could prevent or reduce GDPR penalties, especially if an attack is stopped prior to exposure.
Incident/breach response: Within the response framework, the ability to quickly analyze what the attackers may have accessed or copied will go a long way in minimizing the potential impact to the organization and, most importantly, to the individuals that were impacted.
Effective response: A documented and approved program is an important step; however, if staff are not aware of the program, trained on the process documentation, and the program is not routinely tested, the response will not be effective. The Incident Response Program must be regularly audited and communicated to staff to ensure its effectiveness and completeness in the event of a breach.
While I have a pretty good grasp on how GDPR will impact Information Security Operations and Governance groups, I recommend you consult with your Legal and Privacy Teams prior to implementing or dismissing any controls that could be related to GDPR and, for that matter, to other regulatory requirements.
Next up: creating the framework of an incident response program and team.