Whether you’re a national retailer, international pharmaceutical company or a small university, security and privacy breaches can have a devastating effect on your business. As fast food chain Wendy’s sifts through the latest credit card breach incident some involved in the incident have mentioned the limitations of having a widely dispersed workforce (in this case thousands of independently-owned franchises) when it comes to reporting, tracking and managing security incidents.
Having a centralized incident reporting system for incident management that is accessible to consistently log incidents and route them to experts for threat assessment can be the first piece of the puzzle. This alone could help ensure a rapid, more coordinated response to security incidents. It also ensures the proper information is captured at the outset and the proper protocols are followed. Staff/franchises/customers, etc. can log into a portal, complete standard forms and then provide further information as the incident is reviewed by the security team and moves through the security workflow.
Incidentally, if you haven’t already developed a standard workflow for handling security incidents (or it’s time to refresh your existing procedure), privacy Website iapp.org has a great questionnaire for thinking through and planning for security breaches if you collect personal customer information.
Automating the Process
Once incidents are reported they can be prioritized based on reported or determined severity. For instance “Critical,” “Major” and “Minor.” While all incidents are logged and analyzed, “Critical” incidents might be routed immediately to the highest level remediation team and key executives. In addition, an alert might be sent back to the originator for immediate clarification and additional information. If a “Critical” incident has not had action taken on it within 5 minutes it could escalate to another team, fire off more alerts, etc.
If the personnel assessing the incident are not the personnel that will me handling remediation/response there may be a hand-off from the assessment team to a response team needed as well. Again, the nature of the hand-off may depend on the type and scope of the incident.
Beyond that, the scale and location of incidents may at some point also require legal and/or PR activity. Broadly, the process might look something like this very simplified flow:
At each hand-off, information is gathered and entered, informing the next decision and determining if and how the incident should continue down the chain. Also, different types of incidents can route differently. For example, a credit card breach routes to the credit card security team while a network breach routes to the network ops team.
Meanwhile, a clear and auditable breadcrumb trail is created so any internal or external compliance requirements can be demonstrated.
Real World Incident Response Example
Our customers have built incident management systems to handle a variety of incident response needs. The example below is from a Privacy Incident system that one of our customers developed to handle potential privacy breaches. Anyone in the organization can submit an incident report and the response workflow is immediately kicked off. Note that we’re only showing part of the system here to maintain anonymity. The complexity of the process is well beyond what you see here.
Manual Processes Aren’t Enough
While many IT departments have created documentation around the proper handling of a security incident, not enough have taken it to the next level by using workflow automation to create a fully-automated workflow that manages the incident from beginning to end. An automated security incident workflow has numerous advantages to manual handling (emails, phone calls, etc.)
The obvious benefit to automating the process is speed to resolution. When simple questions are answered based on automated rules and information is routed swiftly to the correct person, human action can be taken much more quickly. In addition, by gathering the correct data (via a standardized form) at the outset, there is less need for back and forth communication with the originator.
The additional benefit is the continuous improvement of the resolution process. Once a resolution time baseline is established, going forward, each type of incident can be compared. Are incidents getting resolved faster or slower? Where are the bottlenecks? Which type of incident is taking the longest? Which part of the process is bottle-necking?
Lastly, as I mentioned, an auditable trail is logged, making it easy for internal and, if needed, external agencies to review and ensure all guidelines were followed, who signed off, what steps were taken and by whom.
- Good example of how complex security incident workflows can get (New York Universtity)