Hardwiring Breach Response
Increased security awareness on campus can support a more efficient and controlled response, and preparing campus for a breach event will lead to greater awareness of risks and acceptance of necessary changes to policy.
IT teams that have experienced a breach event know that the first hours after incident notification will be hectic and confusing. The institution must organize internal responders, secure systems, contact all appropriate parties, set up crisis services, and collect key data all at once. Without a clear plan and organization in place, mistakes are made.
Nearly all institutions have conducted basic preparation in segmenting data and assigning ownership over key systems; however, few have made key roles and processes part of their breach response plan. Designating breach response leaders, creating distributed application whitelists, and tracking time to response can help even advanced organizations improve the efficiency and effectiveness of breach response.
Practice 1: Incident Managers
Ensure Focus and Authority for Fast Decisions
Single owners reduce lag in reaching experts and notifying stakeholders
To make breach response efficient, controlled, and predictable, identify a pool of staff who will be prepared to make escalation, purchasing, and quarantine decisions during a breach. These incident managers oversee the entire workflow around breach response and are responsible for shift continuity, damage assessment, response team assembly, stakeholder notification, evidence collection, and an initial postmortem analysis.
Practice 2: Distributed Application Whitelisting
Pre-wire Unit-Level Containment Decisions
Focus on what stays on instead of what shuts down
Keep up with critical distributed applications without overburdening the security team by focusing on what will stay on during a breach instead of what will shut down. Compiling a list of top local applications outside of standard, enterprise-wide licenses can ensure continuity in local areas by insulating whitelisted applications from a system quarantine.
Practice 3: Time-to-Response Tracking
Measure Response to Reduce Breach Costs
Document process performance to streamline response
Operational efficiency during a breach is a significant driver of indirect expenses. To save on breach costs, shorten the time it takes to know a breach has occurred, understand the root-cause vulnerability, contain the damage, and create a permanent solution. Comparing granular performance metrics of breach response against set benchmarks allows identification of areas for improvement and reveals how different data types and parts of campus respond differently to security incidents.
Representative uses of granular time-based metrics
Compare performance metrics at the level of data type (e.g., FERPA versus HIPAA) and unit type (e.g., academic department versus administrative office) to prioritize remediation at the level of process and understand where the “indirect” costs of data breaches are clustered.
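The following is an added example, not part of the original brief, showing how the granular time-based metrics described above can be computed from incident records and grouped by data type and unit type. The phase names, benchmark hours, and incident records are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from collections import defaultdict

# Each phase maps a metric name to (start timestamp field, end timestamp field).
PHASES = {
    "time_to_know": ("occurred", "detected"),
    "time_to_root_cause": ("detected", "root_cause"),
    "time_to_contain": ("detected", "contained"),
    "time_to_fix": ("contained", "fixed"),
}

# Hypothetical benchmarks in hours (assumption; the brief gives no figures).
BENCHMARKS_HOURS = {"time_to_know": 24, "time_to_root_cause": 12,
                    "time_to_contain": 8, "time_to_fix": 72}

@dataclass
class Incident:
    ident: str
    data_type: str    # e.g. "FERPA", "HIPAA"
    unit_type: str    # e.g. "academic", "administrative"
    occurred: datetime
    detected: datetime
    root_cause: datetime
    contained: datetime
    fixed: datetime

def phase_hours(inc):
    """Elapsed hours for each response phase of one incident."""
    return {name: (getattr(inc, end) - getattr(inc, start)).total_seconds() / 3600
            for name, (start, end) in PHASES.items()}

def metrics_by(incidents, key):
    """Average phase hours grouped by an attribute ('data_type' or 'unit_type')."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[getattr(inc, key)].append(phase_hours(inc))
    return {g: {p: mean(h[p] for h in hours) for p in PHASES}
            for g, hours in groups.items()}

def over_benchmark(grouped, benchmarks=BENCHMARKS_HOURS):
    """Sorted (group, phase, avg_hours) triples whose average exceeds the benchmark."""
    return sorted((g, p, round(avg, 1)) for g, phases in grouped.items()
                  for p, avg in phases.items() if avg > benchmarks[p])

T = datetime.fromisoformat
SAMPLE = [  # constructed sample incidents, not real data
    Incident("INC-1", "FERPA", "academic", T("2024-03-01T08:00"), T("2024-03-02T20:00"),
             T("2024-03-03T02:00"), T("2024-03-03T01:00"), T("2024-03-05T01:00")),
    Incident("INC-2", "HIPAA", "administrative", T("2024-04-10T09:00"), T("2024-04-10T15:00"),
             T("2024-04-10T20:00"), T("2024-04-10T19:00"), T("2024-04-15T19:00")),
]
```

Running `over_benchmark(metrics_by(SAMPLE, "data_type"))` flags the FERPA incident's detection lag and the HIPAA incident's remediation lag, which is the kind of clustering the brief suggests using to prioritize process remediation.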
Making Risks Relevant