A vital part of any data protection strategy is an incident response policy and plan. The incident response policy dictates what your company does when an incident involving data occurs within the business; the incident response plan details who is responsible for which function during an incident and how to carry out the actions that need to take place. The two may live in a single document or be split across different teams and divisions. Various data privacy and data protection laws mandate notification to the regulator within a certain period of identifying a data incident, so if you are still scrambling to work out who should do what, investigation time is ticking away. A fast response gives you more time to establish whether an incident is a breach (or not a breach) before notifying the authorities.
Over-arching Incident Response Policy
Your incident response policy sets out for your employees what needs to happen in an incident, as well as the ground rules around reporting. It will state who the Information Officer / Data Protection Officer is for the company, and that they are the single point of contact for an incident. Incidents can be incredibly damaging if acted on prematurely, so it’s important to designate a responsible person for these events.
Part of the policy should state who holds particular positions and what their roles are in the incident response process – teams like HR, Legal and IT. It should also assure team members within the organisation that they have the option of anonymity (as far as is legally possible) and that the company will protect those who shed light on incidents. You want staff to be confident that there will be no negative repercussions for reporting an incident. The last thing you want is an incident slipping by unaddressed because someone was too scared to report it!
The next part of the policy should detail how the company responds to an incident and within what timeframes it must respond. Different regulations have different reporting timelines, some vague (“as soon as possible”) and some very specific (“within 72 hours”).
Lastly, you need to detail what your after-the-fact actions, apologies and communications will be. It is important to wrap up any incident cleanly if it has happened, especially if it has been upgraded to a breach.
Granular Incident Response Plans
In some instances, you’ll have granular plans that specific teams need to follow in an incident. While the response policy is an overall view of the way the company deals with an incident, specific teams may have very specific processes that they need to follow – such as DevOps or Support in a software environment.
These granular plans can go down to the individual level: who is responsible for an action, what their contact details are, and what the time constraints on each event are. Think of it as a Disaster Recovery (DR) plan for data-related incidents. Ideally, a team’s incident response plan should function almost as a guaranteed Service Level Agreement (SLA) with the rest of the business.
Methods defined in ethical hacking and information security standards can most certainly be incorporated into these granular plans – detailing processes such as:
- Update Processes
All of the above aims to take the confusion and ambiguity out of an incident and to allow for the best possible response to the dreaded situation of a breach. Should you wish to have assistance in embedding these policies and processes into your business, we can assist! Drop us a line for more information about the services we offer.
Ross G Saunders Consulting is a niche data protection consultancy, working with a number of professional partners to help you as a business comply with data protection regulation. They help with business process, compliance, documentation and more, and can offer a full range of services to take the hassle out of data protection. Why not reach out to find out how they can help you gain a competitive advantage while garnering support from your existing and potential customers?