You learn today that your organization is facing some kind of cyber incident. Could be ransomware, highjacked O365 email account, PII or PHI exfiltrated, misconfigured network settings exposing data, etc. What do you do first?
If you have in place a well-thought-out cyber security incident response plan (IRP), you will know how to act swiftly and in the best ways possible to protect your network, operations and reputation. Whether you want to validate an existing IRP or are developing your first plan, Kroll’s experts can help.
Unrivalled Insight Built into Every Incident Response Plan
As incident responders who every year work globally on thousands of cyber matters, we know the risk landscape well. We also have witnessed the value of organizations being prepared.
In helping clients develop or validate an IRP, Kroll experts follow a methodology that integrates our front-line experience investigating persistent and emerging threats with guidance from leading security standards, such as the NIST Cybersecurity Framework and CIS Controls™ along with unique considerations based on your environment.
Some of the areas we will help you cover in building your plan include the following:
- Assembling your incident response team (IRT).
Subject matter experts and key resources enterprise-wide should be involved in the response to ensure coverage of specific incident-related issues.
- Assigning IRT responsibilities.
The role of everyone on the IRT should be outlined and each team member’s responsibilities clearly defined.
- Outlining technical protocols.
It is human nature for technical teams to want to try and fix something before having to escalate the problem. Unfortunately, this often leads to a loss of critical evidence that has hurt many an organization. We can advise on the steps for IT and security teams to follow upon detecting an issue, including escalation points.
- Determining authority to call an incident.
Your IRP should also cover protocols related to notifying senior leadership, external partners such as outside counsel or your insurance carrier, and regional or industry-specific regulators.
- Establishing communications procedures and responsibilities.
In a crisis, the ability to communicate cannot be taken for granted. We will help you examine and decide how the IRT will communicate securely if corporate email becomes unsafe to use or not accessible due to ransomware. Also, we will help you determine who will communicate with external parties, such as outside counsel, your insurance carrier, law enforcement, the media and regulators.
- Gathering and documenting pertinent information.
Our experts will help ensure you compile information that will be critical to have in the event of an incident. This includes technical diagrams/schematics as well as comprehensive contact information for key resources such as:
- IRT members and their alternates (backups)
- Essential internal stakeholders (e.g., executives and legal counsel)
- Vendors or providers of specialty services, e.g., investigations, forensics and remediation; breach notification; crisis communications; and cyber insurance
- Determining a review and testing schedule.
IRPs cannot be a create-and-forget exercise. Based on the complexity of your organization, we will help you determine measures for updating the plan organically (e.g., when members leave the company or change roles) and provide for a regular testing schedule (e.g., quarterly or annually).
Call for an Incident Response Plan Consultation Today
Beyond the pragmatic guidance that a cyber incident response plan provides, developing an IRP also signals to regulators, data subjects and other principal stakeholders your commitment to proactively address cyber threats. Take advantage of Kroll’s years of unique cyber incident response experience to better prepare to respond to a cyberattack. To learn more about creating an incident response plan or validating and testing an existing plan, contact us today.