This blog post discusses the steps a firm should take in response to a security breach. Your firm (no matter its size) should have the contact matrix below filled out, communicated, and ready to go, so that you can respond to a security breach without delay.
| Role | Name and contact details | Notes |
|---|---|---|
| Incident Response Coordinator | | MUST BE A SR. BUSINESS LEADER IN THE ORGANIZATION |
| Cyber Lawfirm Contact | | |
| Person Responsible for Firm's Technical Security | | |
| Person Responsible for Firm's Network, Servers, and Endpoints | | |
| FBI Contact | | |
| Police Cyber Contact | | |
| Cyber Forensics Contact | | |
Using the matrix filled out above, your firm should work through the step-by-step list below to ensure you are taking the actions necessary to protect your firm.
Note that you need to provide guidance to your HELPDESK on how to determine whether an issue could be real and whether it has business impact.
Note that it is the judgement call of the INCIDENT RESPONSE TEAM if a Category 3 or 4 issue would require Legal and Insurance to be contacted.
If the issue is Category 1 or 2, once Legal and Insurance have provided guidance, the INCIDENT RESPONSE TEAM should contact the FBI CONTACT and POLICE CONTACT.
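The readiness check and escalation rule above can be exercised before an incident rather than discovered during one. The following is an added example, not code from the original post: it encodes the contact matrix roles from the page, flags any role that is not filled out, checks that the coordinator is marked as a senior business leader, and returns the notification order for a given category using the page's rule (Category 1 or 2: Legal and Insurance first, then FBI and Police; Category 3 or 4: Legal and Insurance only if the INCIDENT RESPONSE TEAM decides so). The `Contact` fields, the `Insurance Contact` role (the page's escalation steps name Insurance but its matrix has no row for it) and the sample entries are assumptions constructed for the example.

```python
"""Incident response contact matrix readiness check and escalation order.

Added example based on the plan described in the post; not the post's own
code. Role names follow the page's contact matrix. "Insurance Contact" is an
added role because the page's escalation steps require contacting Insurance.
"""
from dataclasses import dataclass
from typing import Dict, List

# Roles from the page's matrix, plus the assumed Insurance row.
ROLES = (
    "Incident Response Coordinator",
    "Cyber Lawfirm Contact",
    "Insurance Contact",  # assumed: needed by the Category 1/2 rule
    "Person Responsible for Firm's Technical Security",
    "Person Responsible for Firm's Network, Servers, and Endpoints",
    "FBI Contact",
    "Police Cyber Contact",
    "Cyber Forensics Contact",
)

@dataclass
class Contact:
    """One filled-out row of the matrix (field names are assumptions)."""
    name: str
    phone: str
    email: str
    senior_business_leader: bool = False

def missing_roles(matrix: Dict[str, Contact]) -> List[str]:
    """Return roles with no entry or with an empty name, phone or email,
    in matrix order. The plan is not 'ready to go' until this is empty."""
    missing = []
    for role in ROLES:
        c = matrix.get(role)
        if c is None or not (c.name and c.phone and c.email):
            missing.append(role)
    return missing

def coordinator_ok(matrix: Dict[str, Contact]) -> bool:
    """The coordinator must be a senior business leader (page requirement)."""
    c = matrix.get("Incident Response Coordinator")
    return c is not None and c.senior_business_leader

def escalation_order(category: int, team_requires_legal: bool = False) -> List[str]:
    """Notification order for the INCIDENT RESPONSE TEAM.

    Category 1/2: Legal and Insurance first; FBI and Police only after Legal
    and Insurance have given guidance (hence their later position).
    Category 3/4: Legal and Insurance only when the team judges it necessary;
    the page gives no law-enforcement rule for these, so none is added.
    """
    if category not in (1, 2, 3, 4):
        raise ValueError("category must be 1, 2, 3 or 4")
    if category in (1, 2):
        return ["Cyber Lawfirm Contact", "Insurance Contact",
                "FBI Contact", "Police Cyber Contact"]
    return ["Cyber Lawfirm Contact", "Insurance Contact"] if team_requires_legal else []

def sample_matrix() -> Dict[str, Contact]:
    """Constructed sample: two rows deliberately incomplete to show the check."""
    filled = {role: Contact("Example Person", "+1-555-0100", "ir@example.invalid")
              for role in ROLES}
    filled["Incident Response Coordinator"].senior_business_leader = True
    filled["Police Cyber Contact"] = Contact("Desk", "", "cyber@police.invalid")  # no phone
    del filled["Cyber Forensics Contact"]  # never filled out
    return filled

if __name__ == "__main__":
    m = sample_matrix()
    print("Missing or incomplete:", missing_roles(m))
    print("Coordinator is senior leader:", coordinator_ok(m))
    print("Category 1 order:", escalation_order(1))
    print("Category 3, team declines legal:", escalation_order(3))
```

Running the check on the constructed sample reports `Police Cyber Contact` and `Cyber Forensics Contact` as not ready, which is the kind of gap a tabletop exercise should surface before a real incident does.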
Note: Try to avoid letting attackers know that you are aware of their activities. This can be difficult, because some essential responses might alert attackers.
Compare the cost of taking the compromised and related systems offline against the risk of continuing operations. In the vast majority of cases, you should immediately take the system off the network. However, you might have service agreements in place that require keeping systems available even with the possibility of further damage occurring. Under these circumstances, you can choose to keep a system online with limited connectivity in order to gather additional evidence during an ongoing attack.
In some cases, the damage and scope of an incident might be so extensive that you might have to take action that invokes the penalty clauses specified in your service level agreements. In any case, it is very important that the actions you will take in the event of an incident are discussed in advance and outlined in this response plan so that immediate action can be taken when an attack occurs.