The Five Most Important Aspects of a Cyber Security Incident Response Policy
The worst time to develop your Cyber Security Incident Response Policy (CSIRP) is after the incident has happened, or "right of the boom". Without a well-crafted and tested strategy, precious time will be wasted and costly mistakes will be made.
As a Managed Service Provider, when developing a comprehensive Incident Response Plan many factors must be considered. The MSP must first have a CSIRP for any potential breach that may occur on their own internal network. Then they must work with their clients to develop a CSIRP for breaches that may involve a breach on one of their networks.
The five important aspects of the Cyber Security Incident Response Policy are:
Technical preparedness and response
Reviewing tech E&O/cyber insurance implications
Understanding regulatory reporting requirements
Relationships with local and federal law enforcement
Controlling messaging
The first step in creating a CSIRP is defining the team that will oversee the process. This would include members of the senior management team, the CISO or security team, IT personnel, and key department managers. This is the team that will develop the processes and procedures defined by the policy. Ideally, this is the internal security council for the MSP.
When creating the plan for the internal network the MSP must begin by ensuring they have taken the proper steps "left of the boom". These are all of the security measures and practices that are in place prior to any incident occurring. This could, and should, include implementing security controls based on a recognized cybersecurity framework (NIST, CIS, ISO, etc.).
Of course, no security practice is 100%. Therefore, the MSP must consider what happens not if, but when, an incident occurs. They must consider their internal cyber forensics capabilities, Tech E&O/Cyber Insurance coverage, Regulatory reporting requirements they may be under, criminal justice ramifications, and potential damage to reputation.
When an incident occurs, it is important that the MSP act quickly. Time is the enemy of cyber security. However, the MSP should understand what actions may be appropriate given the situation. They must train their internal staff to take those steps in a rapid but organized fashion. If criminal activity has occurred, it is important to preserve as much evidence as possible without allowing the breach to continue. During last year's breach at Kaseya, the decision to shut the entire system down was made very quickly and likely saved the entire system from further damage. If necessary, the MSP can engage with an external cyber forensics firm to determine the extent of the damage and the likely perpetrators.
The MSP should engage with their Tech E&O Insurance (which should include CyberInsurance) carrier when developing a CSIRP. They should understand what their responsibilities are in reporting the incident and what actions the carrier may require in response to the situation. These procedures should be included in the CSIRP.
If the MSP manages or stores any data that falls under regulatory guidelines and there is evidence that data was compromised, the MSP must understand the reporting requirements of those regulations. Many regulations have time limits within which the breach must be reported, and the scale of the breach must be declared. This information must be included in the CSIRP.
The MSP should also be familiar with the process of engaging with law enforcement if the breach reached the appropriate level of criminality. The MSP should establish relationships with local law enforcement as well as local or regional FBI resources. The Department of Homeland Security (DHS) has created guidelines for reporting cybersecurity incidents to the Federal Government. Understanding this process prior to incident allows the MSP to engage with law enforcement much quicker.
Finally, the MSP must understand how security breaches can damage their professional reputation. Messaging must be controlled carefully. All messaging regarding the incident must come from Senior Management. Engineers, technicians, sales reps, and others must be trained to refer any questions regarding the incident to senior management or the designated party. If the breach has detrimental effects on a client's network, it may result in a lawsuit. Anything communicated to the client by an employee of the MSP may be used the MSP in court. The Senior Management team may decide to engage with a reputable Public Relations firm to refine their public messaging.
Once the MSP has defined and tested their CSIRP, they should work with their clients to develop a corresponding CSIRP for their organization. All of the same principles apply; however, the client is ultimately responsible for the management of the policy and the tangential relationships involved. The MSP would play a certain role withing the CSIRP, but it must be owned and managed by the client.
In the event of a breach occurs on a client's network the messaging aspects are even more critical for the MSP. In his video "MSP Liability Considerations after Client's 'Cyber Event'", Joe Brunsman explains the concept of "Identify, Contain, and Refrain". He councils that MSPs focus on the technical aspects of identifying and containing the breach but refrain from discussing any legal or forensic issues. Training of the engineers on what they can say and what they cannot say in the event of a client breach is critical in protecting the practice.
The key to success in handling a data breach is proper preparation. Simply reacting when one occurs can have devastating effects on an MSP.
OTX Roundtable was created to provide a peer-based environment where MSPs can work together to achieve compliance and certification. If you are looking for a peer group focused on risk management and compliance, please reach out