DISASTER RECOVERY PLAN

Transcription

1 DISASTER RECOVERY PLAN

2 Data breaches are a threat faced by every business, regardless of size or sector. Whether such an incident is the result of human error or a malicious act, every company needs a clear plan in place for responding to it. The purpose of this template is to help small businesses familiarise themselves with what needs to be done in the event of a data breach, and to ensure they take all the right steps to resume operations, inform all the relevant parties about what has occurred, and can learn from the incident to prevent future breaches. Contents Introduction - why have a plan... 2 Data breach preparedness... 2 Auditing your data... 2 Identifying legal responsibilities... 3 Defences... 3 Training... 3 Testing schedule... 3 Plan review... 3 Roles and responsibilities... 4 Internal contacts... 4 External contacts... 4 Breach detection checklist... 4 Immediate responses... 4 In the aftermath... 5 Data breach procedures... 5 Appendices... 6 Notification procedures... 7 Prepared messages... 7 Insurance policies... 7 Record of activities... 7 Location of resources... 7

3 Introduction - why have a plan Many small businesses may not have given much thought to drafting a data breach response plan, as they may be under the impression they are unlikely to be vulnerable to these incidents. However, this is far from the case. June 2015 research conducted by PwC on behalf of the Department for Business, Innovation and Skills found that almost three-quarters of small firms (74 per cent) experienced a data security breach in the prior 12 months, with the average cost being between 75,000 and 311,000. For small firms, these expenses could be crippling and even put the business at risk of not surviving it. Therefore, anything companies can do to prepare for this eventuality can help minimise these losses. Data breach preparedness In order to be able to respond quickly to an incident, there are several steps that need to be taken beforehand to help businesses fully understand their data environment and what their exposure will be. Auditing your data Conducting a full audit of what data you possess and how vulnerable it is should always be a key first step. This ought to include details of every type of data you possess, such as employee details, intellectual property and customer records. Each data type needs to have a score assigned based on its importance to the company, and its risk - how valuable it is likely to be to external parties. There are several ways to do this, but a number rating of 1-5, which 5 is the most important, is a good solution as this allows businesses to tally up and easily visualise the score. Listing the member of staff most directly responsible for the handling of this data is also vital. Data type Importance grade (1-5) Risk grade (1-5) Responsible personnel Eg. Employee payroll data 3 4 HR director

4 Identifying legal responsibilities Different data types may be subject to various regulations, both at a national and European level. Understanding what these are - such as reporting requirements - is essential for a swift response. This needs to be reviewed regularly, as rules are subject to frequent change - for example, the introduction of the European General Data Protection Regulation. Industry-relevant requirements, such as PCI-DSS for the financial sector, or healthcare's HIPAA rules, also need to be monitored closely. Legal responsibilities - to be assessed every X months Data type Relevant legislation Reporting requirement (Y/N) Contact E.g. Customer details Data Protection Act N ICO Defences (A list of the protections in place to guard against breaches. For example, detail antimalware software, access control policies, processes for sharing data) Training (Detail training schedule to ensure staff are educated on risks. How often should this take place, who needs to participate, etc) Testing schedule The data breach response plan will be tested in its entirety once every X months Plan review The data breach response plan itself will be formally reviewed once every X months and in response to regular testing

5 Roles and responsibilities It is critical to ensure people know who will assume responsibility for the company's response when the data breach plan is activated. Emergency situations demand quick reactions, and having a clear idea of the command line and who is responsible can save valuable minutes. Internal contacts Name Job role Contact details Process owned E.g. John Smith IT sys admin (Phone numbers, address, normal workplace) Securing compromised databases External contacts Name Organisation Contact details Process owned Stuart Burrows Kroll Ontrack +44 (0) Data recovery Johanna Ward Kroll Ontrack Legal Technologies +44 (0) Legal investigation Breach detection checklist Upon detection of a breach, following the items in this checklist will give you the best chance of an effective response that minimises the damage done and ensures business continuity. Immediate responses Alert response team (Refer to personnel listed in Roles and Responsibilities section) Secure premises

6 (Locations must be physically secured and IT equipment accounted for) Stem data loss (IT experts must identify and close breach to prevent further loss) Document evidence (Gather details of what has occurred for use in investigations. What systems were compromised, how was this achieved, etc) Alert affected parties (Notify those affected by the breach - usually customers. Also consider a PR response to help control any media attention) In the aftermath Interview personnel (This is vital in determining the root cause of the incident.) Bring in external personnel/forensics (If additional expertise is required to stem a reach of conduct an investigation) Notify authorities (Refer to procedures listed in appendices) Apply lessons (Revise planning and response procedure based on outcomes) Data breach procedures Depending on the type of breach you have experienced, you may need to approach your response plan in a slightly different way - an accidental breach caused by an employee requires different priorities than an external hacker gaining access to your databases. You should therefore prepare specific templates that cover the most likely scenarios, and make sure personnel are aware of any key differences in your approach. Data breach scenario A Scenario Eg Unauthorised database access

7 detected Possible causes Compromised login credentials IT services and data at risk Customer details Impact Plan of action Sensitive personal and financial information stolen, increased fraud potential Refer to Breach Detection Checklist Key contacts Refer to Roles and Responsibilities Data breach scenario B Scenario Possible causes IT services and data at risk Impact Plan of action Key contacts Appendices The appendices to your data breach plan may include the following:

8 Notification procedures (A list of processes for disclosing of an incident to employees, management, partners and customers, as well as policies for dealing with media enquiries if required) Prepared messages (It may be useful to have prepared statements available for distribution to customers/media etc, as in the event of an incident, there may not be time to draft such material from scratch) Insurance policies (A list of insurance policies in place that may need to be claimed in the event of an incident) Record of activities Date Activity Outcome Actions E.g Scheduled test of breach response plan for scenario X Goals met? None Location of resources Resource Location E.g. Emergency contact details Intranet With members of IT team