Tag Archives: incident response

Get “Incident Response” Ready with Help from the DOJ

Being ready and able to effectively respond to a cyber incident is vital in terms of minimizing the resulting damages, but do you know what to do or where to look for assistance?

An effective response means having a plan before a cyber incident occurs. To help with your incident response planning efforts, the U.S. Department of Justice (“DOJ”) recently released a revised version of its “Best Practices for Victim Response and Reporting of Cyber Incidents” (Guidance). The DOJ’s Guidance was based on the real-life lessons learned by federal officials with input from private companies who managed cyber incidents.

The Guidance consists of four sections:

OCR Publishes New Cybersecurity Materials & Guidance

The Office for Civil Rights (OCR) released new guidance materials that should prove helpful for smaller organizations working on a limited budget. The purpose of the new guidance is to help Covered Entities and Business Associates understand the steps involved with responding to a security incident.

Response Checklist

OCR’s checklist is titled ‘My entity just experienced a cyber-attack! What do we do now?’ and briefly touches on several quick-response steps:

  • Execute the response and mitigation procedures and contingency plans
  • Report the crime to applicable law enforcement agencies
  • Report all cyber threat indicators to federal agencies and to information-sharing and analysis organizations
  • Report the breach to OCR as soon as possible (but no later than 60 days after discovery of a breach affecting 500 or more individuals)

The accompanying infographic helps to illustrate these steps.

Key Takeaways

Being prepared for a cybersecurity incident and having the response process thought out is a key focus area for our clients. For organizations in the healthcare industry, we have provided foundational templates for building incident response programs. Whether your organization is starting from scratch or just wants to supplement an existing incident response plan, these templates are key resources.

Each of the steps mentioned by the OCR is an important component of an effective incident response plan. You can view our incident response materials through the website linked in our newsletter. Submit any incident response questions to cyberteam@eplaceinc.com.

What is a Tabletop and How Will It Help My Organization Mitigate Cyber Risk?

If you’ve heard cyber insurance or risk management professionals bantering recently, you’ve probably caught onto the buzzword ‘tabletop exercises.’

Without wanting to look naïve, you tap the phrase into a Google search, only to find it’s not a tool used by just the cyber community. Organizations and government agencies have been leveraging tabletops for decades to discuss simulated emergency situations. But recently, tabletop exercises have rapidly gained momentum in cyber security contexts.

Tabletop exercises go by a number of different names: “war games,” “incident response drills,” “incident response simulations,” etc.

The goal is always the same: to test an organization’s ability to respond to a cyber security incident.

Tabletops are essentially a fire drill to practice the crisis situation of a cyber security incident. Organizations develop the muscle memory to respond effectively and efficiently when there’s a privacy or security issue in real time.

The simulation facilitates discussion amongst your incident response team and validates the team’s ability to respond to a breach. This activity will test your team’s ability to mobilize, make decisions, and deliver a structured response in an environment with constantly changing facts.

Types of Tabletops

There are different ways to test your ability to respond.

Some tabletop exercises are strictly focused on the legal side. They provide guidance on how to proactively prepare for litigation and comply with the intricate notification regulations that differ state by state.

Other tabletop exercises are much more technical in nature. These focus on the detection and analysis of anomalous activity, along with further prioritization, containment, eradication and recovery.

There are even tabletops that focus on operational details that create inevitable bottlenecks in response times, like providing identity protection or hosting call centers.

An effective tabletop for cybersecurity covers all of these issues and poses questions for the team to prompt action towards mitigating the overall risk. Taking a comprehensive approach during a tabletop – from the legal, technical, and operational viewpoints – helps visualize the impact of a security incident to the organization as a whole. Organizations can use the results to identify gaps and areas for improvement.

How does a tabletop help mitigate my cyber risk?

According to data from the Ponemon Institute, employee negligence poses the biggest security threat to business organizations of every kind. Awareness and training are key to combatting those risks from the top down.

A tabletop exercise is a practical tool to get the executive team “on board,” by bringing together key decision makers and exposing them to the potential harm of a disastrous cyber scenario. Once exposed to the possible implications of the risk, these influencers can then help promote a culture of privacy and cyber security within the organization.

Who is involved? Why does this exposure help bring awareness?

An exercise on incident response is typically designed to take a cross-functional approach and engage colleagues from different departments that each have a stake in the breach response process. We encourage organizations to develop an ‘Incident Response Team,’ including the following representatives:

  • IT/Network Security
  • Compliance
  • Executive Management
  • PR/Communications
  • Human Resources
  • Business Continuity
  • Finance
  • Risk Management

Each of these roles helps an organization realize the overall impact of a cyber security incident on day-to-day business activities, public perception, reputation, and compliance. The Incident Response Team members responsible for a breach response should participate in the tabletop exercise.

Most times, we’ve found these particular individuals rarely find themselves sitting in the same room together. The tabletop simulation provides a unique opportunity to practice as a team and develop a cohesive response unit.

What does a tabletop exercise test?

A tabletop exercise is designed to test your team’s awareness of the response process during a cyber security incident, and what issues must be addressed to deliver an effective response.

Typically, an organization’s Incident Response Plan (IRP) is incorporated directly into the simulation. An IRP is a critical component to ensuring that organizations are prepared to respond efficiently and effectively to a data security incident.

If an organization hasn’t quite developed its IRP yet, a tabletop exercise can still be valuable. It provides the impetus needed to initiate an incident response planning program, or prompts individuals to develop a plan.

Tabletop exercises are focused on strengthening your organization’s ability to respond to a data security incident by developing a strong internal team, ensuring that team members understand their roles and responsibilities, identifying critical response tasks and considerations, and providing a framework to ensure that resources are used wisely and efficiently in the event of a data breach. Testing the incident response plan is critical to identifying gaps and improving the plan.


Whether your organization is equipped with an Incident Response Plan or not, it’s important to consider the benefits associated with cybersecurity’s new buzzword. A tabletop exercise mitigates cyber risk through testing the organization’s response team, identifying gaps, and providing a forum to interact on emerging threats in cyber security and privacy.

For more information or advice on tabletop exercises, feel free to reach out to our cyber team – cyberteam@eplaceinc.com – to get in touch with an Incident Response Specialist.


PCI Guidance: Responding to a Data Breach

The Payment Card Industry Security Standards Council (PCI SSC) released guidance for merchants and service providers to help in preparing to respond to an incident and engaging a Payment Card Industry Forensic Investigator (PFI). To find a list of pre-approved PFIs, visit the PCI SSC website.

Join the next ePlace Solutions webinar: PCI Readiness – Solidifying PCI Scope of Compliance Risk, to gain a better understanding of the PCI DSS requirements and how to best prepare for compliance. The webinar is October 28th at 10:30 AM PT / 1:30 PM ET, free of charge.

Preparing for the Worst

The PCI SSC recommends that organizations prepare for the worst when it comes to incident management. The guidance provides 5 key points to address when putting together an incident management program.

1. Implement an Incident Response Plan

The retail industry has seen a plethora of cardholder data breaches in recent years. Organizations need to be prepared for what seems to be the inevitable data breach. An Incident Response Plan is a crucial step in preparing for an incident.

PCI DSS provides guidance in Requirement 12.10: “Implement an incident response plan. Be prepared to respond immediately to a system breach.”

According to PCI DSS, an effective incident response plan should include:

  • Roles, responsibilities, and communication strategies in the event of a compromise (e.g., notifying payment brands of an incident)
  • Specific incident response procedures
  • Business recovery and continuity procedures
  • Data backup processes
  • Analysis of legal requirements for reporting an incident

2. Limit Data Exposure

When responding to a security incident, organizations too often impulsively shut down the infected systems and destroy the evidence that existed on them. Simply turning off a system can delete key evidence for the investigation (such as volatile memory and active network connections), and can also tip off the attackers that they have been detected.

Minimizing data loss while simultaneously preserving evidence is essential. The incident response team should ensure they have the capability to isolate an infected system without turning it off. This helps keep the attackers away from other potentially sensitive areas of the network and allows the forensics team to investigate the situation.

3. Notify Business Partners

An effective response to a security incident involves notifying the proper parties. Organizations should have a communications strategy that lists every party that must be notified in the event of a security incident, along with that party’s contact information. Potential parties might include payment card brands, merchant banks, or other entities that require notification by contract or law.

4. Manage Third-Party Contracts

Third parties represent a security concern for many organizations. Oftentimes third parties have access to an organization’s network and systems for business operations. However, responsibility for the protection of data and information ultimately falls on the data controller.

Having contract language that addresses the vendor’s data security policies and procedures, as well as its incident response management, is a key component of preparing for an incident. As the data controller, you need provisions that keep the third party accountable; they are essential to ensuring the best protection of data and information.

5. Identify a PFI

Organizations should identify and establish a relationship with a PFI before an incident occurs. PFIs will often offer their services on retainer so the relationship exists and they are only a phone call away when you need them.

When engaging with a PFI, it’s important to understand their role in the incident management process. There are several things to consider when performing due diligence on potential PFIs for the organization.

PFIs are required to be independent of the organization they are investigating. There should be no other existing relationships with the PFI. The organization’s Qualified Security Assessor is not allowed to conduct the investigation. In addition, other third-parties representing the organization, like a public relations consultant, should not be interfering with the investigation. PFIs’ investigations must be completely independent.

The purpose of the PFI is to investigate the root cause and scope of the intrusion. PFIs will compile their findings into two reports: a PFI Preliminary Incident Response Report and a PFI Final Incident Response Report. It’s important to realize that the investigation and reports are not PCI DSS assessments and will not determine compliance with PCI DSS.

SEC Cybersecurity Examinations: What You Need To Know

The Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) released a Risk Alert to announce the second round of cybersecurity examinations as a part of its 2015 Examination Priorities.

These examinations follow up a previous round in which 100 broker-dealers and investment advisers were interviewed and documents reviewed. Observations from those examinations were published in February 2015. This subsequent round of examinations will focus more on testing broker-dealers’ and investment advisers’ implementation of firm procedures and controls.

While the examiners might include additional areas of risk, the upcoming round of OCIE examinations will focus on and review the following areas:

Governance and Risk Assessment

  • Whether firms are evaluating cybersecurity risks
  • Whether firms’ controls and risk assessment processes are tailored to their business
  • The level of communication and involvement of senior management / board of directors

Access Rights and Controls

  • How firms control access to systems and data using credentials, authentication, and authorization

Data Loss Prevention

  • How firms monitor the content transferred outside the firm through email or uploads
  • How firms monitor for potentially unauthorized data transfers
  • How firms verify the authenticity of a customer request to transfer funds

Vendor Management

  • Vendor management controls and practices with due diligence, oversight of vendors, and contract terms
  • How vendor relationships are viewed as a part of the risk assessment process
  • How firms determine the appropriate level of due diligence to conduct on a vendor

Training

  • How training is tailored to specific job functions
  • How training is designed to promote responsible employee and vendor behavior
  • How procedures for responding to cyber incidents are integrated into personnel and vendor training

Incident Response

  • Whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible incidents