Last week, the Cybersecurity Unit of the U.S. Department of Justice (the “Justice Department”) released a guidance document, entitled Best Practices for Victim Response and Reporting of Cyber Incidents (“Guidance”), discussing best practices for cyber incident response preparedness based on lessons learned by federal prosecutors while handling cyber investigations and prosecutions. The Guidance is intended to assist organizations with preparing to respond to a cyber incident, and emphasizes that that the best time to plan a cyber response strategy is before an incident occurs. The Justice Department drafted the Guidance with smaller, less-experienced organizations in mind, but also believes that larger organizations may benefit from its summary of best practices.

To help develop a cyber incident response strategy, the Justice Department recommends that organizations take the following precautions:

  • Identify the organization’s mission critical data and assets (i.e., the “crown jewels”);
  • Develop an actionable, up-to-date incident response plan before an intrusion occurs;
  • Have appropriate authorization in place to permit lawful network monitoring;
  • Ensure the organization has legal counsel available that is familiar with technology and cyber incident management;
  • Ensure the organization’s policies, such as human resources and personnel policies, align with its cyber incident response plan;
  • Engage with federal law enforcement agencies before an incident occurs; and
  • Establish relationships with cyber information sharing organizations, such as Information Sharing and Analysis Centers.

In addition, the Guidance recommends best practices for preparing an actionable cyber incident response plan that contains procedures and guidance for responding to a cyber incident. The Justice Department recommends that an organization’s response plan be vetted and, at minimum, contain the following steps as part of the incident response process:

Step 1: Make an initial assessment of the nature and scope of the incident.

Step 2: Implement measures to minimize ongoing damage from the incident.

Step 3: Record and collect information and evidence associated with the incident.

Step 4: Provide internal and external notifications regarding the incident.

After recovering from a cyber attack or intrusion, the Justice Department recommends that a breached organization conduct a post-incident review of its response to the incident and assess the strengths and weaknesses of its performance and incident response plan.