Last month, the Department of Justice (“DOJ”) issued guidance on how organizations should prepare for and respond to information security incidents. First, the DOJ recommended that each organization perform an assessment of its data, assets, and services to determine which portions of its network require the most protection. Second, the DOJ recommended that organizations implement an incident response plan that:
- Identifies the person responsible for each element of the incident response effort;
- Provides contact information for all critical personnel and identifies how to proceed if critical personnel are unreachable;
- Indicates which mission critical data, networks, or services should be prioritized;
- Addresses how the organization will forensically preserve data related to the incident;
- Identifies the criteria the organization will use to determine whether data owners, customers, or partner companies should be notified if their data is affected;and
- Provides procedures for notifying law enforcement.
Third, the DOJ stated that organizations should conduct regular exercises to train employees on the incident response plan, and to make sure that the plan is current. Fourth, the DOJ recommended that organizations configure their servers to log network activity and obtain consent from network users to conduct real-time monitoring of the network. Finally, the DOJ encouraged organizations to identify legal counsel that is experienced in addressing issues associated with an information security incident and to establish a relationship with local law enforcement before a breach occurs.
The DOJ also recommended, that in response to an incident, organizations first assess the nature and scope of the incident and that the breached organization keep detailed records of the steps that it took to respond to the breach and the costs that it incurred. The DOJ further recommended that the organization forensically image the affected computers, preserve existing logs, consider increasing the size of its network log files, and develop a record of all steps that it has taken to respond to the breach. Breached organizations should also ensure that their employees are not using potentially compromised systems to communicate about response efforts and that their employees do not disclose information about the incident or the organization’s response without verifying the identity of anyone seeking such information. Finally, the DOJ stated that organizations should not attempt to access, damage, or impair the systems that are being used as part of the attack as such efforts are likely illegal.