Activate the incident management team

You need to ensure that you adopt a consistent, business-wide approach, agreed by senior management, to any cyber security incident.

To help you do this, you should establish an incident management (IM) team that includes IT security experts as well as members from legal, regulatory and compliance, physical security, human resources and public relations, and representatives from affected business units.

Key issues to consider include:

Team composition:
  • if you have a dedicated IM team in place, alert them immediately (subject to any possible conflicts)
  • unless you have the expertise in-house, you will need to quickly consider involving external security experts. Your internal IT function may be able to help identify a suitable external IT security expert. See Key considerations when seeking to involve external security experts below for more information
  • decide whether you need other external expertise (eg forensic accountants, PR advisers, lawyers)
  • so that you can make decisions quickly and secure the resources and co-operation from the business, you should include at least one senior employee or board director in your IM team
  • your team should also include at least one person with the authority to confiscate or disconnect equipment and to approve monitoring of suspicious activity
Involving other parties:

Depending on the nature of the incident, you may consider involving other third parties as part of the incident solution. These could include:

  • the company that maintains your web hosting account
  • the software vendors
  • the owners of attacking IP addresses
  • sector-wide or other broader incident response teams or groups that may help tackle the incident
  • national government, police or other relevant state agencies (see Is it necessary to make any notifications? for more information on notifications)

Key operational messages:

  • make sure everyone on your IM team is aware of the need for strict confidentiality
  • make sure responsibilities and lines of reporting are clear
  • your IM team must approve all responses to the incident
  • you may need to form a second, parallel team to investigate the subject of the security incident, independently of the events surrounding the incident itself

Key considerations when seeking to involve external security experts


  • do you have any "trusted introducers" (either through your internal IT function or another external third party, eg legal or accountancy advisers) who could recommend an appropriate external security firm?
  • is there any official or government-sponsored certification or accreditation of security providers? This may provide further guidance and identify potential candidates who are appropriately skilled
  • what is the expected division of responsibilities between the external and internal teams – will you need to rely heavily on the external team, or will they only be one part of the solution?
  • how might you restrict the spread of sensitive information while making sure the external experts have sufficient access (often across various databases and/or systems) to accomplish their tasks?
  • how can you address external team members' inherent lack of knowledge about the organisation?
  • how will the incident be handled if it, or the response to it, involves work at multiple locations?
  • how will you ensure sufficient incident response knowledge is maintained by internal employees?