On April 29, 2015, the Cybersecurity Unit in the Computer Crime and Intellectual Property Section (CCIPS) of the U.S. Department of Justice released a best practices document (Document) for victims of cyber incidents. The Document provides useful and practical tips that will assist organizations, regardless of size and available resources, in creating a cyber incident response plan and responding quickly and effectively to cyber incidents. It reiterates many of the important lessons that federal prosecutors and private sector companies have learned in handling cyber incidents, investigations, prosecutions and recoveries.
Assistant Attorney General Leslie Caldwell delivered a speech at the Criminal Division’s Cybersecurity Industry Roundtable on April 29, 2015, wherein she described the Document as “living,” and one that CCIPS will “continue to update as the challenges and solutions change over time.” Caldwell added that this Document is an example of the assistance CCIPS plans to continue to provide in order to elevate cybersecurity efforts and build better channels of communication with law enforcement.
Best Practices for Cybersecurity Preparedness
CCIPS recommends eight steps as part of an organization’s pre-planning activities to help limit computer damage, minimize work disruption, and maximize the ability of law enforcement to locate and apprehend perpetrators:
- Identify your “Crown Jewels”—an organization’s most valued assets that warrant the most protection.
- Have an actionable plan in place before an intrusion occurs—stressing the word “actionable,” CCIPS suggests organizations decide on specific, concrete procedures to follow in the event of a cyber incident.
- Have appropriate technology and services in place—equipment, such as data back-up, intrusion detection capabilities, data-loss-prevention technologies, and devices for traffic filtering or scrubbing, should be installed, tested, and ready to deploy before a cyber incident occurs.
- Have appropriate authorization in place to permit network monitoring—obtain employee consent to monitor and disclose, as necessary, their communications to facilitate early detection and response to a cyber incident.
- Ensure your legal counsel is familiar with technology and cyber incident management—legal counsel who are conversant and accustomed to addressing issues associated with cyber attacks will speed up an organization’s decision-making process and reduce the organization’s response time.
- Ensure organization policies align with the cyber incident response plan—preventative and preparatory measures should be implemented in all relevant organizational policies, such as human resources policies.
- Engage with law enforcement before an incident—meeting and engaging with local federal law enforcement offices will facilitate interaction and establish a trusted relationship.
- Establish a relationship with cyber information sharing organizations—information sharing organizations exist in every sector of critical infrastructure and may provide cybersecurity-related services.
The Cyber Incident Preparedness Checklist (included in the Document) succinctly outlines these eight steps and is of practical use to an organization that is creating or improving its existing incident response plan. For an incident response plan, the Document provides explicit examples of the types of information an organization should evaluate when assessing the nature and scope of an incident. It also includes the information an organization should document in its initial assessment and the [...]