Decades ago, a security incident such as an "old-school" virus infection would have thrown people for a loop. This was a time when DOS-based McAfee Antivirus ruled and patching didn't really exist -- except at the server level. Sometimes information would be lost, sometimes not, but the problem typically stopped there.
There was no real concern over a security breach like there is today. And most organizations didn't have a formal incident response plan. Fast forward to today.
Many businesses still don't have incident response plans, even though the consequences of computer abuse can be extremely devastating. Networks, including Exchange messaging environments, are as complex as ever. And this complexity not only facilitates breaches -- it minimizes the chances of uncovering criminal activity in the first place. The lack of response plans in Exchange creates a lot of unnecessary risk for so many businesses, and there's research to support this. Network complexity, internal politics and whatever else is ailing the incident response function are moot points -- you still need a plan of action for when the going gets tough. Odds are your business is required by law to have a plan in place.
Most big government and industry laws and regulations have specific requirements for incident response plans, including plans for Exchange environments. The Health Insurance Portability and Accountability Act (HIPAA) has had these requirements since 2003. The Gramm-Leach-Bliley Act has had requirements since 2002. Other standards from NIST (800-53) and ISO/IEC (17799 and 27002) have recommended these plans for just as long. With newer laws and regulations -- including the HITECH Act, HIPAA Omnibus Rule and the latest version of PCI DSS -- we're seeing a more granular focus on what needs to be done for incident response.
For instance, the HITECH Act and HIPAA Omnibus Rule requires that all healthcare covered entities or any subcontractors must send out breach notifications once an event occurs, such as someone emailing an unprotected spreadsheet of health records. The Payments Card Industry Data Security Program (PCI DSS) requires annual testing of incident response plans to ensure the protection of cardholder data. A more recent regulation from the Security and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Initiative examines the level of preparedness of broker-dealers and registered investment advisors across the U.S. This initiative has specific requirements for incident response procedures, including information that must be provided about incidents that have already occurred.
So what should be in an incident response plan? You can use a plan template to get started on crafting or fine tuning your organization's plan. It can also help fill in any gaps that exist in your Exchange and network environment.
If you manage Exchange -- or any aspect of IT -- you need a plan. Will you be prepared to not only respond to an incident, but to all of the ensuing flak from regulators and auditors? We're in the modern era of information security; it isn't wise to wait for an incident to unfold. It's difficult to know what the next two decades will hold in terms of incident response, but the important thing is that you're paying attention today.
About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management, and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.