When preparing for a disaster, CIO Jonathan Feldman takes cues from public safety professionals: They train for various potential scenarios, even though they can't anticipate every possible situation.
"They have a certain amount of preparation. They have protocols and plans," said Feldman, CIO for the City of Asheville, N.C.
Feldman said his disaster recovery and business continuity planning follows that logic. As such, the plan contains procedures that would kick in for various types of events -- including data breaches -- even though his IT team can't foresee exactly how an event would unfold.
Feldman's approach falls in line with the latest thinking on how to form and test a DR/BC plan. A data breach plan that is equally flexible should take into account these key points:
- Start with a risk assessment. CIOs and their fellow executives need to identify which business functions are most critical so they can prioritize which systems to recover and restore first, said David Phillips, managing director of cybersecurity consulting at Berkeley Research Group LLC.
- Set thresholds. Not all data breaches have the same level of impact; some breaches may only cause minimal disruptions. A data breach plan should set thresholds and match them to corresponding levels of responses, said Damian Walch, director of strategic risk services at Deloitte Advisory and the U.S. national leader for resilience services.
- Build in flexibility. Data breach plans should be granular but modular, experts said. "You want to build flexibility into the plan so the company can respond in the way that's best," said attorney Melissa Ventrone, chair of the data privacy and security practice at Wilson Elser Moskowitz Edelman & Dicker LLP.
- Identify which person will handle which role. "Everyone should know their part and the part of their organization," Phillips said. The contact roster should list the person tasked with each specific function along with his or her contact information as well as the name of a forensics firm (preferably one on retainer to guarantee a timely response and possibly one or two backup firms).
- Account for legal, regulatory requirements. Detail when and how to loop in the executive crisis management team so that the appropriate legal and regulatory requirements regarding data breaches are met and the company's public relations people can help properly inform clients and consumers, Ventrone said.
- Establish alternative systems. Some companies have alternative systems always at the ready, some plan to revert to manual processes, and others outline how they'll quickly stand up alternative systems. "IT needs to have a detailed plan that says, 'If this system gets compromised, how can we continue to do business without that system functioning?' It's up to IT to figure out what the alternatives are," Phillips said.
- Run drills. Set up mock events based on specific types of disasters, including breaches. Each organization must determine whether they need outside help to run drills, how often to drill and which scenarios to test. But Feldman and others said it's crucial the data breach plan stipulates how these tests get done. "There's no substitute for that, and drills don't happen by accident. They're planned, they're prioritized and that means they're resourced," said Feldman, noting that his organization runs drills periodically.
About the author:
Mary K. Pratt, a freelance writer based in Massachusetts, writes frequently about business management and information technology. She can be reached at email@example.com.