
Eight-step data breach plan for the IT organization

A data breach plan that addresses the many variations a hack can take should consider these eight points.

When preparing for a disaster, CIO Jonathan Feldman takes cues from public safety professionals: They train for various potential scenarios, even though they can't anticipate every possible situation.

"They have a certain amount of preparation. They have protocols and plans," said Feldman, CIO for the City of Asheville, N.C.

Feldman said his disaster recovery and business continuity planning follows that logic. As such, the plan contains procedures that would kick in for various types of events -- including data breaches -- even though his IT team can't foresee exactly how an event would unfold.

Feldman's approach falls in line with the latest thinking on how to form and test a DR/BC plan. A data breach plan that is equally flexible should take into account these key points:

  1. Start with a risk assessment. CIOs and their fellow executives need to identify which business functions are most critical so they can prioritize which systems to recover and restore first, said David Phillips, managing director of cybersecurity consulting at Berkeley Research Group LLC.
  2. Set thresholds. Not all data breaches have the same level of impact; some breaches may only cause minimal disruptions. A data breach plan should set thresholds and match them to corresponding levels of response, said Damian Walch, director of strategic risk services at Deloitte Advisory and the U.S. national leader for resilience services.
  3. Plan to triage. Detail how the IT team will determine which systems are affected by a breach, the scope of that impact, which systems are most crucial and thus need attention first, how to cordon off and protect data, and how long the disruption is expected to last, Walch said.
  4. Build in flexibility. Data breach plans should be granular but modular, experts said. "You want to build flexibility into the plan so the company can respond in the way that's best," said attorney Melissa Ventrone, chair of the data privacy and security practice at Wilson Elser Moskowitz Edelman & Dicker LLP.
  5. Identify which person will handle which role. "Everyone should know their part and the part of their organization," Phillips said. The contact roster should list the person tasked with each specific function along with his or her contact information, as well as the name of a forensics firm (preferably one on retainer to guarantee a timely response, and possibly one or two backup firms).
  6. Account for legal and regulatory requirements. Detail when and how to loop in the executive crisis management team so that the appropriate legal and regulatory requirements regarding data breaches are met and the company's public relations people can help properly inform clients and consumers, Ventrone said.
  7. Establish alternative systems. Some companies have alternative systems always at the ready, some plan to revert to manual processes, and others outline how they'll quickly stand up alternative systems. "IT needs to have a detailed plan that says, 'If this system gets compromised, how can we continue to do business without that system functioning?' It's up to IT to figure out what the alternatives are," Phillips said.
  8. Run drills. Set up mock events based on specific types of disasters, including breaches. Each organization must determine whether it needs outside help to run drills, how often to drill and which scenarios to test. But Feldman and others said it's crucial that the data breach plan stipulates how these tests get done. "There's no substitute for that, and drills don't happen by accident. They're planned, they're prioritized and that means they're resourced," said Feldman, noting that his organization runs drills periodically.

About the author:
Mary K. Pratt, a freelance writer based in Massachusetts, writes frequently about business management and information technology. She can be reached at [email protected].
