It is important that such incidents be identified, documented, responded to, contained, recovered from, and followed up correctly in order to:
- Establish a record of the event to keep relevant stakeholders informed (these could include legal department, public relations, human resources, law enforcement agencies, media, industry regulator, customers, suppliers and partners).
- Specify the information required to assist in management of the incident such as logs, network configuration and information types / levels.
- Specify the tools required to assist in management of the incident such as specialist tracking and analysis software.
You may be able to manage incidents internally, or consider having a specialist external resource in place to assume control of the process when required.
It should be documented clearly as to whom incidents should be reported, according to their type and severity. When an incident does occur, the relevant parties should be formally informed of the event, how it arose, its actual and potential impact and what is being / has been done to contain and resolve the issue.
This process may be automated or manual, depending on the size and nature of your organisation and its IT / information / cyber security capability.
Remember that depending on the nature of your organisation and the information compromised, it may be necessary to report the incident to various authorities such as data, financial and/or your own industry regulator.
It may also be appropriate to report the incident to relevant law enforcement bodies.
Following recovery from and closure of such incidents, a formal review should take place in order to assess the root cause, identify technical weaknesses or human error, determine the extent of business impact and implement correct action to minimise the risk of similar incidents reoccurring.