Lesson 5.2 Declaring an incident and notifications
In this lesson, we will talk about the process of declaring a cyber incident and who has the authority to make that decision, understand the possible triggers that will require the declaration of a cyber incident, and identify potential people to notify after an incident has been declared.
Well, this is a good question to ask. And again, this is not the question to ask in the midst of a cybersecurity incident: who decides about notifications? Who contacts law enforcement, if you're going to do that? Who contacts the media? Who contacts the public, or customers, or people who may have had their information breached as a result of a cyber incident?
You need to get all of this figured out ahead of time. Have it as part of your IR plan and have it practiced. When we talked about tabletop exercises in the last lesson, those really should also include these stakeholders. For a tabletop exercise, it's fine to do a few with just the IR team, but you should occasionally, at least once a year, do a major cyber incident tabletop that includes the CEO, the chief of staff, the chief legal officer and the chief human resources officer and their staffs, so they can get used to how they would react in such an event.
So there are certain notification triggers, things like: the organization can no longer provide critical services. This may require you to declare a cyber incident and follow your process. PII has been breached; that, in and of itself, may require you to declare an incident and take the appropriate notification steps. Sensitive data has been breached, or an insider threat is suspected. Now, of course, you're not going to notify the media that you've got an insider threat, but you might need to notify your safeguards and security people internally: your chief security officer, legal, HR. If you have an insider threat working group, assemble that group to talk through it. So what I'm really trying to get at is that you should have certain checkpoints along the way that say: if this happens, then you need to notify these people.
So, some examples of folks that you may need to notify. The CIO is traditionally one that will get notified early on in any type of cyber incident. The CISO, of course, should be at the forefront of something like this. The chief of staff may also be in the loop. The CFO: you might need contracts, funding, additional equipment, anything like that, and the CFO will be involved with that. You might have to call back certain off-duty members and get them in during the evening, holidays or weekends, where you just need all hands on deck and it might be their day off. The general counsel or your legal department may be in the notification loop. The system owner: if you have an incident involving a system, you might need to get hold of that business unit to tell them that their application is part of an investigation or has been compromised. And law enforcement may also be somebody that needs to be notified in the event of a cyber attack, or once the incident has been declared.
Quick question for this lesson: what is an example of a trigger that may cause an organization to declare a cyber incident? A) Sensitive data has been breached; B) An insider threat is suspected; C) The organization can no longer provide critical services; or D) All of the above.

If you answered "all of the above", you are correct. Those are all things that I went through that could result in declaring a cyber incident for the organization.
The summary for this lesson is that we talked about the process for declaring a cyber incident and who has the authority to make that decision. Again, I can't tell you who that is, but you need to define that and have that exact conversation with leadership. Say, "OK, today we just found out that our domain controller was compromised and, as a result, all credentials are suspected to be compromised. And we already know that attackers have logged into these people's accounts. What would we do with that information? Who would make the decision to declare a cyber incident?" Have some leadership around the table, and I bet you're going to have some people scratching their heads, because they probably have never thought about this before. So again, these are good questions to have before you actually need to have them. And we talked about the triggers that will require the declaration of a cyber incident.