Incident response is the series of procedures used to deal with a cyber attack. Indeed, responding to an attack is not limited to 'simply' reacting to the illegal activity. For a company, an incident involving a violation of its information systems is an extremely delicate moment, in which managing the incident response phase requires competence and effectiveness. Beyond the technical aspect and the risks linked to the potential damage an attack may cause, today the legal aspect must also be considered.
Incident response and data protection: the GDPR
The new IT security regulations, starting with the General Data Protection Regulation (GDPR), take a significantly different approach from the regulations that companies were used to in the past.
Whereas traditional regulations, for example those relating to the 'physical' security of workplaces, imposed simple obligations in order to be compliant with the law, in the case of data protection we face what can be defined as a 'result obligation'. What is required of the company is to put in place all appropriate security measures to prevent and counteract a data breach. In the incident response phase, therefore, it is essential to carry out all the activities needed to prove that this obligation has been fulfilled.
Data collection in incident response
To be able to accomplish this task, it is essential, first of all, to possess the tools to analyse the attack and to reconstruct all the activities undertaken to counter it. Forensic analysis takes care of these aspects. It is performed using specific tools that allow the authenticity of the information collected to be validated, and by adopting strict procedures to guarantee the so-called 'chain of custody'. It is therefore indispensable to have the system logs, which represent, from a legal standpoint, the 'evidence' of what happened. From this point of view, it is clear that deeper detection and analysis of the data, for instance through the use of a SIEM, makes it possible to reconstruct a possible data breach precisely.
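The two requirements named above, validating the authenticity of collected information and keeping a chain of custody, come down to a small number of concrete steps: hash each piece of evidence at acquisition time, record who held it and when in an append-only custody record, seal that record, and re-hash later to prove nothing changed. The following script is an added illustration of those steps and is not code from the original article or from any forensic product; the case identifier, the analyst names and the log lines are constructed sample values.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large log files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _utcnow() -> str:
    # Timestamps are kept in UTC so custody events from different sites line up.
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire_evidence(paths, collector: str, case_id: str) -> dict:
    """Create the manifest: one digest per file plus the first custody event."""
    items = []
    for p in map(Path, paths):
        items.append({"name": p.name, "path": str(p), "size": p.stat().st_size,
                      "sha256": sha256_file(p)})
    return {
        "case_id": case_id,
        "items": items,
        "custody": [{"action": "acquired", "by": collector, "at": _utcnow()}],
    }


def record_transfer(manifest: dict, from_person: str, to_person: str) -> dict:
    """Append a hand-over event. The custody list is append-only: earlier entries are never edited."""
    manifest["custody"].append({"action": "transferred", "from": from_person,
                                "to": to_person, "at": _utcnow()})
    return manifest


def seal_manifest(manifest: dict) -> str:
    """Digest of the canonical JSON form; store it out of band so edits to the manifest itself are detectable."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_evidence(manifest: dict) -> list:
    """Re-hash every item and return the names whose digest no longer matches (or that are missing)."""
    return [item["name"] for item in manifest["items"]
            if not Path(item["path"]).exists()
            or sha256_file(Path(item["path"])) != item["sha256"]]


def demo() -> tuple:
    """Acquire two constructed log files, then alter one and show that verification catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        auth_log = Path(tmp) / "auth.log"
        web_log = Path(tmp) / "access.log"
        # Constructed sample content; the address is from a documentation range, not a real system.
        auth_log.write_text(
            "Jan 10 09:12:01 host sshd[412]: Failed password for admin from 203.0.113.7 port 51022 ssh2\n"
            "Jan 10 09:12:09 host sshd[412]: Accepted password for admin from 203.0.113.7 port 51022 ssh2\n")
        web_log.write_text(
            '203.0.113.7 - - [10/Jan/2024:09:13:44 +0000] "GET /export?all=1 HTTP/1.1" 200 8421932\n')

        manifest = acquire_evidence([auth_log, web_log], collector="analyst-1",
                                    case_id="CASE-EXAMPLE-001")  # hypothetical case id
        record_transfer(manifest, "analyst-1", "legal-counsel")
        seal = seal_manifest(manifest)

        before = verify_evidence(manifest)  # nothing has changed yet

        # The auth log is "cleaned up" after acquisition: its digest no longer matches.
        auth_log.write_text(
            "Jan 10 09:12:09 host sshd[412]: Accepted password for admin from 203.0.113.7 port 51022 ssh2\n")
        after = verify_evidence(manifest)

        # The manifest itself was not touched, so its seal still verifies.
        seal_ok = seal_manifest(manifest) == seal
    return before, after, seal_ok


if __name__ == "__main__":
    print(demo())
```

The seal is only useful if it is stored somewhere the evidence handlers cannot rewrite (a ticket, a signed e-mail, a write-once store); in real engagements the digest and custody record are what the analyst presents to show that the logs used in the reconstruction are the ones that were collected.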
Incident response, no improvising
Just as with evacuation plans in case of fire, in the event of a breach of information systems it is essential to have a detailed plan defining the procedures, roles and objectives of the incident response. The regulatory framework (and common sense) suggests an approach based on the precautionary principle. In other words, it is good to start from the assumption that, sooner or later, we will be faced with an uncomfortable situation, and it is better to know how to react. One of the actions to be considered, in addition to securing data, is to check whether the security incident could lead to the compromise of services shared with other parties, such as suppliers, customers and business partners. Such a check, and possibly a timely communication to the affected parties, can mitigate the risk of a 'domino effect' that could have very serious consequences.
Incident response management, how to protect corporate reputation
While this is a relatively new issue for Europe, the example of the United States shows that setting up adequate incident response procedures is progressively gaining importance also in terms of corporate reputation. Many US-based organizations, in fact, conduct periodic cyber-security assessments of business partners, making collaboration conditional on meeting regulatory standards and industry certifications. In short: in addition to being an indispensable element of regulatory compliance, the definition of an effective response system is now considered an important business enabler.