Wednesday, August 3, 2016

Breach Response



Years ago, a business could plan to secure its enterprise. The IT department would harden the system, and in most cases there would be reasonable assurance that the enterprise was relatively safe. Things have changed as technology has improved, and this improvement has come at a price. The speed of advancement has not made for the easiest environment in which to apply security. This lack of applied security has led to several issues, as has been noted in many breaches. The problem has only grown in importance as breaches become more common and businesses provide more data to steal.

In the case of a breach, the first step is to verify that the alleged breach actually occurred. If one did occur, the business needs to analyze what was affected. Not all breaches are reportable. If confidential consumer data is involved, a notification would be needed. The trigger point would be the data including Social Security numbers, driver’s license numbers, financial account numbers, passwords, and other personally identifying information.

The business may also be required to notify the affected parties within a specific amount of time. This period varies at the state and federal level, depending on the subject matter and jurisdiction. Many states, instead of putting a number on this period, simply state that this has to be done within a “reasonable” time period. This is generally accepted as 45 days. If HIPAA information is involved, there may be a timeline in place for the notification.

Once the timeline is in place and decided on, the notice itself has to be written. This is also dependent on the jurisdiction. Certain states have requirements that have to be met. For instance, Rhode Island's notification law has six items to be met. There may be a template or form letter to be used.

These events are not going to slow down in occurrence or magnitude. Attackers have operationalized this as a business, and it has proven itself to be a revenue producer and a popular attack tool.





Miel, LLC Infosec Managed Services & Consulting
  
810-701-5511

charlesparkerii@gmail.com




It is not about winning or losing, but reorienting yourself to the real problem: managing the risk across the enterprise.
