How long before your board members read up on the incident and call you to ask “just a few questions”? How long before you need to call your security, risk or IT chief and ask how prepared your organization is to respond to a similar incident?
Being prepared with the answer before you get the call (likely as you’re sitting down to dinner on Friday night) can build confidence with your leadership team, make your next review go smoother, and help protect your organization from future incidents.
There are numerous frameworks, compliance requirements, and industry practices that provide guidance on what an incident response process should include. For example, the Federal Information Security Management Act (FISMA) provides requirements on numerous topics for government agencies and those working with government agencies. These requirements are largely in line with guidelines from the National Institute of Standards and Technology (NIST). Such requirements and guidelines can be a good place to start with your plan, and you’ll want to add industry specific guidelines as well as any internal requirements that already exist in your organization.
Does your board know what NIST or FISMA suggest you should do? Board members will most definitely care when considering the expenses of hiring outside counsel and consultants to prepare before a government agency arrives to ask “just a few questions”.
In a succinct manner, you will need to demonstrate that your approach to incident management:
- Upholds industry accepted practices.
- Exceeds regulatory requirements.
- Is better handled than that of the competition.
- Aligns across the organization.
Implementing an industry standard methodology for incident response is an absolute necessity, regardless of the size or complexity of your organization. Simply “having a plan” won’t meet the expectations of board members, as they likely are unfamiliar with FISMA and NIST. Miscommunication and misalignment of both board and C-level views on defining, managing, and remediating incidents will add to confusion, stress, and could increase your company’s exposure.
A well thought out plan, based on industry standards and then well communicated to the organization, offers the best path to resolving the incident. You should know the answer to the question “what does incident management mean to our board members?” You also need to ensure that management knows what to do when an incident occurs. If your only opportunity to address the group is at a board meeting, you probably know that time allotted to topics during board meetings is always at a premium, and there are numerous agenda items competing for the time not already allocated. That makes it all the more important to clearly and concisely communicate and align expectations.
If an incident does occur, be ready for questions like “What caused the incident? Were we aware of the risks? What actions will be taken to prevent it from happening again?” This is where a governance, risk management and compliance (GRC) platform can shine, by correlating data points and reporting facts clearly and concisely to stakeholders. Your GRC platform will not only help you create and communicate your plan, but also help you prepare for the next questions your board is likely to ask, by allowing you to capture the relationships among the underlying data points for causation, mitigation, and remediation and present them easily.
Answering a few questions posed by the rest of the C-suite and the board doesn’t get you off the phone. But anticipating the subsequent questions, and having the data to back up your answers readily available, may just get you back to dinner before it gets cold.