July 26, 2008

Achieving Information Security: Response (3 of 3)

Given enough time and resources, any security system put in place will be overcome. This is undisputed fact. Coming into the office one morning and seeing that your network has been compromised, knowing that detailed and confidential client or patient data has now been stolen, is not the time you want to figure out how you should react to the situation. In situations like this, you need to move quickly and intelligently, and not let your emotions (fear for your business, anger at the violation) take hold of you.

One of the most important parts of planning a proper response is to understand who is at risk because of the breach. You need to understand that, as violated as you feel right now, others who don't even know they are in danger possibly are. If you run a business that bills clients (basically every business), then that payment information is on file somewhere, and puts those clients at risk. If you are a doctor, you likely have highly personal information about your patients.

Once you have established who is at risk, establish a list of who needs to be contacted, and how you plan on contacting them. The most obvious, yet often overlooked, are the police. If you think or know you have had a security breach, and data has been stolen, it is time to contact the authorities. Data theft is still theft, and computer crimes are a big deal. Also, check which other authorities may need to be notified based on your industry.

Once the proper authorities have been contacted, contact others who may be at risk. If patient information has been stolen, contact your patients. If billing or financial information of clients has been compromised, let them know.

Contacting a client to tell them their information may have been stolen is a difficult thing. Expect to get a lot of calls, and be ready to answer a lot of questions. And in today's world, be prepared to compensate the client for their loss. It is typical for the company responsible for the data loss to pay for identity theft insurance for their clients for up to a year following the breach. Anything more than that is nice, but unless what was stolen caused direct loss to your client, you don't owe them much, in my opinion.

Now that you have contacted the proper authorities and the people affected, the last step is to find out what went wrong, and fix it. How did the thief get the data, what type of attack was used, and what can you do to prevent it from happening again?
