Data—big or small—and the vulnerable environment in which it lives has evolved so quickly that organizations can barely keep up. Growing threat vectors and actors can take down a system, exposing personal data to theft and loss. As recent data breaches prove, companies are lagging in their preventative controls. It’s no wonder, then, that the 2015 Verizon Data Breach Investigations Report cited 79,790 security incidents from only 70 organizations. That’s 1,140 incidents per organization per year.
How an organization manages its response to these data incidents determines the level of risk to its business, brand, and customers. To be successful, companies must develop an incident response process that accounts for the evolving nature of threats, copes with limited resources, and complies with complex breach notification laws.
Options for Incident Response Management
Many types of software tools exist to help organizations manage their incident response process. These range from homegrown solutions to workflows offered by GRC or compliance platforms to an emerging class of software that is purpose-built for managing incident response. This guide explores each of these three options, and provides criteria for making the best decision for your organization’s needs.
Option 1: Homegrown Solutions
Ad-Hoc Incident Response Management
This reactive approach happens when a company has no set strategy for managing incidents. Although organizations can rely on external legal and operational expertise and resources to help manage their incidents, the lack of a consistent internal process puts companies and their customers at risk for brand damage, lost business, identity theft, and lawsuits or fines. In addition, the ad-hoc approach does not meet the requirements of incident response management under HIPAA, GLBA or state laws. In the long run, this seemingly low- investment approach can be the costliest.
“The findings of our research [in the CyberSecurity Incident Response report] suggest that companies are not always making the right investments in incident response. As a result, they may not be as prepared as they should be to respond to security incidents. One recommendation is for organizations to elevate the importance of incident response and make it a critical component of their overall business strategy.”
– Dr. Larry Ponemon, Chairman and Founder
Decision Trees (Paper/Excel)
Paper-based decision trees are the first-generation of tools developed by privacy and compliance professionals to cope with the complexity of federal and state breach notification rules. Whether homegrown or consortium-grown, decision trees and associated checklists do not provide consistent and scalable incident assessment or ease of use. They lack the automation to efficiently track federal and state obligations, or to standardize best practices for incident response management. Organizations must use additional means to document and demonstrate compliance internally and to regulators.
Option 2: Multi-purpose Software Suites
One source defines software suites as “related programs that interact nearly seamlessly with each other to make certain tasks easier among different programs.” Businesses find them useful for many jobs, such as auditing information systems, creating digital media or performing GRC-related tasks. Often, however, software suites don’t have the in-depth functionality to do complex or highly specialized tasks, such as incident management. For instance, developers of many GRC and compliance solutions have included incident response management as an add-on, and not a core competency.
Governance, Risk and Compliance Solutions
GRC applications address enterprise-level governance, risk and compliance issues. Despite their wide range of features and functionality, they lack the depth and focus on incident response management found in a purpose-built solution. Most GRC applications are not designed to keep up with evolving regulations, lack a consistent and reproducible method for incident assessment, and do not provide the guidance needed to respond appropriately to incidents. Thus they fail to meet organizations’ burden of proof under HIPAA/HITECH, GLBA or state breach notification obligations. These platforms also require significant investment to implement and maintain.
Compliance Management Tools
This class of software applications helps organizations meet compliance requirements, including meaningful use, quality management and HIPAA compliance gap analysis. These tools use their case management features for managing incident response. However, they fail to address the incident assessment and safe-harbor provisions of federal and state breach notification laws. Without the ability to perform assessments, compliance management tools cannot determine if an incident is a reportable breach, and thus help organizations plan for an appropriate response.
Option 3: Best-of-Breed Incident Response Management Software
This class of software is purpose-built for incident response management. As with other categories, each provider has its own focus. Some software offers workflow and functionality primarily for security professionals, while others encompass the privacy and security aspects of incident response management. The latter type of software guides privacy, compliance and security professionals through the maze of state and federal regulations to determine if the incident is a notifiable breach. This software provides notification requirements, documentation, reporting, trend analysis and support for any ensuing regulatory audits or investigations.
This functionality improves workflow for managing incident response in several ways; for instance, all members of the workforce can report incidents by customizable web interfaces. Because it is delivered as software as a service (SaaS), incident response management software can stay current with changing laws, and implementation and maintenance have little to no impact on an organization’s IT resources. This option conforms to security best practices to ensure compliance with regulatory requirements and with an organization’s security standards.
Explore How Radar Works
Make the Right Notification Decision with Less Effort
Radar is the only solution with automated risk scoring and breach notification decision-support, helping you avoid the pitfalls of over- and under-notifying.