Brochure

Executive breach
response playbook
How to successfully navigate the enterprise through a serious data breach

Brochure | Executive breach response playbook

Introduction
No matter how effective the technical response to an enterprise data breach, its the executive
suite that drives the publics perception in times of crisis. In fact, it is the executive teams
leadership that will help guide the entire enterprise response after the breachwhich could
last for days, weeks, months, and even years depending on lawsuits and regulatory response.
Executive team to-do list
Prepare a data breach response plan.
Ensure the executive team can execute it.
Have a solid understanding of the situation.
Know what is at risk.
Plan responses and processes for all
constituencies.

Although its never easy to respond to something as challenging as a publicly disclosed data
breach, it can be done if the executive team gets the information they need in time. That is, if
the technical information is accurate and comprehensive enough to make effective decisions,
and all of the communication channels are in place and ready. Sounds straightforward, but its
not always. It takes executive leadership to make sure the resources and the plans are in place
to execute well. And it takes considerable practice. This playbook will help get you there.
In most organizations, senior leadership, including the CEO, are seriously underprepared for the
job. A recently HP-commissioned survey from the Ponemon Institute, The Importance of Senior
Executive Involvement in Breach Response, shows how systemic the challenge is at most
organizations: A startling 57% of CEOs have not been trained on what to do after a data breach,
and more than 70% of executives think that their organization only partially understands the
information risks theyre exposed to.
Theres a serious disconnect here. According to the Ponemon Institute report, The Importance
of Senior Executive Involvement in Breach Response, senior executives know that their
involvement in the incident response process is critical to successbut they dont believe
that they are accountable for data breaches. In this reports survey, 79% of respondents say
executive-level involvement is necessary to achieve a successful data breach response, while
70% believe board-level oversight is also crucial. Unfortunately, the same survey found that
only 47% are up to date on their internal data breach response processes, and only 45% think
they are actually accountable.
Perhaps most troubling is that only 44% believe that their own enterprises incident response
process is either proactive or mature.
Many great resources are available that are geared toward the technical response that
organizations must perform when faced with a data breach incident; however, little has been
written on how the executive team should prepare to respond. The goal of this paper is to help
fill that gap and provide executive leadership with the ideas and tools they need.
Perception. Priorities. Protection.
Figure 1. How prepared is your organization to deal with data breach?

35%

33%

30%

31%

25%
As figure 1 shows, senior executives believe the
current state of breach preparedness is more
reactive (immature) than proactive.

20%
15%
10%

17%

15%

4%

5%
0%
Level 1

Level 2

Level 3

Level 4

Level 5

Level of readiness: From 1 (low) to 5 (high)

Source: Ponemon Institute The Importance of Senior Executive Involvement in Breach Response September 2014.

Brochure | Executive breach response playbook

The importance of establishing a game plan

Many enterprises are already breached, and they dont realize it. Look at many of the recent and
widely publicized data breaches. These organizations had been infiltrated for months, with data
being continuously stolen, before the successful attacks were identified. Theres no avoiding it.
The probability is that you will be breached, and not once or twice but multiple times over the
upcoming years.
Without an executive data breach response plan that is designed to work in tandem with
your organizations more technical digital investigations and response plans, any data breach
incident can go from bad to worse very quicklyespecially when it comes to maintaining the
trust and confidence of your customers, partners, and shareholders. In fact, if the executive
team does not plan for the data breachand be able to execute that planit is, in effect,
planning to fail in its ability to react swiftly to the legal, regulatory, customer, employee, and
shareholder fallout.
The risks associated with executive missteps during the days after a data breach disclosure
are not unlike responding to any other type of disaster. The team needs to have a solid
understanding of the situation, know what is at risk, and be able to speak to each constituency.
Many executive-level risks are associated with data breaches. For instance, your team needs to
know whether to announce the data breach and when the timing is right to do so. Theres risk in
waiting too long to tell the publicboth from regulators and public backlashand theres also
serious risk associated with announcing too soon. If the right processes are not in place and the
executive team doesnt understand the nature of the breach, the known facts can change, and
public statements will have to be altered accordingly. Not good.
Conversely, knowing how to talk with the technical teams and understanding the potential
business impact and the technical cause can help you execute the right course of action. That
course assures employees, customers, and shareholders that the enterprise canand will
safely navigate through with minimal costs or impact to delivery of customer services.
Additionally, public disclosures of certain types of data breaches are becoming mandatory. In
the United States, nearly every state has a data breach notification law regarding personally
identifiable financial account information involving its citizens. The E.U. is working on its own
data breach notification requirements under the ePrivacy Directive. There are also data breach
notification laws and guidance that involve disclosing patient health data and even for publicly
traded companies, should a breach involve data that could affect revenue.
Thats why it is critical to have your executive data breach response playbook in place. Because
in the event of a data breach emergency, such as the triggering of any of the regulatory
mandated responses above, you need to know precisely what to do and who your key
players are. If you dont have this in place and ready to go ahead of time, you waste valuable
timethe vital time needed during a crisisand are forced to build the plan on the fly, which
exponentially raises the danger of highly public missteps.
For all of these reasons, having your executive data breach response plan in place will provide
the means for successful leadership through crises.

Brochure | Executive breach response playbook

Successful leadership through the breach

Although most of the conversation centering around data breaches today focuses on the technical
enablement of the breaches, theres always much more to it than thatespecially when a
breach involves significant or sensitive data. The type of data and their quantity are important.
In fact, there are many other considerations. More often than not, there is a criminal
investigation, an e-discovery process, and countless other pressing media, employee,
shareholder, and especially customer considerations.
Each constituency has different immediate needs. While law enforcement is going to want to
keep breach details and anything relating to its investigation quiet, the media will want to know
details and will push hard for them. Industry and government regulators are going to have
questions of their own. The call center is going to need to know what information to provide
customers to help keep them calm and even take measures to protect their identity if necessary.
Legal will want to be tightlipped, too, while your PR teams will want to be more communicative.
They have good reason, too; media reaction is crucial. And shareholders are going to eagerly
await news of any potential impact on earnings. Its a fine needle you are going to have to
thread, because each constituents concerns and needs are real and will have to be met
properly and at the right time.
One of the most important things that having the response plan in place does for your
organization is enable executives to focus on these messages. That surely beats being reactive
and forced to assemble the team, carve out responsibilities, lines of communication, and
various plans of action. With the plan in place and everyone knowing what to do, executives
can speak to employees, shareholders, and customers with the necessary confidence that the
situation is under control. This will greatly help you avoid potential missteps that hurt trust and
confidence in the organization.
Remember that employees, partners, shareholders, and customers will be looking at how
executives are going to respond: Have they taken ownership of the situation, what are they
going to do about it, what actually happened, and how will it be resolved?
Basically, what the world is looking for is leadership. And this is just as true in a data breach as
any other type of emergency or crisis.

Brochure | Executive breach response playbook

Into the breach: Scenario exercise ideas

Data breach situations can unfold in countless ways, and conditions similar to the scenarios that
follow can occur in any organization. They show how small missteps can potentially grow into
big public mishaps.
Take a look at these scenarios. Then ask yourself how prepared your organization is to respond,
what processes you have in place to respond, and how well other team members would be prepared.
Are you prepared to respond?
Your POS system is breached and millions of credit
cards stolen.

Breach scenario #1: A large national retailers point-of-sale (POS) system is breached,
with millions of credit cards stolen
It all started simply enough. A virtual server crashed. It was only by luck that an observant
administrator noticed something strange within the error code. Eventually, the related logs
and an image of the virtual server made it to an internal security analyst, who identified the
problem: A small, mysterious piece of software was actually an exploit designed to breach an
inventory system that was connected to the retailers national POS network.
If credit card data files were breached, it would require a public disclosure. The breach was
too close to credit card data for comfort, and the preliminary forensics examination couldnt
determine if the attack was successful. Also, the potential credit card breach couldnt have come
at a worse time. A string of retail breaches had just been announced over the holiday period.
Tens of millions of people had been affected. As a result, the retailers credit card security was
all over the news. The press was not going to let go of this story.
Days later, the investigation into the log files still had not provided as clear a picture as the
digital forensics and incident response team would have liked. But it was determined that the
initial breach occurred at least three years ago.
The good news is that the most recent attack activity was thwarted. The bad news is that
although the complete attack trail isnt clear, the attackers did manage to access the POS
system and capture credit card payment data as it was being processed. It was not known what
other data may have been affected.
The appropriate law enforcement agencies will be notified soon. Now the executive team must
prepare for the public announcement to customers and shareholders. And they must give
employees the information they need to service customers and answer their questions in a way
that keeps morale high. In the meantime, the digital investigation teams will keep digging for
more details and facts that can be established.

Are you prepared to respond?

You discover that your proprietary processes and
customer IP were stolen.

Breach scenario #2: Contract manufacturer discovers its proprietary processes and
customer intellectual property stolen
An international contract manufacturer noticed an overseas competitor was producing product
in a way that precisely resembled its own. An analysis confirmed that the competitor was using
certain plans and even software code identical to what it was producing. If that wasnt bad
enough, the intellectual property of several of its customers had also been stolen somehow. If
the situation isnt handled properly, the manufacturer could be forced out of business.
Following a significant investigation, it became apparent that a disgruntled employee had
walked out with proprietary information on a flash drive. An investigation into the type of data
stolen, who had access to that scope of information, and other factors narrowed the list of
potential thieves to a few. When examining a number of employee laptops, it became clear
which laptop was used. Data from multiple servers were copied to the notebooks drive and
subsequently copied to a USB flash drive. Customers would have to be notifiedand so would
shareholders. A breach of this magnitude could drive away customerscurrent and future
and significantly impact revenue.

Brochure | Executive breach response playbook

Are you prepared to respond?

A large file of patient records from your hospital
was posted online.

Breach scenario #3: Regional hospital awakes to data breach nightmare

The scenario begins when the director of communications reports that a journalist from one
of the weekly business magazines called to say a large file of patient records has been posted
somewhere online.
The news hit fast and spread wide. Thousands of records were dumped in a popular file-sharing
site: Patient names, contact information, and insurance information were in one set of files;
patients prescription histories and some doctor visit information in another.
Its a PR nightmare, but one that happens all too oftenbefore theres a chance for an
investigation to even get underway. How did the breach occur? What can be said to patients whose
information was leaked, as well as those who have not been affected? What will the regulatory
fallout be? The team needs to be assembled, and answers need to be uncoveredquickly.
Any conversation with the media would have to be punted until more details were known.
Meanwhile, regulators called, wanting to know details about the incident. But the hospital
cant answer much more than verify that the data files appear to be authentic and from their
organization. The next call was to law enforcement.
In the hours and days that followed, the source of the breach was identified as being the result a
web server infiltration. The decisions and steps made in the upcoming days will have a profound
impact on how regulators react, as well as the trust that is saved or lost in the eyes of patients.
The next section can help you determine how your organization would respond. Youll be able
to identify any gaps in your process and how you should remedy them if a publicly reportable
breach occurs.

Building an effective executive data breach response plan

Much of the discussion about data breach response commonly focuses on the technical
response. The executive data breach plan centers on what is known to have happened
technically and what this damage will mean from a business perspective, and then effectively
managing any negative impact and putting forward the best public response possible.
This requires that good processes and communication be in place, along with the ability to
effectively execute the plan.
You need to assemble a core team of executive leaders to help manage the response. In
many cases, it would be the same team charged with managing a business continuity plan
in the face of any type of disaster. Although many other types of disasters may be managed
by your chief operating officer or equivalent, your CISO or CIO would manage the incident
internally since this is a data breach. These executives know (or should know) where critical and
regulated data resides and what systems manage these data and processes. Dealing with the
executive data breach is the same as if theyd owned the IT recovery should a hurricane or other
disaster disrupt IT systems. This puts CISOs in the best position to manage the technical, legal,
regulatory, and executive teams.
Figure 2. Process and technique efficiency improvement framework
Monitor/
detect

Triage

Respond

Lessons
learned

Incident
closing

Brochure | Executive breach response playbook

Although the CISO or CSO owns the internal response, it typically is the CEO and executive
leadership that set the tone for the public response. To succeed, youll need a cross-functional
team that is comfortable working together. Usually this is a senior team that includes general
counsel, internal audit, human resources, and corporate communications. They all need to be
working in concert.
Heres the plan that must be in place and always ready to be put into action should a breach
disclosure become necessary:
Continuous monitoring and detectionYour IT and security teams are always on the lookout
for bad things to happen. IT security-related events are detected from many different internal
and external sourcesand early detection is the key to identifying and responding to an issue
not only quickly, but effectively. For executives, its important that when a breach that will require
a public disclosure is detected, the proper executives and internal resources must be notified.
The phases of the plan
Monitoring and detection
Triage
Respond

The triage phaseThis phase is intended to quickly analyze all available information so
that security events can be categorized and correlated. This way the organization can most
accurately determine the severity and prioritization of events, and assign the event to the
proper team(s) for remediation and response. Triage also provides a single point of contact for
answering technical questions that arise. The triage process is instrumental for coordinating the
technical response groups and creating your final response plan.

Incident closing

The respond phaseThe respond phase includes the steps taken to address, resolve, or
mitigate an incident. During this phase, you will need an incident coordinator who will conduct
overall response and direction. There are four classes of responses required for an incident:
Technical response. The technical response is designed to focus on the actions the technical
staff takes to analyze and resolve an event or incident. Technical staff includes the IT groups
required to assist with remediation of the event or incident. This phase can involve several
groups or departments within the IT organization to coordinate and provide technical actions
to contain, resolve, or mitigate incidents as well as the actions needed to repair and recover, if
necessary, affected systems or data.
Management response. The management response highlights activities that require some
type of management intervention, notification, interaction, escalation, or approval as part of
any response. It may include coordinating with corporate communications as it relates to any
human resources, public relations, financial accounting, audits, and compliance issues.
Communications response. These are activities that require some measure of communications
to the corporation and internal and external constituents. Corporate communications should
always be consulted prior to any communications being released. In many cases, management
will direct the release of breach information. This includes issues related to any human
resources, public relations, financial accounting, audits, and compliance issues.
Legal response. The legal response, if required, would work with outside regulators,
third parties, and other parties. In addition, their input would be required for any external
communications to assure that such communication is in accordance to company policy and
supports any statutory or regulatory requirements.
Incident closingAfter the incident has been contained, eradicated, or mitigated, it is critical
that your organization complete the collection of all of the information they can about the
incident and conduct an after-incident report. During the incident closing process, the incident
team must take steps to properly finalize all documentation, including all analytics and final
reports. Additionally, the incident team must take every precaution to preserve all information
obtained as part of this process using proper chain-of-evidence procedures, because this
information may be required in certain legal responses.
After this close-out process is complete, the incident coordinator will conduct a lessons-learned
session to identify efficiency improvements in either processes or techniques used for remediation.

Brochure | Executive breach response playbook

The data breach communications plan: Break glass in case

of emergency
The prospect of a data breach crisis is itself a crisis. And when it comes to your external
response, the communications plan is essential. In fact, the legacy of the crisishow people
will remember the incidentwont be the technical details or how flawlessly your teams did or
didnt execute the plan internally. It will be how well, or poorly, the company communicated this
response externally.
After the data breach is confirmed and its a publicly reportable event, crisis communications
teams need to assess the situation, gain a solid understanding of the critical conditions, review
the plan of action and adjust as necessary based on facts of the incident, then communicate
publicly. Even as the event unfolds, the response must be continuously evaluated regarding
how well the plan is goingor not going.
When the incident is underway, gather all of the facts that you can: What type of data? How
many records? What was the cause? When did it happen? Is the situation rectified? If not yet,
when will it be? And what steps are underway to bring about the best resolution possible?
Of course, if the breach is sizable, you will have to assemble the core breach response team,
which consists of senior IT leadership, legal, communications, and others.
You will have to share the story (what you can, at first) with the outside worldwhat happened,
how the breach will affect them (such as the need to change passwords, protect themselves
against identity theft, change credit card numbers), and how you are managing the situation.
The negative side of the story is what happened and what risk has been created. The positive
aspect of the story is what is being done to resolve the situation and to mitigate its impact. To
the outside world, you want to focus as much as possible on what steps are in place to fix what
has been broken.
This means the majority of what you communicate will be about your mitigation efforts, and
what steps will be and have been taken to make sure it doesnt happen again.
This is why your plan is so important: All the steps you can take, or the steps you need to decide
whether or not to take, must be determined in advance.

Brochure | Executive breach response playbook

Respond effectively when breaches happen

When it comes to security breaches, its not a matter of if but when they will occur. What
separates enterprises when it comes to publicly reportable breaches are how the enterprise
respondstheir ability to identify what happened and why, rapidly respond to stop the attack,
and communicate to employees, partners, shareholders, and customers in a way that maintains
and even builds trust.
HP helps organizations to establish the processes they need for optimal breach management.
We rapidly deploy a highly skilled and experienced information security team and
comprehensive security technology to help enterprises establish visibility, remediate issues,
and put tactics into place that guard against future incidents.
Forensic readiness: We can help you create a proactive plan to help your teams identify valid
and malicious changes and produce the best possible digital evidence in the event of security
incidents. This minimizes disruption and maximizes the technical information you need to make
the best post-breach decisions possible.
Security incident and breach response: Expert monitoring is always available, providing
detection and countermeasures through rapid, predetermined incident response. In the event of
a breach, HP will dispatch a team of security experts on location to immediately contain the breach.
We also help assess, investigate, and provide recommendations to reduce future vulnerability.
E-disclosure: Following an incident, youll need accurate data capture, logging, and audit trail
reporting for use in legal and regulatory investigations. Our specialists, many of whom have law
enforcement experience, will help you through this collection process.
Data recovery: One of the most challenging parts of a breach can be data recovery. Mitigate
data loss or deletion consequences by designing and implementing processes for backup and
recovery. Our experienced security services teams are on call 24x7 to act as your virtual team or
as an extension to your team to get you back in business.
When a data breach occurs, HP will rapidly deploy an expert and experienced information
security team so you gain swift visibility into the incident, and you can respond confidently
to the marketplace and all of your constituents in a way that maintains trust. And, just as
important, we can help you put into place tactics and technologies that will greatly reduce the
risks of future incidents.

Brochure | Executive breach response playbook

Figure 3. Incident checklist

Before, during, and after checklist

The time an incident occurs is not the time to plan and organize. It is a time for action. Here are some simple
steps for you to consider and processes that need to be in place before, during, and after a breach event:

Before an incident
Identify the individual owner and responsible party for all incidents.
Identify core team responsible for all incidents (including individuals from legal, corporate communications, and HR).
Ensure proper monitoring and tracking technologies are in place (such as rewalls, IPS, and anti-virus).
Provide media training to the proper individual(s).
Provide a company-wide process for employees, contractors, and third parties to report suspicious or suspected
breach activities.
Provide company-wide training on breach awareness, employee responsibility, and reporting processes.

During an incident
Record the issues and open an incident report.
Convene the core team.
Set up a technical bridge to discuss needs required to restore operations.
Set up a management bridge or communication schedule to provide updates to executive management.
Triage the current issues and communicate to executive management.
Identify initial cause and activate needed specialists to respond to the current issues to restore operations.
Retain any evidence and follow a strict chain of evidence to support any needed or anticipated legal action.
Communicate to aected third parties, regulators, and media (if appropriate)

After an incident
Update the incident report and review exactly what happened and at what times.
Review how well the sta and management performed in dealing with incident.
Determine whether or not the documented procedures were followed.
Discuss any changes in process or technology that are needed to mitigate future incidents.
Determine what information was needed sooner.
Discuss whether any steps or actions taken might have inhibited the recovery.
Determine which additional tools or resources are needed to detect, triage, analyze, and mitigate future incidents.
Discuss what reporting requirements are needed (such as regulatory and customer).
If possible, quantify the nancial loss caused by the breach.
Report ndings to executive management.

10

Brochure | Executive breach response playbook

Why you need to act today

Security-related and non-security-related threats have become not only more numerous and
diverse but also more damaging and disruptive. New types of incidents emerge frequently.
Preventative activities based on the results of risk assessments can reduce the number of
incidents, but not all incidents can be prevented. Thats why a breach management response
capability is vital for rapidly detecting incidents, minimizing loss and destruction, reducing
business outage and customer impact, mitigating weaknesses that can be exploited, and
restoring information systems services.
The purpose of this framework is to establish processes and procedures to prevent, detect,
investigate, respond to, recover from, and remediate all incidents that threaten or target an
organization, its affiliates, or subsidiaries. But it is important to recognize that this program
is only the foundation to a good security strategy. Other components must be built upon this
foundation, including:
Monitoring an ecosystem with proactive tools, such as IDS/IPS, firewalls, anti-virus, and
Security Information Event Management (SEIM)
Effective alerts based on controls in place from the monitoring tools but that also recognize
external data points and correlate big data elements
Routine testing of the technologies deployed as well as the processes that support sound
breach management
Feedback mechanisms from testing or an actual breach event to examine needed updates to
technologies and processes as well as strategic planning to avoid future disruptive incidents
Our call to action is simple: Take the necessary steps to implement the program outlined in
this simple guide. We are here to assist your organization with the most complete security
portfolio in the market. We can work with you to improve your security processes and
operations at every step.

Learn more at
hp.com/enterprise/security
See the Ponemon Institute report, The Importance of Senior Executive Involvement in
Breach Response

11

Brochure | Executive breach response playbook

Sign up for updates

hp.com/go/getupdated

Share with colleagues

Rate this document

Copyright 2014-2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only
warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein
should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
4AA5-5562ENW, January 2015, Rev. 1