Is it a breach or not?
Incidents happen, and the most important part of IR is the planning stage. You should have a process or checklists with steps to make sure the response goes as smoothly and quickly as possible.
When your forensic analysis shows, or determines it is likely, that PII was accessed, your executives need to have the right information to make a decision. You should have a memo that breaks down what data was on the system and the factual evidence of the data accessed. It should be written in layman's terms so that the executives can lean on the analysis for decisions. (e.g. A copy of our sensitive database was put in an unusual area of the system and the attacker used methods to hide the file. We have evidence that this file left our company through analysis of our network connections from the compromised system.)
Additionally, it's good to include in the memo the investigator's opinion of the likelihood that data was accessed. A typical example is a web server that was defaced, but with no additional tools or activity on the server. The likely motive of the attacker was only defacement, and your analysis may suggest that the likelihood of data leakage was low.
The key is understanding your management and having discussions early on about when to notify and when not to notify.
Tom Webb