The Cybersecurity Unit of the US Department of Justice recently published guidance on “Best Practices for Victim Response and Reporting of Cyber Incidents.” The guidance is available here. The document aims to assist organizations in preparing a cyber incident response plan and in responding to a cyber incident. It was drafted for smaller organizations, but it is also useful for larger organizations with more experience in handling cyber incidents. The DOJ recommends that organizations take the following steps before a cyber intrusion or attack occurs:
- Identify your “crown jewels”
- Have an actionable plan in place before an intrusion occurs
- Have appropriate technology and services in place before an intrusion occurs
- Have appropriate authorization in place to permit network monitoring
- Ensure your legal counsel is familiar with technology and cyber incident management to reduce response time during an incident
- Ensure organization policies align with your cyber incident response plan
- Engage with law enforcement before an incident
- Establish relationships with cyber information sharing organizations
Once a cyber intrusion or attack occurs, the DOJ recommends the following:
- Make an initial assessment
- Implement measures to minimize continuing damage
- Record and collect information
- Image the affected computer(s)
- Keep logs, notes, records and data
- Keep records related to continuing attacks
- Notify people within the organization, law enforcement, the Department of Homeland Security and other potential victims
The guidance also contains a section on “Don’ts” in connection with cyber intrusions and attacks:
- Do not use the compromised system to communicate
- Do not hack into or damage another network
At the end of the guidance, the recommendations are summarized in a helpful checklist.