If you need to prepare a Cybersecurity Incident Response Plan for your law office but don’t know where to start, you’ve come to the right place.
The National Institute of Standards and Technology (NIST) offers a wealth of resources – including an outline of the four essential phases of an incident response plan – free on its website.
“It is important to recognize that preparatory activities and post-incident activities are equally important,” says the NIST. “In fact, NIST emphasizes both types of activities in their outline. The key to an effective cybersecurity incident response plan (CSIRP) is to have one in place well before a breach occurs.”
Download the NIST’s official Computer Security Incident Handling Guide.
Why choose Alta Pro Lawyers Risk Purchasing Group over other legal malpractice programs? Because Alta Pro RPG gives insured law firms exclusive access to valuable practice resources and cost-saving programs. When you join the Alta Pro RPG, you can use our Pro Practice Resource Center, filled with practical pointers and risk management tools to keep your law firm safe and soaring. Plus you get exclusive access to free CLE webinars, like our recent, highly popular program on Basics of Cannabis Law. Also: discounts on office essentials, Ask the Risk Pro, malpractice defense hotline and more. Don’t miss out on these fantastic perks. If you’re already a policyholder with Alta Pro but haven’t yet created your RPG account, here’s how to do it.
NIST Four Phases of An Incident Response Plan
The following is from the NIST website:
Phase One: Preparation. “Your plan needs to detail who is on the incident response team—along with their contact information and what their role is, and when members of the team need to be contacted. Each member of this team, from the CEO to the members of the IT team, needs to understand their place on the team and what they need to do in the event of a breach. They also need to recall the details within your CSIRP so that when a security incident happens, they can respond quickly.”
Phase Two: Detection and analysis. “[This phase] is triggered when an incident has just occurred and your organization needs to determine how to respond to it. Security incidents can originate from many different sources and it’s not practical, or even possible, to create a plan to respond to every type of security incident possible. The NIST provides a list of some of the more common methods of attack that you can use as a starting point as you determine what steps to take in the event of a security event.”
Phase Three: Containment, eradication, and recovery. “This phase is the heart of your CSIRP. Everything you do in response to an attack will revolve around containing the incident, eradicating the threat, and recovering from the attack.” Here are some NIST criteria for devising a containment strategy: potential damage to and theft of resources; need for evidence preservation; service availability (e.g., network connectivity, services provided to external parties); time and resources needed to implement the strategy; effectiveness of the strategy (e.g., partial containment, full containment); duration of the solution (e.g., an emergency workaround to be removed in four hours, a temporary workaround to be removed in two weeks, permanent solution). Eradication and recovery can take days, weeks, or months depending on the size of the breach. The NIST advocates for a phased approach, with the early phases increasing your overall security as quickly as possible and later phases focused on long-term changes and ongoing work to keep your organization safe.”
Phase Four: Notification. “Depending on what kind of information was affected, you may also need to notify certain parties such as law enforcement, the FTC, your customers, affected businesses, and others. You need to work with your legal and compliance teams to make sure you understand who needs to be notified and have a plan in place for notifying.”
Post-incident wrap-up. “After the incident has been stopped, security updates have been made, and your organization is back on track, your organization should take some time to debrief from the incident. Reflect on what has happened and talk about how you can identify similar incidents in the future and stop them sooner. Assess the severity and damage.”
Do you practice in Wisconsin, Texas, Minnesota, Ohio, Illinois, Indiana or Michigan? Is your professional liability coverage managed through Alta Pro? If so, you’re automatically a member of the Alta Pro Risk Purchasing Group (RPG), which offers a wealth of benefits for your practice: free, cutting-edge CLE webinars featuring top experts tackling timely topics; the Pro Practice Playbook; the Pro Practice Blog; Reminger’s ProLink risk management assistance; Reminger’s Claim Repair Hotline; discounts on CLIO practice management software; tax savings on health insurance; and access to the Risk Pro, who can help keep your firm safe and successful. Register here and start enjoying your Alta Pro RPG benefits.