Effectively gathering facts following a data breach
January 15, 2013
By Eric Vanderburg
It is easy for miscommunication to happen after a data breach. Many people may be working on the incident, and if each of them documents differently and without guidance, critical facts can be lost to inconsistent or ineffectual documentation procedures. This makes it difficult for the incident response team to understand the relevant facts of the matter. Here are some guidelines for documenting a breach.
It can be very helpful to start with a timeline. Discuss the incident with those who first noticed it and those who validated that there was an incident. Put the time the incident was reported and the time it was validated on the sheet, then add the events that led up to the incident. Keep adding events to the timeline as you progress; this will show the flow of the incident and help you determine its cause and effect. Review the timeline with the incident response team and gather feedback. The timeline can be used similarly to a murder board in a police investigation: post the known facts and their times on the wall of the incident briefing room and tack on new facts as you progress. You can do this digitally as well if the team is not all in one place.

Next, record the facts only. Don’t
let personal opinions creep into the log. Documented assumptions can
lead the incident response team in the wrong direction. They can also be
detrimental if legal action is taken as part of the investigation as
these documents could be part of the discovery process.
The National Institute of Standards and Technology’s
(NIST) Computer Security Incident Handling Guide
suggests that teams should have a person designated as the documenter
while another person performs tasks so that the critical facts are not
left out.
Lastly, don't jump to conclusions. There could be many explanations for the available data, so care must be taken to eliminate the alternatives methodically. Determine what data you will need to eliminate an option and then seek that data out. Keep track of the possible scenarios and their underlying criteria, and record whether each criterion has been proved or disproved.
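The scenario tracking described above, as an added example that is not part of the original article: each scenario lists the criteria it depends on and the data that would prove or disprove each one, a disproved criterion eliminates the scenario, and the board reports which evidence is still outstanding for the scenarios that remain in play. The scenario names, criteria and evidence sources are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Status(Enum):
    OPEN = "open"            # evidence not yet gathered or examined
    PROVED = "proved"
    DISPROVED = "disproved"

@dataclass
class Criterion:
    claim: str               # what must be true for the scenario to hold
    evidence: str            # the data that would prove or disprove the claim
    status: Status = Status.OPEN

@dataclass
class Scenario:
    name: str
    criteria: list = field(default_factory=list)

    def eliminated(self) -> bool:
        # a single disproved necessary criterion rules the scenario out
        return any(c.status is Status.DISPROVED for c in self.criteria)

    def confirmed(self) -> bool:
        # every criterion proved, and at least one criterion recorded
        return bool(self.criteria) and all(c.status is Status.PROVED for c in self.criteria)

def record(scenarios, scenario, claim, status):
    """Update one criterion once its evidence has been examined."""
    for s in scenarios:
        if s.name == scenario:
            for c in s.criteria:
                if c.claim == claim:
                    c.status = status
                    return
    raise KeyError(f"unknown scenario/criterion: {scenario}/{claim}")

def viable(scenarios):
    return [s.name for s in scenarios if not s.eliminated()]

def outstanding(scenarios):
    # evidence still to collect, only for scenarios that are still in play
    return [(s.name, c.evidence) for s in scenarios if not s.eliminated()
            for c in s.criteria if c.status is Status.OPEN]

def sample_board():
    # constructed scenarios for a hypothetical breach; not real case data
    phishing = Scenario("phished credentials", [
        Criterion("user received a credential-harvesting mail", "mail gateway logs"),
        Criterion("account used from an unfamiliar address afterwards", "VPN auth logs")])
    usb = Scenario("insider copy to removable media", [
        Criterion("removable drive mounted on the workstation", "endpoint USB event logs")])
    return [phishing, usb]
```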
Eric Vanderburg is the Director of Information Systems and Security at JurInnov, Ltd. (“JurInnov”).
JurInnov’s consulting practice is a trusted resource for law firms and
corporations whose litigation technology needs are as varied and
specialized as the organizations themselves. JurInnov’s international
consulting practice focuses on the application of technology solutions
to today’s challenging business and legal demands, including information
security consulting, litigation document management and online review,
electronic discovery, legal analytics and review, and computer
forensics.
Eric Vanderburg is a graduate of Kent State University with a Bachelor of Science in Technology and a Master of Business Administration with a concentration in Information Systems. During and after his education he
worked as a consultant specializing in the development and maintenance
of information management and network security systems for businesses,
law firms, and government agencies. Most recently, he was a professor of
computer networking at Remington College where he taught courses on
information security, database systems, and computer networking. He has
been invited to speak at many organizations and campuses on technology
and information security. In order to build further competencies in
information security, Eric is currently pursuing a doctorate in
Information Assurance.
Vanderburg joined JurInnov in 2006 to manage information systems and
security for JurInnov and its clients. He holds over 25 vendor
certifications including: Certified Information Systems Security
Professional (CISSP), Holistic Information Security Practitioner (HISP),
Certified Wireless Security Professional (CWSP), Hitachi Data Systems
Certified Professional (HDSCP), and many certifications from Microsoft
and Cisco.