Effectively gathering facts following a data breach

January 15, 2013

By Eric Vanderburg

It is easy for miscommunication to happen after a data breach. There could be many people working on the incident and those people may document differently and without guidance, critical facts could be lost due to inconsistent or ineffectual documentation procedures. This can make it difficult for incident response teams to understand the relevant facts of the matter. Here are some guidelines in documenting a breach.

It can be very helpful to start with a timeline. Discuss the incident with those who first noticed it and those who validated that there was an incident. Put the time of the reported incident and the validation on the sheet and then add the events that led up to the incident. Keep adding events to the timeline as you progress and this will help show the incident flow and help you determine the cause and effect of the incident. Review the timeline with the incident response team and receive feedback. The timeline can be used similar to a murder board in a police investigation. Post the known facts and their times on the wall in the incident briefing room and then tack on new facts to it as you progress. You can do this digitally as well if the team is not all in one place.

Next, record the facts only. Don’t let personal opinions creep into the log. Documented assumptions can lead the incident response team in the wrong direction. They can also be detrimental if legal action is taken as part of the investigation as these documents could be part of the discovery process.

The National Institute of Standards and Technology’s (NIST) Computer Security Incident Handling Guide suggests that teams should have a person designated as the documenter while another person performs tasks so that the critical facts are not left out.

Lastly, don’t jump to conclusions. There could be many explanations given the available data so care must be taken to eliminate available options. Determine what data you will need to eliminate an option and then seek that out. Keep track of the possible scenarios and their underlying criteria and whether those criteria have been proved or disproved.

Eric Vanderburg is the Director of Information Systems and Security at JurInnov, Ltd. (“JurInnov). JurInnov’s consulting practice is a trusted resource for law firms and corporations whose litigation technology needs are as varied and specialized as the organizations themselves. JurInnov’s international consulting practice focuses on the application of technology solutions to today’s challenging business and legal demands, including information security consulting, litigation document management and online review, electronic discovery, legal analytics and review, and computer forensics.

Eric Vanderburg is a graduate from Kent State University with a Bachelor of Science in Technology and a Masters of Business Administration with a concentration in Information Systems. During and after his education he worked as a consultant specializing in the development and maintenance of information management and network security systems for businesses, law firms, and government agencies. Most recently, he was a professor of computer networking at Remington College where he taught courses on information security, database systems, and computer networking. He has been invited to speak at many organizations and campuses on technology and information security. In order to build further competencies in information security, Eric is currently pursuing a doctorate in Information Assurance.

Vanderburg joined JurInnov in 2006 to manage information systems and security for JurInnov and its clients. He holds over 25 vendor certifications including: Certified Information Systems Security Professional (CISSP), Holistic Information Security Practitioner (HISP), Certified Wireless Security Professional (CWSP), Hitachi Data Systems Certified Professional (HDSCP), and many certifications from Microsoft and Cisco.