When thinking about how to respond to cyber security incidents, you need to think about how your organization will engage with law enforcement – and the time to make these key decisions is BEFORE an incident occurs.
Some of the questions that need to be answered in an incident response plan include:
- Who makes the decision as to when to contact law enforcement?
- What law enforcement agency will be contacted? Who is the law enforcement contact?
- Who will be the communications link between the company and law enforcement personnel?
- What kinds of records need to be kept during the incident response?
- How will potential evidence be identified and preserved in a manner which will allow it to be used in court?
The United States Department of Justice’s Cybersecurity Unit has published an excellent document which lays out the steps that organizations can take before, during and after a cybersecurity incident to make cooperation with “John Q. Law” as smooth as possible. The document is available here – it is worth reviewing whether you are just starting your incident response planning journey or already have a plan in place. As security professionals, we want to ensure that attackers can be brought to justice wherever possible, and this document can help make that happen.