Step 1: Identify Potential PII Attacks

Since this project will require an enterprise cybersecurity incident response plan with considerations specifically to identity theft, types of attacks must be identified. In a table or spreadsheet, identify the types of attacks that could result in denial of access to or theft of PII (personally identifiable information). Consider both internal and external incidents and those associated with employees and/or customers. Submit your list of potential PII attacks for feedback from your CIO (course instructor).

Step 2: Align Industry-Specific Standards

Now that you have identified potential attacks in the previous step, you should research and identify state or federal government standards established for the protection of PII (where they exist) as well as industry codes. Keep in mind that while you are concerned in particular about standards that govern the financial industry, there are different standards specific to other industries. As a CISO, you need to be aware that regulations can vary—for example, standards are different in the health care field.

Add an additional column to the prepared list of potential types of PII attacks from the previous step. In this second column, note what standards might be required when addressing each incident type. You should align government-mandated and sector-voluntary standards to the PII attacks identified.

Refer to the provided industry-specific regulations for additional background on existing regulations. As you consider standards for your organization, continue building upon this table in the next step.

Step 3: Exceed Policy Standards to Fulfill Company Demands

In the previous step, you identified the policy standards for relevant PII attacks. In this step, address any types of attacks that were not aligned in the previous step or those in which given standards are considered inadequate by senior leadership. As CISO, you are aware of your organization’s expectations to guarantee the highest level of security for the organization and individuals in regards to theft of PII (personally identifiable information).

To complete this phase of the project, you will add an additional one to two columns to include upgraded or superior solutions on items considered to still be vulnerable. The alternatives that you add should reflect your organizational demands, initiatives, and vision. You will assess and prioritize this list of solutions in the next step.

Step 4: Assess Alternatives

Now that you have created a list of alternative solutions, assess your recommendations and prioritize them in a final column. Prioritize each alternative by placing a number “1” next to the first priority, a number “2” next to the second, and so on.

To the right of the prioritized solutions, in a sentence or two, state why you selected that alternative in that particular position. Submit the updated PII Solution Alternatives Table for feedback.

Step 5: Complete the Executing the Response to a Cyberattack eLearning Module

So far, you have identified potential PII attacks and developed a set of PII solution and prevention alternatives. Before outlining a strategy for breach management, review Executing the Response to a Cyberattack. A response to cyberattack typically includes prevention measures, which you have already considered, but it also includes defense, detection, recovery, and response concerns. These areas should be developed with business considerations and subject to the advice of company leaders.

Now that you have become more familiar with an overview of how to execute a response to a cyberattack, proceed to the next step to outline a breach management strategy.

Step 6: Outline Breach Management Strategy

The next several steps will fit the alternatives into a breach management strategy. Strategic thinking can be challenging in a project environment. A “project” is work- and task-oriented, and it includes specific deliverables produced within a defined timeframe. Such projects have a limited budget and are developed to exact specifications. This project’s charter is to present a strategic view of responding to a potential breach in the area of the system containing PII.

This section of the planning should explore areas other than cyber technology. It is about policies, required and recommended, that expand the project notes you have been creating to address corporate concerns outside of the technology realm, such as legal implications, reporting, etc.

Briefly outline, for use in the next few steps, a strategic approach in response to a breach allowing access to PII—customers and/or employees. Think of the policy aspects that will have to be addressed. You will continue to use the findings determined here and over the next few steps to produce a breach management strategy.

Breach management options will be considered in the next step.

Step 7: Determine Breach Management Options

Using the outline of the strategic approach developed in the previous step, determine both the technical and strategic options available in addressing a breach of PII. The eventual goal is to help senior management understand the level of effort required in an appropriate response to a breach. Take note of these options for future use.

Once complete, you will be ready to research legal issues in the next step.

Step 8: Research Breach Management Legal Issues

With breach management options identified in the last step, begin to research associated legal issues. Breach management in response to exfiltration of PII is well documented in a legal context. Multiple resources are available that address the issue. This section of your research and breach management strategy report should carefully identify all the concerns being raised in the courts surrounding previously documented cases.

The idea is to find evidence of court cases being litigated that are a result of a PII breach—not necessarily the outcomes of those legal proceedings. Identify the issues that your policy strategy should address and draft a discussion. This discussion will be used in a future report. After considering legal issues, move to the next step, which will be a look at cyber insurance.

Step 9: Research Breach Management Cyber Insurance Options

Redirect the research from legal issues in the last step to cyber insurance options in this step. As the number of PII breaches grows, so does the new industry of cyber insurance. Draft several paragraphs that state the options now available for this component of risk mitigation. Be sure to include what is covered by most readily available insurance policies, as well as what is not covered.

As an example: Is the institution covered for a customer PII breach if it is determined the breach was caused by an employee? The intent is not to make you a cyber insurance expert, but to offer senior leadership some of the strategic, big-picture options. This draft will be used in a future report.

In the next step, you will research the regulatory requirements of breach management.

Step 10: Research Breach Management Reporting and Other Requirements

Publicly traded enterprises and health care organizations are subject to governmental regulations and requirements where PII is concerned. In addition, some industries voluntarily impose standards upon their members. This is the section of the breach management strategy to address those issues.

What are the minimum reporting requirements applicable to financial institutions (in this case)? What standards are in place that must be met to prevent additional damage to the institution in the way of fines, warnings, or other sanctions as a result of noncompliance with regulations on reporting the breach?

Actual requirements for other industries could be similar, overlapping, or not, determined by the business sector, inclusion in critical infrastructure classification, and a number of other factors. The financial sector is our example for this project and not to be considered comprehensive or all-inclusive across all sectors.

In the next step, you will compile the report on breach management strategy.

Step 11: Compile the Breach Management Strategy Report

After considering the elements of breach management strategy over the last several steps, compile all drafts and revise into a complete five- to seven-page Breach Management Strategy that will present policies to senior leadership for the response to a PII breach.

You will need to include an overview of your strategic approach, options available, legal issues, cyber insurance, reporting and other requirements, and finally the proposal. Your proposal should identify issues/impacts with mitigation strategies, and include regulatory responses where they exist. Note how financial industry reporting requirements differ from health care or other industries.

Submit the Breach Management Strategy for feedback. This report will help complete your work on the final incident response plan.

Step 12: Compose Policy Components of an Incident Response Plan (IRP)

Now that you have a proposed breach management strategy, you are ready to begin development of an incident response plan (IRP) specific to a breach of PII. Compose the key policy components of an incident response plan in a list to be used as a basis for the next step.

Step 13: Itemize the Steps of an IRP

Start at the key policy component list from the last step and add postincident requirements already identified to itemize the actions it will take to accomplish these goals. Keep in mind the level of effort required and time involved to accomplish each element of the IRP.

You now have all the information necessary to create a comprehensive IRP. To get your mind set in the right direction, imagine that a breach affecting PII has occurred. It is the organization’s worst cyber incident. What do you do? How does the organization respond? What steps need to be taken to meet all the requirements you have identified in the Breach Management Strategy?

This step is to create a list or an outline; the use of a spreadsheet is recommended to facilitate subsequent steps in the project. The primary column is all of the actions or tasks that need to be completed in the IRP. As part of this first list, identify what department is responsible for what action by considering the functional areas of a financial institution.You will build upon this list in the next step by adding the element of time to your spreadsheet documentation.

Step 14: Assign a Typical Timeline for an IRP

As a result of your Breach Management Strategy, are there specific timelines required by the regulatory compliance you referenced? If so, that should be your starting point for creating the IRP timeline. These are referred to as project “milestones.” Look at the list you created in the previous step and put those milestones in a required response time sequence.

When building the timeline, pay attention to elements that depend on previous elements—things that must be completed before a following action can be started. In project management, these are referred to as “critical path” items.

This section of creating the IRP must have all critical path items covered within regulatory milestones. It is not mandatory to assign perfect values to the actual time it takes to accomplish each action item. It is mandatory to show the milestone dates.

As an example, one reporting requirement for a financial institution suffering a PII breach is likely to be to notify all affected customers within 72 hours of the breach. That means you will have a customer notification milestone at three days in the IRP.

After you have added the milestone dates to your spreadsheet documentation, you will plan for implementation of the incident response plan in the next step.

Step 15: Plan for the IRP Implementation

This is the step where you tie together the requirements (milestones), the timeline (critical path), and which department will be responsible for what elements in the plan (accountability). Ensure all of the rows and columns in the spreadsheet are in alignment to accomplish the goal of minimizing the impact of the PII breach. It is the final step in creating the IRP. This spreadsheet will be included in your final IRP.

Now, it is time for the final step, in which you will explain the results of all your hard work on the IRP to senior leadership.

Step 16: Complete the Incident Response Policy Plan (IRP)

The resulting IRP should be a total of 10 to 12 pages that present an actionable plan to fully address a breach of the organization’s PII. It should include a final paragraph on your thoughts about how the recommendations are likely to be received.

This final step is to bring all the work together. Use what has been created in the previous steps as detail to support your completed plan on incident response. Synthesize the material and include all CIO (instructor) feedback received.

Include in your comprehensive IRP the review and findings from a policy approach to maintain or exceed compliance with all regulatory demands. In addition, demonstrate your adherence to the best possible outcome for victims of a PII breach.

Remember, confidence in and approval of the approach is mandatory. It has already been determined that a breach of the organization’s PII is a serious matter. The CEO and the rest of the executives are depending on your expertise to address the situation quickly and effectively. This IRP is that plan of action.