- October 23, 2022
- Posted by: Gradeon
- Category: Compliance
It’s your worst nightmare when a data breach has compromised the contact centre. It’s time to activate the incident response plan.
For an organisation receiving credit card payments, PCI DSS is sometimes perceived as merely a set of requirements. Implementing reasonable security procedures and achieving compliance is all they have to do. Of course, compliance will reduce the likelihood of a data breach, but it won’t prevent it.
The incident response plan must be thought through, reviewed, approved, circulated, and tested. Staff must be familiar with the plan and their part so that if the worst happens, businesses can contain the breach and prevent further data loss.
PCI DSS requirement 12 compels the organisation to have an incident response plan, although it doesn’t define it in detail. Each plan will be different according to the nature of the organisation. However, there is a standard set of phases that each plan should address: preparation, identification, containment, eradication, recovery and lessons learned.
1. Preparation for an incident
The first phase of the plan should ensure that documentation and processes are in place to support the organisation in the event of a breach. It will allow staff and independent experts to handle the breach. A specialist consultant can add value at this stage, giving breach advice and testing assumptions.
Up-to-date documentation should include:
– An inventory of cardholder assets that identifies the data, its format and where it is stored
– Network architecture diagrams
– Dataflow diagrams showing how data moves through the systems into databases and files
– Firewalls & routers, protocols and open ports
– IT configuration and change control procedures
– Encryption processes, including how keys are managed
– Virus detection software, including update regime, configuration and logging
– Backup systems and physical media
Processes must be defined and documented:
– Daily security procedures should include reviews and monitoring of logs
– IT staff should participate in a formal security awareness program to consider vulnerabilities and threats
– Staff should be trained in incident response best practices, including preservation of evidence
2. Identification
Identifying that a breach has occurred is the starting point for activating the incident response plan. This phase requires rapid notification to relevant staff stating:
– The symptoms of the breach
– How it was discovered and by whom
– The scope of the breach, including areas and operations affected
– The entry point, if this is understood
A template and contact list should be devised to ensure that the correct information is circulated and everyone is aware.
3. Containment
Containment is concerned with preventing the breach from spreading further and preserving evidence for analysis. Visa [1] defines specific steps for this phase:
– Staff must not access compromised systems. Instead, take them offline.
– Staff must not turn off or reboot computers. Instead, isolate them from the network, e.g. by physically removing the network cable
– Identify the suspected devices and components. It could include servers and desktops, databases and log files
– Document all actions taken towards containment, stating who carried it out and when
– Preserve evidence such as log files and system images
A third-party specialist best carries out containment. Whereas internal staff will be familiar with the systems and operational processes, a third party will have experience handling incidents on a day-to-day basis and giving breach advice. Indeed the contract with American Express, Visa or Mastercard may require the use of a specialised assessor previously approved by them.
Credit card companies also require notification of a security breach. For example, Mastercard requires notification within 24 hours.
Further, they require the production of a forensic audit report within a short space of time. Visa requires this within three business days. The information must show the following:
– How many of their cards have been compromised
– How the breach occurred
– Whether the breach was a result of non-compliance with PCI DSS
– Ensuring that eradication and recovery have been successful
4. Eradication
Having contained the breach, the next phase is eradicating all the malware components deployed thoroughly. It must be carried out diligently to ensure that a rogue file cannot be re-activated at a later point. Additionally, systems and networks must be patched/hardened to prevent a similar attack.
5. Recovery
Cleaned systems must be tested for robustness before returning them for production. During recovery, the systems must be monitored carefully and re-incorporated into backups and operational processes.
6. Lessons learned
The organisation must learn from the experience. It will require an honest and thorough analysis of how the incident was handled. It should go beyond the stipulations for the forensic report and look at how the incident was detected and handled. Businesses must update the incident response plan and procedures to be fully effective in the event of a future breach.
Incident response plan
Hopefully, your security processes are strong enough that the incident response plan is never needed. That would be a great place to be in.
In the event of a data breach, however, the plan stands between the organisation and the chaos of compromised data, legal action and fines from credit card companies. A solid plan and well-trained staff have a chance to head off that nightmare.
Gradeon can help by providing a comprehensive incident response plan. This plan will help the organisation to quickly and effectively respond to the incident, minimising damage and preventing future incidents. Gradeon’s incident response plan includes all the necessary steps, from identifying the incident to investigating its cause to implementing corrective measures. Gradeon can also provide guidance and support throughout the process, ensuring the organisation can quickly and effectively resolve the issue.
