Payment card industry – Incident response plan

The Payment Card Industry Data Security Standard (PCI DSS) includes requirements for developing an incident response plan. In this article, we use the PCI DSS incident response requirements as a guide to creating an implementable plan for responding to a breach of PCI data and of any other sensitive data within your environment.

The seven critical elements of a PCI-compliant incident response plan are as follows:

1.  Roles & responsibilities

Develop a RACI matrix for every step of the incident response process. Include the business units impacted by a breach (Sales, Marketing, etc.) and the third parties that manage your environments, such as MSPs and MSSPs.

2.  Incident response

Procedures need to cover the entire lifecycle of a data breach, starting with the notification of suspicious activity and ending with the lessons learned after remediation of the breach is complete.

3.  Business continuity

Disaster recovery and business continuity plans need to cover security incidents and data breaches. Before bringing systems back online, don't forget to patch them and block all non-essential services.

4.  Backup

Backups can save your operations, particularly in a ransomware attack. Having cloud backups can further speed recovery.

5.  Legal reporting

Get legal advice on how to report incidents and whom to report them to. A good Digital Forensics and Incident Response (DFIR) team will have partnerships with law firms to guide you through the process.

6.  Critical system components

Make sure you have data and system classification in place. Establishing where your sensitive data resides and which systems are critical to it will not only allow you to assess the impact of an incident rapidly, but will also guide where your security efforts should focus.

7.  Notification to oversight bodies

Whether it is PCI data, health data, or any other data with mandatory reporting, the appropriate oversight body will need to be notified. When you inform the oversight body, you have a higher likelihood of reduced fines if you also include what you have done to remediate the breach immediately and your high-level plans for reducing the risk of another breach.

For help developing your incident response plan during #DataPrivacyWeek or any time throughout the year, contact us.

The information provided here is for general guidance only, and does not constitute the provision of tax advice, accounting services, investment advice, legal advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisers.