7 Things you should think about when you audit your response plan

Published: December 13, 2012 by ofonseca

Now that your data breach response plan is in place and you’re confident that your company is safeguarded from malicious data breach attempts, what could possibly still be the biggest threat to your data breach protection plan? Answer: the plan itself. All the planning and preparation in the world won’t protect your business from a data breach if the response plan fails to work. The business world is ever changing, so it’s necessary to ensure that your response plan stays current and functional.

That is why it’s imperative that you regularly audit, test and update your plan, preferably on a quarterly basis.

Here are 7 checklist items to keep in mind when auditing your response plan:

1) Update your data breach response team contact list – Employees come and go, so it’s important that the contact information for the members of your internal and external breach response team is current. Make sure department heads are noted and, once updated, re-distribute the list to the appropriate people.

2) Verify that your data breach response plan is comprehensive – Revise the plan to include any major company changes, such as new departments or adjustments in data management policies. Check in with each response team member to ensure their department understands its role and what they need to do during a data breach. Set up a mock data breach scenario so that your response team can practice trial runs. Hold a full-scale rehearsal annually so the plan is fully vetted and any adjustments can be made before an event occurs.

3) Double check your vendor contracts – Check that your contracts with your forensics firm, data breach resolution provider and other vendors are current and easily accessible. Review your vendors and contracts and make sure both still match your data protection and security needs.

4) Review notification guidelines – Verify that the data breach notification section of your response plan reflects the latest state legislation and that your notification letter templates address any new laws. Ensure your contact list of attorneys, government agencies and media is updated so you can easily notify them after a breach. For medical data breaches, healthcare providers need to verify that Department of Health & Human Services contacts are updated and that their response team understands data breach information reporting procedures.

5) Check up on third parties that have access to your data – Evaluate how third parties are managing your data and whether they are following your data protection rules. Educate them on any new legislation that may affect you during a data breach. Stress to third parties the importance of reporting a data breach to you immediately and what is expected of them in the resolution process. Healthcare companies need to meet HIPAA requirements and should check that business associate agreements (BAAs) are established.

6) Evaluate IT security – Ensure proper data access controls are in place. Check that automated software and operating system updates for the entire company are installed properly. Verify that any automated security monitoring and reporting system is up to date and working. Store backup copies of data securely.

7) Review staff security awareness – Verify that your staff is up to date on company policy regarding data security procedures, including which digital and paper documents to keep and how to securely discard what is not needed. Train staff to identify signs of cyber security threats in their daily work and to know the proper course of action for reporting a breach. Check that employees are keeping their work-related laptops, mobile and digital devices secure at all times, and remind them to change passwords every three months.