To recognize and deal with disruptive incidents (e.g. data breach or cyber attack), IT professionals and staff need an incident response policy. This document addresses a suspected data breach in 6 main phases:
1. Preparation -- This is the most crucial phase to protect personal data. To properly and successfully implement a response plan, this phase should train everyone on their roles and responsibilities in the event of a data breach and test their performance with drill scenarios and mock data breaches. For EMM, this means training our on-ground data collectors on adequate reactions if the data they collect is compromised. When data collectors are trained with the help of FAYOHI, they should have participated in mock drills and be trained on security policies, as well as know their roles and the required notifications to make.
2. Identification -- It's the process of determining whether a breach has occurred. Ask these questions:
When did the event happen?
How was it discovered?
Who discovered it?
Have any other areas been impacted?
What is the scope of the compromise?
Does it affect operations?
Has the source (point of entry) of the event been discovered?
3. Containment -- Upon the discovery of a breach, it must be contained to prevent spread and further damage. Rather than securely deleting everything, establish short- and long-term strategies. At this stage, it's important to update and patch systems, review remote access protocols (and I'm assuming, access controls), change all user and administrative access credentials, and harden all passwords. For EMM, we wouldn't delete the personal data of ALL mothers (.. how would this even work if the collection tool is paper-based and the data is stored in a physical safe?). Assuming that we use electronic tools (e.g. CommCare or ODK or Epicollect5) for data collection and storage, wouldn't containing a breach actually be their responsibility/in their control? So the document I'm writing is basically about a man-made error or breach on the EMM-FAYOHI side...
4. Eradication -- It's about eliminating the root cause of the breach, so malware should be securely removed, systems should be improved, and updates should be applied. Be thorough. If an EMM-FAYOHI member is responsible for the breach rather than a hacker or virus (because it would then be the fault of our third-party services/servers), I assume that eradicating the threat may entail firing/re-training data collectors and securing our physical safes (and even switching data collection tools)?
5. Recovery -- This is the process of restoring and returning affected systems and devices to regular operations. Recovery is about continuing normal activities and getting systems up and running without the fear of another breach. What does this mean for EMM? Once hardened and tested, we may continue with the electronic or paper-based systems.
6. Lessons Learned -- It's the time to discuss learnings, analyze and document everything about the breach, and determine what worked well and what didn't. Lessons learned from both mock and real events will help strengthen your systems against future attacks.
Creating and managing an incident response plan involves regular updates and training.
There are also 6 steps to creating an incident response plan:
1. Identifying and prioritizing assets -- Consider EMM's critical assets and prioritize them according to importance and highest risk → The personal data of mothers are what we're looking to protect. Since every piece of information they give us about themselves is of equal importance and is stored in the same place, there is no priority to be established.
2. Identifying potential risks -- What is threatening us? Which risks should we focus on? → Loss or theft of physical property (for paper-based registration sheets) and/or breach of physical security (e.g. safes, computers, phones) and/or of electronic third-party services (e.g. servers of the electronic data collection tool we would use).
3. Establishing policies and procedures -- With clear directives, a panicked employee is less likely to end up making crucial and costly mistakes. What happens if EMM is breached?
How do we identify and contain a breach?
How do we record information about it?
How do we notify and communicate with others?
How do we legally defend ourselves?
How are data collectors and employees trained?
Refer to the 6 phases above.
4. Setting up a response team -- Once a data breach is discovered, a team should coordinate the actions and resources to minimize impact and restore operations as quickly as possible. Could data collectors be trained on this? Is this a question/concern to discuss with FAYOHI?
5. Selling the plan -- An effective incident response team and plan depends on the backing and resources available to support and execute it. The better that goals are presented to protect a business, the easier it will be to obtain any needed funding to create, practice, and execute the plan. Remember how the effort and expenses related to incident response will benefit EMM, both financially and with our reputation.
6. Training employees -- Staff should be properly trained on what is expected of them in the case of a breach, because an incident response plan that exists only for its own sake won't help anyone (as they say, "A plan without action is not a plan, it's a speech"). Train and test employees on data security. Run through different exercises and potential hacking scenarios to familiarize employees with their responsibilities. Allow them to practice what they've learned and be ready for the real deal. Identify and address holes in the plan, and help everyone see where they can improve.