U.S. Department of Justice Issues Guidance For Cyber Incident Panning and Response
Vancouver - In April 2015, the U.S. Department of Justice (“DOJ”) issued guidance to assist organizations to prepare for
and respond to cyber incidents. The guidance discusses the important steps that an organization should
take before, during and after a cyber incident. The guidance is intended for smaller, less well-resourced
organizations, but is useful for larger organizations as well.
Cyber-risk management is an increasingly important challenge
for organizations of all sizes and kinds. Cyber-risk is the risk
of damage, loss and liability (e.g. financial loss, business
disruption loss, loss to stakeholder value, reputational harm
and legal noncompliance liability) to an organization resulting
from a failure or breach of the organization’s information
technology systems. Cyber-risk can result from internal
sources (e.g. employees, contractors, service providers and
suppliers) or external sources (e.g. nation states, terrorists,
hacktivists and competitors). Commentators have said that
there are only two kinds of organizations those that have
been hacked and know it, and those that have been hacked
and don’t know it yet.
U.S. DOJ GUIDANCE
U.S. Department of Justice Criminal Division, Cybersecurity
Best Practices for Victim Response and Reporting of
(version 1.0, Apr. 2015) provides helpful
guidance for organizations that want to prepare for cyber
incidents. Following is a summary.
1. Before a Cyber Incident
An organization should have a well-established, robust, actionable and tested plan for managing and responding to a cyber incident. Following are some key considerations:
The organization should
identify its mission critical data, assets and services, so
that the organization can prioritize its efforts and plan its
• Risk Management:
The organization should implement
appropriate cyber-risk management practices.
• Actionable Response Plan:
The organization should have
a comprehensive, actionable plan for responding to a cyber
incident. The organization’s relevant personnel should be
familiar with the plan and participate in appropriate training
and regular exercises to test and update the plan.
• Required Technologies and Services:
should have in place, or have easy access to, ready-to-
deploy technologies and services that will be used to
respond to a cyber incident.
• Lawful Access:
The organization should obtain from each
user of the organization’s computer systems all authorizations
required for the organization to lawfully monitor the use of
the computer systems (including accessing email and other
communications) and respond to a cyber incident.
• Legal Advice:
The organization should obtain legal advice
from experienced legal counsel when preparing for cyber
incidents, and should ensure that required legal advice will
be available promptly when the organization responds to a
The organization should ensure that its
policies, procedures and practices (including those relating to
human resources and information technology) are designed
to minimize the risk of cyber incidents and align with the
organization’s cyber incident response plan.
• Proactive Relationships:
The organization should establish
relationships with relevant law enforcement agencies,
cyber-risk management information sharing associations,
cyber investigation/security firms and outside legal counsel.
2. During a Cyber Incident
An organization’s cyber incident response plan should provide actionable procedures for handling a cyber incident, continuing regular business operations during and after a cyber incident and working with law enforcement and incident response service providers. A response plan should have the following key steps:
• Initial Assessment:
The organization should make an initial
assessment of the nature and scope of the incident, and
attempt to determine the cause of the incident.
• Mitigating Measures:
The organization should promptly
take steps (both practical and technological) to stop the
incident and minimize resulting harm.
Throughout the incident response process, the organization should
collect, record and preserve all relevant data and information (including creating a
forensic image of the affected computer systems) regarding the incident (including
an ongoing incident) and the steps taken, and costs incurred, by the organization to
respond to the incident, mitigate resulting harm and prevent similar incidents in the
future. The data and information should be protected and properly handled (e.g. by
designated personnel) so that they are admissible as evidence in legal proceedings.
The organization should give timely and appropriate notice to internal
personnel (e.g. senior management, security coordinators, communications/public
affairs personnel and legal counsel), law enforcement agencies, regulators (if notice is
required by breach notification laws) and other potential victims (either by direct notice
or through law enforcement).
An organization that is a victim of a cyber incident should not do the following:
• Do Not Use Compromised System:
To the extent possible, the organization should not
use a computer system that is suspected of being compromised by a cyber incident to
communicate about the incident or the organization’s response to the incident.
• Avoid Social Engineering:
The organization should avoid becoming the victim of
social engineering (e.g. attempts by a perpetrator to deceive a target to take harmful
action) by not disclosing incident-specific information to unknown persons.
• Do Not Hack Back:
The organization should not attempt to access, damage or impair
another computer system that appears to be involved in the cyber incident. Hacking
back is likely illegal and the identified computer system might itself be an innocent
victim of a cyber incident.
3. After a Cyber Incident
After a cyber incident appears to be under control, the organization should remain vigilant
and continue to monitor its computer systems for anomalous activity; take steps to
prevent similar attacks in the future; conduct a post-incident review of the organization’s
response to the incident; and assess and improve the organization’s incident response
plan and related preparation activities.
The DOJ guidance is a helpful summary of some basic, best practices for preparing for
and responding to a cyber incident. More comprehensive guidance (including helpful
questionnaires and checklists) is available from various regulators in the United States and
Canada (e.g. the U.S. National Institute of Standards and Technology, the U.S. Securities
and Exchange Commission, the U.S. Financial Industry Regulatory Authority, the Investment
Industry Regulatory Organization of Canada, Canadian Securities Administrators and the
Office of the Superintendent of Financial Institutions of Canada). Organizations of all sizes
and kinds would be well served by following best practices to manage cyber-risks and
prepare to respond to cyber incidents.
Bradley J. Freedman, T 604.640.4129 firstname.lastname@example.org