Cyber & IT Supervisory Forum - November 2023

2.) Let’s now think about how incident communica Ɵ ons happen within the organiza Ɵ on. a. Once the incident response plan has been ac Ɵ vated, how and to whom might the details of the incident be communicated within the organiza Ɵ on? b. Who within the organiza Ɵ on might poten Ɵ ally be involved in this por Ɵ on of the incident response process? O Ō en, a lot of the work that goes on to address an incident occurs outside of the view of organiza Ɵ on sta ff . But there are a lot of things to be considered with respect to how the company keeps its own people informed of an incident. Internal communica Ɵ ons can be a delicate ma Ʃ er and some Ɵ mes cluing in more people not involved in the remedia Ɵ on process can be somewhat risky. In most circumstances, employees will sense that “something is not right,” par Ɵ cularly when systems are down or are not working normally. There is always a risk of divulging too much detail to employees, par Ɵ cularly as the company has li Ʃ le to no formal control over how that informa Ɵ on is managed by each employee. Typically, an organiza Ɵ on’s senior management team will confer with legal and/or communica Ɵ ons teams to determine the level of detail and frequency of informa Ɵ on disseminated to employees not involved in the incident response process. In most cases, management will fi nd that some level of no Ɵ fi ca Ɵ on and detail will be required, but it is important to recognize that management and control of informa Ɵ on is extremely important when dealing with any type of compromise. In this par Ɵ cular case, the centralized nature of the company’s opera Ɵ ons and the presence of even less controllable and observable satellite loca Ɵ ons makes the considera Ɵ on of just “how much to tell” even more important with respect to maintaining control over what’s being communicated to general employees. INJECT 3 : Tuesday, early a Ō ernoon, June 7: While internal IT teams con Ɵ nue their urgent work to contain the ransomware and execute their incident response plan, it is discovered that news of the incident has leaked to social media pla ƞ orms and is quickly beginning to spread to the company’s customers. Customers are expressing their concerns and seeking informa Ɵ on about the situa Ɵ on, pu ƫ ng pressure on customer support teams to provide Ɵ mely and accurate updates. Addi Ɵ onally, media outlets have learned of the incident, and reporters are reques Ɵ ng details about the a Ʃ ack. This surge in external communica Ɵ on requests escalates the urgency of managing the incident's public ‐ facing aspect. 1.) How would you priori Ɵ ze communica Ɵ on e ff orts between media, customers, and regulators in this situa Ɵ on and why? A key communica Ɵ ons considera Ɵ on that should be addressed in the incident response plan is the iden Ɵ fi ca Ɵ on of the individual(s) or departments within the organiza Ɵ on that are responsible for communica Ɵ ons to external par Ɵ es. In the heat of an incident, it would be extremely easy for these responsibili Ɵ es to “fall by the wayside” or be handled by individuals with no appropriate quali fi ca Ɵ ons to do so. MANAGEMENT OF EXTERNAL COMMUNICATIONS AND RECOVERY:

17