R2 Guidance & Knowledge Base

Creating an Incident Response Procedure to Manage Potential Data Breaches


Core requirement 7.(b)(6) calls for an Incident Response Procedure to manage potential data or security breaches. This procedure should include the process for two specific actions:

  • Investigate potential data or security breaches; and
  • Notify affected suppliers, legal authorities and other interested parties as required by law, of any potential or actual breaches.

It’s important to have thought through this process well before any incident takes place. Best practice for this procedure would be to clearly document all actions that need to take place in order to respond to a potential breach, identifying who is responsible for completing each and when each needs to be initiated. Suggested actions for consideration in this plan include:

  • Who will be responsible for investigating potential data or security breaches?
  • How will an investigation of potential breaches include physical or operational vulnerabilities, the status of facility security, and the background and training of all personnel who are in contact with data-bearing devices or who have responsibility for facility security?
  • What methods will an R2 facility use to gather information on a data or security breach should one occur? Are there adequate test logs, device tracking records, facility security logs, visitor logs or video recordings?
  • Who at the R2 facility confirms the fact that a data or security breach has occurred (or that potential conditions exist for one to happen) and that the Incident Response Procedure should be followed?
  • Is there a list of suppliers, legal authorities or other interested parties who should be notified of a data or security breach should one occur? Is it easily available 24/7 to the designated manager responsible for that notification?
  • What records are to be kept of each incident where this procedure was used, including documentation of all communications relating to the incident?
  • What process is in place to initiate and complete all Corrective Actions to prevent a recurrence of the conditions that caused the incident?

A detailed and well-planned incident response procedure can be a powerful tool, not only to help guide the response process and mitigate the situation, but also as a good demonstration of your facility’s level of preparedness to handle such situations.
