This checklist is intended to help state agencies deal with cybersecurity incidents. Private citizens will likely find “So You Think You’ve Been Hacked” more useful. Not all cyber incidents result in Data Breach; if a Data Breach is suspected, agencies should also use the “Data Breach Response” checklist.
Establish the facts
- Consider: Who is reporting the problem? How did they become aware?
- Observe: What do we know so far about what happened?
- What networks/systems are affected?
- What data/information was compromised (e.g., stolen,deleted, altered)?
- Record: When did the incident occur?
- When did we find out about it?
- When did we begin to do something about it?
- When will we know the full scope of the problem?
- When do we estimate that the problem will be remediated?
- Where did the incident occur (what office, activity, locale, etc.)?
- How much do we know with certainty about how the incident occurred? Do we know the source of the attack?
- Plan: How will we stay informed of efforts to remediate the breach and restore normal service?
Mobilize a response
You're not alone in responding to an incident -- the state has multiple expert resources. Consider the following in reaching out to them:
- Who has the lead in directing operational response efforts? What role will your office play?
- What other actions do your breach notification laws require?
- What are the legal implications of the incident?
- Have you notified your AAG, DES ORM and the Office of CyberSecurity?
- Who else should be notified at this point (e.g., citizens, business and industry, other state, local, federal officials, etc.)?
- Has law enforcement been notified?
- What expertise is on hand to work the problem? What additional help do you need? Who will provide it?
- What measures are needed to secure the networks/systems from further exploitation?
- What additional steps are needed to secure data holdings?
- How will the remediation efforts to limit/repair the damage and restore normal services be prioritized?
- What special notifications should be prepared for victims?
Communicate what you know
Here, as elsewhere, bad news does not get better with age, but remember the general rule that the first report is always wrong.
- Release your initial public statement as soon as you have a reasonable command of the problem and can explain what you are doing about it.
- Describe what you know so far about what happened and what is being done to correct it.
- Be prepared to explain the pre-existing cybersecurity posture and the measures that were in place to prevent events of this kind.
- Be prepared to explain the steps you will take to prevent future unauthorized intrusions. Start with basic cyber hygiene and the Critical Security Controls.
- Establish a regular cadence of updates for victims, media, and other stakeholders- including your own workforce.