Bad Day at the Office: the Life of an Information Security Officer
Instead, you are led into a conference room where the CEO and others are sitting with a guy in a suit (aka The Lawyer) and they all start firing questions when you walk in.
Who let this get out? What member data was exposed? When did it happen? Where were you when the data was stolen? How did you let this happen? What are we going to tell our members? What's it going to cost to clean up this mess? How is this going to affect next quarter's forecast?
You sit there and start thinking that what you really need to be doing is updating your résumé. But, right now your credit union needs your help.
So as you begin preparing answers for the questions flying around the room, you can't help but think of how things might have been. You know in your heart that in today's connected world, filled with ever increasing threats, it's impossible to be 100% secure. But, you wonder what the situation would be now if only you had been able to convince these same people, earlier this year, to develop and publish a security incident response plan. If we'd done that, would we still be sitting here in the conference room shouting questions and unsure about how to respond to the news crew in the lobby? Maybe, but I think not.
More questions begin flying around the room. The CEO asks, "What do I say to the reporters about how we let this happen? Do I use the standard response given by everyone else?"
"Our members' personal information is very important to us, and we are committed to protecting it," he mutters. "We regret that this breach has happened, and I promise you we are taking steps to make sure it never happens again. Is that what I tell them? How about I tell them we will be upgrading our firewalls and sending a letter to all our members offering free credit reports? How much will that cost, by the way?"
The room goes quiet and everyone seems to be looking at you. You squirm in your chair a little and say, "That answer may satisfy the reporters in the lobby, but we need to answer another question. 'Could you please elaborate on your planned corrective actions so I can believe they are real?' That question will be on the mind of every one of our members."
The CEO asks, "What do you propose?"
Again, all the eyes in the room are on you. You take a deep breath, glance at the CTO and begin. "As I see it, when it comes to information security, our members expect and demand that we will acknowledge the value of their personal information and apply safeguards to assure its protection from unauthorized access and misuse. The question is, how do we convince first ourselves and then our members that we do in fact fully understand the nature, extent and potential impact of the data breach, along with the necessary corrective action?"
"What if we announce that, as part of our information security program, we will be developing a formal response program to deal with unauthorized access to member information in accordance with the guidelines in Appendix B to Part 748? That would be real corrective action and should begin the process of rebuilding trust and confidence with our members and business partners."
The CEO looks interested and says, "Tell me more." Another deep breath and you begin listing the components of a fully compliant response program.
Full assessment of the incident.
Identification of the member information systems and types of information that have been accessed or misused.
Defined process for NCUA notification.
Process for submitting Suspicious Activity Reports.
Process for taking steps to contain and control the incident.
Defined process for member notification.
A clear definition of the credit union's and service provider's responsibilities for notifying members.
You could go on about the benefits of incorporating the best practices defined in security standard ISO/IEC 27001:2005, but you've said enough. After some silence, the CEO looks at the CTO and says, "See me first thing tomorrow with your plan to fully implement the guidelines in Appendix B and start preparing the letter announcing our plan to the members."
Suddenly, I feel a sharp pain in my side.
It's my wife poking me to get up. She says, "Don't you have to be at the office early today for that data breach simulation exercise?"
As I roll out of bed, my nightmare sticks with me. I start feeling better only after my head clears and I remember that we do have a fully compliant incident response program. Today we are planning our second exercise to be sure we are well-prepared. Walking out the door I just shake my head and say out loud, "So that's how it would feel if we suffered a data breach without a documented response program." I have to stop reading those security magazines right before going to bed.