Cybersecurity Practices for Health Care Organizations~ RJ BLANCHARD BENEFIT SERVICES

Page 79

personnel for high-impact incidents. A template IR policy is provided in Appendix G in the Main document.

Cybersecurity incident response team (CIRT): a pre-formed and “on the ready” group that knows how to navigate issues when critical- or high-severity security incidents arise. This team develops and manages your organizational response. Most commonly, CIRTs are formed in the HPH sector when potential data breaches occur and the organization must manage the potential breach in compliance with HITECH.

It is important to identify the incident commander, the most senior official who will oversee managing cybersecurity incidents. The incident commander is usually the CISO or equivalent. Note that the incident commander should not dive into the technical weeds of the incident, but should keep the various teams organized and focus on their objectives. Table 11 describes the teams that may be involved in resolving a critical security incident and potential breach.

Table 11. Roles and Responsibilities for an Organizational CIRT

| Team | Description |
| --- | --- |
| Executive/Senior Leadership | An organization’s C-suite or most senior executives. They provide overall direction and approvals required to resolve significant cybersecurity breaches. These individuals should be kept informed throughout the lifecycle of a significant cybersecurity incident. |
| Cybersecurity Teams | Teams comprising people with cybersecurity expertise who understand attacks, vulnerabilities, and the methods by which threat vectors are exploited. They provide technical depth and detail to technical teams and execute procedures in the playbook. |
| Technical Teams | Teams comprising SMEs for the technologies that have been compromised and who are engaged in developing and implementing the response. These SMEs may be system owners, system administrators, or other individuals with specialized IT expertise. They take instruction from the cybersecurity teams as part of the playbook execution. |
| Legal Teams | Teams comprising attorneys in your general counsel (internal or external) that help manage the incident under privilege as well as consult on regulatory expectations. |
| Public Affairs/Marketing and Communications | People who manage external communications to deliver a consistent voice and message in the event of a high-visibility cybersecurity incident. This team is important to managing the reputation of the organization. |
