The Art of Incident Rating

Analyzing the severity of data security incidents is an ongoing exercise that can pay off big in organizational efficiency and lower compliance costs.

In recent years, more and more organizations have introduced some kind of system for categorizing data security incidents and data breaches. There are so many factors to be considered in responding to a data security incident, that boiling it down to a rating may seem like gross over-simplification. How can a single rating reflect the complex web of causes and effect, regulations and requirements that must be considered in determining incident response? The answer, like so many other things in life, is that it’s not the result but the process that matters, and the rating process can have significant benefits to your organization.

Ransomware 101 ebook: What to Do When Your Data is Held Hostage

Rating Brings Relief

At the 2016 SANS Institute Data Breach Summit in Chicago, I participated in a panel discussion on best practices for determining incident severity. The other panel members were Meredith (Phillips) Harper, chief information privacy and security officer at the Henry Ford Health System and Erika Riethmiller, who directs a corporate privacy incident program at a major health insurer. It was interesting to see that, while ranking systems vary, our panelists and the audience agreed on the benefits of incident rating: consistency and scalability.

Meredith Phillips says that about five years ago, her organization realized they needed an evaluation process “where not every incident required getting VPs in a room.” She says the severity rating system empowers her team members to manage the majority of incidents autonomously, without bringing in executives. A large organization can have hundreds of incidents a year, so this allows top-level team members to focus on improving privacy and security and on managing the incidents that really are breaches with significant risk to customers and the organization.

The other huge benefit of severity ratings, according to all participants, is that they ensure consistency in evaluation and documentation, and that is a huge help with compliance, no matter what industry you’re in. By going through a systematic process of evaluating and documenting the scope and severity of each incident, you prepare your organization to show compliance and to defend any decision not to notify agencies, the public, or individuals.

Developing a Rating System

As one of our participants said, a ratings system should start with the laws that your organization is subject to. In healthcare, the HIPAA regulations offer a 4-factor analysis that organizations can use to determine if an incident is a breach and requires notification. Other industries have compliance requirements as well. For example, financial companies have to meet the requirements of the Gramm-Leach-Bliley Act (GLBA), and many retail businesses fall under the FTC’s Red Flags Rule or Payment Card Industry (PCI) security standards.

The basic questions are the same for any industry:

• What types of information was exposed, and how much?
• Was or could the exposed information be linked to individuals?
• How was it protected?
• What unauthorized person(s) did gain or could have gained access to it?
• What efforts were taken to mitigate the effects of the incident and were they successful?
• What are the risks to affected individuals and to your organization? (For example, if there was a small amount of information exposed but a high-risk population.)

How you interpret and weight those will depend on your business. Some organizations opt for a “low/medium/high” severity rating. Others need more granularity, such as a 1 to 5 rating, and still others opt for a “heat map” approach showing whether the incident is in a risk red, amber, or green zone.

Your privacy, security, and risk management staff should all participate in developing an incident rating system. Not only will each function bring in a different perspective and best practices, it will also foster commitment to the new process across the organization. Meredith Phillips also recommends talking to counterparts in your own and other industries. “I can’t say enough about building relationships with your colleagues. We are all dealing with the same basic issues, and you can learn a lot from your partners.”

As you design your severity rating system, consider the requirements of the governing state, federal, and industry regulations and be sure to document of your decisions, as that will help with compliance and even with potential future litigation.

Rating Work Is Never Done

Our panel also agreed that a rating system has to be a living document, changing to reflect new threats, new regulations, and new business models. One of our SANS panelists raised the issue of ransomware and how to account for that in a breach scenario? Another mentioned a change to Tennessee state law that no longer allows a safe harbor for encrypted information on lost devices that contain protected information. Meredith Phillips says Henry Ford includes the ratings systems in their annual review cycle for all documents and procedures, but they update more often if regulations change or a new issue comes up.

Ratings also need to be gut-checked in the context of actual incidents. Another SANS participant said that if the ratings system yields one result and the response team’s experience leads to a different conclusion, they immediately schedule a meeting to review the incident, decide what factors weren’t accounted for in the ratings system, and update it. Meredith Phillips also said that her team conducts table-top exercises for each new version of their ratings system, using a range of hypothetical incident scenarios.

The Proof is in the Process

It takes some work to develop a severity rating system, but remember that the process is what makes your organization stronger. If you involve the right people, you will improve communication and collaboration and learn a lot in the process. It’s like starting a fitness program: it has to take account of where you are at the start, be tuned as your situation changes, and be maintained. It can take some work to get started, but it lowers risks and improves quality of life in the long run.

Ransomware 101 ebook: What to Do When Your Data is Held Hostage