Restoration of Confidence

Restoration of confidence is very difficult. Once an impression is made, it is difficult to change it. This is why you must be proactively prepared to report on the incident in a very positive light. You must show that you have always been on top of the situation and that you were able to detect the situation and respond quickly to protect the vital information assets of the organization.

This is the area where an incident plan is most useful. A good incident plan will direct what information is released when and by whom. It can prevent a loss of confidence.

There are a number of groups about whose confidence you need to be concerned.

  • Management has control over setting priorities and allocating budgets. Management confidence is critical to all projects and departments in the organization.

    Management must be confident that the situation is being handled quickly, quietly, and in the best interest of the company. It needs to be confident in the information security organization and its ability to handle the situation.

  • Stockholders are the ultimate owners of the corporation and, as the owners, they need to understand the financial impact of security incidents. However, because it is a publicly held corporation, any information that is made available to the stockholders is also made public.

    Much like the message to management, the message to stockholders should indicate that everything was handled quickly and in the best financial interests of the corporation. They need to be assured that their interests are always being protected.

  • Users are the people who are directly affected by the unavailability of data caused by a security incident. It is their work that is interrupted, and they are the ones who must trust the system in order to use it. Users must be confident that the systems are restored to provide rapid and accurate results.

    Without confidence in the systems they employ, users will find other methods to accomplish their work. This may include using other systems that were not designed for the task at hand or going outside the organization for their information systems needs. These choices are often not cost-effective and may reduce the overall security and efficiency of the organization.

  • Partner relationships are created to mutually benefit both organizations. They add value to an organization by supplying something which the other organization does not have. The partner relationship is built on trust and sharing. These are two attributes that can be severely damaged by a security incident.

    Partners must be confident that their trust in another company is well-founded and that the information that is shared between the companies is given adequate care. They must believe that the partnership does not raise their exposure to danger and that the partner's systems will not be used to exploit their own systems.

  • The public must have confidence in the quality and responsibility of the company. People must feel that the company is capable of handling any situation that arises and that it is safe to do business with the company. The public should feel that the company is doing what is best for the public good.

Public Relations

Public relations, perception management, rumor control (whatever you call it) may be more important than any other aspect of response because, even if everything is done perfectly, if the perception is that things were out of control, then the truth doesn't matter. Customer perception can ruin a company.

Letting people know at the right time will limit the rumors that may otherwise be created. All those involved with the security incident should be given the same story. Policy should state how, when, and by whom information about a security incident is disseminated to management, to employees, and to the public. Companies should limit the number of people who talk to the press, preferably leaving this to individuals who are trained in handling the press.

The same incident might be reported "Hacker Cracks Corporate Computers" or "Local Company Aids Police in Tracking Down Hackers." The only difference is perception.

Public relations is best left to the professionals who can weigh the issues of bad press from going public with the incident versus bad press if news of the incident is leaked, and can put the incident in the best light for the company.

Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
