June 16, 2015 Article

Department of Justice Best Practices on Cybersecurity: Guidance for Smaller Organizations

Protecting your business from cyber breaches can be a daunting task, especially with limited budgets and personnel. Most executives know the horror stories; some still think "it will not happen to my company," "we're too small to care about," "we're not vital to the industry," or "we have adequate security." Even so, many executives worry about business interruption, customer data loss, damage to the company's reputation, the cost of protecting information, and possible litigation.

The U.S. Department of Justice has recently issued a cybersecurity "best practices" guidance document written for smaller organizations that offers helpful, cost-efficient practices. It was drafted with smaller, less-resourced organizations in mind, but even larger organizations with more experience in handling cyber incidents may benefit from it.

What is important about the DOJ guidance for smaller organizations is that, if followed, it may help mitigate litigation expense while providing a cost-effective means of enhancing your organization's cybersecurity program.

We understand that many smaller energy organizations already have hardware and software in place to protect their corporate computer systems, and that many have some measures in place to address data security and client data protection.

Nevertheless, we have learned that prudence dictates that all organizations have written cybersecurity programs, not just protective hardware and software, that meet a recognized standard for their corporate computer systems and for any systems that may contain client information. The DOJ "best practices" for smaller organizations may serve as such a recognized standard and thus help protect your organization and mitigate expensive litigation.


Highlights from the DOJ Cybersecurity “Best Practices” Document – Version 1.0 (2015)

Excerpt:

Any Internet-connected organization can fall prey to a disruptive network intrusion or costly cyber attack. A quick, effective response to cyber incidents can prove critical to minimizing the resulting harm and expediting recovery. The best time to plan such a response is now, before an incident occurs.

This “best practices” document was drafted by the Cybersecurity Unit to assist organizations in preparing a cyber incident response plan. It reflects lessons learned by federal prosecutors while handling cyber investigations and prosecutions, including information about how cyber criminals’ tactics and tradecraft can thwart recovery. It also incorporates input from private sector companies that have managed cyber incidents. It was drafted with smaller, less resourced organizations in mind; however, even larger organizations with more experience in handling cyber incidents may benefit from it.


U.S. Department of Justice – Cyber Incident Preparedness Checklist


Before a Cyber Attack or Intrusion

  • Identify mission critical data and assets (i.e., your “Crown Jewels”) and institute tiered security measures to appropriately protect those assets.
  • Review and adopt risk management practices found in guidance such as the National Institute of Standards and Technology Cybersecurity Framework.
  • Create an actionable incident response plan.  
    • Test plan with exercises.
    • Keep plan up-to-date to reflect changes in personnel and structure.
  • Have the technology in place (or ensure that it is easily obtainable) that will be used to address an incident.
  • Have procedures in place that will permit lawful network monitoring.
  • Have legal counsel that is familiar with legal issues associated with cyber incidents.
  • Align other policies (e.g., human resources and personnel policies) with your incident response plan.
  • Develop proactive relationships with relevant law enforcement agencies, outside counsel, public relations firms, and investigative and cyber security firms that you may require in the event of an incident.


During a Cyber Attack or Intrusion

  • Make an initial assessment of the scope and nature of the incident, particularly whether it is a malicious act or a technological glitch.
  • Minimize continuing damage consistent with your cyber incident response plan.
  • Collect and preserve data related to the incident.  
    • “Image” the network.
    • Keep all logs, notes, and other records.
    • Keep records of ongoing attacks.
  • Consistent with your incident response plan, notify—  
    • Appropriate management and personnel within the victim organization.
    • Law enforcement.
    • Other possible victims.
    • Department of Homeland Security.
  • Do not—  
    • Use compromised systems to communicate.
    • “Hack back” or intrude upon another network.
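The "collect and preserve" items above are easier to defend in later litigation when every artifact is hashed at the moment of collection. The following script is an added example written for this article, not part of the DOJ document: it builds a collection manifest (path, size, SHA-256, collector, UTC timestamp) for a set of files, hashes the manifest itself, and can later re-verify that nothing was altered. The case ID, collector name, log file names and log lines are all constructed for the demonstration.

```python
"""Evidence preservation manifest: hash collected incident artifacts so that
later tampering or accidental modification is detectable.  Added example, not
part of the DOJ guidance; file names, case ID and log contents are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read files in 1 MiB chunks so large images and logs fit in memory


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector, case_id):
    """Record who collected which artifact, when, its size and its SHA-256.
    The manifest body is hashed too, so an edited manifest is also detectable."""
    entries = []
    for p in sorted(paths):
        st = os.stat(p)
        entries.append({
            "path": os.path.abspath(p),
            "size": st.st_size,
            "sha256": sha256_file(p),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    body = {"case_id": case_id, "entries": entries}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    body["manifest_sha256"] = hashlib.sha256(canonical).hexdigest()
    return body


def verify_manifest(manifest):
    """Re-hash every artifact and the manifest body; return a list of problems
    (an empty list means every artifact is exactly as collected)."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    if hashlib.sha256(canonical).hexdigest() != manifest["manifest_sha256"]:
        problems.append("manifest body altered")
    for e in manifest["entries"]:
        if not os.path.exists(e["path"]):
            problems.append(f"missing: {e['path']}")
        elif sha256_file(e["path"]) != e["sha256"]:
            problems.append(f"hash mismatch: {e['path']}")
    return problems


def demo():
    """Constructed scenario: two log files are preserved, then one is appended to.
    Returns (problems before tampering, problems after tampering)."""
    d = tempfile.mkdtemp()
    auth = os.path.join(d, "auth.log")
    web = os.path.join(d, "access.log")
    with open(auth, "w") as f:  # constructed sample line, 203.0.113.0/24 is a documentation range
        f.write("Jun 16 02:11:09 host sshd[4121]: Failed password for root from 203.0.113.7\n")
    with open(web, "w") as f:
        f.write('203.0.113.7 - - [16/Jun/2015:02:12:01 +0000] "GET /admin HTTP/1.1" 401 12\n')
    manifest = build_manifest([auth, web], collector="ir-analyst", case_id="IR-2015-0001")
    before = verify_manifest(manifest)  # nothing changed yet, so no problems
    with open(auth, "a") as f:  # simulate post-collection modification of one artifact
        f.write("Jun 16 02:13:00 host sshd[4121]: Accepted password for root\n")
    after = verify_manifest(manifest)  # the appended file now fails its hash check
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering:", after)
```

Store the manifest (and ideally a copy of its hash) somewhere the compromised systems cannot reach, consistent with the "do not use compromised systems" item above; the manifest is only as trustworthy as the place it is kept.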


After Recovering from a Cyber Attack or Intrusion

  • Continue monitoring the network for any anomalous activity to make sure the intruder has been expelled and you have regained control of your network.
  • Conduct a post-incident review to identify deficiencies in planning and execution of your incident response plan.

Preti Flaherty assists organizations of all sizes in developing and implementing cybersecurity programs for their corporate and operations computer systems. For the full 15-page DOJ cybersecurity "best practices" document, or for additional information, please contact William Roberts at [email protected] or call 617.226.3800.
