During a breach, how much information should be given out?

A security manager's nightmare: There's been a data breach, and it's time to pick up the pieces. But to recover as quickly as possible, who needs to know what about the data breach, and when? Security management expert Mike Rothman gives advice.

During the immediate aftermath of a security breach, how much information am I required to give to other people working in the company? As a security professional, do I just need to let them know how business operations will be affected, or should I let them know details of the breach so they know what might have been compromised and where to be careful?

When thinking about incident response, communication is critical. Organizations need to think about communication in two phases. The first phase takes place during the incident: say as little as possible, because it may still be unclear who is responsible, and giving away too much could impede a possible investigation. Send out a blanket statement saying there has been a security breach, that it is under investigation and that the company will issue an official statement as quickly as possible. The people who are directly affected need to understand what they should be doing and how, but until the storm blows past, keep a tight lid on information.

In the aftermath of a security incident, it's wise for organizations to do a formal post-mortem. This is the second phase of communication. Employees need to understand what happened, who was responsible and, most importantly, what new processes and/or controls should be implemented to make sure it doesn't happen again. A big part of capturing these lessons learned is communicating them to the staff at large.

Don't point fingers or make an example of anyone, but do use the security incident as an internal case study; it's a great way to leverage something current and timely to educate employees. Alternatively, consider using another company's breach as an educational device. That won't be as timely or effective, but at least it won't come on the heels of the company's own breach.

This was last published in May 2008
