Incident Analysis is conducted to ensure adequate response and support recovery activities. Measure effectiveness and update security incident response procedures to reflect lessons learned, and identify actions to take that will improve security controls after a security incident.
1: Notifications from detection systems are investigated
2: The impact of the incident is understood
3: Forensics are performed
4: Incidents are categorized consistent with response plans
When coupled with EnCase Forensic, EnCase Mobile Investigator empowers forensic investigators to seamlessly acquire, review, analyze, and report on mobile evidence from the widest variety of devices so that no evidence is hidden.
F–Response is an easy to use, vendor neutral, patented software utility that enables an investigator to conduct live Forensics, Data Recovery, and eDiscovery over an IP network using their tool(s) of choice. F–Response is not another analysis tool.
Analysis of [Incident Name]
[Prepared under direction of General Counsel]
[Attorney Client Privilege] (when filled in)
Date [ ]
Prepared by [ ]
[Be brief – this should be less than a page]
a) Discovery
b) Determination
c) Response
d) Internal Notification
e) External Support
f) Actions Taken
g) Recovery
[It is always assumed to be a Reportable Breach, then work backwards to see if it meets an exception or low probability of compromise]
a) Evidence 1 Summary & Storage Location
b) Evidence 2 Summary & Storage Location
c) …
[Discuss the external parties you engaged, and if those were engaged under attorney client privilege].
[Also discuss if you used external Counsel to review your documentation and their findings.]
a) Does this event meet the definition of a Breach?
Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.
[Discussion on why this incident meets the definition of a Breach]
b) Does this event create a violation of the Privacy Rule?
c) Was any unsecured protected information acquired, accessed, used, or disclosed?
d) Does this event meet any of the defined exclusions?
e) Do the facts of this event demonstrate that there is a low probability that the PHI has been compromised based on the following four factors?
Then have a discussion about each of statements below:
i) The nature and extent of the protected information involved, including the types of identifiers and the likelihood of re- identification;
ii) The unauthorized person who used the protected information or to whom the disclosure was made;
iii) Whether the protected information was actually acquired or viewed; and,
iv) The extent to which the risk of the protected information has been mitigated.
f) Recommendation based on the evidence.
Discuss who has the authority to make the final determination.
[Breach, or No Breach]
[Decision Authority]
[Decision Date]
[Discuss if notification is required, and if so, the legal, regulatory, and contractual timelines.]
[Signature of Decision Authority] [Signature of Counsel]
[Date] [Date]
Are you looking for a partner to help develop industry best practices into your security program?Leading security professionals with the experience and professionalism you desire are at your fingertips.
Contact us today and let us know how we can be of service!
