The Cyber Security Incident Response Plan: AP’s Role

cyber security incident response plan

What is the role of the asset protection department in the event of a cyber incident? It’s true that IT is typically in charge of the bulk of the prevention methods, such as firewalls, endpoint security monitoring, network device configuration, and so on. But an effective cyber security incident response plan should extend beyond IT and into other organizational departments—including AP.

[text_ad use_post=’2389′]

Tom Meehan, CFI, contributing writer, exhorts asset protection professionals to reframe their thinking in a recent article for LPM Online. Since the core responsibilities for cyber event prevention commonly fall under the realm of IT, he suggests, then it behooves AP professionals in a retail organization to learn how they can help respond to an incident when it arises. Investigations are one such example. From the article:

- Sponsors -

It’s Friday, and you are the vice president of AP. You get a phone call from your organization’s chief information security officer (CISO). You have never received such a call before. He or she tells you about an unauthorized device detected on a computer in one of your stores. The IT team can perform an investigation from a cyber‐forensic standpoint and needs your help to do the physical investigation. You are officially involved in the cyber incident and asked to investigate it. The CISO says anyone involved in the investigation must sign a nondisclosure agreement (NDA) and work directly with the chief privacy officer (CPO) and CISO of the company before taking any actions.

Much like any investigation, you gather the facts from the CISO. In this example, someone plugged a keylogging device into a computer in a hiring center. A keylogger is a keystroke‐logging (or keyboard‐ capturing) device or software that records everything typed on a keyboard, generally covertly. Data can then be retrieved.

Now you have the facts, and you start your investigation with a quick evidence assessment and acquisition: is there video, access or alarm logs, time‐clocking info, or Wi‐Fi login info? In this case, you happen to have an excellent video of the person placing the keylogging device on the computer. The suspect works for the company. You create a report in conjunction with your CISO and CPO. The decision is made to interview the suspect. In this case, the suspect admits to trying to steal info from the computer. Luckily, the prevention methods blocked the device from working, and no information was vulnerable.

Check out “Stop Trying to Prevent a Cyber Incident and Start Planning for One” from the February 2018 issue of LPM Online to learn more and read the top five things to consider when you’re investigating a cyber incident.

If you’ve missed any of our previous LPM Online editions, go to the Archives page at the end of the February 2018 edition to see what you’ve missed. Be sure to be an LPM digital subscriber so you are the first to know when new issues are available. If you haven’t already, sign up for a FREE subscription. (Note: if you’re already subscribed, the previous link will take you to the current issue of the print magazine.)

Stay Updated

Get critical information for loss prevention professionals, security and retail management delivered right to your inbox.