A recent memo released by the National Governor’s Association brings context to the varying plans that states have prepared for responding to incidents and disruptions affecting computer networks.
The group compared 32 plans across 26 states, profiling each plan and isolating best practices. There’s also a brief history of each plan alongside its structure, governing bodies, guiding philosophy and protocol.
The memo notes a distinction between cyber-incident response plans, which pertain to events that affect data, such as breaches and stolen personal information; and cyber-disruption response plans, which address events that can be either man-made or natural and might temporarily disable critical infrastructure. Of the 32 plans profiled, 17 were incident-response plans and 13 were disruption-response plans. An additional two were planning documents to create response plans.
Though states can take differing approaches to handling cyber-incidents and cyber-disruptions, the NGA found that the commonalities were most revealing. Most state plans are procedural documents that reside within the purview of the state IT agency or an annex to the statewide emergency operations plan (EOP).
The association isolated these best practices:
1) Have a plan.
“Regardless of their size, population, economy or assets, every state is vulnerable … therefore, every state needs a comprehensive response plan with threat levels that are activated during significant cyber events.”
2) Consider a plan within the state’s EOP.
There are two standard approaches to a cyber-response plan, each with their advantages:
The first approach has three advantages, the memo notes. First, it avoids duplicate or contradictory plans because it calls on existing and experienced emergency support entities. Second, this approach makes use of a unified command system, thereby improving coordination across involved entities. Third, this approach reinforces the need for a statewide response to cyber events.
3) Set goals.
Whatever approach a state takes, the memo notes the importance of setting goals. Wisconsin epitomizes this, the memo notes, through the creation of goals that must be met before a plan could be implemented:
“Heavily emphasizing the preparation phase of the response plan mitigates the impact of a potential cyber event and lessens the burden of the response and recovery phase,” the association wrote.
4) Put someone in charge.
States should consider their own needs, according to the memo, but an oversight body is needed to ensure a plan can be effective. States should consider creating a governance body or increasing the authority of an existing entity to ensure the plan’s many components are implemented.
The 24-page memo can be downloaded from the NGA website.