Contact with Authorities
“There are risks and costs to action. But they are far less than the long range risks of comfortable inaction.”
ISO Control A.6.1.3: Guide for Engineers, Analysts, Managers, and Auditors
ISO Control A.6.1.3 mandates that organizations “Maintain appropriate contacts with relevant authorities.” This control underscores the importance of establishing and nurturing relationships with regulatory bodies, law enforcement agencies, and other relevant entities in the cybersecurity landscape.
By fostering these connections, organizations can ensure they have open channels of communication to facilitate timely reporting and response in the event of a security incident. This proactive approach can significantly minimize the impact of a breach, enabling swift action to contain the threat and mitigate potential damage.
Beyond incident response, maintaining contacts with relevant authorities plays a pivotal role in ensuring ongoing compliance with evolving regulations and standards. Regular interactions allow organizations to stay abreast of the latest legal requirements, ensuring their information security practices align with industry best practices. Additionally, these relationships provide a valuable source of threat intelligence, enabling organizations to stay informed about emerging threats and vulnerabilities, and proactively adapt their security measures to address these risks.
Why It Matters
Maintaining appropriate contacts with authorities is not just a checkbox exercise—it's a critical component of a robust security strategy. As Bruce Schneier, a renowned security expert, once said,
"Security is a process, not a product."
Part of this process involves collaboration with external entities, including relevant authorities. Proper implementation of this control can:
Expedite incident response and resolution
Ensure compliance with legal and regulatory requirements
Provide access to valuable threat intelligence and best practices
Facilitate smoother operations during crises or significant security events
For Engineers
Engineers play a crucial role in implementing the technical aspects of maintaining contact with authorities.
Responsibilities include:
Implement secure communication channels for contacting authorities
Ensure systems can generate the necessary data for authority reporting
Maintain the technical infrastructure to support information sharing
Key Actions:
Develop and maintain secure data exchange protocols with relevant authorities
Implement logging and reporting systems that align with authority requirements
Ensure network configurations allow for secure communication with authority systems
Regularly test and update communication systems used for authority contact
Best Practices:
Stay informed about technical standards and protocols used by relevant authorities
Participate in technical working groups or forums that involve authority representatives
Document all technical processes related to authority communication
For Analysts
Security analysts are often at the forefront of interpreting and acting on information shared with authorities.
Responsibilities:
Monitor and analyze security events that may require authority notification
Prepare detailed reports for submission to authorities
Interpret and apply threat intelligence received from authorities
Key Actions:
Establish criteria for events that require authority notification
Develop templates and procedures for authority reporting
Analyze and disseminate threat intelligence received from authorities
Maintain a database of relevant authority contacts and their areas of responsibility
Best Practices:
Regularly review and update notification criteria and reporting procedures
Participate in information sharing programs run by relevant authorities
Conduct periodic tabletop exercises simulating scenarios requiring authority contact
For Managers
Managers are responsible for overseeing the strategic aspects of authority contact and ensuring organizational compliance.
Responsibilities:
Establish and maintain relationships with key authority figures
Ensure the organization has clear policies for authority contact
Allocate resources for maintaining effective authority communication
Key Actions:
Develop a comprehensive policy for authority contact, including roles and responsibilities
Establish a team or designate individuals responsible for authority communication
Ensure regular training on authority contact procedures for relevant staff
Review and approve formal communications with authorities
Best Practices:
Attend industry events where authority representatives are present
Regularly review the effectiveness of authority contact procedures
Ensure authority contact is integrated into the overall incident response plan
For Auditors
Auditors play a crucial role in ensuring that the organization's practices for authority contact meet required standards.
Responsibilities:
Verify compliance with ISO Control A.6.1.3
Assess the effectiveness of authority contact procedures
Identify areas for improvement in authority communication
Key Actions:
Review documentation of authority contacts and communication procedures
Verify that appropriate staff are aware of and trained on authority contact procedures
Check that secure communication channels for authority contact are in place and functional
Assess the timeliness and appropriateness of past authority communications
Best Practices:
Stay informed about regulatory requirements related to authority contact
Conduct interviews with key personnel involved in authority communication
Review logs and records of past authority communications
General Best Practices
Maintain an up-to-date contact list of relevant authorities
Regularly review and update authority contact procedures
Conduct annual tabletop exercises involving authority contact scenarios
Ensure clear escalation procedures for authority communication
Document all communications with authorities
Noteworthy Statistics and Events
According to the Ponemon Institute's 2021 Cost of a Data Breach Report, involvement of regulatory authorities increased the average cost of a data breach by $340,000.
The 2021 Verizon Data Breach Investigations Report found that 86% of breaches were financially motivated, highlighting the importance of maintaining contact with law enforcement authorities.
In 2020, the SolarWinds supply chain attack affected multiple government agencies, emphasizing the need for strong public-private partnerships and communication channels with authorities.
A 2022 survey by ISACA found that only 43% of organizations always notify relevant authorities of cybersecurity incidents that affect them.
The Colonial Pipeline ransomware attack in 2021 demonstrated the critical role of authority contact, as the FBI's involvement was crucial in recovering a significant portion of the ransom payment.
Conclusion
As former FBI Director Robert Mueller once said,
"There are only two types of companies: those that have been hacked, and those that will be."
In this context, having established relationships and communication channels with relevant authorities can make a significant difference in how an organization weathers a security crisis.
By following the guidelines in this document and staying proactive in authority communications, organizations can enhance their security posture, ensure regulatory compliance, and be better prepared to handle security incidents when they occur.
