Developing An Incident Response Plan for Elections

Election Incident Response Planning

Developing an Incident Response Plan is a critical step in building a strong cybersecurity program. In the event of an attack, a well-constructed plan can be the difference between operating in reactive mode and taking a more proactive stance that contains the attack in its early phases and limits the damage. While it is valuable for any organization, it is particularly meaningful for election departments preparing for the 2020 election and defending the vote against cyberattack.

Creating an Incident Response Plan for election environments requires a different approach than plans developed for businesses. Elections involve multiple organizations across different locations and varying tiers of staff members and volunteers. Elections are also inherently time sensitive: an incident on election day cannot wait for a regular business-hours response. A successful plan will accommodate this specific range of factors, and a good plan will go further and account for the most plausible attack methods and how to handle each of them during an election.

Each organization should have a plan customized to its unique processes and environment. While no two plans will look alike, there are some common elements that form the basis of a sound Incident Response Plan.

  1. Define which events require escalation and action

    Not all cybersecurity alerts indicate a serious threat. Define criteria for what warrants immediate, urgent action, and define an escalation path that states who should be notified at each level of severity. Outline what to look for, how to contact the people who need to step in to handle the issue, and how to reach them if the usual channels (for example, office email) are themselves affected by the incident.

  2. Determine your response for each likely attack type

    Consider each plausible threat and map out a response for it. Many attacks require isolating the threat by quarantining affected devices and systems. Others may require involving additional teams and departments to orchestrate the right response. Plan concrete steps that can be followed under pressure, and consider responses both for an attack within your own network and for an attack outside your network that could reach your environment through data sharing or other connectivity with partner organizations.

  3. Decide how you would respond to ransomware demands

    The decision whether to comply with ransomware demands involves multiple stakeholders, often across several departments, and coordinating them takes time you will not have during an attack. Have the tough conversations before you face the real-life decision so you can carefully weigh the consequences (including that payment does not guarantee recovery of the data) and reach a clear conclusion if the worst happens. Knowing in advance whether tested, offline backups exist for critical election systems makes that decision far easier.

  4. Have a communications plan in place

    Any cybersecurity incident involving public data or interests warrants disclosure, and this is particularly true for elections. Identify which organizations should be notified, including the media and law enforcement, decide who is authorized to speak for the department, and have specific contact information established beforehand.

Incident Response planning is well worth the effort. Knowing that you are prepared to handle a cyberattack scenario helps teams avoid panic and stay focused on running smooth elections.

For guidance on developing your Incident Response Plan, download the CyberDefenses Incident Response Plan Template.

About the author

Brian Engle

Brian Engle is the CISO and Director of Advisory Services, a role in which he leads the delivery of strategic consulting services for CyberDefenses's growing client base with risk management support, information security program assessment and cybersecurity program maturity evolution. Prior to working at CyberDefenses, he was the founder and CEO of Riskceptional Strategies, a consulting firm focused on enabling the development of successful strategies for implementing, operating, and evolving risk-based cybersecurity programs. Brian’s previous information security roles include Executive Director of Retail Cyber Intelligence Sharing Center (R-CISC), CISO and Cybersecurity Coordinator for the State of Texas, CISO for Texas Health and Human Services Commission, CISO for Temple-Inland, Manager of Information Security Assurance for Guaranty Bank, and Senior Information Security Analyst for Silicon Laboratories. Brian has been a professional within Information Security and Information Technology for over 25 years, and serves as a past president and Lifetime Board of Directors member of the ISSA Capitol of Texas Chapter, is a member of ISACA, and holds CISSP and CISA certifications.