Internal communications

Internal communications are those limited to the business or organization's internal personnel and reporting structure. Several business units need to be part of these communications. The legal department will need to be kept abreast of the incident, as they will often have to determine reporting requirements and any additional regulatory requirements. Marketing and communications can be leveraged for crafting communications to external parties. This is best facilitated by including them as early as possible in the process so that they have a full understanding of the incident and its impact. If the incident impacts any internal employees, Human Resources should also be included as part of internal communications.

One of the critical groups that are going to want to be informed as the incident unfolds is the C-suite and, more specifically, the CEO. A CSIRT will often fly well below the line of sight of senior leadership until there is a critical incident. At that point, the CEO will become very interested in the workings of the CSIRT and how they are addressing the incident.

With all of these parties needing to be kept in the loop, it is critical to ensure orderly communications and to limit misinformation. To limit confusion, the IC or CSIRT team lead should serve as a single point of contact. This way, for example, the legal department does not contact a CSIRT analyst and receive information about the investigation that is, at that time, speculative. Reliance on that type of information can lead to serious legal consequences. To keep everyone informed, the CSIRT team lead or IC should conduct periodic updates throughout each day of the incident. The cadence of such communications depends on the incident type and severity, but an update every 4 hours, with a conference call during the working period of 6 a.m. to 10 p.m., will ensure that everyone is kept up to date.

In addition to a regular conference call, the CSIRT team lead or the IC should prepare a daily status report, to be sent to senior leadership. This daily status report does not have to be as comprehensive and detailed as a digital forensics report but should capture significant actions taken, any incident-related data that has been obtained, and any potential factors that may limit the ability of the CSIRT to function. At a minimum, a daily status meeting, in conjunction with this report, should be conducted with senior leadership and any other personnel that are required to be in attendance during the course of the incident.