[BreachExchange] Building an Effective Incident Response Plan

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 29 14:16:39 EDT 2016


http://www.infosecurity-magazine.com/opinions/building-an-effective-incident/

When it comes to incident response and a company’s ability to manage a data
breach, no organization can afford to be caught off guard. The effects of
an uncontrolled and poorly managed data breach can be catastrophic to
businesses of all sizes, not to mention the public relations nightmare and
subsequent liability that can ensue when an organization drops the ball in
the wake of a cyber-attack.

So the best way to prepare for a data breach is to have an effective,
company-sanctioned incident response plan in place. An incident response
plan will most often fail because of the following reasons:

1. Reality versus plan - it does not accurately or realistically address
how the organization handles security incidents in real-time.
2. Lack of regular testing procedures – Every incident response plan needs
to have the right tests and table top exercise plan in place so that the
effectiveness can be evaluated.
3. Lack of clear communication and process protocols in the incident
response plan – If the plan does not have accurate information on who to
contact and what to do, it will not be effective in the hour of need.

Finally, if a plan falls short of considering the totality of the
circumstances surrounding an actual incident, threats may linger and cause
further damage after an organization has remediated and feels in the clear.

The 5 W’s of a comprehensive incident response plan’s fundamental elements
are:

Who: An established framework of key personnel responsible for
investigating and responding to an incident.
When: At what point during a suspected incident are key personnel alerted
to the potential breach, and when is the matter escalated to the
appropriate parties?
What: Clearly delineate the approved resources available to team members
both inside and outside the organization.
Where: Implement an evidentiary data collection system to record details of
the incident process, where the incident occurred, and what parts of the
organization have been affected.
Why: Learn from past events. Take the information log described above and
use it to analyze and prepare for future attacks; have a process in place
to understand where the organization’s vulnerabilities are and why an
attacker targeted specific resources.

Top 10 Steps to an effective incident response plan

Coming up with a company-wide incident response plan doesn’t mean an
organization is preparing for or expecting its IT team to fail – it means
the organization is being realistic in a climate where data breaches are
not a matter of “if,” but “when.” Organizations are encouraged to follow
these Top 10 steps in drafting an effective security incident response plan.

1. Form a dedicated incident response team. Assign a specific group to lead
response efforts and keep key company officials abreast of any situations.
Be sure that the team represents organization-wide interests and
responsibilities.
2. Have clear guidelines for internal incident communications. Direct
employees in properly escalating incidents based on specific protocols and
timelines.
3. Establish an incident journal where the IR team can monitor and record
evidence and information regarding the incident events.
4. Establish and enable effective communication channels within the IR
teams during the breach as time is of essence during response.
5. Consider liability and how and when to incorporate the legal team while
and incident unfolds.
6. Establish clear communication protocols for public relations and keep
customers informed as to whether they have been affected.
7. Disseminate all pertinent internal contact information so that company
employees know who to call and where to direct their concerns.
8. If the company outsources its IT, compile a list of appropriate,
preapproved contacts that employees can turn to in an emergency.
9. Conduct table top exercises (simulations) in realistic scenarios to
fully understand how different elements of the plan will play out, and how
effective they will be. If needed the plan should be updated with findings.
10. Conduct regular employee training and information sessions to keep your
team on the same page regarding company policies. Regular company briefings
help keep key personnel abreast of any new or evolving security threats
that they are required handle according to the company incident response
plan.

While no organization can predict every potential attack that may come its
way, a thoroughly prepared organization will suffer much less fallout when
a comprehensive incident response plan is adopted and in place.

Putting all these pieces together before an incident occurs will help keep
and organization up-and-running during attacks, before they lead to data
disasters and public relations nightmare.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160729/71dd5e50/attachment.html>


More information about the BreachExchange mailing list