The following article on incident response planning was authored by Sayers, Inc., an information technology solutions provider, and is republished with their permission.
October 2016 - A cybersecurity incident response plan is considered to be one of the top security controls by a number of respected authorities. Industry research indicates an effective response to a cybersecurity incident reduces the actual cost by 11 percent. Developing an incident response plan is not only a best practice, it is good business. And, for many organizations, it is a legal or regulatory requirement.
The Dimensions of Incident Response
A good plan addresses four key dimensions of incident response:
Scope – Identify incident categories and types addressed by the plan. For example, a plan may address malware, compromised assets (including breached data), and lost equipment.
Team – Start with the core individuals responsible for handling the incident; add extended team members required in select situations, for example, human resources or legal; identify third parties who support the response, for example, an Internet service provider or a forensics firm.
Impact and priority – Identify impact areas that might be effected by an incident: financial, reputational, and legal; identify impact levels or measures for each of these areas; this supports setting appropriate incident impact and this aligns with enterprise risk assessments.
Response actions – For each category and types, identify actions for responding to the incident. Actions may include examining log files, requesting a legal review, communicating with the media, or involving a consultant.
The elements of the four dimensions interact throughout the response effort. The response team identifies the likely incident category and type, which informs their action plan. As they execute the plan, they collect and analyze. They measure impact to establish priorities and communicate with management. Additional resources and actions are invoked as needed and as authorized. Ultimately, the incident is contained and the cause is eradicated. Finally, the organization benefits from the lessons learned.
The Incident Planning Process
The incident planning process starts with the template, which reflects the four dimensions. An iterative approach is used to interview team members, solicit their input, and build out the plan. The plan is distributed to the team. After review, one or more group meetings are held to discuss the plan. Then a final draft is prepared for review and approval.
The planning process serves a number of key objectives:
Develop the Plan – First and foremost, the incident response plan is developed and documented.
Socialize the Plan – The planning process “socializes” the incident response plan as well as the roles and responsibilities of the response team members. Team members learn from the planning process, working together to consider “what if” different events or outcomes occur.
Gap Analysis – The planning process often identifies shortcomings in the response capability. Team members fill the gaps through training, acquiring equipment or technology, and engaging external resources as needed.
The ultimate deliverable of the engagement is a codified cybersecurity incident response plan. The plan will withstand regulatory scrutiny but, more importantly, position the organization to respond to incidents in a consistent, unified manner while minimizing the overall impact of these events to the organization.
Disclosure: FHLBank Atlanta has not received any compensation in connection with this article, nor does it have a material connection to, or endorse, the companies, brands, products, or services mentioned. Regardless, FHLBank Atlanta believes the foregoing information is beneficial to provide to our shareholders.