The Road Show
Last week Zach Turpen and Nate Rice took the show on the road for a series of workshops with executive teams from various industries. Our topic: the ever-divisive Cybersecurity Incident Response Plan (CSIRP). Our goal was to explain to these business leaders what a CSIRP is for, to make sure they had one in place, and to make sure it was regularly tested. We conducted mini-tabletop exercises to drive home the importance of having a plan and to get the groups thinking about how their own organizations would handle these situations.
For many, our workshop was eye-opening. A good number of these individuals were learning for the first time what this type of planning involves, and most couldn't say for certain that they had a plan in place, let alone whether it was effective. This is not uncommon. According to a March 2018 study by the Ponemon Institute, 77% of the nearly 3,000 respondents surveyed do not have a CSIRP that is applied consistently across the organization.
Blueprints for Incident Response
I have always been a fan of the NIST Computer Security Incident Handling Guide (SP 800-61) and use it as a reference for our own Incident Response plan, as well as for Incident Response planning and tabletop engagements with our clients. The guide breaks the incident response life cycle into four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. Don't skip that last phase: the lessons-learned review after an incident is where the plan itself gets corrected. The guide also describes the necessary components of a successful CSIRP.
Your plan should contain at least the following components:
- Incident Category and Severity Definitions – Your response will vary greatly depending on the type of incident and its impact. NIST suggests rating an incident on functional impact, information impact, and recoverability. Clearly defining the categories and severity levels within the plan, along with who must be notified at each level, gives direction to whoever is acting as the Incident Response Lead or the Incident Handler.
- Roles and Responsibilities – Defining who does what during an incident before it actually happens avoids a lot of finger pointing and running around with hair on fire (i.e. wasted time) when time to respond is so crucial.
- Communication Plans – Communication, both internal and external, is tricky during an incident. You want plans in place to communicate within the Incident Response Team (IRT), to broadcast to employees, and to notify customers, regulators, or law enforcement when required. What about Public Relations if the local news team is on the other end of the line? How's your Social Media Policy, by the way? What if your email server is compromised and you can no longer communicate via email, or the attacker is reading it? Keep an out-of-band channel and a printed contact list for exactly that case. There are a lot of things that can go wrong with communication, and a bit of pre-planning here goes a long way.
- Processes and Procedures – Finally, at the end of the day, the IRT needs to know what action to take. There is a lot less debate, much faster response, and less chance of something being forgotten when it is written down. This also gives different groups within your organization (IT, Communications, HR, Legal, Executive Leadership, etc.) the opportunity to review and provide input into the plan before it is put into place.
Having a detailed CSIRP reduces risk in your organization. It is important not just to have a plan but that everyone knows their role in that plan beforehand. A response plan for cybersecurity incidents is like any other preparedness plan, whether it's Disaster Recovery, Physical Security Incidents, Fire Drills, etc.: they all need to be practiced. Running a tabletop or simulation annually, at a minimum, is the only way to ensure the plan is properly communicated to your Incident Response Team and to identify gaps before the plan is executed for real. Capture what the exercise turns up and feed it back into the plan; an untested plan is a guess.
ProTip: The person who normally runs the incident response for your organization will inevitably be on vacation when the “big one” hits, so having this stuff documented and well communicated within your organization is a good thing.
If you need assistance in developing a new plan, improving an existing plan, or conducting tabletop exercises TechGuard can help.
Written by Zach Turpen
Zach Turpen is a Cybersecurity Consultant at TechGuard Security where he conducts penetration tests, vulnerability assessments, social engineering exercises and develops detailed incident response procedures. With experience spanning over 6 years in a Fortune 100 environment, he is also CISSP, CEH, GSEC, Security+, Splunk, Rapid7, ITIL and VMware certified. Zach graduated Summa Cum Laude from McKendree University with a bachelor's degree in Computer Information Systems. He has worked on the front line of security as an Incident Responder, as a Lead Security Engineer implementing multi-million-dollar projects (SIEM, NGAV, Web Proxies, NGFW) and as a Security Architect migrating business applications to the cloud. In his spare time Zach enjoys spending time with his wife and two kids, gardening and kayak fishing.