Nearly all organizations need an incident response plan. Security incidents are inevitable. The time to think about responding to an incident is NOT during the incident. Incidents are stressful, often chaotic (especially when you have no plan).
A formally documented, incident response plan helps organizations identify, contain, and remediate security incidents.
Key Components of Incident Response Planning
- Detection capabilities
- Incident Response Team
- Create a Run Book
- Breach Identification and Classification
- Breach Containment
- Evidence Preservation / Incident Documentation
- Lessons Learned
Without adequate detective capabilities, your organization may learn of a breach from law enforcement or even worse – your customers. Organizations must have adequate system logging and intrusion detection systems or they will be essentially flying blind.
Incident Response Team
Create an incident response team with defined roles and responsibilities for responding to a potential security incident. The team must have the technical skills to research potential incidents and take action.
Create a Run Book
Document steps to take for as many potential incident scenarios as you can think of. There will not be time to think through the appropriate response during the incident.
Breach Identification and Classification
The plan must define criteria for identifying and classifying a breach. Breaches will trigger notification based on the classification of the incident. Notification may include an escalation team internally, and potentially may include law enforcement, and customers depending upon the severity of the incident.
Breaches should be contained as soon as possible to limit the impact of the breach in terms of numbers systems affected and the amount of data lost/exfiltrated out of the organization.
Once a breach has been contained and assessed, the cause of the breach must be remediated to ensure the issues causing the breach no longer represent and exposure.
Evidence Preservation / Incident Documentation
Incident response plan should include provisions for maintaining evidence of the breach so that evidence can be later provided to law enforcement or in legal proceedings. Steps taken during a security incident should always be formally documented.
Incident response plans should include requirements to conduct a formal ‘lessons learned’ session or incident post mortem. The lessons learned must then be incorporated into future iterations of the plan.
Once created, incident response teams should be provided training on the details of the plan. Mock security breaches and drills will help to comprehensively evaluate how your employees put the incident response plan into action. This gives management the opportunity to note the strengths and weaknesses of the plan while making goals for remediation and improvement.
Related article: read about PCI DSS 4.0 Is Expected to Change in 2020.
How I.S. Partners can help
If your organization would like assistance with incident response planning, would like an assessment of your current response plan, or would like I.S. Partners to help facilitate mock incidents for your organization. Call us today at 215-675-1400 to start the conversation.