Building an effective Incident Response Program often begins by discussing and setting the right expectations and guidelines for activities. A good way to begin forming your organization’s approach is to start with an often-forgotten element of your Incident Response Program: your Incident Response Policy.
When discussing this area of company policy with your executive team/decision makers, the following topics/items should be nailed down:
- A statement which embodies the commitment of senior leadership to address incident response as a business priority.
- The specific purpose and objectives of the policy, which should include (but are not limited to) an appropriately formed scope (who the policy applies to, and under what circumstances) and definitions of security incidents, threats, vulnerabilities, and other related terms.
- A chart depicting the roles, responsibilities, and decision-making authority of different members of the incident response team, covering everything from investigation/isolation of systems/assets when suspicious activity is detected or suspected, to the requirements for reporting incidents by type, breach reporting requirements/connection to your Breach Notification Policy, information sharing guidelines for 3rd parties/customers, and the gates/associated process for escalation of incidents.
- A chart depicting the baseline/definitions of incidents by severity and scope/scale.
- A statement outlining the analysis/review methodology and what data is collected/needed during incidents for such purposes. For example, the number of hours spent by type of resource on incidents, related threats and vulnerabilities that were observed/addressed per incident, number of hours spent on recovery/remediation mid/post-incident, time to contain, time to remediate, and other such metrics/KPIs.
- Contact forms/links to appropriate communication channels for reporting and general communication before/during/after incidents.
Fortunately, for organizations just getting started, NIST has published the Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (or NIST CSF for short), which includes some very detailed and actionable guidance on building Response capabilities. Within the Respond (RS) function, some great examples of these elements are found in the Communications (RS.CO) category. One is RS.CO-1, which says “Personnel know their roles and order of operations when a response is needed” and is further defined by the examples/references provided.
One such example is the Center for Internet Security: Critical Security Control #19 – Incident Response & Management, which is referenced throughout the Respond function of the NIST CSF.
If you’d like to learn more about building your Incident Response Program, or any individual element therein, book your free Detection & Response assessment with us here.
Stay tuned for our next entry in the Breach Preparation 101 Series – Crafting your Incident Response Plan.