custody, breach notification and disclosure law: these are terms not used in many CCIE or MCSE circles. When a breach occurs there is much more at stake than just getting the system restored. There may be legal liabilities, potential contract breaches, and customer reporting requirements. How the incident is handled can mean the difference between a few extra minutes of downtime and years of paying fines, negative press, lost customers, and large legal fees.
In today’s heavily regulated and constantly attacked world it is important to plan ahead and handle security incidents correctly. Because the handling of a security incident is more than a technical issue, it needs to involve more than technical resources. Senior management is required to make decisions that affect the risk to the company; security regulation experts are required to interpret requirements and guide the response; and communications directors are required to ensure an appropriate response to affected customers and to the public. Too often a system administrator is left to make all these calls when they lack the proper training, expertise, or responsibility.
In an emergency a measured and effective response is everything. Organizations that don’t prepare for the event of a fire or an active shooter may find themselves in greater danger because of their ad-hoc response or even panic. Without effective information security response planning your organization may find itself in the same situation if Anonymous comes knocking, a laptop with social security numbers is stolen, or a reporter calls with evidence of your customers’ private records being made public.
Here are ten steps to planning an effective incident response.
- Assign an executive to take on responsibility for the plan and for integrating incident-response efforts across business units and geographies.
- Develop categorization of risks, threats, and potential failure modes. Refresh them continually on the basis of changes in the threat environment.
- Develop easily accessible quick-response guides for likely scenarios.
- Establish processes for making major decisions, such as when to isolate compromised areas of the network.
- Maintain relationships with key external stakeholders, such as law enforcement.
- Maintain service-level agreements and relationships with external breach-remediation providers and experts.
- Ensure that documentation of response plans is available to the entire organization and is routinely refreshed.
- Ensure that all staff members understand their roles and responsibilities in the event of a cyber-incident.
- Identify the individuals who are critical to incident response and ensure redundancy.
- Train, practice, and run simulated breaches to develop response “muscle memory.” The best-prepared organizations routinely conduct war games to stress-test their plans, increasing managers’ awareness and fine-tuning their response capabilities.
When a security incident will next affect your organization may be unknown, but it is nearly certain that one will. The 2013 Data Breach Investigations Report shows a staggering number of attacks against both small and large organizations. Without addressing the 10 steps above, your current incident response process is a purely technical response that drives up the damage of any security incident.
Matt Malone
Sr. Security Consultant
SLAIT Consulting
Office: 512-692-0824
Cell: 512-537-8285
matt.malone@slaitconsulting.com
www.slaitconsulting.com