Maturing IR Capabilities into an Incident Management Program – Part 1 of 3 

We’ve all heard that it’s not a matter of “if,” but “when.” This statement, while becoming its own stale mantra of sorts, is still the impetus for the necessary and dramatic shift taking place across enterprise-level cyber security program strategy.

Incident response has become one of the most critical aspects of any overall security strategy, but a solid incident response program (IRP) is something many organizations – both large and small – either lack entirely or don’t take seriously enough.

What makes a good IR plan? Maybe more importantly, what makes a bad one? What IR planning mistakes have Optiv experts helped organizations overcome?

In this three part blog series, we aim to answer these questions and more.

Incident response capabilities, where do we begin?

As a foundation, there are some critical security program components that need to be identified before an organization can build a response plan or in-house capability. Three key supporting components are:   

• ITIL fundamentals (asset management, change management, configuration management, patch management) 
• An existing enterprise risk management (ERM) program or, at minimum, the ability to identify, classify, and prioritize risks and data owned and managed by the enterprise
• Standard prevention technologies (firewalls, antivirus, etc.)

What needs to be part of an IR plan?

Good incident response plans incorporate a full complement of stakeholders across the enterprise. An IR playbook is required for the technical response tactics, forensics, chain of custody for evidence, etc. However, a full response plan incorporates legal, enterprise risk stakeholders, business line owners and marketing/communications.

Formulating the plan requires a programmatic approach and must take into account a company’s most critical assets and business processes. From there, determining business line stakeholders or involving key people who have the most insight into the critical assets and business processes, as well as the actual security incident response owners, legal and ERM provides an enterprise-wide view of what constitutes a full response plan.

Incident prioritization must take into account varying enterprise stakeholder perspectives. Key response and recovery procedures must include designated points of contact within each stakeholder group. Good IR plans include procedures and points of contact within each phase of an incident: preparation, detection, analysis, recovery and post-incident. 

Why do so few companies have an IR plan?

Traditionally, companies either assume information technology and/or information security/risk own IR planning, which is not always the case. Unfortunately, IR planning is too often “event-driven” and doesn’t receive the proactive recognition or attention it requires. Unrehearsed and unstructured incident “reaction” typically results in miscommunication, mishandling of evidence and, ultimately, a very expensive and embarrassing lesson. 

IR planning is too often viewed as a project, instead of an ongoing program. It is viewed as a “necessary evil” instead of adding value to the company. The plan has to be a living document which is constantly tested, reviewed and updated to account for lessons learned and changing industry conditions or environment upgrades/installs.

What’s next?

In part two of our blog post series, we will move to the more tactical and specific aspects of IR planning – what mistakes Optiv’s expert IR consultants consistently find that companies make in creating their IR plans, and learn from their mistakes to institute a solid plan.