
Maturing IR Capabilities into an Incident Management Program – Part 2 of 3

April 12, 2017

The capability to respond effectively to cyber incidents is one of the most critical components of an enterprise security program. However, many companies still lack a solid incident response program (IRP) entirely or don’t take incident response planning seriously enough.

In part one of this blog series, we surveyed where to start with incident response planning, covering some supporting components of incident response and security incident management programs. In this next section, we have tapped our incident response consultants’ expertise and asked them to tell us – from the trenches: What makes a good IR plan? And what IR planning mistakes have they seen, and worked with Optiv clients to remedy?


How do you formulate a good incident response plan?

Start with identifying important pieces of your current environment. Develop a clear and ongoing understanding of the company’s critical/sensitive business information, assets, applications and technology infrastructure (whether managed internally or by third parties) that is required by law, regulation, financial and fiduciary responsibility, and customer/employee privacy requirements to be maintained, operated, stored, handled, transmitted and disposed of in a prescribed manner.

Understand legislation and regulations for the reporting of intentional or accidental disclosure of critical/sensitive information (PCI, PHI, PII). Know where the company’s critical and sensitive information is stored, whether internally or by contracted third parties.

Engage representatives of business areas mentioned below, meet on a regular basis and establish clear and unambiguous roles and responsibilities. Assign and empower an owner with the necessary business and technical savvy and acumen to lead IR planning. Align the IRP to internationally accepted and recognized best practices (ISO, CERT, NIST), establish a common vernacular and leverage common processes (communication, classification, action plans) across the enterprise to ensure program consistency, transparency and defensibility.

Who needs to be part of an IR plan? What processes need to be included?

A clear IRP owner who will administer and operate the program should be identified. He/she should assemble a team of decision-makers authorized and empowered by the company’s executive management team from information security/risk, legal counsel, compliance, public relations, human resources, information technology and contracted/certified third parties who will assist with response, evidence collection, preservation and forensic activities.

All employees and applicable third parties must understand their roles and responsibilities (via acceptable use policies) to recognize and report suspected security program weaknesses and potential incidents.

The plan should define what the organization classifies as an incident and include a severity scale tailored to the organization and its industry. Additionally, making sure that an after-action report or continuous improvement framework is in place for the post-incident phase is critical; it allows an organization to improve its security posture based on lessons from an actual incident.

What mistakes do firms make with their IR plans?

The biggest problem facing most enterprises is the lack of a “big picture” view of the incident response program. The IRP needs to empower the IR team and security organization with adequate authority to do the job effectively. Buy-in at the executive level is required to make the IR plan a component of corporate policy and to help ensure cooperation from the rest of the business.

When we look more tactically at the execution of IR plans, the biggest mistakes we see security organizations or CERT teams make include, to varying degrees, the following issues:

  • Not understanding their legal, regulatory, financial and customer/employee information responsibilities
  • Not understanding where this information is stored, either internally or externally
  • Not establishing clear channels and responsibilities for internal and external communications
  • Viewing IR activities as a stand-alone project, not an ongoing and iteratively improving program
  • Trying to reinvent the wheel vs. following accepted and recognized IR practices
  • Not testing the IR plan as a whole at regular intervals

What’s next?

In part three of our blog post series, we will discuss required capabilities of a mature IRP, and why the best companies are looking to grow their IR capabilities into a comprehensive security incident management program.


By: Curtis Fechner

Senior Incident Management/IR Consultant
