Maturing IR Capabilities into an Incident Management Program – Part 2 of 3 

The capability to respond effectively to cyber incidents is one of the most critical components of an enterprise security program. However, many companies still lack a solid incident response program (IRP) entirely or don’t take incident response planning seriously enough.

In part one of this blog series, we surveyed where to start with incident response planning, covering some supporting components of incident response and security incident management programs. In this next section, we have tapped our incident response consultants’ expertise and asked them to tell us – from the trenches: What makes a good IR plan? And what IR planning mistakes have they seen, and worked with Optiv clients to remedy?

How do you formulate a good incident response plan?

Start with identifying important pieces of your current environment. Develop a clear and ongoing understanding of the company’s critical/sensitive business information, assets, applications and technology infrastructure (whether managed internally or by third parties) that is required by law, regulation, financial and fiduciary responsibility, and customer/employee privacy requirements to be maintained, operated, stored, handled, transmitted and disposed of in a prescribed manner.

Understand legislation and regulations for the reporting of intentional or accidental disclosure of critical/sensitive information (PCI, PHI, PII). Know where the company’s critical and sensitive information is stored, whether internally or by contracted third parties.

Engage representatives of business areas mentioned below, meet on a regular basis and establish clear and unambiguous roles and responsibilities. Assign and empower an owner with the necessary business and technical savvy and acumen to lead IR planning. Align the IRP to internationally accepted and recognized best practices (ISO, CERT, NIST), establish a common vernacular and leverage common processes (communication, classification, action plans) across the enterprise to ensure program consistency, transparency and defensibility.

Who needs to be part of an IR plan? What processes need to be included?

A clear IRP owner who will administer and operate the program should be identified. He/she should assemble a team of decision-makers authorized and empowered by the company’s executive management team from information security/risk, legal counsel, compliance, public relations, human resources, information technology and contracted/certified third parties who will assist with response, evidence collection, preservation and forensic activities.

All employees and applicable third parties must understand their roles and responsibilities (via acceptabel use policies) to recognize and report suspected security program weaknesses and potential incidents.
What the organization classifies as an incident should be included and it also should include a severity scale based on the organization and their industry. Additionally, making sure that an after-action report or continuous improvement framework is in place for post-incident is critical and allows an organization to improve their security posture based on an actual incident.

What mistakes do firms make with their IR plans?

The biggest problem facing most enterprises is the “big picture” view of the incident response program. The IRP needs to empower the IR team and security organization with adequate authority to effectively do the job. Buy-in at the executive level is required, to make the IR plan a component of corporate policy and help ensure cooperation from the rest of the business.

When we look more tactically at the execution of IR plans, the biggest mistakes we see security organizations or CERT teams make have included varying degrees of some of the following issues: 

• Not understanding their legal, regulatory, financial and customer/employee information responsibilities 
• Not understanding where this information is stored, either internally or externally
• Not establishing clear channels and responsibilities for internal and external communications
• Viewing IR activities as a stand-alone project, not an ongoing and iteratively improving program
• Trying to reinvent the wheel vs. following accepted and recognized IR practices
• Not testing the IR plan as a whole at regular intervals

What’s next?

In part three of our blog post series, we will discuss required capabilities of a mature IRP, and why the best companies are looking to grow their IR capabilities into a comprehensive security incident management program.