Maturing IR Capabilities into an Incident Management Program – Part 2 of 3
The capability to respond effectively to cyber incidents is one of the most critical components of an enterprise security program. However, many companies still lack a solid incident response program (IRP) entirely or don’t take incident response planning seriously enough.
In part one of this blog series, we surveyed where to start with incident response planning, covering some supporting components of incident response and security incident management programs. In this next section, we have tapped our incident response consultants’ expertise and asked them to tell us – from the trenches: What makes a good IR plan? And what IR planning mistakes have they seen, and worked with Optiv clients to remedy?
Start by identifying the important pieces of your current environment. Develop a clear and ongoing understanding of the company’s critical/sensitive business information, assets, applications and technology infrastructure (whether managed internally or by third parties) that must, by law, regulation, financial and fiduciary responsibility, and customer/employee privacy requirements, be maintained, operated, stored, handled, transmitted and disposed of in a prescribed manner.
Understand legislation and regulations for the reporting of intentional or accidental disclosure of critical/sensitive information (PCI, PHI, PII). Know where the company’s critical and sensitive information is stored, whether internally or by contracted third parties.
Engage representatives of business areas mentioned below, meet on a regular basis and establish clear and unambiguous roles and responsibilities. Assign and empower an owner with the necessary business and technical savvy and acumen to lead IR planning. Align the IRP to internationally accepted and recognized best practices (ISO, CERT, NIST), establish a common vernacular and leverage common processes (communication, classification, action plans) across the enterprise to ensure program consistency, transparency and defensibility.
A clear IRP owner who will administer and operate the program should be identified. He/she should assemble a team of decision-makers authorized and empowered by the company’s executive management team from information security/risk, legal counsel, compliance, public relations, human resources, information technology and contracted/certified third parties who will assist with response, evidence collection, preservation and forensic activities.
All employees and applicable third parties must understand their roles and responsibilities (via acceptable use policies) to recognize and report suspected security program weaknesses and potential incidents.
The IRP should define what the organization classifies as an incident and include a severity scale appropriate to the organization and its industry. It is also critical to have an after-action report or continuous improvement framework in place for the post-incident phase, so the organization can improve its security posture based on the lessons of an actual incident.
The biggest problem facing most enterprises is the lack of a “big picture” view of the incident response program. The IRP needs to empower the IR team and security organization with adequate authority to do the job effectively. Buy-in at the executive level is required to make the IR plan a component of corporate policy and to help ensure cooperation from the rest of the business.
When we look more tactically at the execution of IR plans, the biggest mistakes we see security organizations or CERT teams make have included varying degrees of some of the following issues:
In part three of our blog post series, we will discuss required capabilities of a mature IRP, and why the best companies are looking to grow their IR capabilities into a comprehensive security incident management program.
October 11, 2017