Security incidents can and will take place within your business, putting employees and the wider business under a great deal of pressure. Making sound decisions to minimise the impact of the event can be difficult. These incidents can also be costly in terms of downtime, loss of data and reputational damage. Only if your business is prepared and staff are aware of what to do, can they contain and minimise any losses.
Maturing an Incident Response and Management Plan enables your business to make many of the important decisions in a calm pre-incident environment. However, incident response is not about having a plan that gets dusted off when your business encounters a problem. It is a method that covers the people, technology, process, and governance, forming part of your day to day operations to strengthen your defences against future incidents.
Incident Response Methodology
The following Incident Response methodology, recommended by the NCSC, offers a structural approach. It ensures that the right people are engaged at the right time, and appropriate escalation and communication takes place.
- Triage – The first stage of process is where severity, categorisation and escalation is assessed to ensure that the correct people are involved from the outset.
- Analyse – This stage involves determining whether an incident has occurred, and if so, the nature and the extent of the incident.
- Contain/Mitigate – This stage may require critical decisions such as taking a core business system offline and to consider the consequences of any such actions.
- Remediate/Eradicate – The main objective of this stage is to remove the threat, confirm that remediation has been successful and may involve monitoring for a period.
- Recover – At this point the organisation should return to ‘business as usual’, ensuring that systems and data are restored. Review and action of any regulatory, legal, or PR issues should be considered at this stage.
- Review – A lesson learned review should be carried out at the conclusion of any incidents to assess the effectiveness of controls, identify any improvements in policies, procedures, training, and technology.
This methodology, coupled with a defined series of playbooks, helps you react quickly and precisely.
Playbooks are a set of actions that should be executed if an event occurs, usually covering the analysis to recovery stages. By having a playbook, you will have a rehearsed set of steps to deal with the incident. This way, when a real incident occurs, you are more likely to make good decisions in the heat of the moment.
The following are the most common playbooks; however, it is good practice to have playbooks for specific business incidents. For example, the loss of a client production database or other business critical asset.
- Malicious code
- Denial of service
- Unauthorised access
- Insider threat
- Data breach
- Targeted attacks
- Data theft
Testing Your Incident Response Time
Finally, your Incident Response Plan needs to be regularly tested so that business metrics can be created. Take, for example, malicious code on a production machine, leading to downtime. The metrics gathered once completed can inform the business on the average duration of the event, the downtime, impacted SLAs, impacted employed productively etc. This enables the business to understand the event in non-IT terms, determine their acceptable levels of risk and implement further improvements and mitigations.
How to create an Incident Response Plan
You will need to consider the following steps when creating an incident management plan, adopting the above methodology.
- Create the Incident Management Procedure.
- Identify key assets and critical functions.
- Perform a risk assessment and business impacts analysis.
- Gap analysis against best practice.
- Develop new or update existing policies.
- Define the severity of an incident.
- Define roles and responsibilities.
- Train your employees.
- Create/develop Communication Plans.
- Create/develop Incident Playbooks.
- Create business metrics.
- Refine the process and Playbooks where appropriate.
- Tabletop exercises.
- Walkthroughs and workshops.
- Functional exercises.
- Full scale exercises.
Incident response may seem to be a daunting process; however, once the foundations are set, you can build on your people, technology, process, and governance.
Nexor’s Incident Response consultants can support these tasks. For further information, get in touch with our team.
Author Bio - Chris Gent
Chris is a Certified Information System Security Professional (CISSP) and EC-Council Certified Security Analyst (ESCA:Practical) with over 20 years IT and 5 years cyber security experience. His recent projects include vulnerability assessing and auditing IT systems to the centre for internet security framework, helping to attain and maintain security governance such as ISO27001 and Cyber Essentials plus, and designing secure network solutions around new products and services.
Be the first to know about developments in secure information exchange