This year’s non-stop ransomware wakeup call has motivated many organizations to dust off their incident response (IR) plans—or create one for the first time. If you’ve ever endured a breach, you know the value of a well-designed IR plan. By guiding decisions in the critical first hours of an incident, the IR plan can keep a minor situation from turning into an operational shutdown, as well as help your team track down the breach’s root cause, file cyber insurance claims, manage messages to customers and more. Use the following guidelines to make sure your IR plan includes all the essentials.
Check Your Industry’s Requirements
Start by determining what others require of you. In many industry sectors, IR plans are mandated by state law, federal guidelines (such as HIPAA) or your biggest customers’ vendor contracts. For example, more than a dozen states require any company in the insurance industry to maintain a written IR plan, among other best practices. And your cyber insurance underwriter will almost certainly offer you a better rate if you have policies such as an IR plan in place.
Guides for Creating Your Plan
One go-to standard for IR plans is NIST publication 800-61, known as the “Computer Incident Handling Guide.” This 79-page document walks you through all the elements required in an IR plan considered up to industry standards. The guide provides details on tasks such as structuring an IR team, handling incidents as they occur and coordinating responses across departments and organizations. NIST’s approach boils down to this four-part Incident Response Life Cycle:
You should also review the SANS Institute’s more concise guide, known as the Incident Handlers Handbook. SANS recommends that every plan provide a specific process for these six areas:
- Lessons Learned
What to Put In Your Plan
Based on these resources and other industry guidelines, these are the key elements to include in your IR plan:
- Your definition of an “incident” – Writing your organization’s specific description of a computer security incident will determine what triggers your IR plan. Typical items that constitute incidents are loss or accidental disclosure of sensitive info, an intrusion or attack on the network or the discovery of a vulnerability that could affect operations. Vague definitions of incidents can trigger unnecessary IR responses even for low-level situations.
- IR team structure – The team’s size depends on your organization’s size and complexity. The team plan should include:
– An incident coordinator tasked with managing meetings, keeping notes and documenting actions.
– People with strong tech skills, IR experience and an understanding of the business.
– Multiple people with strong communications skills they can use to share information clearly and efficiently in the right directions.
– Representation from key related areas such as legal, HR, and the physical facilities team.
– An executive sponsor who can champion the team’s concerns up the ladder and provide visibility to the overall business.
– A system for rotating IR team members on a planned basis to avoid burnout and promote fresh perspectives.
- Roles/responsibilities – Clearly outline exactly who does what and establish a clear team leader. Some states’ regulations for certain industries require companies to officially report the name of the person of contact (POC) for information security. Be sure to consider duties your IR team may have in non-emergencies, such as training employees, monitoring threat alerts and participating in relevant industry groups.
- Incident-reporting procedure – The team’s ability to respond effectively relies on finding out about the incident in a clear, timely manner. Describe whether notifications should take place through a help desk ticket, e-mail, phone call, etc. The plan should also specify procedures for preserving potential evidence. Your company’s ongoing security training should cover the incident-reporting procedure.
- Communications plan for outside entities – You will probably need to notify people beyond your company war room about incidents. A chart like the one below from NIST shows the variety of parties with which you may need to interact. In your plan, establish clear rules of communication. Sharing the wrong information at the wrong time with the wrong entity could have implications for your cyber insurance, breach notification liabilities, class action suits, breach of contract claims and more.
- Post-event reporting – After the situation is resolved, the team should issue a report summarizing what happened and what remediations are required. Your plan should provide specifics on who will compile that report and the leaders who get a copy.
Keep It Simple
As you write the plan, remember Einstein’s rule that “Everything should be as simple as possible, but no simpler.” It’s easy for IR plans to get very long and complex, especially as you continue to revise it over the years. But in the excitement and confusion a real incident, people can only follow so many policies. So streamline your plan to the essentials so that it’s more likely to see real-world use.
Building Your External Team
Just as critical as your organization’s internal team is the lineup of external service providers you’ll call on in an emergency. It’s essential to identify and get to know your providers in advance for two reasons. First, service providers that get to know your organization in normal times will be prepared to spring into action with an informed point of view at a moment’s notice. Second, securing the providers ahead of time will help you use your preferred vendors rather than being stuck with an unknown company from your cyber insurance carrier’s preferred provider list. Once you’ve picked a vendor, ask your cyber insurance company to add them to the preferred list to ensure you get to work with your selected partners.
Your external vendor team should include:
- An attorney with cyber expertise
- A digital forensics team
- A breach coach
- Cyber insurance contact
- Public relations firm, if your industry is in the public eye
How to Test Your Plan
Your IR plan isn’t a set-it-and-forget-it proposition. You won’t know if it works unless you test it. And you won’t know if it continues to work unless you incorporate a specific, regular schedule for review. At minimum, review it once a year. If your business is highly dynamic, it may require more frequent review. Common elements that prompt plan updates include:
- Changing personnel on the IR team
- Implementing new technology platforms
- Winning contracts with new clients
- Entering new geographic or industry markets with different requirements
- Increasing budgets that expand your resources
Along with annual reviews, you should plan annual testing exercises that apply the plan to a specific simulated scenario. And whenever a breach actually occurs, review your IR plan at a “lessons learned” meeting to identify areas that need revision.
If you need help creating an IR plan tailored for your specific situation, contact Pratum today.