Develop Your Incident Response Plan

You can’t afford to be unprepared for a data breach’s aftermath. It’s up to you to control the situation and protect your brand in the wake of a data breach’s potentially devastating effect on your reputation. Developing and implementing an incident response plan will help your business handle a data breach quickly and efficiently while minimizing the damage.

Step 1 – Identify and Prioritize Assets

Start by identifying and documenting where your organization keeps its crucial data assets. Assess which assets would cause heavy losses if they were stolen or damaged. After identifying critical assets, prioritize them by importance and risk, and quantify their value. This will help justify your security budget and show executives what needs to be protected and why it is essential to do so.

Step 2 – Identify Potential Risks

Determine what risks and attacks are the greatest current threats against your systems. Keep in mind that these will be different for every organization. For organizations that process data online, improper coding could be their biggest risk. For a brick-and-mortar organization that offers Wi-Fi for their customers, their biggest risk may be Internet access. Other organizations may place a higher focus on ensuring physical security, while others may focus on securing their remote access applications.

Here are a few examples of possible attack vectors:

  • External or removable media: executed from removable media (e.g., flash drive, CD)
  • Attrition: employs brute force methods (e.g., DDoS, password cracking)
  • Web: executed from a site or web-based app (e.g., drive-by download)
  • Email: executed via email message or attachment (e.g., malware)
  • Impersonation: replacement of something benign with something malicious (e.g., SQL injection attacks, rogue wireless access points)
  • Loss or theft: loss of a computing device or media (e.g., laptop, smartphone)


Step 3 – Establish Procedures

If you don’t have established procedures to follow, a panicked employee may make detrimental security blunders that could damage your organization. Your data breach policies and procedures should include:

  • A baseline of normal activity to help identify breaches
  • How to identify and contain a breach
  • How to record information on the breach
  • Notification and communications plan
  • Defense approach
  • Employee training

Over time, you may need to adjust your policies according to your organization’s needs. Some organizations might require a more robust notification and communications plan, while others might need help from outside resources. However, all organizations need to focus on employee training, including training on your security policies and procedures.

Step 4 – Set up a Response Team

You need to organize an incident response team that coordinates your organization’s actions after discovering a data breach. Your team’s goal should be to coordinate resources during a security incident to minimize impact and restore operations as quickly as possible.

Some of the necessary team roles are:

  • Team leader
  • Lead investigator
  • Communications leader
  • C-suite representative
  • IT director
  • Public relations
  • Documentation and timeline leader
  • Human resources
  • Legal representative
  • Breach response experts

Make sure your response team covers all aspects of your organization, and that they understand their particular roles in the plan. Each will bring a unique perspective to the table with a specific responsibility to manage the crisis.

Step 5 – Sell the Plan

Your incident response team won’t be effective without proper support and resources to follow your plan. Security is not a bottom-up process. Management at the highest level (e.g., CEO, VP, and CTO) must understand that security policies–like your incident response plan–must be implemented from the top and be pushed down. This is true for organizations from mom-and-pop shops to enterprise organizations.

For enterprise organizations, executive members need to be on board with your incident response team. For smaller organizations, management needs to be fine with additional funding and resources dedicated to incident response.

When presenting your incident response plan, focus on how it will benefit your organization (e.g., financial and brand benefits). For example, if you experience a data breach and manage the incident poorly, your company’s brand will likely suffer irreparable damage. The better your goals are presented, the easier it will be to obtain the funding necessary to create, practice, and execute your incident response plan.

Step 6 – Train your Staff

Just having an incident response plan isn’t enough. Employees need to be properly trained on your incident response plan and know what they’re expected to do after a data breach. The regular routine of work makes it easy for employees to forget crucial security lessons and best practices. Employees also need to understand their role in maintaining company security. To help them, teach employees to identify attacks such as phishing emails, spear phishing attacks, and social engineering efforts.

Test your employees through tabletop exercises (i.e., simulated, real-world situations led by a facilitator). While tabletop exercises require time and money, they play a vital role in your staff’s preparation for a data breach. These tabletop exercises help familiarize your employees with their particular incident response roles by testing them through a potential hacking scenario. After testing your employees, you can identify and address weaknesses in the incident response plan and help everyone involved see where they can improve, with no actual risk to your organization’s assets.


Test your Incident Response Plan

An incident response plan is only useful if it is properly established and followed by employees. To help staff, regularly test their reactions through real-life simulations, or what’s known as tabletop exercises. Tabletop exercises allow employees to learn about and practice their incident response roles when nothing is at stake, which can help you discover gaps in your incident response plan (e.g., communication issues).

Types of Exercise

DISCUSSION-BASED EXERCISE

In a discussion-based tabletop exercise, you and your staff discuss response roles in hypothetical situations. A discussion-based tabletop exercise is a great starting point because it doesn’t require extensive preparation or resources, while still testing your team’s response to real-life scenarios without risk to your organization. However, this exercise can’t fully test your incident response plan or your team’s response roles.

SIMULATION EXERCISE

In a simulation exercise, your team tests their incident responses through a live walkthrough test that has been highly choreographed and planned. This exercise allows participants to experience how events actually happen, helping your team better understand their roles. However, simulation exercises require a lot of time to plan and coordinate, while still not fully testing your team’s capabilities.

PARALLEL TESTING

In parallel testing, your incident response team actually performs their incident response roles in a test environment. Parallel testing is the most realistic simulation possible and provides your team with the best feedback about their roles. However, parallel testing is more expensive and requires more planning time than other exercises because you need to simulate an actual production environment (e.g., systems, networks).

CONDUCT A TABLETOP EXERCISE

Before conducting a tabletop exercise, determine your organization’s needs by asking:

  • Has your incident response team received training about their roles and responsibilities?
  • When did you last conduct a tabletop exercise?
  • Have there been recent organizational changes that might affect your incident response plan?
  • Has there been any recent guidance or legislation that might impact your response plan?

Next, design your tabletop exercise around an incident response plan topic or section that you want tested. Identify any desired learning objectives or outcomes. From there, create and coordinate with your tabletop exercise staff (e.g., facilitator, participants, and data collector) to schedule your tabletop exercise.

When designing your tabletop exercise, prepare the following exercise information:

  • A facilitator guide that documents your exercise’s purpose, scope, objective, and scenario, including a list of questions to address your exercise’s objectives.
  • A participant briefing that includes the exercise agenda and logistics information.
  • A participant guide that includes the same information as the facilitator guide, except it either doesn’t include any of the questions or includes a shorter list of questions designed to prepare participants.
  • An after-action report that documents the evaluations, observations, and lessons learned from your tabletop exercise staff.

After conducting a tabletop exercise, set up a debrief meeting to discuss response successes and weaknesses. Your team’s input will help you know where and how to make necessary revisions to your incident response plan and training processes.
