Preparing your first cyber incident response plan
In this months article committee member Peter Lescop provides some guidance in how to prepare your first cyber incident response plan. Protecting your business from attack is a key priority, but preparedness and planning for an incident is an equally important factor in your security toolset.
Preparing your first cyber incident response plan
While attending our recent talks hosted by Bruce McDougall and Matt Palmer on the subject of incident response, it struck me that the overall maturity of businesses’ approaches to incident response can vary greatly.
Often, I speak to businesses regarding the overall maturity of cyber security posture assuming basics are in place – but that is often not the case. Cyber incident response plans are one of those basics that are generally missed. Most businesses generally focus on the avoidance of an incident – and while that is an envious position, generally it is not ‘if’ but ‘when’ an incident will happen. It is incredibly important to be prepared, have a plan, and ensure it is tested.
So where and how do you begin?
Don’t reinvent the wheel!
There are many frameworks, standards, and guidelines out there that provide detailed instruction in how to manage incident response. One of the most popular is NIST 800-61. The most important point here is that you do not need to start from scratch, there are even templates available for your business to download and adapt to suit such as the Incident Response Policy Template for CIS Control 17.
Utilising these ready-made templates will provide the basis for your plan, with the core steps required for the most basic forms of incident response.
Build a successful team
Your incident response team does not need to solely be made of security analysts, in fact it is recommended to not be a closed group. It is important for your response team to be made up of a cross section of resources across your business. Key roles to consider in the make up of your team are:
· Incident Response Lead – your IR lead manages the overall running of your incident, keeping each member working within the process defined on paper. This role often has a good understanding of Incident Management and can lead a group of people and keep level-headed.
· Security Analyst / IT Analyst – including a member of your Security or IT teams is a must. Often acting as a liaison between your more technical teams containing or remediating an incident, they will provide the much-needed subject matter expertise to the team.
· Communications – a key member of the team, ensuring your plan includes the necessary processes for communications both internally and externally. Have a plan and resource to enact quick and clear communication so you can focus on the incident management.
· Senior / Executive Leadership – ensure your incident management team has the necessary senior support to ensure quick escalation where necessary. This position can also provide support for specific roles, such as communication or spokesperson support.
· HR / Health & Safety – always consider the people aspect, as the safety of people always comes first. Ensure someone is in the room to consider this as a priority and have processes in place to ensure the rotation of staff during incidents that may required management over a long period of time.
Once your team is assembled, ensure your roles and responsibilities are clearly defined and awareness shared. A successful team will be the one who knows their roles well.
Know your stakeholders.
It is important to know and understand your stakeholders during and after an incident. These are the individuals, entities or businesses that have an interest in your incident management status, such as regulators, insurers, customers, or suppliers. Have a clear plan for whom you need to communicate to and when, and be pro-active.
There are some stakeholders such as the Jersey Office of the Information Commissioner that may need to be informed under certain circumstances, within certain timescales.
Others such as customers and suppliers will want timely updates to alleviate concerns, if necessary. A proactive approach to communication can also support and avoid the potential floor of incoming communication that can cause issues with your incident response.
Post incident response
Don’t forget your post incident activities. When an incident is over and contained, and recovery is complete, we often want to take a sigh of relief and down tools. It is very important that post incident we take some time to complete activities that will greatly increase our response capabilities in the future: every incident is an opportunity to learn, so ensure you take your chance.
Ensure your have a lessons-learned process, review your incident response from a critical point of view. Include your team members within your lessons learned exercise and discuss what went right and what went wrong. Document your findings and implement a plan of action to improve.
Test, test test!
Don’t wait until a live incident to test your plan. Implement a schedule of testing, starting with the basics of a plan run-through. A plan run-through or review with all of your team present will give the option to raise awareness of the plan, and to include each individual’s role and responsibilities within. During this time each team member will have the opportunity to ask questions and prepare.
Once plan run-throughs are complete, progress towards a table top exercise. This type of exercise is a paper-based scenario that is created to role-play an incident, utilising your plan. There are a few ways to do this, the simplest being creating the scenario yourself and having a member of the team read through various prompts to similar an incident scenario. Another options available is the NCSC Exercise in a Box, which includes pre-built table top exercise for your teams to run through.
The important thing here is to test your plan, ensure it works. Any issues found, create an action plan to fix – then test again.
Summary
In summary, it may seem scary to begin the process of creating an incident response plan. However with a little bit of research there are many resources available online to support a speedy adoption of a simple plan. Your plan does not have to be complicated; anything is better then nothing. Create a plan, test and improve – then repeat the process.
