We’ve written before about the importance of having an incident response plan (IRP) for your enterprise. An incident response plan is a set of procedures your enterprise and IT security team will follow when a data breach or security event inevitably strikes. And make no mistake, a data breach is coming for your business, regardless of the size of your enterprise or the industry you operate in. Being prepared is a must, even if you have a SIEM solution.
But what makes a good IRP? What should your IRP contain? Running around in a blind panic will not result in a tidy or speedy resolution. Here are the key components of a successful enterprise incident response plan:
Incident Response Plan Practice Makes Perfect
Regardless of the specific details of your incident response plan, the plan itself is only half the equation for success. Your enterprise and your incident response team (more on that in a moment) need to practice the procedures laid out in your IRP so that they’re prepared for an actual security event. Employees outside the IT security team need to know where to report a potential cybersecurity threat and to do so promptly. The incident response team, in turn, needs to know how to respond to a potential threat when the alert arrives.
Practice also allows you to evaluate where your incident response plan is strongest and weakest, and therefore where reinforcement is necessary. Make sure regular practice sessions are incorporated into your IRP.
The Chain of Command in Your Incident Response Team
Quick! A security breach is happening! Your IT team leader is evaluating the situation and directing the response! Wait no! The CISO needs the team to deal with the threat differently! Wait! Drop everything! The CTO has come in and is barking orders!
This happens far, far too often in too many enterprises: they have an incident response plan but lack a proper chain of command in their IRP. Without clear leadership, your enterprise’s response will collapse into confusion, wasted time, and more damage. Every solid plan needs a clearly delineated incident chief (ideally someone with experience in crisis management) and a clear chain of command flowing from them, so that communications remain clear throughout the incident and its aftermath.
A well-outlined incident response plan should also specify who is on the incident response team. These team members should know their roles and responsibilities during a cybersecurity incident and how they relate to other team members in the IRP hierarchy, and they should have clear procedures for how to perform those responsibilities.
Procedures and Plans that Fit Your Enterprise’s Needs
A well-designed incident response plan should have procedures for the actual handling of the security event that fit your enterprise. The IRP should contain information about the most common threats your enterprise will likely face and the currently deployed cybersecurity protocols and protections that deal with those threats. It should also have procedures that work within these protocols, as well as processes to recognize if they’ve been compromised.
Additionally, your enterprise’s IRP should have procedures for gathering information and threat identification (where the breach came from, what parts of the network it’s affecting, if it’s a false positive, etc.) and appropriate containment procedures.
An incident doesn’t end once the breach is contained either. The threat needs to be removed from your enterprise’s network, the security hole that allowed the breach in needs to be closed, and the damage needs to be assessed. Having the processes for these steps clearly explained is also vital to a well-rounded incident response plan.
Honesty is the Best Policy
Every IRP should have external communication policies that are clear, immediate, and consistent for alerting your customers, relevant regulatory bodies, and investors of a cybersecurity event. Your enterprise’s IRP should identify who needs to be contacted in the wake of the breach, with specific caveats depending on what kind of breach occurred and what was affected, as well as who should contact them and how. These communications should follow industry and government regulatory mandates depending on the location of your enterprise (individual U.S. states have their own laws, enterprises dealing with the EU should prepare for GDPR, etc.).
Above all, these communications must be honest. Your enterprise doesn’t need to share every detail of a breach, especially if you believe it is still ongoing, but you need to provide enough information to consumers and investors to ensure they’re adequately informed for their safety. Your IRP should not push your external communicators toward rash denials or downplaying statements. Such actions will only harm your enterprise’s reputation in the long run. Instead, your IRP should mandate professional and honest language.
Cybersecurity does not begin and end with your SIEM solution. You need to be a participant in keeping your data safe…and being ready to respond when the worst happens is part of that.
Latest posts by Ben Canner