There’s an old saw that says ‘Action speaks louder than words.’ Often infosec pros are more inclined to action — solving the never-ending list of problems piled on them daily– than documenting what they’re doing and why.
But in a column for Security Week FireEye CTO Joshua Goldfarb usefully reminds CISOs of the importance of documenting processes. There’s no shortage of things that have to be formalized including — especially–an incident response plan. (For a start, try this handbook from the SANS Institute). Goldfarb notes that an increasing number of parties, including auditors, insurance underwriters, customers, partners and others may want to know if you’ve got a plan, which at least shows you are taking cyber security seriously.
And don’t forget that the plan has to be tested and updated regularly to be effective when it’s needed.
But Goldfarb also there are other things to be documented, including a risk register (which lists the risks and threats the organization faces, so they can be prioritized), a list of alerts security staff will face, how data can be gathered for analytics, and important internal and external contacts (which regularly has to be updated).
He also reminds infosec leaders that they can criticize others for their documentation, but it’s better to write down how you would approach things differently given topic differently. That, he says, is the key to opening up a constructive conversation with security teams.
“I know that writing and documenting aren’t the most exciting activities,” he admits. “But they have tremendous potential, both in improving security operations and incident response, as well as in opening up a constructive dialogue that the information security community so desperately needs.”
Let us know in the comments section below how you and your organization have met documentation challenges.