If, as experts say, a data breach at every organization is inevitable, arguably the CISO’s first line of defence is an incident response plan. Incident response is what organizations do to prevent a breach of security controls from becoming a data breach.
The problem, according to a report from Verizon released earlier this month, is that, if its survey is representative, even organizations that have created IR plans haven’t got them right. While most (79 per cent) of the 125 assessed organizations the company questioned between 2016 and 2018 had an IR plan in place, fewer than half (48 per cent) had what Verizon considers a logically constructed, efficient plan.
Among the flaws: more than one third (43 per cent) didn’t fully designate internal IR stakeholders, and 71 per cent didn’t describe end-user security awareness training. Only 40 per cent explicitly specified periodic reviewing, testing and updating of the plan; 22 per cent cited no internal security policies or procedures; and 38 per cent cited no legal or regulatory requirements (41 per cent did so only partially) for cybersecurity, incident response or data breach notification.
Verizon says its Incident Preparedness and Response Report (registration required) will help IR stakeholders create, maintain or improve their cyber incident mitigation and response efforts.
A reminder: Incident response stakeholders aren’t only in IT. They also include human resources, legal affairs, communications/public relations, physical security as well as others touched by an incident.
Six components
The report says incident response has six components: planning and preparation, detection and validation, containment and eradication, data collection and analysis, remediation and recovery, and post-incident assessment and adjustment. There’s a section of the report for each component. There are also five data breach scenarios, including how the organization responded and lessons learned.
Briefly, the idea is that the existing or new IR team should discuss the scenarios and draft (or correct existing) response playbooks in the organization’s IR plan to suit the incidents the organization is likely to face.
For those who don’t know, an IR plan describes roles, responsibilities and authorities for internal IR stakeholders. It identifies incident detection, types of attacks, and severity levels to guide internal IR stakeholders and tactical responders.
For cybersecurity incidents, the report recommends identifying six to eight incident types (for example, unauthorized access, DoS, malicious code, improper usage, scans/probes/attempted access).
“By defining incident types, stakeholders can prepare for incidents, focus efforts and quickly engage resources when they occur,” says the report. These incident types can also determine topics for specific playbooks that support the overall IR Plan.
Finally, don’t forget to test the IR plan.
For more resources, see our previous stories “How to get the most out of your incident response plan test,” “Incident response plan must be tested,” and “What should be in an IR team Go Bag.”