Incidents Happen; So Should Incident Response Planning

September 10, 2015 by

David Kidd

In the IT world, "Target" doesn't bring to mind great deals from the retail giant, and "Ashley Madison" doesn't conjure up the married dating service. Instead, IT professionals are more likely to think of them both as examples of some of the most notorious, headline-stealing data breaches in recent times — and rightly so.

In its 2014 fourth quarter report, Target noted that its breach-related gross expenses totaled $252 million. The company recently reached a deal with Visa to settle claims over the 2013 data breach that will cost an additional $67 million. As for Ashley Madison, the online company faces one class action suit for $750 million and will likely get hit with more.

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.

Get Started

However, it's not just breaches that put data at risk — or the data centers that store and/or process that data. Apple suffered two major data center incidents earlier in 2015. One was a fire, possibly caused by a fault in solar panels on the roof, and another was a chlorine leak. An August 2015 explosion in downtown Los Angeles disrupted data center operations for several companies, while network connectivity issues grounded United Airlines' US flights the previous month.

The fact is that data centers can and do experience a variety of disruptions, and even the highest levels of security and preparedness can't prevent them. When things do go wrong, however, how IT professionals respond can make the difference between keeping and losing customers — and remaining in business. That's why an incidence response plan (IRP) is so important.

The What's and Why's of Incident Response Planning

In simple terms, an IRP is a set of instructions for detecting, responding to and limiting the effects of an information security event, and for communicating the incident to the relevant stakeholders. As a component of business continuity, it keeps organizations operational and outlines how to deal with adverse situations—not just recovery.

While IRPs are not requirements for data centers, they are required of any business subject to a various regulatory requirements, including HIPAA (section 164.308(6)(i)), GLBA (section 314.4(b)(3)) and PCI DSS (section 12.9).They are also just good business. Done right, IRPs can help limit damage, increase the confidence of external stakeholders, and minimize recovery time and the associated costs, and more.

The Key to Successful Incident Response Planning

So what is required for a successful IRP? Here are just a few of the things to consider:

1. First and foremost, focus on your people. Think about your team, what they can do and how quickly they can do it if and when an incident occurs. Remember that training is essential. It is particularly important to make sure your team has the resources they need to be successful.

   That can't happen without senior management support. Like disaster recovery planning, incident response planning can be a hard sell to the C-suite. To convince the upper echelon to spend more on incident response planning, it may simply be a matter of showing them the cost impact of these incidents as noted in the headlines, including the previously mentioned cases of Target and Ashley Madison.

2. Forgo boiler plate plans that don't address the specific needs of your organization. Determine what your threat landscape is, and plan only for incidents that could happen to your business. Focus on what's possible, but don't be afraid to think about the "what ifs." Plan how to respond to these threats based on the resources you have available, not the ones you wish you have.
3. Focus on processes and procedures for getting up and running and/or remaining operational. They should be easy to understand and enact. If the necessary skills or manpower doesn't exist in-house, plan to retain outside help that can be available when needed. Keep your plan flexible as well. It should be able to adapt to a variety of situations. Make sure it can accommodate a change in team members and what resources are available or required to mitigate various types of incidents.
4. Make internal and external communication a key element of your IRP. Have boilerplate communications ready to deploy; all you need to do is fill in the pertinent details. Keep the communications short and concise. Provide the relevant facts as they are available, and don't speculate on root causes. Disseminate information quickly to all stakeholders and follow up with them regularly. Resolve any incorrect information.
5. Review and test your IRP. It won't do any good just sitting on a shelf. Run through and regularly update your incident response workflows. Make sure your documented procedures make sense, and your team is equipped to enact them. The time to find out your plans don't work is not in the midst of a disaster. Also remember that "fast" is not "fast enough" when it comes to responding to any kind of failure or disaster. Always strive to improve response times.
6. Learn from mistakes — during testing and during an actual event. Analyze the incident. Evaluate how it was handled. Determine how to improve responses in the future. Update your IRP, and make changes in people, processes or technology. Practice new workflows. Assess systems closely for any sign of weakness or recurrence, and fix them.

Prepare for the Inevitable

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.

Get Started

It may sound cliché but when it comes to data breaches and other disasters that can befall data centers, it's not a matter of "if" but "when." Storms, cyberattacks, power surges or any number of other incidents could result in downtime. With an IRP, the negative impacts can be minimized — and the headlines avoided.