Incident Response Planning
Boring topic? Maybe.
But if you believe what Gartner has to say: "Through 2016, 75% of CISO's who experience publicly disclosed security breaches, and lack documented, tested response plans, WILL BE FIRED."
Gartner said that (2012 Gartner Predicts) - CISO's may be fired for not having CIRP's…..
I'm a big believer in Response Planning, but I would have never said something that bold.
Fail PCI without a CIRP? Yes
Fail to follow industry 'best practice' framework like ISO 27K without a CIRP? Yes
I guess if you are a CISO/CSO and HOPE that you won't have an incident, maybe you should be fired.
You're a CISO/CSO who doesn't believe in documented Due Diligence? Maybe you should be fired.
Because Gartner said so and you STILL didn't bother to develop a CIRP, maybe you should be fired.
You're a CISO/CSO whose motto is "What, me worry?" You know the answer….
I don't understand why so many people out there don't have CIRPs. They're pretty simple.
Start with some basic concepts:
Say to yourself: "I am going to have a data breach in three weeks" – believe it; Now what would you do NOW to deal with it? What obligations does my organization have to meet? What resources will I need? How will this adversely affect my organization? What kind of ad-hoc organization will I need to respond to this crisis?
Socialization Who else in the organization will either need to be involved in the response or who has ideas about how we should respond? Suggestions: Legal, public affairs, applicable folks in IT, Forensics, Compliance, Shareholder Communications (if you are publicly traded), Corp Insurance (if you have cyber insurance) – just to name a few. How do they "interpret" an "incident"? Be sure to leverage them in an "advisory committee". Brief them monthly and solicit their feedback. Don't be afraid to look outside of the organization.Research
What information (Network diagrams, Point Of Contact listings, etc.) will I need to have immediately available at the time of crisis? What external resources may I need to call on?(Third party consultants, law enforcement, identity protections services, PFI's, etc.) How do I notify my acquiring bank(s)?
This is just a start. For planning to be an effective mechanism in mitigating risk, it must provide a solid foundation as to its execution, specific information so that participants are empowered with current and relevant knowledge, and yet it must be broad as to not constrict an organization's ability to respond to unforeseen events. Planning will rarely answer all the questions that come up during an incident, but it should provide a repository of thoughtful anticipation, collaboration and research. Furthermore, to assure a plan's continued usefulness, it should be tested and updated on a regular basis. A plan's true value is measured by the relevance of the information and processes it provides at a time of crisis.
Document Your Plan
Leverage the National institute of Standards and Technology (NIST) SP 800-61 document. Open a new Word doc, start with the following "Heading 1"s:
- Plan Introduction – this is where you put the nuances of the plan (ownership, objective, scope, assumptions, limitations, etc.)
- Incident Preparation – all the things you can do NOW to prepare for that day (Contacts, diagrams, third party services, etc.)
- Incident Detection, Analysis & Notification – How do you know when you have an incident? How does your organization (not just IT) define an "incident"? Who are you going to call?
- Incident Response – 'who' does 'what' in a manner that is most efficient (parallel vs. serial efforts)? How are you going to make decisions? How do you keep things 'organized & calm'? Does everyone know their Role & Responsibilities? Have you included everyone you need?
- Plan maintenance and post incident responsibilities – When is it really over? Annual testing? "Lessons Learned", documentation in case of post event litigation.
Embrace the idea of "transparency" – knowing that by doing so you are documenting your professional Due Diligence.
Share your plan with others. Solicit their feedback knowing that it is implicit approval and that there are numerous perspectives on what you may think is just a "computer" incident. Recognize those who have 'contributed' to the plan in the plan itself so that anyone reading your plan (My CEO has read mine) can see the depth of your effort in the document. What a great opportunity to demonstrate business value.
CIRP's aren't just for data breaches. I have CIRP's for malware outbreaks & internal E-mail based attacks (Phishing). We're currently working on one for when our Fortune 100 brand is exploited by others for spam & phishing. I'm sure ADP wishes they had one when their customer service lines started ringing off the hook in mid-August when their BRAND was used by criminals to trick folks into "clicking the link" to a rogue website in the Czech Republic.
This really isn't that hard. And don't pay those big consulting firms to come up with one for you. There are so many benefits to doing it yourself. The relationships you will make outside of IT, with people that are also critical to the organization, will pay dividends beyond simply preparing for a crisis. Leverage your CIRP efforts to introduce yourself to the local law enforcement resources you may need and hopefully develop an ongoing dialog with them. CIRP's can also provide you a mechanism to become more proactive during periods of heightened risk (malware especially).
By all means, don't find out the hard way that Gartner was right.
N. K. McCarthy is the author of The Computer Incident Response Planning Handbook published by McGraw-Hill and available for sale at Amazon.com.