Coordinated Response
Services and tools for incident response management

ISACA Incident Management and Response

ISACA – The Information Systems Audit and Control Association – is a good resource for Incident Response Teams.

The ISACA web site offers a white paper, Incident Management and Response. The base page gives access to the white paper as well as a good set of additional resources for Incident Planning and Response.

The paper makes key points that help strengthen a response plan, including:

  • The importance of the link between risk planning and response planning;
  • The business value of a good response plan; and
  • The importance of supporting enterprise governance in the response plan.

Attacks Expose the Enterprise to a Variety of Risks and Associated Impacts

Risk planning and response planning are linked. The risks and resulting impacts occur in the following areas:

  • Reputational Risks including public relations or legal issues with customers.
  • Regulatory Risks including the inability to meet regulatory compliance.
  • Operational Risks including the inability to deliver key business capabilities.
  • Internal, Human Relations Risks including inability to process payroll or violations of employee privacy.
  • Financial Risks including loss of physical assets or remediation expenses.

This is an idea that Coordinated Response embraces in The Risk Management Framework, specifically in the area of Impact Assessment and Incident Prioritization.

Business Value – An Effective Response Plan Addresses Response Risk

A robust incident response program reduces the risk of response – the probability of the response itself contributing inadvertently to risk exposure. The paper stresses the characteristics of an effective program:

  • Is the plan endorsed by management?
  • Is the team well-trained?
  • Is the team interdisciplinary? Does the team include operational, administrative, legal, HR, PR, and management?
  • Does the program employ proven plans and processes for operations and execution?
  • Are metrics employed for evaluating effectiveness and identifying gaps?
  • Is there a charter for the team?
  • Does the plan address declaration and notification procedures? Does it include a well-defined communication plan?

Impact Levels

For each impact area, it is important to provide metrics or descriptions that differentiate the impact level. Low, medium, and high are not enough as impact measures. Without metrics, different people assign different meanings to the terms low, medium, and high.

An Incident Response Plan Review

It’s worth stressing that the impact component of the risk assessment can and should be used during the Incident Impact Assessment. The Response Team measures adverse impact to determine the needed response.

With this information, the response team makes informed decisions on what resources to apply and what actions to take. Refer to our Response Management Framework for added insight.

Let us help you with a response plan review that considers your information security risk assessment.