A cybersecurity incident response plan is ranked among the top 20 security controls by a number of respected authorities. Industry research indicates that an effective response to a cybersecurity incident reduces its actual cost by 11%. Developing an incident response plan is not only a best practice; it is good business. See References and Research at the end of this page.
A good plan addresses four key dimensions of incident response:
The elements of the four dimensions interact throughout the incident response. The response team identifies the likely incident category and type, which informs its action plan. As the team executes the plan, it collects and analyzes information. Impact is measured to set priorities and to communicate with management. Additional resources and actions are invoked as needed and as authorized. Ultimately, the incident is contained and its cause is eradicated. Finally, the organization captures and applies the lessons learned.
The incident planning process starts with a template reflecting the four dimensions. An iterative approach is used to interview team members, solicit their input, and build out the plan. The draft plan is distributed to the team. After review, one or more group meetings are held to discuss the plan. A final draft is then prepared for review and approval.
The planning process serves a number of key objectives.
Develop the plan – first and foremost, the incident response plan is developed and documented.
Socialize and exercise – the planning process “socializes” the incident response plan as well as the roles and responsibilities of the response team members. Team members learn from the planning process. The interviews and group sessions exercise the plan: team members working together consider “what if” different events or outcomes occur.
Gap analysis – the planning process often identifies shortcomings in the response capability. Filling a gap might be as straightforward as training team members or acquiring the equipment needed for response. It may also require arrangements with service providers so that additional resources can be obtained when needed.
National Institute of Standards and Technology (NIST) Special Publication SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, identifies Incident Response (IR) as one of the 18 families of information security controls:
NIST also provides SP 800-61 Rev 2: Computer Security Incident Handling Guide, August 2012 to help organizations develop their incident response program:
The International Organization for Standardization (ISO) defines ISO/IEC 27035:2011 as the standard for Information Security Incident Management: http://www.iso.org/iso/catalogue_detail?csnumber=44379.
Ponemon Institute performs an annual survey of organizations that experienced a data breach in the past year. The survey is global, but the numbers provided here are for the United States; the U.S. sample comprised 62 companies across 16 industries.
Ponemon Institute, 2015 Cost of Data Breach Study: United States, May 2015, sponsored by IBM. Retrieved 08/15/2015 from: http://www-03.ibm.com/security/data-breach/.
For more information refer to our Response Management Framework.