Incident response planning requires constant testing
What goes into a good incident response plan, and what steps should security professionals take to ensure they are appropriately prepared for the almost inevitable attack, and secure buy-in from organisational leadership?
The primary step towards a robust incident response plan is to get testing. It’s crucial not to wait until you’re faced with an issue to test all elements of the plan, especially around critical systems and processes.
Involve relevant stakeholders across the business as though a serious incident is occurring to test the process, technologies and people.
Tabletop exercises can be a great way to include all the elements as the team will understand why drills matter whilst undergoing a practical simulation of what it feels like when under pressure during an incident.
An incident response plan should be robust and cover business priorities; not all systems are equally important, and knowing which ones to secure and restore ahead of the others is essential.
The plan should cover the full estate with an additional spotlight on interlinking systems, and be aware that sometimes the systems that you rely on as part of the plan could be down too!
Although it may seem overkill, a top tip is to ensure that everyone who might be part of an incident has a printed copy of the incident response plan at home and at work.
Ownership of the incident response plan should fall to a single owner plus a back-up deputy; their role is to run the plan and liaise with other stakeholders to prevent confusion and potential time wasting.
The owner also needs to track progress and ultimately note pitfalls to improve the plan for future incidents.
Taking time after the incident to review what worked and what didn’t is hugely important and must be rigorous; there’s no point having a plan that doesn’t evolve to meet ever-changing incidents.
Jack Chapman is vice president of threat intelligence at Egress.
The Computer Weekly Security Think Tank on incident response
- Mike Gillespie, Advent IM: Incident response planning is vulnerable to legacy thinking.
- Sam Lascelles, PA Consulting: Use existing structures to build your incident response plan.