Incident Response – Being Prepared for the Worst-Case Scenario

It is no secret that in today’s world, information is more at risk than ever before. Unfortunately, we now must deal with the realization that it’s not if an attempted breach will occur on your network, but rather when. Despite an organization’s best efforts to secure networks and information, human error and system vulnerabilities will continue to exist. Considering that reality, organizations must be sure to prepare an actionable plan for when the worst-case scenarios play themselves out.

Incident response is the process of establishing a plan for responding to these worst-case scenarios. The ability of an organization to react to and contain incidents in a prompt and efficient manner is equally as important as the tools and procedures that are put in place to prevent such scenarios. This means not only having the tools in place to detect potential threats, but also having the personnel on hand to respond and react efficiently.

Who needs incident response?
In short: everyone. All businesses have intellectual property, personally identifiable information (PII), financials or some form of sensitive information that can be dangerous when in the wrong hands. Establishing an actionable plan will result in faster response times and minimize damages as a result of an incident.

The potential risks your organization faces as the result of poorly responding to an incident are vast and may vary based on industry. That said, below are some of the more common risks to consider when evaluating the value of your organization’s incident response plan:

Operational risks. An incident such as a system breach could result in critical systems and applications becoming inoperative. This may lead to a loss of core business functions (such as a production line being shut down) as well as potential security vulnerabilities.

Reputational risks. Responding poorly to an incident can have severely negative impacts on your organization’s public image, as well as in the eyes of your current and potential customers/clients.

Compliance risks. In some instances, an incident may result in an inability to meet regulatory requirements and introduces the potential for fines and/or penalties from governing bodies.

Financial risks. All the previously mentioned risks have the potential to result in negative financial impact to your organization. These, along with the potential for lost assets, the cost of repairs, legal fees and other unexpected costs should be considered.

Determining the components of a successful incident response plan will vary from business to business, but at its core should deliver the following:

• An executive commitment and endorsement of the incident response initiative
• An Incident Response Team (IRT) comprised of members with varying areas of expertise ranging from IT to legal and communications
• A defined communication plan
• A plan to support, maintain and test the incident response plan on a regular basis
• An organized, structured approach that clearly defines the roles and responsibilities for all parties involved
• A clearly stated definition of what an incident means to your organization and how incident response aligns with existing organizational security efforts, such as business continuity and disaster recovery plans
• A well-defined plan on how to monitor and analyze potential threats to the environment
• An operation plan that defines how incidents are declared and initial steps for information gathering
• A post-incident process for lessons learned and process improvement

A successful incident response program should align with standards set forth by the National Institute of Standard and Technology (NIST), the International Organization for Standardization (ISO) and the Information Technology Infrastructure Library (ITIL).

Joe Gates, Senior Security & Controls Advisor, The Mako Group LLC

[ISACA Now Blog]