Life’s inevitable events include death and taxes. We should probably add “security incident” to that list of major milestones too, however, because no matter how well you protect your clients, sooner or later something will break down. When that day arrives, an incident response plan (IRP) will come in handy.
“An incident response plan is the coordinated, cooperative, and measured reaction of all essential personnel and stakeholders to a potential incident during the detect-mitigate-remediate-recover-adapt cycle,” says James Scott, co-founder and senior fellow at the Institute for Critical Infrastructure Technology, based in Washington, D.C.
Having an IRP “prevents knee-jerk reactions; protects digital assets according to their value; ensures the confidentiality, integrity, and availability of data; and preserves operational continuity,” Scott continues. “It also minimizes impacts and reputational harm, and expedites detection, mitigation, remediation, and recovery.”
Fewer than 10 percent of companies have a proper incident response plan, however, according to Jason McNew, CEO and founder of Stronghold Cyber Security, a security services specialist in Gettysburg, Pa. “If you go into Home Depot and ask any employee who the safety officer is, they know,” notes McNew, a CISSP who focused on cybersecurity in the Air Force. “If you ask who the security officer is, they don’t.”
Where to Begin?
According to Scott, a good IRP will include provisions for ensuring independent system redundancy, prioritizing assets according to value and potential impact if compromised, preserving cyberforensic evidence, controlling adversarial movement, contacting necessary law enforcement and governing entities, and publicly disclosing breaches. After the disclosure, organizations need to regain consumer trust, ascertain lessons from the incident, and implement iterative systematic changes based on comprehensive risk analysis, he adds.
The Center for Internet Security, the SANS Institute, and the National Institute of Standards and Technology all have templates you can use as a starting point for an IRP, McNew says, adding that most small businesses will be well covered with eight to 10 pages of IRP boilerplate. “Larger businesses will need something more in-depth with more security team roles defined,” he says. The more complex the business, the more complex the IRP and the larger the security team needs to be.
McNew points out that many compliance frameworks, such as the EU’s recently enacted General Data Protection Regulation and the federal government’s HIPAA law, not only require companies to have an IRP but specify particular requirements for it as well. In those cases, the boilerplate templates will need amending to meet those requirements.
All Hands On Deck
Who should participate in creating an IRP? “Everybody,” says McNew. “Safety policies are mandated by OSHA, and it should be the same for security policies. But it has to come down from the top and flow through the company.”
Scott counsels his clients to include a broad cross-section of people in the drafting process as well. “An information security team should develop the IRP with assistance from managers in each department, relevant C-level executives, and third-party stakeholders,” he says.
Testing that plan is also important. “Personnel should be led in regular drills whose frequency is determined by the value of the sensitive data and systems under their protection,” Scott says. Employees who conclude an actual incident has occurred should get appropriate managers involved immediately, McNew adds, “just like the Home Depot safety officer gets involved if an employee or customer is hurt.”
Of course, customers regularly resist good advice, and implementing an IRP is no exception. MSPs need to force the issue, however. “The biggest problem in preparing incident response plans is to actually make one,” McNew says. “Customers keep kicking this can down the road.”
One method McNew uses to overcome that resistance is to ask clients to sign a “decline of service” document in which they check off recommended security measures that they declined to implement. “If they refuse to let you protect them, at least protect yourself,” McNew says.