In my previous post I wrote about enhancing an IR plan as vital factor to survive today’s cyber-threat. Another key component is the value of human and process elements in an incident response plan.
The human element of the IR plan should not be under-estimated and instead should be viewed as playing a fundamental role. The ‘golden Triad’ of People, Process and Technology is a serious consideration when attempting to accomplish the objectives of an IR plan. When specifying, creating and maintaining the team responsible for IR, it is imperative that suitably skilled and experienced individuals are considered including:
- Individuals trained using the policies and procedures that govern the operational activities of the Computer Incident Response Center (CIRC);
- In-depth expertise and skills in network, system and application security that take also into consideration the types of incident that typically occur within the organization and know the risk exposure and tradeoffs when handling an incident;
- Cross-functional, which includes members drawn from multiple departments in the organization, assembled on a temporary basis to work on specific high severity incidents or short term goals.
Having successfully identified and resourced an IR team, it is critical that the IR plan is supported by documented, robust and repeatable processes.
Furthermore, it is essential that the IR plan itself is well communicated, regularly updated and tested, whilst additional process should include:
- Formalized incident categories based on the risk impact to business functions and systems;
- Procedures and workflows should be implemented for each incident type through the definition of Standard Operating Procedures (SOP) including the prioritization, thresholds notification, and assignment of decision-makers;
- Incidents must be tracked and appropriate employees need to see the status of their resolution. Incidents must be monitored at any point;
- Tailored, meaningful and Specific/Measurable/Attainable/Realistic/Timely (SMART) metrics must be implemented to effectively align business and risk management objectives. Without distinguishing operational and management metrics the organization may fail to measure the effectiveness of the IR plan;
- Procedures shall exist for the involvement of an external specialized team that can supplement the technical skills or even the internal IR team, when new or complex incidents are detected;
- Service Level Agreements (SLAs) should be defined;
- Workflows to integrate post-incident and threat intelligence data in the security IT ecosystem should exist;
- Incident response testing exercises should be conducted across all incident severities and procedures should be consistently followed and non-compliance activities should be tracked.
Finally, it is important to constantly update and test the IR plan, the need for which is based on an important consideration of IR, yet often omitted, ‘lessons learnt’.
In essence, a successful IR function should apply the knowledge gained from past incidents in order to better handle future incidents. While performing this iterative process, commonalities will also be identified which should be automated where possible. For example, the automation of data collection exercises or remediation activities that do not require further investigation should be handled without the need for, or minimal, human interaction. Through the creation of repeatable process and automation, we will reduce the effort needed to address common incidents and provide capability to handle the uncommon.
Protecting an organization and being able to respond to an incident is an ongoing and daily activity that requires a structured and coordinated approach. Do not leave anything to chance.