Ozue Esther Ifeoma

When your system is compromised, you generally have one chance to get the response right. Any mistakes made in the early moments of a cybersecurity incident can have a negative, cascading impact that will be difficult to recover from. Initial actions often determine whether the outcome is manageable, or chaotic and destructive. Having a predetermined plan is critical to avoiding those mistakes and mitigating damage.

Here are the steps to an effective cybersecurity incident response plan:

Develop goals:

Carefully describe the overarching goals of the plan. Having goals for each section will help those assigned to deliver on the plan understand the context of their assignment, and the reason for their actions.

Determine the people involved:

Be sure those expected to act are not just identified but fully informed and trained on their role in cybersecurity incident response. Describe, by role, who will do what in the event of an information security incident or data breach.

Identify discovery mechanisms:

Be sure to identify systems, activities and events that can be monitored or reviewed on a regular basis. Constant review to identify potential information security incidents quickly is critical.

Determine cybersecurity incident response triggers:

Identify as many common events that will trigger an investigation as you can. You don’t need to cover them all, but being thorough will help others to understand what they should look for and how to respond. Some possible triggers include:
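As an added illustration, not part of the original article, the following Python turns two documented triggers into checks that run over log lines, which is one way the "discovery mechanisms" and "triggers" steps above become something a monitoring team can actually execute. The log format, field names, thresholds and playbook names are all assumptions of this example; the sample log lines are constructed and do not come from any real system.

```python
"""Constructed example: incident-response triggers written as checks over
log lines. Log format, field names, thresholds and playbook names are all
assumptions made for this illustration, not a real log format."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:03Z auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:05Z auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:07Z auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:09Z auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:12Z auth OK user=alice src=203.0.113.5
2024-05-01T10:01:00Z auth FAIL user=bob src=198.51.100.7
2024-05-01T10:30:00Z auth OK user=bob src=198.51.100.7
2024-05-01T11:15:00Z group ADD user=svc-backup group=Administrators actor=bob
"""


@dataclass
class Event:
    ts: datetime
    source: str   # which log produced the line (auth, group, ...)
    action: str   # FAIL / OK / ADD ...
    fields: dict  # key=value pairs from the rest of the line


@dataclass
class Trigger:
    name: str
    ts: datetime
    details: str
    response: str  # which playbook the plan says to start (assumed names)


def parse_line(line):
    """Parse one line of the assumed 'timestamp source action k=v ...' format."""
    ts_text, source, action, *kv = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(item.split("=", 1) for item in kv)
    return Event(ts, source, action, fields)


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


FAIL_THRESHOLD = 5            # assumed threshold
WINDOW = timedelta(minutes=5)  # assumed window


def brute_force_then_success(events):
    """Trigger: at least FAIL_THRESHOLD authentication failures for one
    user/source pair within WINDOW, followed by a success from that pair."""
    triggers = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for ev in events:
        if ev.source != "auth":
            continue
        key = (ev.fields["user"], ev.fields["src"])
        if ev.action == "FAIL":
            failures[key].append(ev.ts)
            failures[key] = [t for t in failures[key] if ev.ts - t <= WINDOW]
        elif ev.action == "OK":
            recent = [t for t in failures[key] if ev.ts - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                triggers.append(Trigger(
                    "brute_force_then_success", ev.ts,
                    f"{key[0]} from {key[1]}: {len(recent)} failures then success",
                    "credential-compromise playbook"))
            failures[key] = []  # a success resets the counter either way
    return triggers


PRIVILEGED_GROUPS = {"Administrators", "wheel"}  # assumed list


def privileged_group_change(events):
    """Trigger: any account added to a privileged group."""
    return [Trigger("privileged_group_change", ev.ts,
                    f"{ev.fields['actor']} added {ev.fields['user']} "
                    f"to {ev.fields['group']}",
                    "privilege-change review playbook")
            for ev in events
            if ev.source == "group" and ev.action == "ADD"
            and ev.fields.get("group") in PRIVILEGED_GROUPS]


RULES = [brute_force_then_success, privileged_group_change]


def evaluate(text):
    """Run every documented trigger over the log and return hits in time order."""
    events = parse_log(text)
    found = []
    for rule in RULES:
        found.extend(rule(events))
    return sorted(found, key=lambda t: t.ts)


if __name__ == "__main__":
    for t in evaluate(SAMPLE_LOG):
        print(f"{t.ts.isoformat()} {t.name}: {t.details} -> {t.response}")
```

Each trigger names the playbook it hands off to, which is the link between the detection step and the "who does what" step of the plan: a rule that fires without a named owner and response is a notification, not a trigger. Bob's single failure followed by a success half an hour later falls outside the window and correctly produces nothing.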

Define breach determination methodology:

Describe the methodology of how you will determine if protected data was compromised based on the type of attack identified and the classification of the potentially breached data.

Activate the breach response team:

This will include members of the CSIRT but also any additional staff needed to respond in a breach’s aftermath. These staff members can be both internal and external, and could include technical staff, vendor representatives, legal and compliance officers, public relations and marketing.

Outline notification actions:

Notification requirements vary by federal statute, state law and data class. It is important to know the requirements for each class of data and their associated laws. Because there are so many different requirements, it is important to examine each carefully. It is strongly recommended that the basic process and contents be drafted well in advance.

Detail remediation efforts:

After an incident, there will often be remediation work required to return your organization to normal operations. This could involve reinstalling applications, rebuilding databases or host machines, changing network configurations and adding new monitoring services. Remediation should start as soon as possible to help prevent additional incidents triggered by the vulnerability, policy or procedure that allowed the incident to occur in the first place.

Develop reporting and documentation:

It is critical that you produce accurate and complete documentation of the events, actions and results that occur during a security incident. Be sure to spend time to accurately record exactly how the incident occurred and the company’s response. Keep copies of all communications and notifications, and document any and all activity related to the breach.

Review policy and procedures:

A significant security incident or breach is a great opportunity to improve data protection policies and procedures. Take the opportunity to consider what happened to allow the breach and how the company responded. Then consider and document ways to improve both.

Training and staff update:

Once you have created your cybersecurity incident response plan, you should train your staff consistently on their role in bringing it to fruition. If staff members are either unaware of or not familiar with the plan, you might as well not have one. A lack of training can lead to inaction, delays and mistakes that are avoidable and incredibly costly. Empower your employees to be confident and ready to act when the inevitable occurs.

