A security crisis cannot be attributed to just one cause. Incidents may be the product of a complicated plan carried out by malicious hackers or of a simple employee mistake. Whatever the cause, the results are detrimental, and the ramifications of a breach may affect enterprise operations, reputation, and trust. BakerHostetler states in its 2016 Data Security Incident Response Report, “incidents do not discriminate—they affect all industries.” This is why every organization must prepare for a crisis: the consequences are severe and can end a business altogether.
Developing an incident-response (IR) plan is among the first steps toward breach preparedness in enterprise security. While company executives hold the ultimate authority for quick and final decisions in the case of a breach, the first step in developing an IR plan is assembling a primary IR team to write it.
Most companies have an IR plan, but the plans often fall short in their specifics; for some, it is a lack of specificity that makes the plan ineffective. Common shortfalls include an outdated plan, or leaving most of the work to one or two people (usually members of the IR team) who are the only ones who thoroughly know the response steps planned for that company during a crisis. As experts at McKinsey point out, “an effective IR plan [is] based on a framework for risk identification, decision making, and escalation paths across the whole business.” That framework begins with a strong IR team.
IR plans must be developed, documented, and practiced in every organization for stronger enterprise security. Drawing on guidance from the SANS Institute and ISACA, we have compiled a few guidelines to help establish a strong IR plan.
Preparation: Preparation for incident response begins with determining who is responsible for writing the plan. Once a primary IR team is established, it can construct a plan suited to how its company will respond to a breach. The team then educates users and IT staff on the plan and delegates the subsequent responsibilities. Coordinating IR responsibilities ahead of time ensures that no one has to question their role during recovery; every team member should know their role and have confidence in their ability to respond quickly and efficiently.

Identification: Identification determines whether an event is actually a security incident and, if so, to what extent. To gauge the severity of an incident, response teams may ask questions such as “Who does this event directly impact?”, “What business operations does this event impact?”, and “What are the potential widespread impacts of this event?” Crises vary in degree, and different levels of crisis require different amounts of attention, so IR plan developers need to define these severity levels in the company’s plan of action to avoid confusion among IR teams. Any event that may disrupt business operations or result in damage to the company’s name or its customers requires attention from the IR team.

Containment and Eradication: Limit the damage and stop the threat from spreading to other systems by isolating affected targets and removing them from production environments. If affected systems can be recovered, they may be returned to service after a “clean-up” process (removing the attacker’s access and any malicious artifacts) confirms that they pose no further threat to enterprise data and confidentiality.

Moving Forward: Incident documentation allows organizations to perform a thorough analysis of the security crisis after the fact.
IR planners should review and communicate the successes and failures of the plan as it was actually executed, so they can make improvements and prepare for future incident response efforts. The benefits of an IR plan include faster response times and greater resilience during a breach, increased enterprise credibility, and greater customer confidence. Even when every precautionary measure is taken to protect against breaches, attacks cannot be entirely prevented, and a strong IR plan must be in place to keep a crisis from escalating.