Incident Response Plan Guidelines

Effective communication and collaboration are vital to shortening the mitigation timeline of incident response (IR) efforts. Communication during normal day-to-day operations may be well established in your organization, but there is a clear difference between organizations that proactively prepare communication procedures for incident response and those that simply wait and try to address things on the fly. The difference is usually easy to spot when evaluating how effectively information is passed between incident response teams, vendors and third-party support during an incident.

With this in mind, I present a few questions you should be asking yourself and your organization, as well as any other parties supporting your organization, from an incident response perspective.

(FYI: If you answer "no" or "I don't know" to any of these questions, you probably have some work to do.)

The top 10 questions you need to answer before a security incident occurs:

  1. Who are my organization’s primary incident response team members?
  2. Who are my secondary IR team members? (in the event the primary responders are out sick, on vacation, etc.)
  3. Who is my escalation point at my ISP in the event of a DDoS attack? (Not the 1-800 number for first tier support, but the people you need to speak with to implement blocking and other ISP capabilities.)
  4. Who is my direct contact at my Managed Security Service Provider and what capabilities do they have to support my efforts?
  5. Does every member of the incident response team have this information (team members, communication lines and escalation contacts) so that any member can act in times of crisis?
  6. What are my extended communication plans with hardware and software providers (border router, firewall, load balancers, web application firewall, DDoS mitigation)?
  7. Do I have a plan to stand up and invite all of these teams to an incident response conference bridge if I experience an incident?
  8. Do I have an alternate communication plan if the attack is focused on crippling regular means of communication (email, phone, conference bridge availability)?
  9. Does my organization have internal communication channels established for instant messenger type functionality?
  10. Who is the incident manager during an incident? This question becomes complicated when multiple third parties are in the mix. What is the expectation for sending updates to them and receiving updates from them?

Hopefully, you are able to answer these questions with confidence. I suspect, however, that many readers will find it a challenge to answer them with authority.

Remember, even if you can answer the questions with a certain level of comfort, that does not mean the process will work. One way to test the plan is to wait for an incident and then determine how effective your communication plan was, but that isn't a particularly proactive approach. Alternatively, you can stage tests of the plan by simulating real attacks. Solutionary currently offers clients and prospects walk-throughs of personalized attack scenarios. In either case, reviewing the performance of the plan will tell you how much work you need to do to cover the gaps.

A little planning goes a long way, but a lot of planning goes even further. When it comes to effectively mitigating security incidents, identify your gaps through thorough planning, then close them before they result in an incident.

via Incident Response Plan Guidelines | Solutionary.


Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of the author. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided "as-is". The author shall not be liable for any damages whatsoever arising out of the content or use of this blog.