When’s the last time you looked at your incident response plan?

Security is broad. That is evident in, for example, the Security Rule within the Health Insurance Portability and Accountability Act, a central compliance concern for any organization handling the health data of U.S. citizens. That rule specifies the need for three types of protections, which it calls technical, administrative, and physical safeguards.

Related to data best practices, that tripartite line of defense applies to all organizations, not just ones that are in highly regulated industries – so you need a privacy-concerned administrative processes, real technical protection for data environments, and legitimate physical protections of all systems that handle data and any paper records. Core to administrative protections for an organization is the incident response plan since that is your way to be prepared for anything that may arise with a step-by-step procedure to be followed.

Upgrading your IR plan for 2019 and beyond

You probably already have an incident response plan. You can certainly benefit from optimizing it if you have not done so lately. Here is some advice on getting started with an IR plan and improving its contents to account for an increasingly threatening digital landscape. After all, on Tuesday, January 22, the Cybersecurity and Infrastructure Security Agency (CISA), a division of the US Department of Homeland Security (DHS) released Emergency Directive 19-01, "Mitigate DNS Infrastructure Tampering." Various executive branch agencies had reported to the DHS that they had been targeted with DNS hijacking attacks.

That is just one situation; compromises occur too often, and the correct first actions are not always taken. In such a hostile data security climate, it can be a strong move to make improvements to your incident response plan. Six key steps to improving your IR posture follow, in no particular order.

Step 1. Actually write a plan.

The first step to improving your plan is making sure it is not just in your head but on paper, and in sufficient detail to avoid confusion if an emergency does occur. However, you actually do want to be careful with overdoing detail – since it can become difficult to respond to a specific situation with a set of cookie-cutter steps that may not completely apply. By testing, you can improve your IR plan over time so that you get granular enough without handcuffing the people trying to respond once the plan is active. Make sure that your plan defines incidents, gives escalation information related to more extreme scenarios, lists the chief stakeholders in the response, and states specific people who are ultimately the accountable people for incident response. These procedures and information are provided as high-level response actions for each of various common situations (such as email phishing).

Step 2. List your key systems.

List your mission-critical data and systems. You want to know where the baby is, in a way, when an incident occurs. Knowing where your most critical and "precious" data is immediately is achieved by constructing a list of mission-critical data systems with locations. You can build your defenses around those systems and know they are your first points of action. It is very important that this list is regularly updated alongside the IR plan, as indicated by a Notre Dame professor of IT, operations and analytics, Mike Chapple, MCDBA, CISA, CISSP. "Security pros should take the time to validate this asset list and determine whether the organization’s current business environment warrants adding or removing items from the inventory," said Prof. Chapple.

Step 3. Figure out how you will do damage control.

Prevention is about avoiding security events entirely. When an incident occurs, you are concerned with 100% mitigation but also with containment. Be reasonable and contain if necessary while you work at full expulsion and, eventually, recovery. Think in terms of what you can do right away to keep the problem from worsening. Containment means keeping the number of impacted systems and users as low as possible.

Step 4. Expand the way that you test your IR plan.

You can reveal what is weak in your plan by testing it rigorously and seeing where your strategy is insufficient (which could be as simple as delayed communication). Testing should be robust and multi-faceted. There are different ways to test, and improving your approach means going beyond the out-of-the-box approach: simple penetration and red team testing. Make your strategy more sophisticated by widening it to go beyond the emphasis on technology and process to your people by including social engineering. Additionally, widen the umbrella of systems by encompassing your branches, web apps, mobile devices, and Wi-Fi networks. You can even improve your IR testing by having the red teamers compromise the weaknesses they discover instead of simply finding and reporting them (although obviously within strictly defined parameters).

Step 5. Work with management.

As indicated by Joan Goodchild in Security Boulevard, the legal department and your C-level management should be part of the IR plan and also clued in on test results. It is simply not worth it to have poor practices that you are failing to fix, even if it is awkward to talk about it when things go wrong. Keep the top leadership aware of everything you discover so they can adjust as necessary.

Step 6. Set up incident response on retainer.

One decision that most organizations make is to involve, at some level, outside organizations to help them implement their IR plan or be prepared to help launch it in the event of an attack. Having IR expertise on retainer may sound excessive; however, Prof. Chapple noted that it can be a good idea so everything is in place. You may be large enough that you want someone internal who is in charge of incident response; however, that person typically needs help. "Responding to a security incident requires skill and expertise in the discipline of incident response as well as in the specific technical domains impacted by the incident," noted Prof. Chapple.

Help shouldering the burden of IR

While all the above steps are important, you may find the last one is the first step, since it will give you further guidance to work with an expert. Do you have an incident response firm on retainer? When you are attacked or when a system fails, time is of the essence. Partner for ongoing protection.

Nathan Little, VP of Digital Forensics and Incident Response, Gillware Data Recovery

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.