Summertime is all about BBQs, travel, annual system upgrades and documentation review. Consider including incident response planning as part of the rhythm of summer. Utilizing the updated National Institute for Standards and Technology (NIST) incident response lifecycle, consider how your organization will prepare for future incidents. Do you have defined procedures for detection and analysis of potential incidents? What process is followed to contain a cyber incident, to keep it from getting worse? In the case of compromise, how will the threat be detected and what criteria show that systems and services can be recovered to restore operation? And finally, how can the organization learn and improve from incidents? Create or review your organization’s cyber incident response now, to help the organization navigate cyber incidents successfully.
This first of two-part articles includes tips for the Preparation aspects of incident response. Next week’s blog will explore the Respond, Detect and Recovery aspects of an incident plan as well Lessons Learned.
Preparation
Govern
The revised NIST guide to incident response stresses that incident response is most effective if the organization has policies and procedures in place. Cybersecurity and technology policies and procedures define expectations and processes for keeping the organization’s information safe. Governance practices can help prevent or reduce the scope of incidents. For example: if an organization has a password policy which designates that all passwords must be unique/not re-used across systems, users can then be trained and expected to avoid password reuse. One system compromise has potentially less impact than compromise of multiple systems.
To get started on or fine-tune cybersecurity policies consider policy templates (included in Resources, below).
Identify
It has been said by many: You can only protect what you know about. The identify concept includes asset and data inventory. Cut out chaos in an incident response by having a readily accessible and complete list of:
- Hardware
- Virtual systems
- Software (on premisis AND cloud)
- Sensitive and critical data
- Updated network diagram(s)
Done with all of this? The Identify element of cybersecurity also can include defining risk and business impact analysis.
Protect
In addition to documented policies and procedures, safeguards help enforce policies and prevent or minimize incidents. Safeguards examples include access control, system backups, user training, baseline configurations and system patching. Safeguard libraries such as NIST CSF 2.0 or CIS Controls provide specifics.
Preparation Elements of the Incident Response Plan
Before an incident occurs, is the organization planning for incident response? Consider these aspects to include in the Incident Response Plan to better prepare for incidents:
- Organization’s definition of “cybersecuirty event” vs “cybersecurity incident”.
- Incident response roles and specific duties for each role, including at a minumum:
- Incident Leader
- Technical Expert(s)
- Communication Leader
- List of all the organization’s cyber incident response team members, including names, roles, contact information (cell phone numbers may be helpful).
- List of third party contacts for critical services and systems. (Tip: include general or department contact information for vendor organizations rather than only specific customer representative contact information.)
- Contact information for external organizations who can assist with incident including:
- Cyber insurance
- Law enforcement (examples: regional law enforcement Fusion Center cyber division or state Homeland Security, FBI, etc.)
- Incident documentation expectations and a documentation template.
- Expected frequency of tabletops to test the plan and dates of previous tabletop exercises.
- Version control notes for dates and changes made to the Incident Response Plan.
See next week’s MOREnet Cybersecurity blog article for tips related to the Respond, Detect, Recover, and Lessons Learned aspects of incident response.
Resources
- National Institute for Standards in Technology (NIST) Glossary (for example definitions of “cybersecurity incident” and “cybersecurity event”)
- NIST 800-61 Rev. 3 Incident Response diagram
- Center for Internet Security (CIS) Critical Security Controls
- CIS Controls Policy Templates
- SANS Cybersecurty/Information Secuirty Policies and Standards
- NIST CSF 2.0 Resources
