Five Key Components of an Incident Readiness Strategy
“Be prepared” is not only the motto of the Boy Scouts of America, but a key theme for incident readiness activities. Incidents are inevitable in any organization. An effective incident readiness strategy can be the difference between a materially impacting incident and one that is considered a minor business interruption. There are many aspects and components of an effective incident readiness strategy that may be considered, but the following 5 are essential to successful incident preparation and navigation:
1. Communication plans—The first 72 hours of any incident are often the most crucial, most challenging and most ridden with mistakes. If the incident is obvious or material in nature, both internal and external audiences will be extremely interested in information and updates. During these critical hours, it is important that communication is consistent to all audiences and that only factual, required information and updates are communicated. For this reason, communication plans should be scripted in advance and templates should be produced with the ability to be quickly populated with pertinent information.
Initial communications, also known as “zero-hour” communications, should be developed and approved in advance so that they can be released immediately upon the incident response leader’s authorization. This initial set of communications should acknowledge that the organization is actively investigating an event that has occurred and will provide an update at a defined, scheduled time and place. Zero-hour communications allow the organization time to investigate the event and to understand the scope and details involved. They also allow time to identify which information should be communicated and which should be kept confidential as the investigation continues. Beyond initial communication planning, it is important to develop strategies to address different audience types and media. There may be contractual obligations in place for partners and customers of an organization regarding incident communications (e.g., detailed updates within defined periods of time). Additionally, if the incident involves the health and safety of facilities or personnel, it may be important to consider whether communications should be presented in person by an organizational leadership spokesperson or through written communication.
2. External support—It is important to establish relationships with external support services, individuals and entities in advance of any incident. Pertinent entities may include outside legal counsel, public relations firms with crisis management expertise, incident response consulting support, insurance carriers, technical forensic organizations, physical security support and law enforcement personnel. Establishing these relationships in advance can save an organization time and money. Attempting to identify external support resources and implement agreements to work with them during an incident can be both time consuming and expensive.
It is recommended that organizations establish retainer relationships with these firms and have regular interactions with them to ensure they understand the organization’s business operations, culture, risk tolerances, and key business activities and relationships. It is also recommended that these groups (other than law enforcement) be involved in incident readiness scenario-based tests, which should be conducted annually at a minimum, and biannually or quarterly if possible.
3. Incident response playbooks—Incident response playbooks should include simple and highly prescriptive guidance to address broad-spectrum incident response concerns and issues for at least the first 72 hours after an incident has occurred. This time period is often considered the “shock and awe” period, and individuals at the organization, including those leading the response, will often be under considerable stress. Critical mistakes and lapses in oversight are common in the shock and awe period because of these high-stress conditions. For the period following these first 72 hours, playbooks should also outline checklists, frameworks and materials that can be used to provide operational guidance, minimize business disruption and ensure a comprehensive, effective response.
Incident response playbooks should be developed for specific incident scenarios that an organization has identified through threat and vulnerability analysis activities. They should reflect incidents that have both a high likelihood of occurrence and material business impact. These detailed playbooks should include step-by-step actions and checklists for response activities associated with threat scenarios that can be practiced and polished in advance of an actual incident occurrence. Incident response playbooks can be developed for the following example scenarios: data breach, insider attack, denial of service, active shooter and ransomware.
4. Alternative communications—A common oversight in incident readiness plans is the availability of alternative communications platforms and capabilities for private and secure communications during an incident response. These platforms and capabilities should be separate and distinct from an organization’s standard messaging platforms so the attack does not affect them. Their availability is especially important in incidents where insiders may be involved. An insider may have access to the organization’s traditional messaging infrastructure and the ability to covertly monitor ongoing incident response communications, but an attacker should not have access to private and secure alternative communications.
An easy and cost-efficient way to enable alternative communications platforms and capabilities is to register a separate Internet domain name for use in emergency communications (e.g., organizationname.io). This domain’s mail exchanger (MX) record may then be associated with a cloud provider’s email service, such as Microsoft Exchange Online or Google Gmail for business. Email-, chat- and video conferencing-enabled user accounts for this platform can then be provisioned for members of the incident response team and key business leaders and stakeholders.
The administration of these services should be performed by an outside group separate and distinct from the organization’s own IT personnel to ensure its integrity. Applications such as the “Signal” secure messaging application by Whisper Systems can be used for point-to-point secure and private voice and text communications on mobile devices.
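The value of the separate emergency domain depends on it sharing no infrastructure with the primary domain: if its MX hosts or its authoritative nameservers live on the same platform the IT department already runs, an insider or intruder with access to that platform can read or disrupt the out-of-band channel too. The following script, added here as an illustration and not part of the article, checks that independence. It compares the provider behind each domain’s MX and NS records and flags any overlap. The domains, the DNS records and the `constructed_lookup` function are all constructed sample data; the provider heuristic (the last two labels of each host name) is a deliberate simplification, and for real use the lookup would be replaced by a resolver such as dnspython.

```python
"""Check that an emergency-communications domain is infrastructurally
independent of the primary corporate domain (added example, constructed data).

Independence here means: the MX hosts resolve to a different provider than the
primary domain's MX hosts, and the authoritative nameservers are run by a
different provider as well. A shared provider on either axis means the
"alternative" channel is reachable from the same administrative plane as the
primary one, which defeats its purpose during an insider incident.
"""
from typing import Callable, Dict, List, Tuple

# Constructed DNS data for the example; none of these domains are real targets.
# MX values keep the "priority host" form a resolver would return.
CONSTRUCTED_RECORDS: Dict[Tuple[str, str], List[str]] = {
    # Primary domain: on-premises mail, corporate-run nameservers.
    ("example-corp.com", "MX"): ["10 mail1.example-corp.com.", "20 mail2.example-corp.com."],
    ("example-corp.com", "NS"): ["ns1.example-corp.com.", "ns2.example-corp.com."],
    # Good emergency domain: cloud mail, DNS hosted by a third party.
    ("example-corp.io", "MX"): ["0 example-corp-io.mail.protection.outlook.com."],
    ("example-corp.io", "NS"): ["ns-cloud-a1.googledomains.com.", "ns-cloud-a2.googledomains.com."],
    # Bad emergency domain: cloud mail, but DNS delegated to the corporate nameservers.
    ("example-corp-alt.io", "MX"): ["0 example-corp-alt-io.mail.protection.outlook.com."],
    ("example-corp-alt.io", "NS"): ["ns1.example-corp.com.", "ns2.example-corp.com."],
}

LookupFn = Callable[[str, str], List[str]]


def constructed_lookup(name: str, rtype: str) -> List[str]:
    """Stand-in resolver returning host names only (priority stripped from MX).

    A production version would call, e.g., dns.resolver.resolve(name, rtype)
    from dnspython and extract the exchange/target from each answer.
    """
    return [rec.split()[-1] for rec in CONSTRUCTED_RECORDS.get((name, rtype), [])]


def registrable_domain(host: str) -> str:
    """Simplified provider key: the last two DNS labels of a host name.

    This ignores public-suffix subtleties (e.g. co.uk); it is enough to tell
    outlook.com apart from example-corp.com for this check.
    """
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def providers(hosts: List[str]) -> set:
    return {registrable_domain(h) for h in hosts}


def check_independence(primary: str, emergency: str, lookup: LookupFn = constructed_lookup) -> dict:
    """Compare MX and NS providers of two domains; report overlap per record type."""
    report: dict = {}
    for rtype in ("MX", "NS"):
        p = providers(lookup(primary, rtype))
        e = providers(lookup(emergency, rtype))
        report[rtype] = {
            "primary": sorted(p),
            "emergency": sorted(e),
            "shared": sorted(p & e),
        }
    # Missing records are a failure too: an emergency domain with no MX cannot receive mail.
    report["independent"] = all(
        report[r]["emergency"] and not report[r]["shared"] for r in ("MX", "NS")
    )
    return report


if __name__ == "__main__":
    for candidate in ("example-corp.io", "example-corp-alt.io"):
        result = check_independence("example-corp.com", candidate)
        status = "independent" if result["independent"] else "SHARES INFRASTRUCTURE"
        print(f"{candidate}: {status}")
        for rtype in ("MX", "NS"):
            print(f"  {rtype} shared providers: {result[rtype]['shared'] or 'none'}")
```

Run against real domains, the same check can be repeated after every DNS change to the emergency domain, since the most common way the separation erodes is a well-meaning administrator later moving the emergency domain’s DNS or mail back under corporate management.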
5. Incident response leadership structure and working groups—Incident response activities can be very chaotic and stressful if not thoughtfully organized and orchestrated in advance. It is important to develop leadership models and responsibility hierarchies that include incident response leadership, working group leaders and members, subject matter experts, and supporting personnel (both internal and external). These models and their organizational hierarchy should be situational and incident-type based instead of focused on existing organizational charts. For instance, in the case of a cyberattack it is likely that the chief information security officer (CISO) will take on an incident leadership role, whereas in a data breach or ransom-based attack the chief legal counsel (CLC) is more likely to become the incident response leader, supported by the chief security officer (CSO) and other key personnel and stakeholders.
Working groups should also be defined for identified threat scenarios as part of incident readiness planning. Working groups’ scope, responsibilities, communication plans, competency requirements and staff identification (both internal and external) should be defined in advance to ensure appropriate coverage is available to efficiently respond to different incident types. Working groups should be tasked by the incident response leadership to focus on specific areas of incident response simultaneously to allow for efficient and effective response activities. Examples of working groups can include, but are not limited to: technical and forensic investigation, communications, human resources, legal and compliance, and customer relations.
As you can see, being prepared involves many components in incident response. Communication plans, external support, incident response playbooks, alternative communications, incident response leadership structure and working groups all need to be coordinated before an incident occurs. While incidents may be inevitable, an effective, predetermined incident readiness strategy can be the difference between a materially impacting incident and a minor business interruption.
John P. Pironti, CISA, CRISC, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.
Using GRC Applications in Governance Framework Implementation Webinar
Governance, risk management and compliance (GRC) applications automate many governance functions and serve as document management systems. Implementing a governance framework with risk prevention measures is the first step to proper IT governance. Once you have a solution in place, you can begin to automate these processes. ISACA and Lockpath present the “Designing and Using Governance—Part II” webinar to demonstrate how enterprises can use a GRC application for managing their governance framework. This webinar takes place on 7 November at Noon CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.
Peter Tessin, CISA, CGEIT, CRISC, MSA, PMP(Ret), and Chris Swift, GRCP, will present the webinar. Tessin, senior manager for business technology, risk and compliance at Discover Financial Services, will use his experience with the COBIT 5 framework to show how GRC applications can help you manage your IT governance framework. Swift, product manager at Lockpath, will use his experience integrating platforms in an integrated risk management context to help demonstrate how GRC applications will aid you in your governance implementation.
To learn more about this webinar or to register for it, visit the Designing and Using Governance—Part II page of the ISACA website.
Webinar on What to Test Before Buying Your Next-Generation Firewall
How do you ensure that the next-generation firewall solution you invest in today meets your organization’s networking, performance and security needs? Test it before you buy it. Your next-generation firewall should enable more than just application- and user-based security policies. To help you prepare for your next-generation firewall purchase, ISACA and Palo Alto Networks present the “10 Things to Test Before Buying Your Next-Generation Firewall” webinar to share the 10 capabilities to test before you buy your next-generation firewall and the top mistakes to avoid. This webinar takes place on 17 October at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.
Navneet Singh, product marketing director at Palo Alto Networks, will lead the webinar. Singh will use his experience helping customers transition from legacy to next-generation security technology to help you find the best firewall solution for your enterprise needs now and in the future.
To learn more about this webinar or to register for it, visit the 10 Things to Test Before Buying Your Next-Generation Firewall page of the ISACA website.
Learn to Use the COBIT 5 DMM Practices Pathway Tool in This Webinar
ISACA and the CMMI Institute just released the COBIT 5/DMM Practices Pathway Tool. The tool provides IT data practitioners with guidance on how to deliver additional value to stakeholders by strengthening process designs. Users will be able to utilize organizational resources more effectively, measure performance more accurately and lower costs through stronger governance. The COBIT 5/DMM Practices Pathway Tool is bidirectional, allowing practitioners to connect individual practices or sets of practices from either COBIT 5 or DMM and harmonize them with relevant practices from the other. You can search content by domain, process area or practice.
To guide your understanding of the structure of the tool, how the tool was built and what purpose it serves, ISACA presents the “Leveraging COBIT 5 and DMM” webinar. This webinar takes place on 26 October at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.
Peter Tessin, CISA, CGEIT, CRISC, MSA, PMP(Ret), senior manager for business technology, risk and compliance at Discover Financial Services, will present the webinar. Tessin will use his comprehensive COBIT 5 background to provide practical examples of using the tool and open the discussion to better address your enterprise’s needs.
To learn more about this webinar or to register for it, visit the Leveraging COBIT 5 and DMM page of the ISACA website.
Listen In: Security in a Multi-Modal Era Podcast Now Available
The monthly ISACA Podcast features industry leaders sharing their insights on IS audit, governance and security. ISACA’s most recent podcast, “Information Security Matters: Information Security in the Multi-Modal Era” is an interview with ISACA and Steven J. Ross, CISA, CISSP, MBCP, information security matters columnist for the ISACA Journal. In this podcast, Ross explains the information security challenges associated with the movement of enterprise data from business-owned data centers to third-party centers and the cloud.
In addition to interviews with ISACA’s information security matters columnists, the ISACA Podcast also features guests who have written ISACA Journal articles and contributed to ISACA white papers. The podcast covers a range of subjects, from social media risk to sustainable IT to auditing Agile. To ensure you never miss an episode, subscribe to the ISACA Podcast on iTunes, Google Play or SoundCloud to be automatically notified when a new episode is available.
To learn more about the podcasts or to subscribe to them, visit the ISACA Podcast page of the ISACA website.
Discover Cyber Security Training at Half the Price
Expand your cyber security skills with hands-on training whenever and wherever you want using real-world scenarios in a live network environment. Cybersecurity Nexus (CSX) Practitioner courses allow you to do this online while building deep technical abilities essential for the role of professional cyber security first responder. These courses align with the globally recognized US National Institute of Standards and Technology (NIST) Cybersecurity Framework domains and include:
From now until 30 November, when you sign up for a CSX Practitioner virtual, self-paced training course, you will save 50% off the standard price. If you sign up for 2 CSX Practitioner virtual, self-paced courses, you will receive the third for free. If you are interested in learning more or have already mastered courses 1, 2 and 3, consider taking the CSX Accelerated Cybersecurity Skills Training Course. It will enable you to grow and develop your CSX practitioner skills even further.