Find out some of the essentials to include in your incident response plan.
|By: David Ellis|
Director of Forensic Investigations
CISSP, QSA, PFI
- Identify and prioritize your assets
- Identify your potential risks
- Establish procedures
- Assemble a response team
- Sell your plan to the company decision-makers
When it comes to creating an incident response plan, it can seem a little overwhelming. Breaking it down into smaller components can help relieve some of your stress by making the project more manageable. Every business is different and will require different types of training, documents, policies, etc. that are tailored to your company’s specific needs. But there are a few things most businesses should include in their incident response plans.
A helpful way to organize your incident response plan is to have a series of itemized response lists. These are basically a series of “to-do” lists that provide needed information and tasks to perform during a data breach.
SEE ALSO: How to Manage a Data Breach: 5 Steps to Keep Your Business Safe
Here are 5 itemized response lists you’ll want in your incident response plan.
1. Emergency contact/communications listThis list includes those that should be contacted in the event of a data breach. Those notifications could include:
- Response team
- Executive team
- Legal team
- Forensics company
- Public Relations
- Affected individuals
2. System backup and recovery processes listThis list will help you deal with the technical side of a data breach. Here are some things that should be included:
- Process for disconnecting from the Internet (Your processes need to state who is responsible to decide whether you disconnect or wait and see)
- System configuration diagrams that include device descriptions, IP addresses, OS, etc.
- Process for switching to redundant systems and preserving evidence
- Steps to test the system backup and verify it hasn’t been compromised, and that it will not be affected by the suspected compromised systems
3. Forensics analysis listThis list is for businesses that have in-house forensic investigations resources. Your team will need to know the areas where to look for strange behavior and have access to system security and event logs. Some of the tools your team will need may include:
- Data acquisition tools
- Clean/wiped USB hard drives
- Cabling for all connections they could experience in your environment
- Forensic analysis tools such as, EnCase, FTK, X-Ways, etc
SEE ALSO: What Does a Cyber Forensic Investigation Do and How Much Does It Cost?
4. Jumpbag listThis is a list for grab-and-go responses. When responding to a breach quickly, have a list of overall actions your employees need to take right away. It keeps the plan organized and prevents mistakes caused by panic. Some things to include in this list are:
- Incident handler’s journal to document the incident
- Incident response team contact list
- USB hard drives and write-blockers
- USB multi-hub
- Flashlight, pens, notebooks
- All of the lists mentioned in this article
- USB and/or DVD-ROM containing bootable versions of your OS
- Computer tool kit
- Forensic tools and software (if your company has the expertise to perform its own forensic investigations—if not, this is best left to professionals)
5. Security policy review listThis list deals with the aftermath of the breach and the response to it. It essentially helps your organization analyze the breach and what you can learn from it. This list should include documentation of the following things:
- When the breach was detected, by whom and what method
- Scope of the incident/affected systems
- Data that was put at-risk
- How the breach was contained and eradicated
- Work performed or changes made to systems during recovery
- Areas where the response plan was effective
- Areas that need improvement
Be preparedYou don’t want to have the mentality that you’re protected because you believe that a data breach won’t happen to you. Experiencing any data breach is harsh. If you aren’t prepared in advance, the damaging affects of the breach will be more severe. When you have an incident response plan (and rehearse it), should the worst happen, your employees and your business will be able to handle it.
Talk to us about getting a forensic examination!
David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.