In the previous post, we discussed why incident response is an essential component of IT security, and why it plays such an important role in minimizing the damage of the inevitable security breach. Despite that value, only a small share of enterprises report being fully satisfied with and confident in their incident response capabilities, and every hour of delay in a response means more lost data, higher costs and further erosion of trust among business partners and customers.
Even organizations that do have an incident response plan may find that it is useless in the wake of a security breach. That is why it is critical to go through the necessary steps to determine whether the plan will actually work when an incident occurs, before one does.
The first step is to conduct an incident response readiness assessment. Make sure "incident" is clearly and specifically defined, distinguishing a security incident (an event that actually violates policy or compromises the confidentiality, integrity or availability of a system or data) from the routine security events that monitoring and operations should handle, so your incident response team doesn't waste time investigating events that shouldn't involve them. In addition to reviewing your incident response plan, review the documentation it depends on: security operations procedures, documented baselines of normal system and network behaviour (without which "abnormal" cannot be recognized), and escalation plans with named roles and contact details.
Your readiness assessment should also include a review of corporate policies for protecting sensitive corporate data, such as intellectual property, trade secrets and trademarks, as well as policies for safeguarding customer and business partner information. Another key component is regulatory compliance. You need to ensure that your incident response strategy meets regulatory requirements; the notification deadlines and record-keeping those requirements impose also give the plan concrete timelines and evidence-handling steps, which tends to improve its effectiveness.
For example, the Payment Card Industry Data Security Standard (PCI DSS) requires companies that process credit card payments to meet specific requirements to protect cardholder data. PCI DSS requires that an incident response plan exist and be tested at least annually (Requirement 12.10), but it does not prescribe how an individual incident is to be managed; in practice, it is a poorly handled breach, and the forensic investigation that follows it, that exposes an organization that never actually met the compliance requirements. On top of the standard, the individual payment card brands have their own breach-notification and investigation procedures that merchants are expected to follow. Failure to meet those requirements can result in heavy fines and the loss of authorization to process credit card payments.
A comprehensive review of network security is an important part of an incident response readiness assessment. This should include an evaluation of not only security software, but security personnel and processes. Assess the current state of network and data visibility, perimeter defenses, network segmentation, access controls, reporting, alerts, employee training and responsibilities, and other components of your security strategy.
Once you've assessed your incident response readiness, you have to practice executing your plan. One option is a tabletop exercise: present your incident response team with a hypothetical incident and walk through the process of responding, step by step. A more valuable but more time-consuming exercise is to plant a harmless but detectable artifact, such as the EICAR anti-virus test file, on a network system and observe what actually happens: whether detection fires, who is alerted, how long it takes them to act, and whether the escalation path in the plan is the one people really use. This tests your technology, people and processes together, providing a more accurate picture of your incident response plan's effectiveness. Make sure at least one person in the escalation chain knows it is a drill, so that a containment step such as isolating a host does not disrupt real services.
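The detection half of such a drill can be measured rather than eyeballed. The following script is an added example, not code from the original post: it writes the EICAR test string to a scratch directory, records the drop time, and polls until the endpoint protection product quarantines the file (it disappears or becomes unreadable) or a timeout expires, reporting the time-to-detection and the file's SHA-256 so you can search your EDR or SIEM for the corresponding alert. The function names, the directory, the file name and the timeouts are the author's assumptions; the reference hash is the published EICAR SHA-256.

```python
"""Time-to-detection drill using the harmless EICAR test file.

Added example (not the original article's code). Drops the EICAR test
string, which every anti-virus product is expected to flag, then measures
how long the endpoint protection takes to act on it. Names, paths and
timeouts below are assumptions chosen for illustration.
"""
import hashlib
import os
import tempfile
import time
from datetime import datetime, timezone
from typing import Callable, Dict, Optional

# Assembled from two halves so this source file is not itself flagged when
# stored; the joined value is the standard 68-byte EICAR test string.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Published SHA-256 of the EICAR file; a convenient search key in EDR/SIEM.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def sha256_hex(data: bytes) -> str:
    """Hash of the dropped artifact, so the alert can be correlated to the drill."""
    return hashlib.sha256(data).hexdigest()


def drop_artifact(directory: str, payload: str = EICAR, name: str = "ir-drill.com") -> str:
    """Write the test file byte-for-byte and return its path."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(payload.encode("ascii"))
    return path


def wait_for_detection(probe: Callable[[], bool], timeout_s: float, interval_s: float) -> Optional[float]:
    """Poll probe() until it returns True; return seconds elapsed, or None on timeout."""
    start = time.monotonic()
    while True:
        if probe():
            return time.monotonic() - start
        if time.monotonic() - start >= timeout_s:
            return None
        time.sleep(interval_s)


def quarantined(path: str) -> bool:
    """Removal or loss of read access both count as the product having acted."""
    try:
        with open(path, "rb") as fh:
            fh.read(1)
        return False
    except OSError:
        return True


def run_drill(directory: Optional[str] = None, payload: str = EICAR,
              timeout_s: float = 60.0, interval_s: float = 1.0) -> Dict[str, object]:
    """Drop the artifact, wait for quarantine, and return what a drill report needs."""
    directory = directory or tempfile.mkdtemp(prefix="ir-drill-")
    dropped_at = datetime.now(timezone.utc).isoformat()   # correlate with SIEM/ticket timestamps
    path = drop_artifact(directory, payload)
    latency = wait_for_detection(lambda: quarantined(path), timeout_s, interval_s)
    detected = latency is not None
    if not detected:            # nothing reacted: remove the file ourselves
        os.remove(path)
    return {
        "path": path,
        "sha256": sha256_hex(payload.encode("ascii")),
        "dropped_at": dropped_at,
        "detected": detected,
        "latency_s": latency,
        "still_present": os.path.exists(path),
    }


if __name__ == "__main__":
    for key, value in run_drill().items():
        print(f"{key}: {value}")
```

The interesting output is not the latency number on its own but the gap between `dropped_at` and the time a human first acknowledged the alert or opened a ticket; a product that quarantines in two seconds while nobody looks at the console for two days has tested the technology and failed the people and process parts of the plan. A "detected: False" result is equally informative: it means the host either has no endpoint protection, has it misconfigured, or the alerting pipeline never reaches anyone.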
High profile security breaches have shown us that no organization is immune to attack. Incident response planning needs to become a higher priority, and not just in IT departments, so organizations can reduce risk and keep damage to a minimum.