How to create and scope out an Incident Response Plan?

An incident is an occurrence or act that violates, or potentially jeopardizes without legal authority, the confidentiality, integrity, and availability protected by an explicit or implied security policy. An incident response plan is a collection of instructions and procedures for detecting, responding to, and limiting the effects of a malicious cyber attack against an organization's information systems.

An incident response lifecycle includes 5 phases:

  • Phase 1 → Preparation: It is essential to make systems resilient to attack by hardening systems, writing policies & procedures, and setting up confidential lines of communication. Preparing for Incident Response involves documenting processes, putting resources and guidelines in place, and conducting training.

  • Phase 2 → Detection & Analysis: Determine that an incident has occurred, triage it & notify relevant stakeholders.

  • Phase 3 → Containment: Limit the scope & magnitude of the incident by securing the data & limiting the impact on business operations and customers.

  • Phase 4 → Eradication & Recovery: Eradicate the cause of the incident and get the system back to a secure [baseline] state.

  • Phase 5 → Post-Incident Activity (Lessons Learned): Analyze the incident & responses to identify how the organization could improve the procedures or systems.

What should an incident response report entail?

  • Incident form

  • Records of details about reporting & case assignment

  • Date, Time, and Location of the incident

  • Reporter & incident handler names

  • How the incident was detected

  • Type of incident

    • Exfiltration

    • Insider Threat

    • Theft

    • Accidental breach

    • CIA breach [Corruption/Destruction of Data]

  • Scope of Incident

  • Incident Description & Event Logging

Where an incident involves a breach of private or confidential data, it is important to prioritize the incident based on data criticality. Private/confidential data can be categorized as:

  • Personally Identifiable Information (PII): Data used to identify, contact or impersonate an individual.

  • Sensitive Personal Information (SPI): Data on an individual's opinions, beliefs & nature that has protected status by privacy legislation. The GDPR definition of SPI includes religious beliefs, political opinions, trade union memberships, gender, sexual orientation, racial or ethnic origin, genetic data & health information.

  • Personal Health Information (PHI): Data that identifies an individual's medical records, insurance records, hospital records, and laboratory test results.

  • Financial Information: Data stored in bank accounts, investment accounts, payroll, tax returns, credit card data, etc. The Payment Card Industry Data Security Standard (PCI DSS) defines the safe handling & storage of payment card data.

  • Intellectual Property: Data created by an organization about the products/services it produces or provides (copyrights, patents, trademarks, trade secrets).

  • Corporate Information: Confidential data owned by a company, such as product, sales, marketing, legal & contact information, as well as corporate information about profit, cash flow, salaries, market share, critical customers, or competitors.

  • High-Value Assets: Systems that process data critical to a mission-essential function. Maintaining the confidentiality, integrity & availability of high-value assets is vital to the organization's success.

Primary & responsible stakeholders should be notified of a data breach as legislation or regulation requires. GDPR requires users to be notified within 72 hrs of a violation/breach of data.
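As an added example (not code from the original post), the report fields, incident types, data categories and 72-hour notification window described above expressed as a small incident record in Python. The priority values per data category and the sample incident are constructed assumptions; an organization would set its own ranking in its IR plan.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed ranking of the data categories listed above (higher = handle first);
# an organization would set its own values in its IR plan.
DATA_PRIORITY = {"PII": 3, "SPI": 4, "PHI": 4, "Financial": 4,
                 "Intellectual Property": 3, "Corporate": 2, "High-Value Asset": 5}
INCIDENT_TYPES = {"Exfiltration", "Insider Threat", "Theft",
                  "Accidental breach", "CIA breach"}
NOTIFY_WINDOW = timedelta(hours=72)   # notification window stated above
REQUIRED_TEXT = ("reporter", "handler", "location", "detection_method",
                 "scope", "description")

@dataclass
class IncidentRecord:
    reporter: str
    handler: str
    detected_at: datetime          # must be timezone-aware
    location: str
    detection_method: str          # how the incident was detected
    incident_type: str
    scope: str
    description: str
    data_categories: list = field(default_factory=list)

    def validate(self):
        """Return the list of problems; an empty list means the form is complete."""
        problems = [f"missing {n}" for n in REQUIRED_TEXT if not getattr(self, n).strip()]
        if self.incident_type not in INCIDENT_TYPES:
            problems.append(f"unknown incident type: {self.incident_type}")
        problems += [f"unknown data category: {c}" for c in self.data_categories
                     if c not in DATA_PRIORITY]
        if self.detected_at.tzinfo is None:
            problems.append("detected_at must be timezone-aware")
        return problems

    def priority(self):
        """Highest ranking among the data categories involved (0 if none known)."""
        return max((DATA_PRIORITY.get(c, 0) for c in self.data_categories), default=0)

    def hours_left(self, now):
        """Hours until the notification deadline; negative means overdue."""
        return (self.detected_at + NOTIFY_WINDOW - now) / timedelta(hours=1)

def sample_record():   # constructed example incident, not a real case
    return IncidentRecord(
        "J. Reporter", "IR Handler", datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc),
        "HQ file server", "DLP alert", "Exfiltration", "One share, ~200 records",
        "Customer export copied to an external drive", ["PII", "Financial"])
```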

Who are the concerned stakeholders?

  • Senior Leadership: Executives and Managers

  • Regulatory bodies: Governmental Organizations that oversee compliance

  • Legal: The organization's legal counsel, responsible for mitigating civil lawsuits

  • Law Enforcement: For preparing future legal action against attackers

  • Human Resources (HR): Ensuring employee contracts

  • Public Relations (PR): Manage negative publicity

Training and testing are significant parts of an incident response plan. All employees and staff should focus on continuous education and be trained to understand the processes, procedures, and priorities. It is vital to conduct test simulations & practical exercises of complex incident events, as well as table-top activities. The IR plan should prioritize building relationships between the incident responders, executive teams, and end users.
