Security professionals are responsible for preparing their organizations for this eventuality by building a security incident response program. In this video, learn how to develop a solid foundation for an organization's information security incident response program.
- [Instructor] Unfortunately no matter how well we prepare, security incidents can and do occur. Security professionals are responsible for preparing their organizations for this eventuality by building a security incident response program. The National Institute for Standards and Technology, or NIST, is the authoritative source for information on security incident response. As you develop your incident response plan, you may wish to refer to their Computer Security Incident Handling Guide, which is NIST Special Publication 800-61.
You can download it for free from the web. We'll cover some of the highlights of this NIST guide in this course. As you build your incident response program, you should ensure that it includes five key components. First, it should include some documentation, your incident response policy and plan. Second, it should include procedures for incident handling and reporting, and it should also provide guidelines for communicating with outside parties during an incident. The plan should outline your team structure and staffing model and it should also describe the relationships between the incident response team and other groups that both internal to your organization, such as your attorneys and public relations staff and external, such as law enforcement, and regulatory agencies.
Let's take a look at each one of these components. The incident response policy is the cornerstone of your incident response plan. The policy and related documents should include the critical details of your organization's approach to incident response. The incident response policy should include the foundational authority for your program and describe the operating authority delegated by management to the incident response team. This is critically important. If the incident response team is to be effective, they must be able to act quickly and decisively.
This often includes taking actions that are unpopular with line managers, such as disconnecting equipment to protect the organization during a security incident. The team must have the clear authority to take these unpopular actions when necessary. The policy should also define what types of incident fall under the scope of the incident response program, and include a system for prioritizing incidents based upon their severity. The incident response policy is by its nature very general and shouldn't change all that often.
Incident response procedures on the other hand, are where you'll find the details of your incident response practices, and tactical guidance to incident responders. Procedures should be written very clearly, and provide actionable advice to troops on the ground. Some of the procedures found in a robust incident response program include an incident notification procedure, escalation procedures, reporting procedures, system isolation procedures, forensic analysis procedures, and procedures covering evidence handling.
The next important element of an incident response program is formalizing the way that you communicate with units outside the core incident response team. You'll need to provide clear guidance on when and how to involve groups such as senior executives, legal counsel, public relations, regulatory agencies, and law enforcement. That last one can be a little tricky. In most cases, you aren't under a legal obligation to report security incidents to law enforcement and the decision to do so is complex.
Once you file a report with law enforcement, it's likely that the details of the incident will become public, which may be undesirable. Also, law enforcement officers are held to much higher standards in gathering and processing evidence. Of course, you should always contact law enforcement if you think there is a threat to safety, or you have a legal obligation to report a specific kind of incident. One of the most important tasks you'll undertake in your incident response program, is building and staffing your incident response team.
This team will likely need to be available on a 24/7 basis and you should have primary and back up personnel assigned to cover vacations, as well as extended periods of team operation. Incident handling is a wonderful professional development opportunity and helps teams keep their technical skills sharp. Some of the groups that should be represented in your incident response team, include management, information security staff, technical subject matter experts, such as database administrators, developers, system engineers, and virtualization experts, legal counsel, public affairs, human resources, and physical security staff.
Including the right team members is critical to building the relationships that you'll need during an incident. You won't necessarily need to activate all team members for any given incident, but each of these groups should have representatives trained and ready to participate before an incident starts.
- Building an incident response program
- Escalation and notification
- eDiscovery process
- Conducting investigations
- System and file forensics
- Reporting and documenting incidents
- Business continuity planning
- Validating backups
- Testing BC/DR plans