Security professionals are responsible for preparing their organizations for this eventuality by building a security incident response program. In this video, learn how to develop a solid foundation for an organization's information security incident resp
- [Instructor] While we strive to protect our systems and information against a wide variety of threats, the grim reality is that no matter how many controls we put in place, there's still a possibility that we'll fall victim to a security incident. As we explore the incident response process in this course, we'll focus on using a standard set of practices endorsed by the National Institute for Standards and Technology, NIST. If you'd like more information on this process, you can find a complete reference in the NIST Computer Security Incident Handling Guide.
It's published online as NIST special publication 800-61, and this guide is widely used as a standard reference throughout the cyber security field. Every organization should develop a cyber-security incident response plan that outlines the policies, procedures, and guidelines that the organization will follow when an incident takes place. This process is extremely important because it provides structure and organization in the heat of a crisis.
I've been involved in many security incidents over the course of my career. And when I think back and evaluate them in hindsight it's clear to me that all of the organizations that handled incidents well had one thing in common. They had clearly thought through their incident response process, and documented it in advance of the incident. On the other hand, when I think about the incidents that didn't go very well, they typically occurred in organizations that didn't conduct prior planning. In those organizations, I commonly heard the sentiment well, we're good at crisis management and a security incident isn't very likely.
We'll figure out the details if it happens. That seat of the pants approach to cyber security incident handling is a recipe for failure. The reality is that people make bad decisions in the heat of a crisis. Developing an incident response plan in advance of an incident taking place allows you to make decisions in the calm environment of the planning phase. And those decisions then help you exercise good judgment in the heat of a security incident. A formalized incident response plan should include several common elements.
First, it should begin with a statement of purpose. What are the reasons that the organization is creating an incident response plan, and what is the scope of that plan? What type of incidents does the plan cover? For example, is the plan restricted to only cyber security incidents, or will it cover any loss of sensitive information? Second, the plan should describe clear strategies and goals for the incident response effort. What are the highest priorities for first responders, and those handling an incident at a more strategic level? If responders should prioritize containment over evidence preservation, make sure that's clear in the plan.
The plan should also describe the nature of the organization's approach to incident response. Who bears responsibility for incident handling? And what authority do they have? Your incident response plan should also cover communication within the team, with other groups within the organization and with third parties. We'll talk more about the incident communication process later in this course. And finally, the plan should include the approval of senior management. You might need that authority when taking unpopular actions during incident response.
If you can point to the plan, and show an irate administrator that the policy requiring disconnection of a system was signed by the CEO, that goes a long way. As you develop your plan, you should consult NIST SP 800-61 to help guide your decisions. You also might find it helpful to look at some plans developed by other organizations. For example, this plan developed by Carnegie-Mellon University, provides a detailed look at how incident response works within their organization.
And this incident response plan template for the State of Oregon shows how you might adapt a template to the specific needs of an individual agency. Of course, you won't be able to simply take someone else's plan and apply it to your organization. But it's always helpful to have a starting point. Many cyber security professionals have put countless hours in developing strong incident response plans, and there's no need to reinvent the wheel.
- Creating an incident response team
- Classifying incidents
- Building an incident response program
- Identifying symptoms of incidents
- Conducting forensic investigations
- Logging and monitoring