Incident Response

Without an incident response plan, you may not discover an attack in the first place, or, if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker's presence, and recover in a secure fashion. Thus, the attacker may have a far greater impact, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible were an effective incident response plan in place.

References:

Key requirements for an Incident Response Plan


Responsibilities

Identify key individuals and ensure they have the authority to make hard decisions and act timely in an incident.

  • Who coordinates incident response
  • Who informs Unit Management and Information Security Officer / Lead Campus Authority
  • Who manages internal workflow

Inventory

You can't protect what you don't know exists. If a computer is compromised, you should be able to easily know and identify if it has restricted data.

Implementation

Ensure the actual incident response steps are clearly documented, understood, and tested.

Recovery

A critical step in incident response is getting a system back online. Example: What happens if a system is compromised and must be removed for a forensics investigation?

  • How do you get back online after an incident (both small and large)
  • Tie to Disaster Recovery / Business Continuity Plans

Training

Ensure all individuals understand how to detect and report an incident.

  • How to determine an infection / incident and when to report
  • Who receives the reports

Testing

Regularly test the plan to make sure it works and everyone understand their role

  • Define when and how to test (at least annually)
  • Document the test and lessons learned