Without an incident response plan, you may not discover an attack in the first place, or, if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker's presence, and recover in a secure fashion. Thus, the attacker may have a far greater impact, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible were an effective incident response plan in place.
- UCI Information Security Control 18
- UC Privacy and Data Security Incident Response Plan (pdf)
- UCI Policy 800-17: UCI Implementation Guidelines for Notification in Instances of Security Breaches Involving Personal Information Data
Key requirements for an Incident Response Plan
Identify key individuals and ensure they have the authority to make hard decisions and act promptly during an incident.
- Who coordinates incident response
- Who informs Unit Management and Information Security Officer / Lead Campus Authority
- Who manages internal workflow
You can't protect what you don't know exists. If a computer is compromised, you should be able to quickly determine whether it holds restricted data.
- What and where are critical assets
- Who works with sensitive and restricted data
Ensure the actual incident response steps are clearly documented, understood, and tested.
- Defined and documented workflow for handling incidents
- See: Sample Managed Workstation Incident Response Workflow (pdf)
A critical step in incident response is getting a system back online. Example: What happens if a system is compromised and must be removed for a forensics investigation?
- How do you get back online after an incident (both small and large)
- Tie to Disaster Recovery / Business Continuity Plans
Ensure all individuals understand how to detect and report an incident.
- How to determine an infection / incident and when to report
- Who receives the reports
Regularly test the plan to make sure it works and everyone understands their role.
- Define when and how to test (at least annually)
- Document the test and lessons learned