Developing the Incident Response Plan-Capability Assessment

Time: 14 hours 39 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
00:01
>> Like I mentioned before, there are multiple organizations that have input on response and management and various strategies. Now we're going to look at the document from the University of California called "Responding to Computer Security Incidents." This is also referenced in the CISM study guide, so it's certainly worth looking at here. The big point is they're not going to say, "What's the second step of the University of California's framework?" and have you look at that versus the Software Engineering Institute. What you're going to need to understand is the flow of the processes. Regardless of which framework I show you, the flow should always make sense.

With this particular plan, we do start off before we develop the plan, I guess as a predecessor to that, by assessing our current incident response capability. Where are we now? You're not ever going to walk into an organization and find they have no plan or strategy whatsoever for responding to incidents. What you want to know is, are we where we want to be? We go back to that idea of current state versus desired state. We can survey our employees. We can do a self-assessment. We can hire a third party to come in and give us external information, but ultimately, the question we want to answer is, are we where we want to be? Chances are good, if you're coming into a new role, you may find that there are recommendations you would make for closing the gap between current state and desired state.

We have to make sure that we have methods and a plan. Remember that a computer incident is not just a technical event. We can have man-made or natural disasters that would impact our capabilities for operations. I know we talked a little bit about technology in Domain 3, but we have to look at our technology controls and the inherent vulnerabilities that come with just having technology in our environment. People: our weakest link. Are they well-trained? Are they knowledgeable? Do they understand the processes? Do they understand how to report incidents? Always our weakest link, so we've got to evaluate our people. What processes are in place? Security controls. Controls can bring in an entire set of risks all on their own, so we evaluate those controls. We also are going to look at incident response history. We're going to look at lessons learned or postmortem reviews. Ultimately, to figure out, are we where we need to be?