so move on to the elements of an incident response policy. So one of the first topics is that the policy governing incident response is going to be highly individualized to each organization. So no organization is going to have the same incident response policy. Because each organ
organization is one to have
different threats that they face. They're going to have different levels of risk and different priorities. But nevertheless, most policies will include some of the same pl.
And the first element that we want to talk about is the statement of Management Committee.
Anyone who's been any type of organization for laundry day, nose to the management doesn't really have priority on certain task certain
elements within the organization, then they just kind of fall by the wayside. So if it's not important to management, why should it be important to the employees? So statement of management commitment is very important to see that managers years within an organization care about incident response
in the next part of the policy is you need to have a purpose and objective of the policy.
What do you hope to accomplish with your incident response policy? What do you hope to accomplish by doing forensics.
The next portion of your policy is going to be the scope of the policy. Who does it apply to under what circumstances?
And then you want to define essentially your computer security incidents related terms, because again, every organization is going to have different terminology, different types of incidents. You may have also other individuals coming into the organization with different backgrounds and experiences.
So essentially, you want to codify,
what types of incidents that you have in the terminology that you're going to use when referring to these incidents,
the next element of the policies you're going to want to have some type of organizational structure you're gonna want to find the roles and responsibilities in the level of authority because that's the authorities is always very important than an organization S O. Before you start doing certain task
performing certain roll, if you want to understand what authorities do, you have what
legally can you or can not do what is allowed by your organization's policy? One's not
so. Essentially, the authority shouldn't should include what the incident response team could confiscate. What they can disconnect, how they monitor suspicious activity on the requirements for reporting certain types of incidents
the requirements and guides for external communication and information sharing. So
what can be shared? With whom? When can it be shared over what channels? Sometimes you're gonna have to get approval to share certain types of information because it may essentially damage the reputation of the company are it may have proprietary information that you don't want to necessarily get out.
So, uh, the policy will essentially need to cover those types of them information. And then, if you have to hand off the incident escalated. That needs to be stated in the policy as well.
And then the prioritizing of the incidents in the severity and the ratings
that will help the Incident Response team and those who reporting or triaging incident
be able to identify which incidents should be essentially put a higher priority or investigated. First remediated first,
uh, the next element that we want to talk about his performance measures. What does success look like?
Uh, how? How should incidents be
taken care of in a certain time frame, where two incidents need to go, So being able to measure some type of performance and knowing that the incident response team is performing as they should are, if they might need a course, Correction is very important and then, lastly, is your
reporting in contact?
Because organizations are large, Incident response team's may be spread out over the United States that could be spread out globally
on. Not everyone within an organization may be familiar with every other person, so it's important to have contact forms for individuals across Syria.
We're gonna talk about Maur elements of the incident Response plan. This organization should also have a formal, focused, coordinated approach to responding to incidents, including an incident response plan that provides the roadmap for implementing the incident response capability.
So each organization needs a plan that makes the unique requirements which relates to the organization's miss admission size structured functions.
So again, not every organization is going to have the same methodology when responding to certain incidents. Some organizations may have in House incident Response team, Other organizations External Incident Response Team's You may have a combination of the above,
so it's important to
kind of list that s o. Each individual on the Incident Response team knows exactly how they should go about managing and handling these incidents.
So again, we're gonna just summarize incident response plan should include the following elements. So it's gonna have your mission, your statement and goals, your senior management approval.
Organizational approach. Incident response.
How the Incident Response Team will communicate with the rest of the organization and with other organizations.
Metrics for measuring the incident response capability and its overall effectiveness
road map for maturing the incident response capability and how the program fits into the overall organization. So if you include these these elements within your incident response plan and you're able to answer these questions,
it's likely that you will have a very successful incident response team.
Another thing that I want to talk about is essentially
the way that the 21st century works in the 24 hour news cycle, especially for large organizations, when you have an incident such, maybe is the target data breach with Sony Hack,
it's important that if you're going to talk to the media that you have a defined meeting policy, because if you do not have that policy and end up making you or the organization look bad on you, could suffer additional loss on top of the incident that you're having to respond to.
So when looking at the policy,
the incident handling team should have ah established media communications procedures that will comply with the organization's policies on media interaction and information disclosure,
and then for discussing the incidents with media organizations might find it beneficial to designate a single point of contact or at least one backup. That's important on many aspects because one it assures a string line.
Focus on the media. You don't have two or three individuals saying two or three different things to reporters on. Then you're going to have someone who has the experience of interacting with reporters on a daily basis. So it's not catching that person off guard
per se who just got a sign that robot task
and then the bottling actions are recommended for preparing these designated contacts and should also be considered for preparing Others who may be communicating with medium so conduct training sessions on interacting with the media regarding incidents which should include the importance of not revealing
sensitive information, such as technical details of countermeasures
that could assist other Attackers and the positive aspects of communicating important information to the public fully and effectively.
So if you've never dealt with the media before, it could be quite daunting. Task s so it's important to just have someone who has training and doing that. Who knows what they look like in front of the camera to be able to represent themselves in the organization of the best possible light.
Next, you're gonna want to establish procedures to brief media contacts on the issues and since sensitivities regarding a particular incident before discussing it with the media,
the person that you're gonna have dealing with the media, they may be great at interacting. That may be great on camera, but they may not be the most technically savvy person that's out there. So it's important to pre brief that person before they actually speak to the media
eso. They'll be aware of certain questions that may be opposed
by the media. Regarding an incident support example. Organization may want members of its public affairs office and legal department
to participate in all incident discussions,
and you want to maintain the statement of the current status of the incident so communications with the media are consistent and up to date.
You want to remind all staff of the general procedures for handling media enquiries,
and then you want to hold mock interviews and press conferences during the incident. Handling procedures are response, so that should identify examples of questions that might be asked by the media. Who attacked you? Why would you attack? When did it happen? How did it happen? Did this happen because you have
for security practices?
How widespread is incident? What steps are you taking to determine what happened and how to prevent a future occurrence?
What is the impact of the incident?
Was any personally identifiable or P I exposed? Then what is the estimated cost of the incident? So those are just examples of questions that reporters might ask in your media contact would essentially want to be able to answer during that incident.