Part 2 - The Elements of an Incident Response Policy


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7
Video Description

This lesson discusses the elements of an incident response policy. These vary by organization, but most policies include some of the following key elements:
· Statement of management commitment
· The purpose and objective of the policy
· Scope of the policy
· Who has what role
· Prioritization and severity of incidents
· Performance measures
· Reporting and contact forms
In the wake of an incident, a formal and focused plan is crucial to getting an organization back up and running again, as well as to minimizing damage and making sure it doesn't happen again. In addition to a strong incident response plan, an organization needs to have policies in place regarding communication with the media after an incident, and it needs to educate its staff so they're aware of such procedures.

Video Transcription
00:03
>> We move on to the elements of an incident response policy. One of the first topics is that the policy governing incident response is going to be highly individualized to each organization. No organization is going to have the same incident response policy, because each organization is going to have different threats that they face. They're going to have different levels of risk and different priorities. But nevertheless, most policies will include some of the same key elements.
00:03
The first element that we want to talk about is the statement of management commitment. Anyone who's been in any type of organization for longer than a day knows that if management doesn't really place priority on certain tasks and certain elements within the organization, then they just fall by the wayside. If it's not important to management, why should it be important to the employees? The statement of management commitment is very important to show that managers and leaders within an organization care about incident response.
00:03
Then the next part of the policy is that you need to have a purpose and objective of the policy. What do you hope to accomplish with your incident response policy? What do you hope to accomplish by doing forensics? The next portion of your policy is going to be the scope of the policy. Who does it apply to and under what circumstances?
00:03
Then you want to define, essentially, your computer security incident-related terms, because again, every organization is going to have different terminology, different types of incidents. You may also have other individuals coming into the organization with different backgrounds and experiences. Essentially, you want to codify what types of incidents you have and the terminology that you're going to use when referring to these incidents.
00:03
The next element of the policy is you're going to want to have some type of organizational structure. You're going to want to define the roles and responsibilities and the level of authority, because authority is always very important in an organization. Before you start doing certain tasks and performing certain roles, you want to understand what authorities you have, what you legally can or cannot do, what is allowed by your organization's policy and what is not. Essentially, the authority should include what the incident response team can confiscate, what they can disconnect, how they monitor suspicious activity, the requirements for reporting certain types of incidents, and the requirements and guides for external communication and information sharing. What can be shared with whom? When can it be shared, and over what channels? Sometimes you're going to have to get approval to share certain types of information, because it may essentially damage the reputation of the company, or it may contain proprietary information that you don't necessarily want to get out. The policy will essentially need to cover those types of information. Then if you have to hand off the incident or escalate it, that needs to be stated in the policy as well.
00:03
Then the prioritizing of the incidents, and the severity and the ratings, will help the incident response team, and those who are reporting or triaging an incident, be able to identify which incidents should essentially be put at a higher priority, or investigated first, or remediated first.
00:03
The next element that we want to talk about is performance measures. What does success look like? How should incidents be taken care of, and in what time-frame? Where do incidents need to go? Being able to measure some type of performance, meaning whether the incident response team is performing as they should or whether they might need a course correction, is very important.
00:03
Then lastly, there are your reporting and contact forms. Because organizations are large, incident response teams may be spread out over the United States, they could be spread out globally, and not everyone within an organization may be familiar with every other person, so it's important to have contact forms for individuals across the enterprise. We're going to talk about more elements of the incident response plan.
00:03
Organizations should also have a formal, focused, and coordinated approach to responding to incidents, including an incident response plan that provides the road map for implementing the incident response capability. Each organization needs a plan that meets its unique requirements, which relate to the organization's mission, size, structure, and functions. Again, not every organization is going to have the same methodology when responding to certain incidents. Some organizations may have an in-house incident response team, other organizations may have external incident response teams, and you may have a combination of the above. It's important to list that, so each individual on the incident response team knows exactly how they should go about managing and handling these incidents.
00:03
Again, we are going to just summarize. The incident response plan should include the following elements: your mission, your statement and goals, your senior management approval, the organizational approach to incident response, how the incident response team will communicate with the rest of the organization and with other organizations, metrics for measuring the incident response capability and its overall effectiveness, a road map for maturing the incident response capability, and how the program fits into the overall organization. If you include these elements within your incident response plan and you're able to answer these questions, it's likely that you will have a very successful incident response team.
00:03
Another thing that I want to talk about is essentially media policy. Because of the way the 21st century works, with the 24-hour news cycle, especially for large organizations, when you have an incident such as maybe the Target data breach or the Sony hack, it's important that if you're going to talk to the media, you have a defined media policy, because if you do not have that policy, you can end up making you or the organization look bad, and you could suffer additional loss on top of the incident that you're having to respond to.
00:03
When looking at the policy, the incident handling team should have established media communications procedures that comply with the organization's policies on media interaction and information disclosure. Then, for discussing the incidents with the media, organizations might find it beneficial to designate a single point of contact, or at least one backup, and that's important in many aspects, because one is that it assures a streamlined focus on the media. You don't have two or three individuals saying two or three different things to reporters. Then you're going to have someone who has the experience of interacting with reporters on a daily basis, so it's not catching that person off guard, say, someone who just got assigned that noble task.
00:03
Then the following actions are recommended for preparing these designated contacts, and should also be considered for preparing others who may be communicating with the media. Conduct training sessions on interacting with the media regarding incidents, which should include the importance of not revealing sensitive information, such as technical details of countermeasures that could assist other attackers, and the positive aspects of communicating important information to the public fully and effectively. If you've never dealt with the media before, it can be quite a daunting task. It's important to just have someone who has training in doing that, who knows what they look like in front of the camera, to be able to represent themselves and the organization in the best possible way.
00:03
Next, you're going to want to establish procedures to brief media contacts on issues and sensitivities regarding a particular incident before discussing it with the media. The person that you're going to have dealing with the media may be great at interacting, they may be great on camera, but they may not be the most technically savvy person that's out there. It's important to pre-brief that person before they actually speak to the media, so they'll be aware of certain questions that may be posed by the media regarding an incident. For example, an organization may want members of its public affairs office and legal department to participate in all incident discussions with the media.
00:03
You want to maintain a statement of the current status of the incident, so communications with the media are consistent and up-to-date. You want to remind all staff of the general procedures for handling media inquiries, and then you want to hold mock interviews and press conferences during the incident handling procedures of your response. That should identify examples of questions that might be asked by the media: who attacked you, why did they attack, when did it happen, how did it happen, did this happen because you have poor security practices, how widespread is the incident, what steps are you taking to determine what happened and how to prevent a future occurrence, what is the impact of the incident, was any personally identifiable information, or PII, exposed, and what is the estimated cost of the incident? Those are just examples of questions that reporters might ask and that your media contact will essentially want to be able to answer during that incident.