Cyber Incident Response Plans

Cyber Incident Response Plan:
An effective cyber incident response policy identifies internal and legal-authority
reporting requirements and clearly defines roles and responsibilities for all individuals
involved in the process. Executive managers need to be briefed on the process before
they are presented with an incident, so that they are not blindsided by the methodology, techniques,
impact, requirements, etc. Any unauthorized activity that has penetrated the security
defenses and affects the confidentiality, integrity, or availability of corporate IT resources
can be considered an incident and should be researched, tracked, and rectified. The
policy should begin with a definition of what constitutes an incident (e.g., whether suspicious
activity is included) and what the various categories are (scanning results, audit findings,
log reviews, etc.), and it should describe the threats and the consequences of exploitation.
The sensitive nature of the incident response function and its confidentiality requirements
must be stressed. Timeframes and conditions for reporting should be outlined. Incident
response procedures include identification of detection mechanisms, acknowledgement
of the occurrence, and internal notification procedures (when to notify or involve the
management chain, Human Resources, and legal authorities on suspicion or confirmation
of an incident). Documentation requirements should be defined for recording the
assessment of how the infiltration or infraction occurred, the historical records needed for
research, the factors for determining the impact of exploitation, quarantine and recovery
activities, and how lessons learned should be incorporated into hardening the environment
to avoid recurrence. Proactive monitoring procedures will help to reduce the number
and severity of incidents and the frequency with which incident response procedures are invoked.
Tiger teams ready to investigate, quarantine if necessary, resolve, and document
incidents should be assembled, trained, and funded. Tools of the trade include well
stocked "jump bags" containing boot disks, CDs or diskettes with application software,
IDS software, ghosted images of standard software loads, a variety of cables, phone
and email contact lists, ISSP freebie diskettes, and spare blank CDs and diskettes.