We know that there are several processes and procedures that can be used for your organization's security incident response plan. We also know that this topic does not always arouse much interest in other departments of the company, which makes it challenging for the IT / Cybersecurity departments to convey its real importance and impact to everyone else.
Nowadays, thinking about information system security has become essential for organizations, regardless of their size, industry, or market. It is a vital component for all companies and one that should be taken seriously by everyone.
Given this context, this article aims to summarize and simplify some important assumptions about the development of a security incident response process plan.
So, what is an incident response process?
Specifically, an incident response process is a set of procedures designed to identify, investigate, and respond to potential security incidents in a way that minimizes impact and supports rapid recovery. At the end of the day, it is a business process, as it allows your organization to maintain, as much as possible and with the least possible impact, its usual activities.
What is the difference between incident response “process” and “procedure”?
Although these terms are often used interchangeably, they have different meanings. An incident response process is the life cycle of an incident investigation, while an incident response procedure is the specific set of actions the team carries out during a step of that process.
Assumptions and Preparation - What should we consider before starting the plan?
Before thinking about specific incident response procedures, your organization needs to prepare. We suggest that you consider, among others, the following premises:
List assets and impact: It is important to think about which servers, applications, users, networks, and systems are essential for maintaining daily work, that is, which assets could cause some type of damage or impact to the business if they suffer an attack or go offline for a certain time. In addition to the resources themselves, the same analysis must be made for the type of data held in these tools and for the potential impact if that information is obtained by unauthorized third parties.
Quantify asset values as accurately as possible, as this will help justify the Security and IT budget.
Capture traffic patterns and baselines to create an accurate picture of what is considered "normal". Your team will need this base to detect anomalies that may indicate a possible incident.
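As an added example (not code from the original article), here is the baseline step in working form: per-host traffic statistics are computed from a constructed "normal" week, and each new hour's observation is compared against them, including the case of a host that has no baseline at all. The host names, byte counts and thresholds are constructed assumptions.

```python
"""Baseline-and-anomaly check over constructed outbound-traffic records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: (host, hour_bucket, bytes_out) for one "normal" week.
BASELINE = [
    ("web01", h, 4_000_000 + (h % 3) * 200_000) for h in range(24 * 7)
] + [
    ("db01", h, 800_000 + (h % 5) * 50_000) for h in range(24 * 7)
]

# Constructed observations for the hour being checked.
OBSERVED = [
    ("web01", 4_300_000),     # within the usual band
    ("db01", 9_500_000),      # roughly 10x its baseline: worth investigating
    ("laptop42", 1_000_000),  # host never seen during the baseline week
]

def build_baseline(records):
    """Per-host mean and population stddev of bytes_out per hour."""
    per_host = defaultdict(list)
    for host, _hour, bytes_out in records:
        per_host[host].append(bytes_out)
    return {h: (mean(v), pstdev(v)) for h, v in per_host.items()}

def classify(observations, baseline, sigmas=3.0, min_ratio=2.0):
    """Label each observation 'normal', 'anomaly' or 'no-baseline'.

    A host is anomalous when it exceeds mean + sigmas*stddev AND is at least
    min_ratio times its mean. The ratio guard keeps a host with an almost
    flat baseline (stddev near zero) from tripping on every small wobble.
    Hosts absent from the baseline cannot be judged and are reported as such.
    """
    results = {}
    for host, bytes_out in observations:
        if host not in baseline:
            results[host] = "no-baseline"
            continue
        mu, sigma = baseline[host]
        if bytes_out > mu + sigmas * sigma and bytes_out >= min_ratio * mu:
            results[host] = "anomaly"
        else:
            results[host] = "normal"
    return results

if __name__ == "__main__":
    for host, label in classify(OBSERVED, build_baseline(BASELINE)).items():
        print(f"{host}: {label}")
```

A "no-baseline" result is itself a finding: a host with no recorded normal behaviour should be added to the asset inventory before its traffic can be judged.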
Connect, communicate, and collaborate
Meet with the executive leadership, share your analysis of the organization's current security posture, and review industry trends, the main areas of concern, and your recommendations. Set expectations about what the team will do, along with what other organizations are doing, as well as what to expect in terms of communications, metrics, and contributions. Discover the best way to work with the legal, human resources, and commercial teams to accelerate requests during essential incident response procedures.
In the coming months, we will continue with a series of articles on Communicating, Responding, and Preventing in the context of security of information systems and cybersecurity. Stay tuned to our main communication channels to learn more about trends and best practices in this segment.