January 30, 2020

Do You have a Plan for That? – WST

Emergency room staff have procedures for responding to mass trauma situations.  Firemen have procedures for responding to hazmat fires.  Pilots have procedures for dealing with engine problems.  Clearly, they must be prepared for those emergencies (and more).  You can be sure there are regulations that dictate how frequent and involved those procedures and exercises must be for responding to significant incidents.

The financial industry has similar guidance that requires having Incident Response plans or procedures. The goal of Incident Response is to minimize the damage to the institution and its customers.  For those tasked with creating those procedures and testing them, it can seem like a “check the box” activity until some extraordinary major event actually occurs.

Regulations have put a focus on Incident Response (see the FFIEC Information Security Handbook), with an emphasis on cyber-related aspects.  In other words, your Incident Response procedure should include the steps to be taken for the cyber events most likely to occur at your institution.  Generally, the most likely cyber incidents to include in your Incident Response procedure are malware, ransomware, data breach, DDoS attack, and a lost or stolen computing device (laptop, smartphone, portable storage, etc.).  A common solution is to add an appendix to your existing Incident Response procedure for each of these cyber incidents, providing a quick-access reference (also known as a “playbook”).

A simple way to determine whether your Incident Response procedure is adequate is to pick any of the possible cyber-related incidents and ask yourself “What are the first 5 actions we would need to perform if this type of incident occurred?”  If your Incident Response plan doesn’t provide that level of guidance, you probably have some updating to do, and a great way to develop incident playbooks and update the plan is to perform periodic tabletop exercises.  (Remember, when conducting exercises, the goal is not to succeed but to identify and fix areas in need of improvement.)

Regardless of the type of incident, a complete Incident Response Plan should contain sections for:

  • Containment – Steps to stop the situation from getting worse.
  • Eradication – How to remove the problem or repair your systems.
  • Communications – Make sure you notify ALL audiences that need to be made aware.
  • Preservation – Protect the institution’s data and retain any evidence.
  • Recovery – Include steps to ensure the incident doesn’t happen again.
  • Lessons Learned – Document what occurred so you can show all audiences, internal and external as appropriate, how you turned the incident into a positive.
  • Testing and Updates – Ensure the Plan doesn’t get dusty!

You expect your fire department, hospital staff, and airline pilots to stay current and proficient in responding to unexpected events.  Your customers expect your institution to have a similar level of preparedness for responding to cybersecurity incidents.
