By: Mitchell H. Levine, CISA
Audit Serve, Inc.
This Incident Response Plan is comprised of a set of procedures on how to detect, respond to and recover from a significant security event. An Incident Response Team is established to carry out the major components of the respond and recover phases of the incident management life cycle.
There are two different approaches typically used to establish an Incident Response Plan (IRP). One approach is to establish procedures for monitoring all security incidents from various sources (e.g., firewall logs, IDS logs/notifications), which in most cases overlaps an organization’s security monitoring procedures. When using this approach, incidents are assigned risk levels, and various types of reporting and escalation are required based on the assigned risk level. The weakness of this IRP approach is that employees in the company are not made aware of the need to escalate the specific types of security incidents in which they themselves are the targets.
The other approach to establishing an IRP is to define a specific list of security incident types that require escalation to the Incident Response Team (IRT). Examples of specific incident types are (1) a USB drive containing unencrypted PII or sensitive corporate data that is lost or stolen, and (2) an employee who was subject to a specific type of social engineering attack, such as a phone pretexting attack in which the attacker tried to get the employee to divulge their password.
When using this type of Incident Response Plan approach, the Help Desk needs to be trained to properly triage incidents and identify the specific incident types that must be escalated to the IRT. The other component of this type of IRP is the method by which these incidents are escalated to the IRT. If an organization has deployed an Incident Management System, incident categories would be established in it for routing incidents to the IRT. The key component of this IRP approach is ensuring that all employees and contractors of the organization are made aware of the specific types of security incidents they should be escalating to the Help Desk.
Once incidents are escalated to the Incident Response Team, there needs to be a formal process for responding to these incidents to mitigate the damage and eventually recover from the incident. The Incident Response Team itself may not have the expertise to handle all of the escalated security incidents and will need to procure external resources. The Incident Response Team should perform an evaluation of its skill level as it relates to all possible categories of incidents, and then establish relationships with, and in many cases pre-establish a contract with (which may require a retainer), the external resources that will supplement the resources needed to respond to and recover from all security incident types.
Testing the Incident Response Plan is critical to ensure that a proper IRP has been established. Testing needs to go beyond a “tabletop” exercise in which the Help Desk and Incident Response Team hold a meeting to walk through the IRP. The testing of the IRP should include the testing of actual security incident types to determine whether the incident is properly triaged by the Help Desk and escalated to the Incident Response Team within the required timeframes. For example, if the list of security incidents requiring escalation includes a lost USB drive containing PII data, the test script would consist of having a user call the Help Desk to report a lost USB drive containing PII data and then determining whether the incident was routed to the Incident Response Team within the required timeframe.
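The triage-and-route logic described for the incident-type approach, together with the escalation-timeframe check that the test script above is meant to exercise, can be expressed as a small script run over an export from the Incident Management System. The code below is an added example written for this page, not Audit Serve's or the author's material; the incident category names, the escalation windows (1 hour and 4 hours), the CSV export format and the ticket records are all constructed assumptions used to make the example runnable.

```python
"""Triage routing and escalation-timeframe check for an incident-type-based IRP.

Added example. The category names, escalation windows, export layout and
ticket rows are assumptions constructed for illustration, not values from
the article or from any real incident management system.
"""
import csv
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List, Optional, Tuple

# Incident types the Help Desk must escalate to the IRT, each with the
# maximum time allowed between ticket open and routing to the IRT.
# (Assumed list and windows; the article gives the two incident types as
# examples but does not specify timeframes.)
ESCALATE_TO_IRT: Dict[str, timedelta] = {
    "lost_media_unencrypted_pii": timedelta(hours=1),
    "social_engineering_credential_request": timedelta(hours=4),
}


@dataclass
class Ticket:
    ticket_id: str
    category: str
    opened: datetime
    routed_to: Optional[str] = None
    routed_at: Optional[datetime] = None


# Constructed export from a hypothetical incident management system.
# T-1002 is routed to the IRT but outside its 4-hour window; T-1003 is an
# escalation-required type that was never routed at all.
SAMPLE_EXPORT = """\
ticket_id,category,opened,routed_to,routed_at
T-1001,lost_media_unencrypted_pii,2024-03-04T09:00:00,IRT,2024-03-04T09:40:00
T-1002,social_engineering_credential_request,2024-03-04T10:00:00,IRT,2024-03-04T15:30:00
T-1003,lost_media_unencrypted_pii,2024-03-04T11:00:00,,
T-1004,password_reset,2024-03-04T11:15:00,,
"""


def triage(category: str) -> Tuple[str, Optional[timedelta]]:
    """Help Desk triage rule: return ("IRT", window) for escalation-required
    categories, otherwise ("HELP_DESK", None) for normal Help Desk handling."""
    window = ESCALATE_TO_IRT.get(category)
    if window is None:
        return "HELP_DESK", None
    return "IRT", window


def parse_export(text: str) -> List[Ticket]:
    """Parse the CSV export into Ticket records; empty routing fields mean
    the ticket was never routed to anyone."""
    tickets = []
    for row in csv.DictReader(StringIO(text)):
        tickets.append(Ticket(
            ticket_id=row["ticket_id"],
            category=row["category"],
            opened=datetime.fromisoformat(row["opened"]),
            routed_to=row["routed_to"] or None,
            routed_at=datetime.fromisoformat(row["routed_at"]) if row["routed_at"] else None,
        ))
    return tickets


def check_escalation(ticket: Ticket) -> str:
    """Classify one ticket against the IRP:
    not_required  - category is handled by the Help Desk alone
    not_escalated - category requires the IRT but was never routed there
    late          - routed to the IRT, but after the allowed window
    ok            - routed to the IRT within the allowed window"""
    route, window = triage(ticket.category)
    if route != "IRT":
        return "not_required"
    if ticket.routed_to != "IRT" or ticket.routed_at is None:
        return "not_escalated"
    if ticket.routed_at - ticket.opened <= window:
        return "ok"
    return "late"


def run_test_script(export_text: str) -> Dict[str, str]:
    """Evaluate every ticket in an export; the result is the evidence an
    auditor would review after the IRP test described in the article."""
    return {t.ticket_id: check_escalation(t) for t in parse_export(export_text)}


if __name__ == "__main__":
    for ticket_id, outcome in run_test_script(SAMPLE_EXPORT).items():
        print(f"{ticket_id}: {outcome}")
```

Only "ok" outcomes pass the test; "not_escalated" points to a triage or awareness failure at the Help Desk, while "late" points to a routing or staffing problem between the Help Desk and the IRT, which is the distinction the test script is meant to surface.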
The review of the Incident Response Plan could be covered as part of an IT Governance, IT General Controls, Help Desk or Disaster Recovery audit.