Cybersecurity Incident Response Plan - Preparation

A Cybersecurity Incident Response Plan (CIRP) is a required tool in the organization’s cybersecurity arsenal.  What I have seen during my assessments is that the document exists, but a major portion of Incident Response is missing.  That would be Preparation.

For the CIRP to be successful, Preparation is key, yet we do not provide enough dedicated time and/or resources to this aspect of the CIRP.

Your CIRP must be based on a current asset inventory.  If you are not aware of the assets that need to be protected, you cannot protect them or properly respond to an incident involving them.

Current and accurate inventory is a subjective status.  For the purposes of this subject, current is when the asset list reflects the actual list of assets.  Maintaining current inventories requires an effective change management program.

Change management must enforce a current asset inventory: any time an asset is added, changed, or deleted, change management must require that the asset list be updated to reflect that change.  Otherwise, CIRP activities can again be negatively impacted.

Patch management is also required as an element of CIRT preparation.  If we do not keep operating systems and other software components current, we are not maintaining the hardening of the asset.

Vulnerability scanning (internal and external) on a monthly basis ensures that known security faults are at least identified and can be remediated.

Penetration tests (internal and external) on a six-month basis are prudent, since they validate that the hardening of our environment holds up against hostile forces.

We must also harden each asset by removing unnecessary services and access capabilities, and by changing default account credentials wherever possible.

User access must be reviewed on a consistent basis to ensure that the creation, modification, and deletion of access are performed as expected, and that removal of access is performed consistently and in a timely manner.

Users must be trained and made aware of how they are the strongest barrier as well as the weakest link when it comes to cybersecurity.  They must know how to recognize and respond to an event and how to report it to the proper personnel.

Log management is another aspect of CIRP preparation.  If logs are not set up and operational prior to an event, we will not be able to perform appropriate forensic activities.

Who are our forensic experts?  The Legal department should contract with outside counsel to pre-retain forensic experts so that their activities can be protected by attorney-client privilege, to the extent provided by law.

This is an aspect of the communications plan.  Who are you going to call (internal and external) to determine if an event is an incident, and then to activate the CIRP and CIRT?

All members of the CIRT should be aware of their specific roles.  Current email addresses, phone numbers, and designated alternates must be part of the CIRP, which is reviewed on at least a monthly basis.

When does an event become an incident?  What are the appropriate responses?

Table-top testing helps answer the questions above: you determine applicable scenarios based upon the asset base, formulate appropriate responses, and test them.  There is no such thing as a failed test.

What is the response to a successful ransomware incident?  Do you pay or not?  Are immutable backups available in order to say you will not pay?  Has a rebuild of the environment been envisioned and tested?

Do you have appropriate cybersecurity insurance?  When will your insurance company provide you with funds?  Do you have enough funds to keep your business afloat until then?  How much money do you need to have to stay afloat for 30 business days?

Has someone been appointed the public relations liaison, and have all employees been informed who that person is and that employees are not authorized to talk about ANY aspect of the situation?

CIRP preparation is essential and the items above are not an exhaustive list.  Get started preparing and determine what is missing from the above list.  Oh, and let me know so I can amend this list.  Thank you.

Constance (Connie) Balodimos

Sr. Director, Corporate Security, IT Security and GRC

Wonderful article! Thanks
