Incident response: What needs to be in a good policy

It's almost certain that your organization -- no matter its size or industry -- will at some point experience a cyberattack. As such, it's imperative that every company create and routinely test incident response policies to keep systems operating and reputations intact.

"Whenever there's a breach or an incident, the way that the organization responds is going to be judged critically by their customers, their peers, and their board," said Josh Zelonis, a senior analyst serving security and risk professionals at Forrester Research.

Special feature

Special report: A winning strategy for cybersecurity (free PDF)

This ebook, based on the latest ZDNet/TechRepublic special feature, offers a detailed look at how to build risk management policies to protect your critical digital assets.

Read now

In many cases, "organizations are caught flat-footed, and the consequence is that it moves very quickly from an impact on an IT system to a more meaningful impact to the organization, including reputational damage," said Matt Stamper, research director of risk and security management programs at Gartner, pointing to the Equifax breach.

Organizations need an incident response policy, and -- perhaps most importantly -- a number of playbooks that allow them to think through a variety of different incident scenarios, Stamper said.

Download now: Incident response policy (Tech Pro Research)

When employees work through an attack scenario, they realize that cybersecurity is not an issue that only impacts IT, but also human resources, vendor management, and lines of business, Stamper said.

"We do need to be engaged in the process," Stamper said. "Planning for it is better than reacting to it."

The most fundamental part of the policy is an organizational document that outlines what the plan will be, how it's going to be created and maintained, and who the key stakeholders are, Zelonis said. Incident response plans are often very high level, he added: Some of the best he's seen are only a couple of pages long. "It's almost a statement of how we're approaching this process," Zelonis said.

The document and language used should be simple to read under pressure, and focus on managing the consequences, rather than the causes, of an incident, according to a Gartner report.

Playbooks, on the other hand, are more granular, and describe in detail how to respond to specific threats like ransomware. "You usually have multiple playbooks and one overall incident response policy that governs how you will go, building the team and maintaining this body of work," Zelonis said.

A good incident response policy should include the following, according to Stamper:

• The lines of business in scope.
• Who is authorized to remove or contain a compromised system, and how doing so might impact the availability of a higher-level function.
• The response priorities in an organization. For example, an COO's goal may be to return a system to operational availability as soon as possible, while a legal counsel's goal may be to investigate and gain evidence. "Having those types of scenarios evaluated and fleshed out in a policy, or more appropriately in the documents that are related to that, your playbooks and your plan is really critical," Stamper said.
• The level of risk tolerance that is appropriate to the organization.

The policy should also detail at what point an organization engages its legal counsel, its cyber insurance provider, and its public relations (PR) team to handle messaging, Zelonis said.

"As we've seen, particularly in the last year with Equifax, the C-level drops when you have bad PR around a breach," Zelonis said. "It escalates a bad situation out of control, and people will have to lose their jobs."

These plans are often created by a CISO or chief risk officer, Zelonis said. But legal counsel should also be involved in the creation of the policy, especially with GDPR and other regulations looming, he added.

"As soon as you realize that an incident needs to be escalated, the people who should be running things are actually attorneys," Zelonis said. "Whatever region or country that you're in, you need to have specific legal expertise in that area."

SEE: Security awareness and training policy (Tech Pro Research)

While most organizations have an incident response plan, those plans are often never tested, Stamper said. He recommends doing tabletop exercises to have employees work through the process, and evaluate its strengths and weaknesses.

"When you're dealing with a security incident, there's this inherent asymmetry: I don't know what the attacker is after, I don't know how much my environment has necessarily been compromised yet. I'm in this kind of very acute, highly reactive environment. I don't know if I'm authorized to make this decision, or the impacts of all of the sudden the news reporting the fact that a critical business unit has been compromised and we're not prepared for it," Stamper said. "You want to get as much of that muscle memory in learning accomplished in a safer exercise, like a tabletop, sooner rather than later."

Running real-world drills beyond tabletop is also a good way to test your incident response plan, according to Bruce Beam, director of infrastructure and security at the nonprofit (ISC)². This way, you implement your crisis action team and go through the full process of an attack, he said.

One way to do this is by hiring a third-party vendor to oversee running the drill, to avoid internal bias and create a report that can be used for later assessment. "You work with them to come up with a realistic scenario that's actually something that you've seen in the news or something that would have a real true impact," Beam said. "Then you take this scenario up to upper management, ensure that they're okay with looking at critical times to exercise this."

For example, this might involve injecting the system with a containable, known malware, and include prompts to ensure that HR, PR, and legal teams are all involved in the process so they can see it from beginning to end. Ultimately, you want to critique and realign your processes and policies to correct any deficiencies, Beam said.

Ideally, an organization's plan should be tested on a quarterly basis, Stamper said, even in an informal tabletop exercise within a small group or department.

While many companies do have a policy, they often don't have top-level buy-in, or it is not used appropriately, Beam said. To fix this, companies need to invest in their security personnel, to make sure they are able to brief executives and board members on risks and responses.

"It's very important that a company has someone in that position that can articulate from the senior level down to the security team and ensure that everything's being captured in the proper way and reported back up and down as necessary," Beam said.

Also see

• 27 ways to reduce insider security threats (free PDF) (TechRepublic)
• Cybersecurity report card: Why too many companies are graded 'could do better' (ZDNet)
• Ransomware: A cheat sheet for professionals (TechRepublic)
• Video: How IBM's new Watson cybersecurity solution can drastically speed up incident response (ZDNet)
• 88% of employees have no clue about their organization's IT security policies (TechRepublic)