A plan to respond to a cyber security incident.
Understanding the need for a plan
How to create a plan
How to document it
How to implement the plan.
How to test it
The response should be methodical and documented.
If it is not, evidence can be missed, lost or destroyed.
There are many different resources to draw from, so you must determine which best suits your company or business.
CSC 19: Incident Response and Management

| Family | Control | Description | Foundational |
|---|---|---|---|
| Application | 19.1 | Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling. | Y |
| Application | 19.2 | Assign job titles and duties for handling computer and network incidents to specific individuals. | Y |
| Application | 19.3 | Define management personnel who will support the incident handling process by acting in key decision-making roles. | Y |
| Application | 19.4 | Devise organisation-wide standards for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting should also include notifying the appropriate Community Emergency Response Team in accordance with all legal or regulatory requirements for involving that organisation in computer incidents. | Y |
| Application | 19.5 | Assemble and maintain information on third-party contact information to be used to report a security incident (e.g., maintain an email address of email@example.com or have a web page https://organisation.com/security). | Y |
| Application | 19.6 | Publish information for all personnel, including employees and contractors, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities. | Y |
| Application | 19.7 | Conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team. | Y |
Preparation:
- In-depth preparation, before any incident occurs
Detection and Analysis:
- Identify attack vectors
- Identify signs of attack, so that they can be recognised and responded to
Containment, Eradication & Recovery:
- Develop a containment strategy
- Identify the types of threats/attacks being dealt with
- Craft a good recovery plan
Post-Incident Activity:
- Learn from the incident and feed the lessons back into the plan
Preparation:
Considered by many to be the most important step, but it is often overlooked.
Requires the following items:
Includes the following:
Detection and Analysis:
This step can be extremely long or very short.
Much depends on the preparation done beforehand and on the type of incident.
It is usually handled by an on-site team, but external consultants may be brought in to assist.
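The Detection and Analysis phase above says to identify attack vectors and signs of attack so that they can be responded to. The following added example (not code from the original page) shows what that looks like in practice for one common vector: it runs a brute-force rule over SSH authentication log lines and produces an indicator record a responder can act on. The log lines are constructed samples, the year, failure threshold and time window are assumed values that a real plan would set per organisation, and the `find_indicators` function name is my own.

```python
"""Spot signs of attack in SSH authentication logs.

Added example for the Detection and Analysis phase; not from the original
page. The log lines are constructed sshd/syslog-style samples, and the
year, threshold and window are assumptions a real plan would set.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real capture). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
Jan 12 03:14:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Jan 12 03:14:03 web1 sshd[2212]: Failed password for invalid user oracle from 203.0.113.7 port 50114 ssh2
Jan 12 03:14:05 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 50116 ssh2
Jan 12 03:14:08 web1 sshd[2214]: Failed password for deploy from 203.0.113.7 port 50118 ssh2
Jan 12 03:14:11 web1 sshd[2215]: Failed password for deploy from 203.0.113.7 port 50120 ssh2
Jan 12 03:14:20 web1 sshd[2216]: Accepted password for deploy from 203.0.113.7 port 50122 ssh2
Jan 12 03:30:44 web1 sshd[2301]: Failed password for alice from 198.51.100.12 port 40100 ssh2
Jan 12 03:30:51 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.12 port 40102 ssh2
Jan 12 04:02:10 web1 sshd[2400]: Accepted publickey for bob from 198.51.100.30 port 41000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
LOG_YEAR = 2024             # syslog lines carry no year; assumed here
FAIL_THRESHOLD = 5          # assumed: this many failures from one source
WINDOW = timedelta(minutes=5)  # assumed: inside this window counts as brute force


def parse_line(line):
    """Turn one sshd log line into an event dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def find_indicators(log_text):
    """Return one indicator per source IP that matches the brute-force rule.

    A success from the same source after the failures began is flagged as a
    likely compromised account, which is the vector the responder must act on.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    indicators = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        # Sliding window: any FAIL_THRESHOLD failures inside WINDOW trips the rule.
        for i in range(len(fails) - FAIL_THRESHOLD + 1):
            if fails[i + FAIL_THRESHOLD - 1]["ts"] - fails[i]["ts"] <= WINDOW:
                first_fail = fails[i]["ts"]
                later_ok = [e for e in evs
                            if e["result"] == "Accepted" and e["ts"] >= first_fail]
                compromised = sorted({e["user"] for e in later_ok})
                indicators.append({
                    "src": src,
                    "first_seen": fails[i]["ts"].isoformat(),
                    "last_seen": evs[-1]["ts"].isoformat(),
                    "attempts": len(fails),
                    "targeted_users": sorted({e["user"] for e in fails}),
                    "compromised_users": compromised,
                    "severity": "high" if compromised else "medium",
                })
                break
    return indicators


if __name__ == "__main__":
    for ind in find_indicators(SAMPLE_LOG):
        print(ind)
```

The rule deliberately keys on the source address rather than the username, because password-spraying attackers rotate usernames; a second rule keyed on the account would catch slow attacks spread over many sources. Whatever the rule, the output record (source, window, targeted and compromised accounts) is exactly the information the reporting standard in CSC 19.4 says an incident notification should carry.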
Containment, Eradication & Recovery:
Containment provides control of the problem.
Containment encompasses evidence collection (collect it before it is lost or destroyed).
Containment ensures the intruder is either expelled from the environment or restrained.
Think "Stop the bleeding!"
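Containment encompasses evidence collection, and the earlier point that an undocumented response lets evidence be missed, lost or destroyed is where a hash-and-manifest routine earns its keep. The added example below (my own code, not from the original page) hashes each artifact at seizure time, records who collected it and when, and can later prove whether an artifact was altered. The artifact files, case identifier and collector name are constructed for the demonstration.

```python
"""Preserve evidence during containment with hashes and a custody record.

Added example for the Containment step; not code from the original page.
The artifact files are created in a temporary directory purely for the
demonstration, and the case id and collector name are assumed values.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect(path, collector, case_id, note=""):
    """Record an artifact at seizure time: hash first, so later analysis can be
    shown to have worked on an unmodified copy, plus who took it and when."""
    st = os.stat(path)
    return {
        "case_id": case_id,
        "path": os.path.abspath(path),
        "size": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sha256": sha256_of(path),
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }


def write_manifest(entries, manifest_path):
    """Write the custody record and return its own hash, so the record itself
    can be checked against the copy kept in the case file."""
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump({"entries": entries}, f, indent=2, sort_keys=True)
    return sha256_of(manifest_path)


def verify(manifest_path):
    """Re-hash every artifact; return the paths whose contents no longer match
    the hash taken at collection time (missing files count as mismatches)."""
    with open(manifest_path, encoding="utf-8") as f:
        entries = json.load(f)["entries"]
    return [e["path"] for e in entries
            if not os.path.exists(e["path"]) or sha256_of(e["path"]) != e["sha256"]]


def demo():
    """Constructed scenario: seize two files, then simulate one being altered."""
    work = tempfile.mkdtemp(prefix="ir-evidence-")
    auth_log = os.path.join(work, "auth.log")
    cron = os.path.join(work, "crontab.bak")
    with open(auth_log, "w") as f:
        f.write("Jan 12 03:14:20 web1 sshd[2216]: Accepted password for deploy "
                "from 203.0.113.7 port 50122 ssh2\n")
    with open(cron, "w") as f:
        f.write("*/5 * * * * /tmp/.x/update.sh\n")  # constructed suspicious entry

    entries = [collect(auth_log, "j.doe", "IR-2024-0007", "sshd log from web1"),
               collect(cron, "j.doe", "IR-2024-0007", "suspicious crontab from web1")]
    manifest = os.path.join(work, "manifest.json")
    manifest_hash = write_manifest(entries, manifest)

    clean = verify(manifest)            # nothing touched yet: []
    with open(cron, "a") as f:          # an admin "tidies up" the crontab
        f.write("# removed\n")
    tampered = verify(manifest)         # the altered file is now reported
    return {"manifest_sha256": manifest_hash, "clean": clean,
            "tampered": tampered, "cron_path": os.path.abspath(cron)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing before copying, analysing or even opening the artifact in an editor is the point: a hash taken after the fact proves nothing. Keep the manifest and its hash with the case record, not on the compromised host, and have the collector named in the manifest be the person who actually took the file.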
Post-Incident Activity:
This, too, is an often overlooked or neglected step.
It involves learning from the incident:
- Improving the overall security posture of your organisation
- Improving the response effort for future incidents
Based on the information provided, we believe that your personal information may have been impacted by this incident.
Click the button below to continue your enrollment in TrustedID Premier.
For more information visit the FAQ page.