The incident response plan you never knew you had
Instead of reinventing the wheel why not leverage the existing business continuity plan (BCP) to build the computer incident response plan (CIRP) The business continuity plan in all likelihood is in place and may have some measure of review and exercise already. By leveraging important elements of the existing BCP and resources, the security team can jump start the CIRP and obtain a faster and more responsive organization.
[ ALSO ON CSO: Business continuity and disaster recovery planning: The basics ]
Here are five strategies to give you a head start in putting together your incident response plan by using built-in and existing components of the BCP.
1. Use the existing business recovery structure and organization
The existing BCP usually has a well laid out management and reporting structure that is to be activated during an outage. Rather than create a separate reporting and management structure for the CIRP, try and use the existing BCP structure where possible. In smaller to midsize organizations where leadership wears many hats it is quite possible that you will find 75 percent or greater overlap between the management response team for the CIRP and that of the BCP.
The leadership team that is usually pulled in for a business continuity incident will most likely consist of the same senior management that would be required to weigh in on a computer-related incident. I would combine the leadership team from both plans into a single leadership team that is common to both the business continuity and computer incident response plans. For example, in the event of a computer incident, the internal audit team will need to be in the loop but in a business continuity incident that may not be the case. On the other hand in a business continuity incident, the physical security team will definitely need to be in the loop but not necessarily on the audit team. However a common leadership team can include leaders from both the audit and physical security teams, who can be brought in as needed for the incident response.
2. Combine roles and responsibilities
The business recovery coordinator is the central figure around who rotates the response to a business outage. The incident response manager plays a similar role in the CIRP plan. In addition and oftentimes, the business continuity manager will be reporting into the information security team. Instead of having a separate coordinator for business continuity and another coordinator/manager for computer incident response, consider using the same role and business continuity person for both.
3. Reuse processes
The methods for triggering the response and the communication to the leadership team will also have much in common with each other. For example the role and process of the incident response manager, to triage and determine initial incident severity and escalate, can be similar in both the BCP and the CIRP.
4. Common contact information
The BCP usually has well defined call trees and organization hierarchies with contact information already identified. In many case this information is kept up-to-date. Leverage this information and reference this BCP contact information in the CIRP, rather than trying to maintain a separate and parallel system
5. Combining exercises
The BCP program usually has an annual exercise wherein either a table top simulation or an actual exercise is attempted. The usual scenarios are fire, power outages, earthquakes etc. Consider combining the annual BCP exercise with a CIRP exercise. This exercise can use a data breach related incident or a crypto-locker takedown as the exercise scenario. Using a computer-related incident sheds light to upper management on the importance of the computer related outage or breach and builds awareness that the scale of a computer-related incident can rival and surpass that of the traditional physical security outages.
The extent of the overlap between the business continuity plan and the computer incident response plan can vary widely. For some organizations it may be good business sense to combine the two entirely and have a single incident response plan. For others depending on regulatory environments, it might be better to still keep the two plans separate but combine elements where possible.
[ ALSO ON CSO: 10 tips to make sure you are ready when a disaster strikes ]
At the end of the day, the business continuity plan and the computer incident response plan both require that a manager be defined, a process for leadership decision making and communication be established and appropriate teams and resources be brought in for remediation and recovery. The onus in both cases is on speed of decision making and fast response. Having a single team that is trained and aware of their roles is far more efficient than multiple teams and documents which require additional overhead.