Best Practices for an Effective Incident Response Strategy

 

We’ve answered to the most frequently asked questions to help organizations develop an effective incident response strategy that reflects best practices, is aligned with their overall cybersecurity strategy and helps them deal with security incidents effectively.

 

7 Frequently Asked Questions about Incident Response:

1. Why is it important to have an incident response function in place?
2. What do I need to consider when developing an incident response plan?
3. Which roles and responsibilities should my incident response team include?
4. How can I convince my boss to invest in an incident response strategy?
5. Who do I have to notify in case of a data breach?
6. What are the lessons learned sessions and why are they important?
7. Which questions do I need to address in a lessons learned session?

 

 

1. Why is it important to have an incident response function in place?

Related Post: The 5 Benefits of an Incident Response Plan

 

In today’s digitalized business environment, it comes as no surprise that cyberthreats are frequently cited as the single biggest threat to businesses. For a business strategy to be effective, it should include a comprehensive cybersecurity and incident response strategy to help businesses:

• know how to handle cybersecurity incidents,
• minimize the incidents’ impact when they occur, and
• strengthen their defenses against future incidents.

For one, an incident response function can help organization be better prepared to face security incidents with confidence and a clear action place (instead of operating in a messy state of panic). It can provide answers to who should take care of what, guidelines for communication with internal and external stakeholders, and concrete steps that need to be taken to stop the bleeding.

In addition, an incident response function can help mitigate the extent of the damage that a security incident may incur. A clearly-articulated incident response plan with concrete mitigation and remediation steps can help organizations deal with detrimental consequences such as operational downtime, financial losses, reputational damage, customer churn etc.

 

2. What do I need to consider when developing an incident response plan?

Related Post: Best Practices for Building an Incident Response Plan

Although incident response planning may seem like a daunting task, there are a couple of key considerations you should keep in mind to facilitate drafting (or updating) your incident response plan.

• Document your incident response strategy in writing. Talking about what to do in case of an incident is a great starting point but won’t be of much use in the heat of the moment. Make sure to spell out the entire incident handling process, document it and share it with all relevant stakeholders.
• Test your incident response plan. The only way to develop a foolproof incident response plan is to test it with a simulated exercise, which can help validate your process, uncover shortcomings and identify possibilities for improvement.
• Review your incident response plan regularly. Remember that your plan is not set in stone and is meant to adapt to your business context, threat landscape and risk appetite. Include at least annual reviews in your overall cybersecurity strategy to maintain an incident response plan that withstands the test of time.
• Set up an incident response team. An incident response practice can only be successful if the appropriate team is in place to handle the incident with distinct roles and responsibilities. The setup of your team will vary depending on the size, risk exposure and data assets of your organization.

 

3. Which roles and responsibilities should my incident response team include?

A well-functioning incident response team should include at least three distinct functions:

1. A Computer Security Incident Response Team (CSIRT), which in itself should include several team members:
   • A Manager, who is responsible for the overall coordination of the team, reports to management and reviews and validates incident response-related documentation. The Manager should have excellent communication and people management skills, know the overall business and IT processes and show resilience to stress-intensive situations.
   • A Technical Lead, who is responsible for overseeing and assigning the overall technical work in relation to cyberthreats and incident response procedures. The Technical Lead should have excellent technical expertise, people management skills as well as the ability to keep calm in hectic situations.
   • A variety of additional team members, who are responsible for performing incident response activities, detecting intrusions, issuing recommendations about the latest vulnerabilities and threats and taking care of any technical work that is required after an incident occurs. These team members should have excellent technical skills, should be specialized in specific areas such as network intrusion detection, malware analysis or forensics, and posses problem-solving abilities with a high stress tolerance.
2. A Legal Expert, who consults the organization’s decisionmakers about legal requirements, preferred practices and possible consequences in terms of data breach notification, incident response and law enforcement. The Legal Expert will have a deep understanding of the organization’s legal standing and related regulatory frameworks to minimize the legal impact of a security incident as much as possible.
3. A Public Relations/ Communications Expert, who will act as a main point of contact between the organization and the media, the general public, shareholders and employees. The PR/Communications Expert should enforce timely and impactful communications and deal with any media enquiries to protect the organization’s reputation following an incident.

Each of these three functions will help contribute to an incident response team that is effective, efficient and addresses security incidents strategically.

 

4. How can I convince my boss to invest in an incident response strategy?

Regardless of your organizational hierarchy and decision-making structure, you will most probably need to convince your boss of your incident response strategy and get budgetary approval for your projects.

To get the buy-in you need to implement your incident response strategy, make sure to:

• get to know your stakeholders,
• bring concrete examples of how your cybersecurity strategy can make a real impact and bring demonstratable ROI,
• drop the technical lingo and
• align your cybersecurity strategy proposal with the overall business strategy.

If your boss comprehends how exactly your cybersecurity strategy can benefit the business and supports overall priorities at the same time, you will be well on the way to bringing your point across.

 

5. Who do I have to notify in case of a data breach?

It depends. Organizations are subject to different jurisdictions and data breach notification standards, depending on where they operate and how they deal with data processing and behavior monitoring in general.

Here are a couple of data breach notification examples:

1. In Canada, organizations are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Digital Privacy Act. For private Canadian organizations, breach reporting remains voluntary in principle or at least until the new dispositions from the Digital Privacy Act come into effect. Federal agencies, however, must notify individuals according to a set of predefined guidelines.
2. The General Data Protection Regulation (GDPR) applies to organizations within the European Union (EU) as well as to organizations outside of the EU who process data from EU residents. GDPR requires data breach notification to the responsible national supervisory authorities without undue delay, that is not later than 72 hours after awareness of the incident.
3. In the United States, there are currently 47 different data breach notification statutes that organizations in different States need to adhere to. This may sound confusing (we get it!), but luckily most of these legislations only differ in minor ways such as the terms of data breach notification timing and content.

Of course, there is a variety of other data protection legislation around the world. To facilitate compliance and hefty fines, make sure to identify which data protection laws your organization is subject to and act accordingly. A privacy compliance program can bring clarity and help organizations define and evaluate all their privacy obligations (such as GDPR, PIPEDA, …) under one holistic approach.

 

6. What are the lessons learned sessions and why are they important?

Related Post: Lessons Learned – The Unsung Hero of the Incident Response Planning Process

 

Lessons learned sessions are an extremely important element of an effective incident response practice. The Project Management Institute (PMI) defines them as “the learning gained from the process of performing the project”, and the SANS Institute lists them as one of the 6 critical stages of the overall Incident Response Process.

They are conducted after a security incident and regroup all parties involved in the incident handling process to facilitate the recurrence of what went well and help prevent what didn’t go well.

Lessons learned sessions are meant to help organizations:

• Evaluate their current incident handling capabilities
• Expose potential challenges that occurred
• Improve their incident handling capabilities going forward
• Recognize good performance and praise exemplary behavior
• Retain organizational knowledge for future incidents
• Foster open communication and a sense of collaboration between different team members

7. Which questions do I need to address in a lessons learned session?

Each lessons learned session will be different and depends on the nature of your organization, the scale and scope of the security incident as well as its impact on your operations, customer relations, reputation and financial standing.

At minimum, you should address these questions during your lessons learned session:

• What exactly happened during the security incident? Please describe the exact timeline of events in as much detail as possible.
• What are the documented procedures for incident response, and where are they stored?
• If you have procedures in place, were they followed or not? If not, how can you amend your incident response procedures to avoid any mishaps in the future?
• On a scale from 1 to 10, how well did you handle the incident?
• Were there any hiccups in the incident handling process? If so, what were they and how can this be fixed?
• Did all responsible parties act appropriately? If not, what can be improved?
• Did we communicate the necessary amount of information about the incident to the appropriate channels? Were communications timely? If not, how can this be improved?
• What are we lacking to help us improve our incident response capabilities going forward?

Before organizing a lessons learned session, make sure to develop a clear meeting agenda and identify all necessary stakeholders to retain as much incident response knowledge as possible. Also, concrete action items have to be established, different roles and responsibilities must be defined and concrete dates for follow-ups should be agreed upon.

 

Do you need help building your own incident response practice? We’ve created an incident response strategy checklist to provide you with guidance on what needs to be considered to implement an effective incident response strategy that is aligned with your business context and overall objectives.