• United States



by David Geer

Reviewing incident response plans for data risk preparedness

Mar 08, 20166 mins
Disaster RecoveryDLP SoftwareSecurity

Don’t let holes in your incident response plan review open gaping vulnerabilities in how you act on security events.

Incident response plan reviews are growing in importance with the rapidly increasing numbers and types of information security incidents that enterprises must face. The enterprise must approach these reviews with a view toward effective event response.

Yet more than one-quarter of IR professionals (26 percent) are dissatisfied with their current organization’s IR capabilities, calling them ineffective, according to a SANS Institute survey on the state of IR. After initial plan creation, the review is the opportunity to correct that ineffectiveness.

Where To Look For New Information Risks

The point of reviewing an incident response (IR) plan is to ensure that it still addresses the real risks that an enterprise faces. In order to update an IR plan to include new risks, an organization must have ample resources that provide an awareness of at least the moderate to high risks. These are the risks that are most likely to result in damage.

Some of the best resources are records of recent events involving data breaches, and, according to M. Scott Koller, counsel at BakerHostetler, the use of tabletop exercises. Tabletop exercises can show an enterprise how it is not prepared.

[ MORE IN THIS SERIES: Why you need more than daily practice to be good at incident response | How to review and test backup procedures to ensure data restoration ]

The Baker Hostetler Data Privacy Monitor blog, DataLossDB, the data breach section of the Privacy Rights Clearinghouse, Data Breach Watch, data breach search results on Statista, and the Office of Inadequate Security are all good resources for reports of data breaches. With these the enterprise can begin to approach a broader list of information risks that may affect the organization.

Enterprise IRTs must know the organization’s data types, purposes, and value as well as the data’s current and potential locations and the paths between those in order to know what risks really apply to their enterprise information.

Tabletop exercises, which CSO will cover in another installment in this series, help to identify risks particular to the organization that published breach reports might not uncover.

Maintaining a flexible IR playbook

With so many new and existing risks on the record and so many coming down the pipe, an incident response plan should include instructions that take the response team from one course of action to the next, adapting to any incident that occurs. “It should be a flexible playbook, flexible enough to help guide the incident response team (IRT) through most incidents, including potentially unforeseen events,” says Koller. 

Various government entities publish sample IR plans. Examples include a plan from the California Department of Technology and a plan from the Oregon Enterprise Security Office.  

The density of the details in the step-by-step instructions in an IR plan should fit the expanse and manifold nuances of the organization and data that it defends. A simple organization could best benefit from a simple plan. A larger, more involved enterprise could require new components and instructions in the IR plan for each additional element of concern to the business. Regulations will almost certainly magnify enterprise complexity and the complexity of the IR plan. “Healthcare companies need to include procedures for conducting a breach risk assessment pursuant to HIPAA regulations,” says Koller.

M. Scott Koller, Counsel, BakerHostetler

Response procedures contained or referred to in IR plan instructions should be living organisms that mutate to adapt to new ways in which a company functions. “Procedures need to be updated when they do not provide sufficient guidance to staff on how to handle certain situations,” says Koller. 

No amount of reviewing IR plans or testing potential event scenarios using tabletop exercises can prepare an IRT for every potential information security event. “This is why the IR plan should be flexible in its approach,” says Koller. There will be times when the IRT will have to think and act quickly in ways that mimic or correlate with the logic of an established plan even though the plan does not directly address the current crisis.

Factors affecting the incident response plan

Laws and regulations are important external factors that can reshape components of an IR plan. Each year, state and federal government agencies can publish and enforce new regulations pertaining to data breaches, particularly those that outline how and how soon an enterprise or organization must notify affected parties of data breaches. States can edit laws, adding new types of personally identifiable information (PII). “This past year, several states amended their statutes to include usernames and passwords that would permit access to an online account,” says Koller. Breaches affecting those states can now require notification, even where only usernames and passwords are compromised.

Changes in personnel can rob the IRT of valuable information and necessitate changes to contact information. When even one member of the incident response team moves within or out of the company or even so much as changes their contact data, their absence can become a weak link in the chain of communication and knowledge resources supporting incident response. “Whenever someone leaves or is promoted, they take a lot of institutional knowledge with them. Something as simple as a new cell phone number can throw a monkey wrench into the response time for an organization,” says Koller.

[ ALSO: Business continuity and disaster recovery planning: The basics ]

The contact information should be checked annually, ideally during the annual tabletop exercise. In addition, members of the IRT should be aware of the need to communicate changes to their contact information to the rest of the IRT. The IR team should ensure that contact information for all team members and affected parties is current. “Contact information should include outside resources, such as your Breach Counsel,” says Koller. 

New products, systems, and relationships can enable improved support for the IR plan. “New products and systems provide additional safeguards, means of detection, or ways in which an organization can reduce its risk profile,” says Koller. 

By updating risks that apply to the given business, updating the IR plan and ensuring its flexibility, and testing it with tabletop exercises, an IRT can increase its confidence in the response when the time comes.