Answer at least one of the following questions:
You’ve been hired as a consultant by an organization not due to a breach, but because their regulator documented a finding that the organization must redefine their Incident Response Program.
- How do you garner support for this effort if the organization disagrees with the regulator’s finding?
- What would your project plan look like if you must correct this finding prior to the next annual audit?
Kelly Sharadin says
My project plan for restructuring an incident response program would include addressing the following: people, processes, and tools. First, I would identify and assign team members responsible for responding to cyber incidents. An incident response team is composed of key members from various business units, including security operations, information technology, communications, and legal. An incident response plan (IRP) would formalize procedures and responsibility into a repeatable process. Once incident response roles and duties have been assigned, I would ensure the proper tooling is in place to respond to cyber incidents, such as ensuring logs are forwarded into a centralized location like a SIEM and forensic tools to capture memory for analysis. Once the above has been implemented, I would conduct a tabletop exercise to test the success of the incident response team and plan in a mock incident.
Mohammed Syed says
Agree, the incident response team should maintain essential items every time. For example, information on outside agencies and resources to report to, the outline of roles and responsibilities, PC information, and forensic expert contact information.
Shubham Patil says
Kelly,
I like the idea of a tabletop exercise; they are very impactful because they require bringing together the DR team in the same room. It can happen at an executive level (e.g., C-suite) or at a team level (e.g., SOC), or anywhere in between. The idea is usually to test out procedures and ensure they actually do what they’re intended to and that everyone knows their role in responding to a disaster.
Mitchell Dulaney says
Hi Kelly, I appreciate that you included “people” as one of your three factors for restructuring the incident response program. Oftentimes technology professionals focus on processes and tools when the human element is usually the most critical to success!
Shubham Patil says
To correct the finding, I would start with reviewing procedures documented in runbooks, which are step-by-step scripts developed to deal with incidents that are either common enough or damaging enough to require this level of detailed documentation. Before making changes to the IRP and IMP, I will review the incident classification criteria, which allow prioritizing IR assets and usually consider the impact and type of the incident, and the urgency with which the response must be started. The next step would be to review all seven phases of incident management: detection, response, mitigation, reporting, recovery, remediation, and lessons learned. I’ll make sure that stakeholders are informed. Just like any other complex endeavor, I’ll leverage structured approaches to ensure that all required tasks are performed, and that they are done consistently and in the right order before the next annual audit.
Mohammed Syed says
Agree. Also, incident management includes proactive and reactive processes, because measures need to be put into place so that incidents can be prevented or made unsuccessful, and detected quickly so that the incidents are dealt with properly.
Antonio Cozza says
I had a similar thought process, Shubham; adding in runbooks is a good idea to use for references. Using a framework for a large overhaul like this definitely adds good structure, which always helps when trying to take on such a large task with many considerations that must be taken into account.
Mohammed Syed says
First, we need to understand the organization’s incident response procedure deeply before finalizing any decision: clearly study the organization’s business services, security infrastructure, and the critical elements of the business, then check the existing incident response program, which is defined by what we garner; then we will be capable of seeing what is right or wrong in that incident response plan. If any possible attack would have a heavy impact on the organization’s business continuity, then that point needs to be redefined, the possible losses due to those potential threats defined, and a new updated report created on that basis to clarify the likely impact on the organization’s businesses, financial health, business services, business customers, and other elements.
After redefining the incident response program, explain the possible threats to high-level business management: the cause of those possible threats, what can happen to business continuity operations, and how much damage they can do if we face that type of threat. If we are not ready, what will be lost, and how can it be protected? After full clarification, it is easy to convince an organization to refine the incident response program.
Shubham Patil says
Mohammed,
Good points! The response strategy should be based on the category of the attack (e.g., internal or external), the assets affected by the incident, and the criticality of those assets. The important thing is to keep management updated, as they are the ones who will be making the big decisions and getting the IRP approved.
Antonio Cozza says
I interpreted this question with the same initial approach. I think it might be worthwhile observing what is currently in play and comparing it against leading practices to try to make note of any concerning gaps that need to be filled to achieve compliance with the regulator, instead of re-inventing the wheel. At the end, making sure the plan is actionable by testing its efficacy will surely be beneficial and give insight into any previously unidentified gaps, which can turn this into a cyclical improvement process.
Kelly Sharadin says
Hi,
Your approach is correct, as an IRP serves as both a strategic and tactical guide in the event of a cyber attack. I believe that by prioritizing which critical systems are most likely to experience a severe outage, as you have stated, the organization is better equipped to contain, remediate and recover its core business services in a way that is repeatable.
Kelly
Tal Eidenzon says
You’ve been hired as a consultant by an organization not due to a breach, but because their regulator documented a finding that the organization must redefine their Incident Response Program.
- How do you garner support for this effort if the organization disagrees with the regulator’s finding?
Garnering support is often a difficult task, especially when you are a consultant, and even more so when you were brought in due to regulatory reasons. A primary pushback rhetoric could be pointing out that the current system has been working fine, and no breaches have occurred to date.
I would try to frame my presence as a way that the security team could, should they cooperate, request an increase to their yearly budget as well as add full-time positions to their team. This outcome would be a win-win, as policies and compliance would be improved, and the security team would be better equipped and staffed to further improve the organization’s security posture.
Thanks,
Tal
Shubham Patil says
Tal,
Interesting perspective. Convincing management to increase the budget is not easy, but again, it’s important to have such conversations to improve the security posture and to have a robust IRP.
Antonio Cozza says
This would likely be an uphill battle for the obvious reasons; however, it is still worth trying. If accepted, it certainly would offer greater benefit and allow for quicker progress in achieving compliance, assuming the organization is able to find adequately skilled personnel in the face of the roughly 700k-person deficit of cybersecurity professionals.
Tal Eidenzon says
Hi Antonio,
It is a scary statistic that such a deficit exists…
And looking into the future, it looks like the deficit will only grow.
Two sided coin for us.
Thanks,
Tal
Kelly Sharadin says
Hi,
I would echo Shubham here: often it’s not an IR overhaul in and of itself that will gain the security department more budget, but rather a risk assessment or, worse, an incident. However, I have seen some scenarios where a tabletop exercise with the right stakeholders (executives and budget makers) can help expose potential weaknesses or obstacles the security team is facing and helps put those budget increases into context for decision makers.
Kelly
Vraj Patel says
Hello Tal,
That sure was a great recommendation. I do agree that the organization would have to increase their budget to improve their incident response program. Also, having more individuals within the team would bring more experience to that team. As such, if some of the processes are not working effectively, then someone new within the team could identify and assist with updating that process.
Tal Eidenzon says
Hi Vraj,
It is a hard battle to fight to get more funding, but using unfavorable results from an audit as well as regulations can help in the fight.
Thanks,
Tal
Mitchell Dulaney says
Hey Tal, everyone likes when their department has a larger budget, so I like your plan to frame your presence as a method of increasing resources for the security team. Great idea!
Antonio Cozza says
To reconstruct the incident response plan would be quite an involved process with many various concerns to address. The first thing that should be done is to review the current incident response plan and address key missing items – processes and strategies that are currently considered best-practice considerations to be involved in the incident response process. It would likely be more complex to reinvent the entire strategy, unless it is fundamentally flawed or realistically not actionable, and so for the time being it might be more effective to identify any major gaps relative to an up-to-date incident response plan comprised of leading practices. At a high level, I would ensure that all major steps of the IRP are present, from detection through lessons learned, ensure that the personnel responsible for these tasks in the incident response team have sufficient training, and ensure that the entire plan upon reconstruction is tested to confirm its actionability. Once the plan represents the minimum requirements for compliance by the regulator, next steps would be to fine-tune and optimize the weaker areas of the plan, which may be representative of the available personnel in the incident response team.
Mohammed Syed says
Yes, and also an audit report should mention all issues which can impact an organization’s business and all possible ways to protect an organization from potential threats in the upcoming year, and it will be the perfect incident response program for the organization to face all types of critical situations and protect itself from any kind of loss.
Kelly Sharadin says
Hi,
I agree with your actions; it is best to start with the existing IRP to expedite your understanding of the organization as a consultant and schedule interviews from there to help flesh out a more robust IRP. This also helps expose potential gaps in a crisis communications call-tree, or key members of the incident response plan who may have moved on to new roles since the original plan was created.
Kelly
Vraj Patel says
Hello Antonio,
That sure was a great recommendation to improve the plan by providing training and testing the plan. The individuals within the team would stay informed about the incident response processes if they are provided proper training, and testing the plan would reveal whether there are any gaps in effectively responding to an actual incident.
Mitchell Dulaney says
Hey Antonio – I agree with your approach to build on the foundation of what the company already has in their incident response plan. It makes sense logistically to use what you have rather than start from scratch. I think this approach would also generate less friction with the internal security team, some of whom would have built their incident response plan themselves and probably feel defensive about its quality.
Mitchell Dulaney says
How do you garner support for this effort if the organization disagrees with the regulator’s finding?
I would do my best to separate my efforts improving the incident response program from the fact that the efforts were initiated by the regulators. I would frame the project from the perspective of risk management and focus on the benefits that the organization could reap from revising their risk management process to gain the backing of upper management. I believe this would be possible by focusing on past incident responses, how they were handled, how they might be handled differently, and how those changes might have ultimately impacted the company’s bottom line financially.
While the support of upper management is most critical to the success of any security initiative, including incident response planning, I would also need the support of management further down the company’s reporting structure. Without their involvement, it would be difficult to gather the more granular, business unit-specific information necessary to improve incident response in a way that is beneficial to them. Rather than focusing on the impact to the company’s financial well-being, for those business unit managers, I would describe different incidents that could impact their specific processes, and illustrate how the existing incident response process might not be optimized to ensure the continuity of their processes.
Vraj Patel says
Hello Mitchell,
That was a great idea to perform the risk assessment and review past incidents to develop an understanding of which control failed and caused that incident, and to provide those artifacts to upper management so they could understand the risk better and support improving the incident response program.
Anthony Wong says
Mitch,
I agree that if senior management is not supportive of the initiative, it will fail. In this scenario, I think escalating to the stakeholder’s manager is necessary to slowly gain support from the top.
Kyuande Johnson says
As a consultant revising the Incident Response plan, it is essential to ensure that the incident response plan includes the six steps: preparation, identification, containment, eradication, recovery and lessons learned. The preparation phase should include the underlying security policy that informs the incident response plan. Perform a risk assessment and prioritize security issues, identify which are the most sensitive assets, and identify which are the critical security incidents the team should focus on. In the identification stage, the consultant should revise the incident response plan to effectively detect deviations from normal operations in organizational systems and identify if those deviations represent actual security incidents. The containment phase should also be evaluated to ensure that when an incident occurs, the proper steps are in place to contain the incident and prevent further damage from occurring. In the eradication phase, the team must identify the root cause of the attack, remove malware or threats, and prevent similar attacks in the future. In the recovery phase, the team brings affected production systems back online carefully, to ensure another incident doesn’t take place. The last phase of constructing an incident response plan is the lessons learned phase. This phase should be performed no later than two weeks from the end of the incident, to ensure the information is fresh in the team’s mind. The purpose of this phase is to complete documentation that could not be prepared during the response process and investigate the incident further to identify its full scope. When all of these phases are implemented correctly, it ensures that the incident response plan is effective.
Vraj Patel says
Hello Kyuande,
The Incident Response Plan is a great place to start the review of the incident response process. It was a great idea to ensure that those 6 steps are included within the plan. Also, it would be great to assess the plan based on those 6 steps to ensure that the processes within those 6 steps are working effectively.
Vraj Patel says
The project plan that I would suggest would be in multiple phases to redefine the Incident Response Program. The first phase would include gathering information on the current program, including the policies and procedures currently being followed. The next step would be developing an understanding of the business and its processes, which would assist in the next step of identifying the appropriate regulatory requirements. Then, performing a gap analysis to identify the gaps within current processes and subsequently updating the program to be more effective in responding to any incidents.
Tal Eidenzon says
Hi Vraj,
I agree with your choice to put gathering information first. It would be risky to take the prior results. It is important to understand how a business operates before starting to implement changes.
Thanks,
Tal
Anthony Wong says
How do you garner support for this effort if the organization disagrees with the regulator’s finding?
The most important first step is to gather all the stakeholders together to have a kickoff call. This meeting should be held to explain the need to work with the regulator and that delay in resolving the finding can result in a financial penalty. Upper management needs to support the resolution of the finding, or else disagreement will continue. Proper escalation up the chain of command might be necessary to gather support.
Mitchell Dulaney says
Anthony, you’re right that the very first step should be to loop in all stakeholders and confirm that everyone is on the same page as far as your scope of work and the goals of the project. If some stakeholders are left out, politics might get in the way of your real work, and without good goal-setting, it will be difficult to hold onto the reins through to project delivery.