The second blog post in the series of Prevention, Detection, and Recovery from Cyberattacks.
The global survey conducted by Ponemon Institute and sponsored by IBM Security surveyed 3400 IT and IT security practitioners about their organizations’ approach to becoming resilient to security threats.
The fifth annual Cyber Resilient Organization Report noted that the vast majority of organizations surveyed (74%) are still reporting that their plans are either ad-hoc, applied inconsistently, or that they have no plans at all. Additionally, more than half (52%) of those with security response plans said they have never reviewed or have no set time period for reviewing or testing those plans
With business operations changing rapidly due to an increasingly remote workforce, and new attack techniques constantly being introduced, this data suggests that surveyed businesses may be relying on outdated response plans which do not reflect the current threat and business landscape.
We have noted below relevant points (checklist) that will assist your organization to perform a quick review of the incident response plans.
Can you please post how your organization performs the periodic reviews of incident response plans? What do you feel is the best approach?
Review if plans are comprehensive
The comprehensive plan needs to address the six stages listed below:
| 1. Preparation | 4. Eradication |
| 2. Identification | 5. Recovery |
| 3. Containment | 6. Lessons Learned |
The listed below are a few question auditors can ask to conclude if the plans are comprehensive:
- Team – Is the team ready to handle any kind of threat, have they trained adequately, and do they perform simulation exercises like Tabletop simulation or war games?
- Identification – Is the process in place to detect and identify the type and criticality of an incident, analyze the impact and associated risks?
- Containment – Is the process in place to contain and limit the damage, mitigate the risk, resolve the attack, and resume business?
- Eradication – Does the organization have a problem resolution team or third-party support to identify and eradicate the root cause?
- Recovery and lesson learned – Does the organization have a process in place to analyze and modify the plan post-attack to prevent future ones?
- Communication – Communication is the key when an attack is underway, so ensure that you establish a good communication flow as part of your response plan?
Standards
Auditing and reviews allow an organization to validate its compliance effectiveness with the incident management standards they have set for themselves and to measure the risk appetite. Below are some standards for your ready reference:
| Standards | Incident Management Control Reference |
| NIST Cybersecurity Framework | PR.IP-9, PR.IP-10, DE.AE-4, DE.AE-5, DE.DP-4, RS.RP-1, RS.CO-1, RS.CO-2, RS.CO-3, RS.CO-4, RS.CO-5, RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4, RS.MI-1, RS.MI-2, RS.MI-3, RS.IM-1, RS.IM-2, RC.RP-1, RC.IM-1, RC.IM-2, RC.CO-1, RC.CO-2, RC.CO-3 |
| FIPS Publications | All current FIPS Publications especially FIPS 140-2 |
| NIST 800-53 (rev4) | IR-1 to IR-8 |
| NIST 800 Series | NIST SP 800-61, NIST SP 800-86 |
| HIPAA / HITECH | HIPAA 164.308(a)(6) |
| NERC CIP (v5) | CIP-008-5 |
| ISO 27000: 2013 | Section A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5, A16.1.6 |
| COBIT 5 | DSS02 |
| CIS Critical Controls (v6.1) | CIS Control 19 |
| PCI DSS | Section 12.10.2, 12.10.3, 12.10.4, 12.10.5, and 12.10.6 |
RELATED POST: Prevention, Detection, and Recovery from Cyberattacks Part I