The National Institute of Standards and Technology's (NIST) Computer Security Incident Handling Guide provides a framework:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
Let's discuss this further.
Preparation: Preparation and protection underpin your incident response capability. Preparation means knowing your cybersecurity defenses and weaknesses, and becoming as secure as possible before anything goes wrong. It also means working out what to do when something does go bad. These processes involve putting staff, technologies, policies and procedures in place. If we had a map, there'd be a red X on it, saying "You are here".
Identification, Containment, Eradication, and Recovery: these steps are sequential, and they come into play as soon as a threat is detected.
Your plan needs to set out:
- WHO is responsible for each of these steps?
- HOW should things be handled? (e.g. in the case of ransomware, do you pay or not?)
- WHO needs to be notified, when, and how often? (Customers? The FBI? Local Police? What legal obligations do you have?)
- WHAT do you do to keep operations going in the meantime?
As for the actual business of identifying the threat, containing the damage, neutralizing the threat, and beginning recovery: the people you previously designated as responsible (the WHO) should be responsive, competent, and knowledgeable about how to accomplish those tasks.
Lessons Learned: If there is anything to be gained from a cybersecurity incident, it is that it shines a light on where the cracks in the armor are. Use what was learned to be better prepared, to make better choices in your policies and processes, and to patch those cracks so it doesn't happen again.
Hey, my name is Tariq Azmi!
Listening to the challenges companies are facing challenges me to find solutions that fit their environment.
I am passionate about data security and compliance.
Let's chat! I'd love to hear from you.