When assisting our customers, we often find that many are unsure about the policies and processes their organisations need to have in place for an effective cybersecurity incident response (IR) programme.
Having the right framework is fundamental: it provides the tools and guidelines the organisation and its incident response team need to react to incidents quickly and to limit damage. There are three building blocks we believe every organisation should have in its programme: a well-defined incident response policy, an incident response plan, and well-documented incident response playbooks.
Why do we need an Incident Response Policy?
To start with, creating an incident response policy holds the organisation accountable for making incident response a priority. Like any policy, the document sets the rules and governance around incident response for the organisation. The policy should outline the core incident response aspects for the organisation, including:
- The purpose of incident response and why it is required
- The reasons why the policy was created
- The scope of the policy (whom and what does the policy apply to)
- Who within the organisation is responsible for enforcing the policy
- Definitions for incident response, and other key terms such as event and incident
- The requirements that must be met by the incident response team and the wider organisation
- A mandate on the creation of the incident response plan
What is the Incident Response Plan?
The incident response plan provides guidance on how to respond to the various incident types the organisation expects to face. It should cover how to detect, analyse, contain, eradicate, and recover from an incident. The plan should define and cover all phases of the incident response lifecycle, including what happens before and after the incident itself. Several widely used incident response frameworks can serve as a reference, such as those from the National Institute of Standards and Technology (NIST, in Special Publication 800-61), the International Organization for Standardization (ISO/IEC 27035), and the SANS Institute. Although no one-size-fits-all incident response template exists, we suggest the plan contain the following:
- A mission statement
- Goals and objectives
- Roles and responsibilities, including primary and out-of-band contact information for the incident response team members
- Communication procedures for both internal and external communications
- Incident severity levels
- Incident types
- Incident definitions (incident, event, data breach)
- Incident response procedures aligned with the organisation's chosen incident response lifecycle
What is the purpose of an Incident Response Playbook?
Incident response playbooks standardise the response to one specific type of incident: they spell out the concrete action steps the organisation must take to prepare for, respond to, and recover from that incident type. Using the NIST framework as an example, a playbook provides detailed guidance for each phase of incident response: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. For every phase, the playbook should define which specific actions need to be taken and the team or individual responsible for performing each action. Common types of playbooks include:
- Ransomware playbook
- Data breach or data loss playbook
- Malware playbook
- Denial of service playbook
- Insider threat playbook
- Social engineering playbook
- Website compromise playbook
- Zero-day vulnerability playbook
Ensure incident response documents are updated and comprehensive
Developing incident response documentation, including playbooks, is no small endeavour. However, it can and should be done: it reduces the impact of an incident and guides responders on what needs to be done.
Incident response plans and playbooks should clearly define all the individuals and teams that have a stake in the incident response process, even if they are only performing one or two items. By defining roles and responsibilities and having these individuals become familiar with the documentation through read-throughs and tabletop exercises, team members across the organisation know what they need to do and when.
Fortinet recommends a twice-yearly review of these documents, plus a review after each major incident. This cadence ensures that lessons learned from an incident are incorporated and that changes to the organisation are considered and reflected in the plan. The good news is that organisations are not alone in this: risk assessment services, cybersecurity consulting, and incident readiness and response services are available to navigate this path with the help of experts.
Martín Pueblas, VP for Consulting Systems Engineering at Fortinet LATAM and Canada