Plan Ahead to Prevent Chaos During Emergencies
Incident response plans are often first created to “check a box.” It’s not unusual for agencies to rush to quickly document their plan right before a Federal Information Security Modernization Act audit or other external review.
Whatever the impetus, technology leaders often pull together the first version of an incident response plan in a hurry to meet a deadline and then put it back on the shelf to gather physical or virtual dust.
That approach doesn’t do anyone any good. It might fulfill the immediate requirement, but the plan certainly isn’t a useful tool to help guide cybersecurity incident response efforts.
A well-designed incident response plan serves a much more important purpose. Such plans, when crafted properly, bring the calm, collected environment of the planning room into the chaos of a security incident. Let’s talk about five things that you can look for as you seek to revitalize your agency’s incident response plan.
1. Identify Your Agency’s Critical Systems and Information
One of the most important components of an incident response plan is a list of the systems and information critical to business operations. This asset list is the tool you use to prioritize incident response efforts: it tells you which systems warrant the strongest protections, and which ones to restore first in the event of a service disruption.
Business circumstances change over time, and it’s unreasonable to assume that the critical asset inventory that you developed when you first wrote your response plan is still valid today.
As you update your incident response plan, take the time to validate this list and determine whether your current business environment warrants adding or removing items from the inventory.
2. Update Responses to Specific Threats
External changes also influence the effectiveness of your incident response plan. Just as your business evolves over time, so does the threat landscape.
Researchers discover new vulnerabilities, attackers develop new tactics, and the security controls you rely on change how they mitigate risk. As you review your incident response plan, think about how changes in the external threat environment might affect it. What types of incidents are occurring at other government agencies and private sector organizations? Would your plan cover those incidents well?
For example, ransomware attacks have increased dramatically over the past year. While you might treat this threat as similar to other malware threats from a prevention standpoint, ransomware raises new questions from an incident response perspective.
Specifically, if you suffer a crippling ransomware attack, will you consider paying the ransom? If so, under what circumstances, and who has the authority to make that call? Your incident response plan is the place to settle those questions in advance, with legal and leadership input, so that the decision is not made for the first time under the pressure of an active incident.