7 Must-Have Elements of your Agency’s Incident Response Plan

DLT partner, Symantec, has put together a list of seven items you must add to any incident response plan. Here’s how it translates to government agencies.

1. Have a Workable Plan

An incident response plan is your roadmap for responding to a cybersecurity attack. In this NextGov interview with Symantec’s Robert Myles and DLT’s Don Maclean, Myles explains what a workable plan might look like:

“It really does come down to preparedness. When agencies prepare for the possibility of a cyber incident, they should develop a breach response plan, know how to exercise it and have identified who the key stakeholders are. The incident response team should include personnel from IT, legal, HR and public affairs, as well as anyone responsible for policies or procedures tied to cybersecurity. Agencies should also be using a retainer service to help in the event of a breach. When you have the key stakeholders in place, you’ll see incident response times speed up, and the organization will recover quicker. Ultimately, what you want to do is mitigate the damage, recover, then get back to business.”

2. Define an Incident

What constitutes an incident?

The federal government defines a computer incident according to NIST guidelines (SP 800-61) as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.”

Definitions of incidents are highly individualized to the organization, so as part of your response plan you need to define and categorize incident types. What is the severity and type of incident that you are looking at? Having a definition helps you determine the appropriate level of response.

3. Keep the Plan Current

An incident response plan is a living, breathing document. People move on, phone numbers change, etc. To avoid confusion and chaos, those details need to be accurate the moment you refer to your plan.

4. Test It

Sounds obvious, right? Yet, testing often gets overlooked. According to Symantec, over a third of organizations that have an incident response plan don’t do anything with it, “…it’s basically done as a ‘check-the-box’ exercise to meet a requirement.”

Don’t wait until you have a breach to test your plan.

5. Involve the Right People in the Test

Involve your core information security team members in your test. But don’t ignore your senior leadership, the office of communications and public liaison, attorneys, office of the inspector general, as well as any contractors who are involved in breach response.

6. Test Often

Symantec recommends running a drill at least once a year, more often in large organizations. You can make this less painful by running a test over two consecutive days of tabletop exercises, in four-hour blocks each day, says Symantec. Blocking out this time makes it easier to get on everyone’s calendar and prevents burnout.

7. Have a Post-Incident Action Plan

Always set aside time for lessons learned and incorporate them into your plan for next time. Make sure this takes place soon after recovery.

Read the full article here.