Another data breach case has made the daily news. Uber has made a name for itself with its loss of 57 million user (including driver) records. Not surprising. This is a vicious cycle. Users demand faster and easier access to more online services on the move. Providers have to catch up to deliver, and push more of their brick-and-mortar service into online service to meet the demand. That makes them susceptible to cyber attack when no proper security measures are put in place.
Face the Hard Truth
That said, we have to accept the reality and face it.
There is a need for a systematic incident handling framework to contain the incident, reduce its impact, and eventually restore normal operations after the damage and loss, with effective controls in place. More importantly, get yourself familiarized with the incident management lifecycle: it is self-explanatory.
Do the First Thing Right
Coming up with an incident framework is no easy feat, and the effort to develop this "bible" will be non-trivial if there is no starting template or set of guidelines for organizations to reference when trying to implement the right incident management process for their environment.
ITIL has a good incident management framework worthy of consideration, especially for those who would like a preview of what needs to be done to be ready when an incident happens. This wiki site has a good run-through and checklist templates that will come in handy.
Even with the right framework in place as governance, you still need to make sure an execution plan is in place. You will need to follow the plan diligently in the event of an incident, as it covers the key incident response procedures. Here is the suggested baseline for your plan:
Build the plan details with the actual procedures that will be executed by your staff and peers. In the annex, you can find a high-level sample "plan skeleton" that compiles the scope to be covered under each section. As mentioned earlier, try to leverage the template on the wiki site.
How to Bring This Forward
Start briefing your management board and stakeholders on the work you are doing to build the organization's incident framework and plan. Also include the governance process that you should introduce. It is not a one-off planning session. For example, with any update to the framework or plan, the approval process will kick in to maintain the required management oversight. A regular update regime and a change process need to be in place. With a proper set of procedures in place, you can assure the stakeholders that if the business gets hacked one day, the effort spent developing these procedures will pay off.
Lastly, as organizations expand and people's roles change, it is essential that documentation of who is involved in incident response activities is updated to reflect these changes. You also need to set aside time to recommend and build the incident response team. Without a dedicated team, all the strategy discussed will just be "paper talk". If there is no capability for an in-house team, get external incident response support from other providers.
Good luck in the planning!
Annex - Sample Format of Incident Response Plan
This section should be short, stating the plan's requirement to align all incident handling procedures within the organization for timely response and containment. In addition, the plan also serves to inform the audience of the reporting and escalation requirements based on the severity of the incident.
Role & Responsibility
This section mainly covers the external and internal parties.
Define their responsibilities in terms of the areas they are in charge of and what they act on during the incident; for example, the CISO will oversee and update senior management on the incidents reported in the organization, supported by the incident manager's updates. Keep it concise.
This section covers the following escalation levels and the SLA for response, based on severity.
Playbook (handling of various cases)
This section covers the steps through the incident's onset, containment, and remediation phases, as well as the eventual recovery stage to return to the state before the incident. Below are common cyber incidents which the plan should cover at a minimum.
This section covers the public statements to be prepared by the organization's corporate communications team.
After Action Review
This section mandates the activities needed to identify the lessons learned and to review the plan so that the handling procedures improve. It is important that the effectiveness of the response procedures is regularly reviewed against each incident's closure report.
This contains an Incident Report Template with the following fields:
It also contains Situation Report Templates: