A regulatory amendment proposed in March by the Securities and Exchange Commission would require investment companies and other covered entities to develop formal plans for responding to cybersecurity incidents. It is part of a growing effort by regulators and insurers to impose security guardrails for sensitive customer information.
The Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) are among the numerous data privacy standards that require organizations to have an incident response plan. Additionally, cyber insurance underwriters now commonly require organizations to have an IRP in order to qualify for coverage.
In truth, every company ought to have an IRP, regardless of regulatory requirements — it’s just a good, common-sense business practice. When cyberattacks occur, you must be able to act quickly to limit the damage. A formal, documented IRP takes the guesswork out of what steps will be taken to detect, mitigate and recover from attacks against information systems. Without one, you’ll just be improvising.
Fortunately, there are established standards and guidelines for creating an IRP. Here’s a brief summary of one five-step plan:
Preparation
The first step is identifying and documenting all your critical information assets and the potential threats and vulnerabilities they face. A risk assessment will then help you identify the types of incidents likely to have the greatest impact and how they can be mitigated. Armed with a deeper understanding of your potential vulnerabilities, you can develop procedures to address them. Policies should define roles and responsibilities, establish communication protocols, and identify the specific tools and technologies that will be used to respond.
Detection and Analysis
This step should describe how you will identify attacks and determine their scope and severity. This will require monitoring systems and applications for any unusual activity that may indicate an attack is in progress. Once an incident is confirmed, you’ll need to conduct forensic analysis to gather evidence, identify the root cause and determine the appropriate response.
Containment and Mitigation
This part of the plan describes how you will prevent the incident from spreading and reduce its impact. This may include isolating the systems or network segments that are under attack, shutting down applications or services, and implementing temporary fixes to prevent further damage.
Eradication and Recovery
This step could include removing malicious software from affected systems, removing accounts or backdoors left by attackers, and installing security patches. In some instances, you may need to completely reimage hard drives to ensure that malicious content is removed. Once that is completed, you can carefully bring affected production systems back online. It’s important to test, verify and monitor affected systems to ensure they are fully restored to their pre-incident state.
Post-Incident Review
You should prepare a retrospective assessment of the incident and your response to identify areas for improvement. This will help you learn from the incident and ensure that your organization is better prepared for future incidents. You may need to update your policies and procedures, conduct additional training, or implement new tools or technologies to prevent similar incidents from occurring in the future.
How Technologent Can Help
An IRP requires the coordination of myriad people, processes, tools and technologies, and organizations often lack the in-house expertise to effectively develop and execute a plan. Technologent offers incident response planning as part of our portfolio of managed cybersecurity services. We can work with key stakeholders in your organization to create an IRP tailored to your unique environment. Contact us to set up a complimentary consultation.
May 21, 2023