From the course: CompTIA Security+ (SY0-601) Cert Prep: 9 Operations and Incident Response

Build an incident response program


- [Instructor] While we strive to protect our systems and information against a wide variety of threats, the grim reality is that no matter how many controls we put in place, there's still a possibility that we'll fall victim to a cybersecurity incident. As we explore the incident response process in this course, we'll focus on using a standard incident response process endorsed by the National Institute of Standards and Technology, NIST. If you'd like more information on this process, you can find a complete reference in the NIST Computer Security Incident Handling Guide. It's published online as NIST Special Publication 800-61, and it's widely used as a standard reference throughout the cybersecurity field.

Every organization should develop a cybersecurity incident response plan that outlines the policies, procedures, and guidelines that the organization will follow when an incident takes place. This preparation process is extremely important because it provides structure and organization in the heat of a crisis. I've been involved in many cybersecurity incidents over the course of my career, and when I think back and evaluate them in hindsight, it's clear to me that all of the organizations that handled incidents well had one thing in common: they had clearly thought through their incident response process and documented it in advance of the incident. On the other hand, when I think about the incidents that didn't go very well, they typically occurred in organizations that didn't conduct prior planning. In those organizations, I commonly heard the sentiment, "Well, we're good at crisis management, and a security incident isn't that likely. We'll figure out the details when it happens." That seat-of-the-pants approach to cybersecurity incident handling is a recipe for failure. The reality is that people make bad decisions in the heat of a crisis.

Developing an incident response plan in advance of an incident taking place allows you to make decisions in the calm environment of a planning phase that then help you exercise good judgment in the heat of an incident. A formalized incident response plan should include several key elements. First, it should begin with a statement of purpose. What are the reasons that the organization is creating an incident response plan, and what is the plan's scope? What types of incidents does the plan cover? For example, is it restricted to only cybersecurity incidents, or does it cover any loss of sensitive information? Second, it should describe clear strategies and goals for the incident response effort. What are the highest priorities for first responders and for those handling an incident at a more strategic level? If responders should prioritize containment over evidence preservation, make sure that's clear in the plan. The plan should also describe the nature of the organization's approach to incident response: who's responsible for incident handling, and what authority do they have? Your incident response plan should also cover communication within the team, with other groups within the organization, and with third parties. We'll talk more about the incident communication process later in the course. And finally, the plan should include the approval of senior management. You might need that authority when you're taking unpopular actions during incident response. If you can point to the plan and show an irate system administrator that the policy requiring disconnection of a system was signed by the CEO, that goes a long way.

As you develop your plan, you should consult NIST SP 800-61 to help guide your decisions. You also might find it helpful to look at some plans developed by other organizations. For example, this plan developed by Carnegie Mellon University provides a detailed look at how incident response works within their organization. Well, this incident response plan template for the state of Oregon shows how you might adapt a template to the specific needs of an individual agency. Now, of course, you won't be able to simply take someone else's plan and apply it to your organization, but it's always helpful to have a starting point. Many cybersecurity professionals have put countless hours into developing strong incident response plans, and there's no need to reinvent the wheel.