
How can a security incident response plan be most effective?

A security incident response plan is key to preparing for a data breach, but to be effective, the plan needs to be well tested. Expert Mike O. Villegas explains how to do that.

A recent survey from the Ponemon Institute found that the majority of enterprise executives and compliance/security managers say they now have a security incident response plan in place in their organization. However, only 34% believe their plans to be effective. What do you attribute that lack of confidence to? And what are a few of the most important things that should be included in a security incident response plan that boosts confidence?

Security incident response plans are required by numerous regulations and certification bodies, such as PCI DSS. Preparing for what seems to be the inevitable data breach is also a good idea. In order to be effective, security incident response plans should have certain attributes. They should:

  • Be based on an industry-accepted methodology, such as NIST 800-61 Rev 2;
  • Include real-world incident scenarios;
  • Be risk-based, to ensure the highest-risk scenarios are tested annually;
  • Be comprehensive and include every enterprise group that could be affected, such as executive management, information security, public relations, information technology, legal and other key business units;
  • Specify when to call on local, county, state or federal law enforcement agencies, and when not to;
  • Have test results reported to executive management for awareness, remediation and support;
  • Be maintained by a dedicated group -- the incident response team -- to prevent complacency and underestimation of a breach's impact on the business and its operations; and
  • Include executive management support to stress the seriousness of the security incident response plan testing exercises.

Testing is critical. The enterprise should not wait for an actual incident to find out whether the security incident response plan works. The 2015 Verizon Data Breach Investigations Report stated that in 60% of cases, attackers are able to compromise an organization within minutes, 40% of which are focused on credentials. Below are four incident scenarios that can be run as across-the-table (tabletop) tests of the security incident response plan, with all management and support staff present.

Incident Type 1: Theft by employee - Theft of confidential information by person(s) abusing their trust and authority. This covers staff misusing their positions to steal data for financial or material gain, either directly or indirectly.

Incident Type 2: Customer credit card data stolen without staff involvement - Theft of credit card data by outside parties breaching the enterprise's security barriers and exporting that data to a site or sites unknown.

Incident Type 3: DDoS attacks - Distributed denial-of-service attacks by outside parties that cause major outages affecting the customer base's online access.

Incident Type 4: User ID/password compromise - Theft of user IDs/passwords through the use of Trojan horses.

The more you test and refine the security incident response plan, the more confidence management will have that when a major incident does occur, the enterprise is ready -- greatly reducing the risk to its viability. These security incident response plan tests may be costly and time-consuming, but it could also be said that the enterprise cannot afford not to do them.


This was last published in June 2016
