Incident Management
All organizations will experience security incidents at some point. Investment in establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact.
What is the risk?
Security incidents will inevitably happen and they will vary in their level of impact. All incidents need to be managed effectively, particularly those serious enough to warrant invoking the organization’s business continuity or disaster recovery plans. Some incidents can, on further analysis, be indicative of more severe underlying problems.
If an organization fails to implement an incident management capability to detect, manage and analyze security incidents, the following risks could be realized:
Managing business harm: Failure to realize that an incident is happening or has occurred limits your ability to manage it effectively. This may lead to a much greater overall business impact, such as significant system outage, serious financial loss or erosion of customer confidence.
Continual disruption: An organization that fails to address the root cause of incidents (such as poor technology or weaknesses in the corporate security approach) could be exposed to repeated or continual compromise or disruption.
Failure to comply with legal and regulatory reporting requirements: An incident resulting in the compromise of sensitive information covered by mandatory reporting requirements could lead to legal or regulatory penalties.
The organization’s business profile or role will determine the type and nature of incidents that could occur and the impact they might have, so a risk-based approach should be used to shape incident management plans.
How can the risk be managed?
Establish an incident response capability: Identify the funding and resources to develop, deliver and maintain an organization-wide incident management capability. Resources could be in house, or you might pre-establish a relationship with a specialist incident management company. This capability should address the full range of incidents that could occur and set out appropriate responses. The supporting policy, processes and plans should be risk based and cover any legal or regulatory reporting requirements.
Provide specialist training: The incident response team may need specialist knowledge and expertise across a number of technical (including forensic investigation) and non-technical areas. You should identify recognized sources (internal or external) of specialist incident management training and maintain the organization’s skill base.
Define the required roles and responsibilities: Appoint and empower specific individuals (or suppliers) to handle incidents and provide them with clear terms of reference to make decisions and manage any incident that may occur. Ensure that the contact details of key personnel are readily available to use in the event of an incident.
Establish a data recovery capability: Data losses can occur, so a systematic approach to the backup of essential data should be implemented. Where physical backup media are used, they should be held in a physically secure location, ideally offsite. The ability to recover archived data for operational use should be regularly tested.
Test the incident management plans: All plans supporting security incident management (including business continuity and disaster recovery plans) should be regularly tested. The outcome of the tests should be used to inform the future development of the incident management plans.
Decide what information will be shared and with whom: For services or information bound by specific legal or regulatory reporting requirements you may have to report incidents. All internal and external reporting requirements should be clearly identified in the incident management plan.
Collect and analyze post-incident evidence: The preservation and analysis of the sequence of events that led up to the incident is critical to identifying and remedying the root cause. The collected evidence could also support any follow-on disciplinary or legal action, so the incident management policy should set out clear guidelines to follow.
Conduct a lessons learned review: Log the actions taken during an incident and review the performance of the incident management process post-incident (or following a test) to see which aspects worked well and which could be improved. Review the organizational response and update any relevant policies or user training that could have prevented the incident from occurring.
User awareness: Users should be aware of their responsibilities and how they can report and respond to incidents. Users should be encouraged to report any security weaknesses or incident as soon as possible, without fear of recrimination.
Report criminal incidents to law enforcement: It is important that potential or actual cyber crime is reported to Action Fraud or another relevant law enforcement agency.
What are the benefits?
Effective incident management lessens the impact of a cyber incident
A practiced plan will help you make good decisions under the pressure of a real incident
A well-managed response, with clear communication throughout, builds trust with shareholders and customers
Learning from incidents identifies gaps and issues with your response capability
What should you do?
Prepare response plans and capability
Ensure the right people are involved when drawing up your incident response plans. This is likely to include your IT security team, but will also include legal, HR and Public Relations staff, as well as suppliers and vendors. Senior management will need to support critical decisions and elements such as media handling for serious incidents.
Ensure your incident response plan is linked to disaster recovery, business continuity and crisis management plans, and supported with the relevant capabilities. These come into play when an incident is serious enough to cause major disruption and/or damage to your business.
Ensure everyone’s roles and responsibilities are defined and understood and provide appropriate training. Appoint and empower specific individuals (or an incident response supplier) to handle incidents, and provide them with clear terms of reference to make decisions and manage any incident that may occur. Ensure that the contact details of key personnel are readily available to use in the event of an incident. An example set of incident response team roles is given in the BCSF’s guidance on Creating your Cyber Security Incident Response Team.
Consider how you will detect incidents. Your response plans should align with all your methods of detection including logging and monitoring and reporting from staff, or suppliers and partners. Other third parties (such as organizations carrying out incident investigations or threat research) and occasionally government may also report incidents to you. All alerts should be sent to the team responsible for managing them, for assessment and triage.
Establish your criteria for escalation to senior management and what needs to happen for you to scale up your response. Consider what is most important to your specific organization to determine the severity of an incident, and how you should prioritize it.
Ensure staff are aware of any playbooks you may have prepared for specific types of incident, and be ready to share these with any third parties that may need to be involved. It is vital that staff who can authorize critical decisions (such as taking a customer database or website offline) can be contacted. Consider identifying deputies in case the primary contact is not available. The technical staff (i.e. those who will carry out such actions) must be aware of who can provide authorization, and how and when to contact them. This applies to suppliers as well as in-house staff.
Identify specific situations where the technical team can act autonomously, based on the highest business risks and where taking early containment action is likely to reduce the impact of particular incidents.
Ensure your plan includes basic guidance on legal or regulatory reporting requirements based on the types and volumes of data your organization holds, and an outline of your processes covering a full incident lifecycle. An example plan is shown below.
Practice your response plans
Practicing response plans ensures staff know how to respond during an incident, and can also highlight any problem areas in your planned response. The BCSF’s Exercise in a Box is a free online tool which helps organizations test and practice their response to different types of cyber attack, including everything you need for setting up, planning, delivery, and post-exercise activity.
Practice restoring files from backups. After an incident ensure only clean data is copied back onto clean systems and networks.
Respond appropriately (and communicate clearly) during an incident
Don’t be drawn into over-reacting during the containment phase of an incident; you might need to gather more information before deciding on a suitable course of action. Over-reacting can cause more damage than the incident itself: in the case of targeted attacks, the attacker could react or bury themselves more deeply in your network. Consider the repercussions of any actions you may take, and discuss them with colleagues.
Communicate with your stakeholders and customers throughout an incident. Clear communication will help minimize the short term impact of an incident and will help build trust with your customers, reducing the long term impact of an incident.
Keep a careful record of the incident response, including decisions made, actions taken and data captured (or missing), as this will be incredibly useful for post-incident and post-exercise reviews. This is especially true if you need to present evidence of your response to a regulatory body.
Incorporate lessons from incidents into organizational improvements
Update your response plans after every incident. Use the incident to reflect on the security of your enterprise: understand how the incident happened and what could have prevented it. Post-incident reviews should feed back both into your response plans and into the wider organization.
In particular, consider whether there was any information which would have significantly helped your response but which was difficult or impossible to obtain. Make a plan to gather this data ahead of any future attacks and add it to your logging and monitoring strategy.
Do not constrain yourself to only looking for what went wrong. Also consider which aspects of your response worked well, and why. This can give insights into how to improve future plans.