What would you look for in an organization’s ability to respond to a security incident?

The first item I would look for is the Incident Response Plan (IRP). This policy document provides the insight needed to determine whether the organization is adequately prepared to handle all facets of an incident. The elements within the IRP I would look for include:

  1. Senior management's commitment – Any plan, especially one related to organizational information security, must have senior leadership's public support and commitment. Without a strong tone at the top, the organizational body will not put weight into the IRP, resulting in false metrics and poorly handled incidents.
  2. Priority or severity ratings for incidents – Different incidents require a different level of effort and a different window of time to resolve. While not every incident can be predicted, categories can be developed ahead of time, with thought given to the severity and impact each category of incident would have on the organization. As new, uncategorized incidents take place, the IRP can be updated accordingly. These categories give the incident response team (IRT) the ability to triage when multiple incidents occur at once.
  3. Defined communication plan – Communication is critical to successfully executing an incident response. The IRP should clearly define who is involved in responding to an incident, who should contact whom for actionable items, when certain parties should be contacted (i.e. legal, PR, law enforcement), and how to contact each individual and entity potentially involved. The communication plan should be a living document that is updated as human resources and business relationships change. Multiple contact vectors for critical individuals should be made available, and third-party vendors should be brought into the fold on which individuals have the authority to represent the organization.
  4. Defined reporting and forms – Incidents are often swift and require immediate action to return to normal operating conditions, but reporting and standardized forms should be leveraged in order to provide a consistent and repeatable approach to incident handling and, more importantly, a means to track metrics. Bringing new personnel up to speed on the IRT is accelerated by a defined approach to how the work is captured and reported. Additionally, by providing a standardized look and feel to how incidents are documented, senior management is enabled to make better decisions in less time.
  5. Roles and responsibilities – This is critical to an effective IRP. The roles and responsibilities of the incident response team and tangential stakeholders are important to define before being "in the heat of the moment". By logically assessing and determining what the roles and responsibilities are for the team members, a level head can be maintained during an incident response. This component ensures that responsibilities are not overlooked or missed and that multiple people are not redundantly performing the same role.
  6. Third-party consideration – As clearly depicted in the iPremier academic exercise this semester, it is important to ensure that any third-party vendors an organization deals with and relies upon are aware of the key stakeholders from the IRT. Any non-disclosure agreements or access requirements should be vetted and approved long in advance to eliminate administrative obstacles during an incident. Additionally, it would add value to an organization's IRP to work with its third parties to understand how incident response is handled at their organizations and to identify any overlap that could be leveraged to benefit both parties.
  7. External entity relations (media/law enforcement) – Some incidents will require additional action outside of the initial incident response. The IRP should identify the communication strategy and the individual with authority to contact external entities and bring them into the scope of the incident. Without a clearly defined approach, external entities may be brought in unnecessarily or the incident may be presented inaccurately. This could lead to negative public relations, loss of reputation, or lack of confidence in the market.
  8. Team model and members – Building on the communication plan and the roles and responsibilities outlined above, the team model and the actual members of the team must be identified in the IRP. These individuals are empowered by the organization to act with authority and to respond to an incident professionally, appropriately, and in a methodical and controlled manner. It is critical that the IRP be maintained as a living document and updated as frequently as required. The document is worthless if the data contained within it is outdated and irrelevant.

Additionally, I would request to see previous incident reports and any metrics the organization may have related to incident response. This historical data can assist me in determining whether the organization is following its IRP and how well it is performing in handling incidents. I would also like to research whether recurring incidents are being brought to management's attention for consideration and for policy/procedure refinement.
