The Five 'P's

It is widely acknowledged that these days, it is not a question of 'if', but 'when' an organisation will need to handle a security incident, and as every project manager knows, Proper Planning Prevents Poor Performance.

When you are reviewing your security controls, planning for a security incident in advance is incredibly important. 

Ensuring management support for incident response processes is crucial.  When an incident does occur, your response team needs to be empowered to act as necessary; without high-level management buy-in to your incident response plan, you may find your teams are effectively paralysed, waiting for authority to act, or waiting for budgetary approval for activities which are essential.  You should have pre-agreed and documented powers for your teams, and pre-approved discretionary spending where necessary.

As we have mentioned in a previous post, if you want to be able to detect any kind of security incident internally, you first need to understand what it is that you are trying to protect.  You also need to understand why you might be a target.

  • What data assets do you have, and to whom would they be of value?
  • Which of your systems are critical, and how do you define this?
  • Do you have connections into other businesses, which might themselves be targets of attack?
  • Are you aware of any specific threats you, or other businesses in your sector, have been subject to?

Once you have identified your critical systems and data assets you should make sure the owners are documented.  Once you have a list of these, your response teams will know who to contact should an incident be thought to affect one of your systems or data.

Business Impact Analysis is sometimes overlooked as a preparation activity.  Once you have a register of your assets, you need to understand what the possible impact to your business would be of a compromise to the confidentiality, integrity or availability of those assets.  For example:

  • If your website goes offline, how much money would your business lose?  How long could you tolerate this?
  • If you found that personal details from your customer database had been exposed, what impact would that have on your customers, and your long term income?  What liabilities might you incur?
  • If your database were corrupted, how much would it cost you to put the damage right, and how would your operations be affected in the mean time?

Such a BIA will enable you to understand exactly which potential events might be most damaging to your business, and in turn your incident response teams will need to use this information to inform their objectives when they respond.

You need to create a comprehensive incident response plan, that you can test regularly.  This won't be a trivial exercise.  You need to understand much about your business, and include business continuity planning and disaster recovery planning as an integral part of your response plans.  You need to document escalation paths during an incident, and look at the capabilities of those within your business who will be tasked with incident response when it occurs.  You need to know what data sources you have, and how these can be accessed. 

A comprehensive IR plan will have wide coverage, and likely take a long time to put together properly.  Examples of the types of questions you will want to answer include:

  • What information sources do we have available about our systems and data, and how can these be accessed?
  • Do we have the requisite skills internally to mount an effective response?
  • What capabilities do we have to respond in diverse locations?  Do we have presence onsite?
  • If remote managed locations are in use, how do we gain access to these, and who would be responsible for requesting this?
  • What technical controls do we have at our disposal that might aid containment or recovery efforts?

An IR plan should be a living document.  It needs regular testing to make sure it works for your business and your teams; an IR plan which is never tested may fall at the first hurdle, right at the time when you need it most.

You might find that you don't have all the requisite skills and capabilities to deliver all the elements of your incident response plan yourselves.  If this is true, you might need to invest in training and development for your staff, or look at identifying partners who would be able to help you when you need it.

With the right assessment of the possible implications, and a good plan in place, you will be well-positioned to manage an incident and limit the damage you take in any assault.

Monday: The Five P's

Tuesday: Identifying The Incident

Wednesday: Defining Your Objectives

Thursday: Enacting Your Response

Friday: After The Storm