Securing the Digital World

The Importance of Context in an Incident Response Plan

Mar 17, 2016 | by RSA

Effective incident response is essential to minimizing the impact of a security incident and allowing the organization to return to normal operations as soon as possible. To this end, an incident response plan will ensure actions can be taken in a coordinated, controlled manner.

However, a one-size-fits-all incident response plan is unlikely to be effective. When developing a plan, organizations should take into account contextual factors related to their particular business. For instance, a company that deals with massive amounts of personal customer information may place its highest priority on protecting that data, whereas another organization that relies on its Web presence may prioritize recoverability to ensure essential services remain up and running.

The Importance of Context

The National Institute of Standards and Technology offers regularly updated guidance on incident response. The latest iteration includes changes to the incident prioritization criteria. Previously, the guidance divided incidents into five categories: denial-of-service (DoS), malicious code, unauthorized access, inappropriate usage, and multiple component. This proved difficult to apply in practice: because most incidents cut across several categories, almost every incident ended up classified as multiple component.

In the latest version of the guidance, the incident categories were replaced with a classification based on the threat vectors attackers use. The threat vectors identified are:

  • External or removable media
  • Attrition in the form of DoS and brute-force attacks
  • Web
  • Email
  • Impersonation
  • Improper usage
  • Loss or theft of equipment
  • Other threat vector

The latest guidance also introduces the following three impact-based criteria that will help organizations assess the context surrounding an incident to decide how incident response should be prioritized:

  1. Functional Impact: Identify how business systems are affected, such as when a critical system is unavailable
  2. Information Impact: Consider the sensitivity of data involved in a breach, looking at the privacy impact, whether the integrity of data is lost through modification, or whether confidential data such as intellectual property was involved
  3. Recoverability Impact: Consider which resources are required to recover from an incident

These three criteria can be weighed relative to each other and applied flexibly according to the business circumstances of the organization.
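As an added illustration (not code from the original post), the following Python sketch scores incidents on the three impact criteria, using the impact levels defined in NIST SP 800-61 Rev. 2, and shows how the two organizations from the introduction (the custodian of personal customer data and the business that depends on its Web presence) rank the same two constructed incidents differently. The 0-3 severity scores, the weight profiles and the sample incidents are assumptions for illustration.

```python
# Added illustration, not code from the original post. Impact levels follow
# NIST SP 800-61 Rev. 2; the 0-3 scores, weights and incidents are assumptions.
from dataclasses import dataclass

# Attack vectors from the NIST guidance listed above.
THREAT_VECTORS = {"external/removable media", "attrition", "web", "email",
                  "impersonation", "improper usage", "loss or theft", "other"}
# Levels of each impact criterion, mapped to an assumed 0-3 severity score.
FUNCTIONAL = {"none": 0, "low": 1, "medium": 2, "high": 3}
INFORMATION = {"none": 0, "privacy breach": 1, "proprietary breach": 2,
               "integrity loss": 3}
RECOVERABILITY = {"regular": 0, "supplementary": 1, "extended": 2,
                  "not recoverable": 3}

@dataclass(frozen=True)
class Incident:
    name: str
    vector: str
    functional: str
    information: str
    recoverability: str

    def __post_init__(self):
        # Reject a mis-typed vector or rating up front, so a bad ticket
        # cannot silently sink to the bottom of the queue.
        checks = ((self.vector, THREAT_VECTORS), (self.functional, FUNCTIONAL),
                  (self.information, INFORMATION),
                  (self.recoverability, RECOVERABILITY))
        for value, allowed in checks:
            if value not in allowed:
                raise ValueError(f"unknown value for incident rating: {value!r}")

def priority_score(inc, weights):
    """Weighted impact normalised to 0-1; the weights encode business context."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    raw = (weights["functional"] * FUNCTIONAL[inc.functional]
           + weights["information"] * INFORMATION[inc.information]
           + weights["recoverability"] * RECOVERABILITY[inc.recoverability])
    return raw / 3

def triage(incidents, weights):
    """Incident names, highest priority first, under the given weighting."""
    ranked = sorted(incidents, key=lambda i: priority_score(i, weights), reverse=True)
    return [i.name for i in ranked]

# Constructed sample incidents and two assumed weightings for the organizations in the introduction.
DDOS = Incident("volumetric DoS on storefront", "attrition", "high", "none", "regular")
EXFIL = Incident("customer database copied out", "web", "low", "proprietary breach", "extended")
DATA_CUSTODIAN = {"functional": 0.2, "information": 0.6, "recoverability": 0.2}
WEB_BUSINESS = {"functional": 0.6, "information": 0.1, "recoverability": 0.3}
```

Running `triage([DDOS, EXFIL], w)` with each profile puts the data theft first for the data custodian and the DoS first for the Web-dependent business, which is the point of weighting the criteria by context rather than applying one fixed order.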

Recent Government Guidance

In October, the White House issued its Cybersecurity Strategy and Implementation Plan, which directs federal agencies on how to better identify and address cybersecurity threats. It offers lessons that are applicable to any organization, not just government agencies.

The plan lays out a series of objectives, the first of which is to prioritize the identification and protection of high-value information and assets. This means organizations should look at the context of their business operations to understand what is most valuable, allowing them to prioritize where action should be taken first. Organizations should consider where and how the greatest impact will be felt and develop an incident response plan that reflects this. This strategy ensures the most effective actions are taken to keep the business running.

By determining where to prioritize response, organizations will be better able to spend their security budgets in the most effective way possible. If an organization does not have sufficient capabilities to do this itself, there are services available that can help the company put together a tailored, effective incident response plan. However, regardless of whether a third-party partner is involved, the response plan must cater to the specific needs of the organization and ensure the right processes and tools are in place to accelerate response and sustain resilience in today's complex and targeted threat landscape.