If You Fail to Plan …

Incident Response Starts With a Comprehensive – and Tested – Plan of Action

See Also: Gartner Market Guide for DFIR Retainer Services

It’s 3 a.m., and your cell phone is buzzing off the bedroom dresser. Your boss is calling to tell you that the network servers that support your institution’s online banking site have been offline for the last two hours, and it is suspected that the region’s severe weather overnight may have knocked out the Internet connection. The network is being tested and reset as your boss is explaining this, but you’re still needed at the institution’s recovery site to help assess next steps in getting the connection back up and running. When the IT hits the fan, you don’t want to be without a plan of action. What can you do to prepare for the unexpected? It’s not just enough to say you have an incident response plan and a list of employees to contact in the event of an emergency. A plan is more than a piece of paper in a three-ring binder. It takes an all-encompassing approach to traditional disaster recovery by implementing or formalizing your existing incident response plan. If you have an “official” incident response, plan you will be better prepared to identify and respond faster and more successfully to any incident, including the non-traditional disasters like a denial of service attack on your online banking site. Incident response is top of mind with the Federal Financial Institution’s Examination Council (FFIEC), which says, “Institutions should have an effective incident response program outlined in a security policy that prioritizes incidents, discusses appropriate responses to incidents, and establishes reporting requirements.” Adherence to this guidance along with individual agency guidance, according to William Henley, Director of IT and Risk Management for the Office of Thrift Supervision, is key to maintaining consumer confidence. “Thrifts have followed our guidance as contained in CEO Letter 214 that outlines the basic components of an incident response program,” Henley says. “That we have good relationships between the thrifts and the primary level contacts at the regional offices, and when necessary in the event of some of the more serious breaches, the Washington office has been brought into the picture. But overall their response to such breaches has been strong and effective.” When developing or formalizing an incident response plan, consider how your institution will perform the following:

  • Identify/Detect/Analyze an incident
  • Contain or eradicate a problem and prevent re-infection/recurrence
  • Log events; list operational steps for preservation of evidence
  • Educate users to raise security awareness and promote security policies
  • Build a centralized incident reporting system
  • Set up escalation procedures that lay out actions the institution will take if an attack or outage becomes protracted or especially damaging
  • Update service-level agreements to include provisions for security compliance, and spell out reporting requirements and maintenance of systems (including contingency plans) in the event of an incident
  • Decide in advance when to call in law enforcement
  • Plan how and when staff, customers, and vendors/ business partners will be informed of the problem
  • Establish communication procedures should this become a media event

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.asia, you agree to our use of cookies.