If You Fail to Plan …
Incident Response Starts With a Comprehensive – and Tested – Plan of Action
It’s 3 a.m., and your cell phone is buzzing off the bedroom dresser. Your boss is calling to tell you that the network servers that support your institution’s online banking site have been offline for the last two hours, and it is suspected that the region’s severe weather overnight may have knocked out the Internet connection. The network is being tested and reset as your boss is explaining this, but you’re still needed at the institution’s recovery site to help assess next steps in getting the connection back up and running.

When the IT hits the fan, you don’t want to be without a plan of action. What can you do to prepare for the unexpected? It’s not enough just to say you have an incident response plan and a list of employees to contact in the event of an emergency. A plan is more than a piece of paper in a three-ring binder. It takes an all-encompassing approach to traditional disaster recovery by implementing or formalizing your existing incident response plan. If you have an “official” incident response plan, you will be better prepared to identify and respond faster and more successfully to any incident, including non-traditional disasters like a denial of service attack on your online banking site.

Incident response is top of mind with the Federal Financial Institutions Examination Council (FFIEC), which says, “Institutions should have an effective incident response program outlined in a security policy that prioritizes incidents, discusses appropriate responses to incidents, and establishes reporting requirements.” Adherence to this guidance, along with individual agency guidance, is key to maintaining consumer confidence, according to William Henley, Director of IT and Risk Management for the Office of Thrift Supervision. “Thrifts have followed our guidance as contained in CEO Letter 214 that outlines the basic components of an incident response program,” Henley says.
“That we have good relationships between the thrifts and the primary level contacts at the regional offices, and when necessary in the event of some of the more serious breaches, the Washington office has been brought into the picture. But overall their response to such breaches has been strong and effective.”

When developing or formalizing an incident response plan, consider how your institution will perform the following:

- Identify/Detect/Analyze an incident
- Contain or eradicate a problem and prevent re-infection/recurrence
- Log events; list operational steps for preservation of evidence
- Educate users to raise security awareness and promote security policies
- Build a centralized incident reporting system
- Set up escalation procedures that lay out actions the institution will take if an attack or outage becomes protracted or especially damaging
- Update service-level agreements to include provisions for security compliance, and spell out reporting requirements and maintenance of systems (including contingency plans) in the event of an incident
- Decide in advance when to call in law enforcement
- Plan how and when staff, customers, and vendors/business partners will be informed of the problem
- Establish communication procedures should this become a media event