Consider this: a review shows that an application or database that processes and stores customer information, including personally identifiable information, has been compromised. What are you going to do?
Many organizations fail to plan for a compromise and, unfortunately, often exacerbate the damage while attempting an “on the fly” response to an incident. The absolute worst time to figure out what you should be doing is in the middle of an incident. Having a plan and being prepared is key.
Plans often fail to include:
- Explicit authority for the primary incident handler to take decisive action to “stop the bleeding” and prevent further escalation of the incident. Decision-by-committee with endless debate often leads to delayed action that increases financial and reputational damage.
- A backup (or more) for the primary incident handler in case they are not available. The backup should fully understand the role and be capable of making decisions in critical situations.
- The inclusion of more than technical resources on the incident response team. HR, Legal, and the PIO are often left out but are essential.
- Templates for press releases and notifications. Writing your first draft during an incident is a mistake.
- A communication plan for the team. If your e-mail system is compromised, sending e-mail to your team about your response may not be the best option.
- Checklists to help keep a response on track when the heat is on.
When developing the plan, consider the potential scenarios you may face and plan for them. Different scenarios may require different responses, so it’s best to have thought some of these through before they happen: a malware outbreak, denial of service, illegal material on an employee PC, a lost or stolen laptop, a compromised system, or accidental disclosure, to name a few.
Last, the first time you try out the plan shouldn’t be during an actual incident. Practice builds confidence for the incident response team and shines a light on gaps in your plan that may need to be addressed. A calm response to an incident is more likely when you can say “yeah, we’ve practiced this… let’s get to work” versus “oh man… what do we do now”.
Prior Proper Planning Prevents Piss Poor Performance.
Be prepared and hope you never need to use your plan.