10. Incident Response Planning


ND545 C3 L4 A06 Incedent Response Strategies And Plan Part 1 V3

Overview

Prepare to plan or plan to fail. Creating a straightforward incident response plan that stakeholders can follow is critical. The goal of the plan is to equip the company with the information and resources needed to detect and respond to cyber attacks, whether malicious, unintentional, or circumstantial, and to limit their consequences.

Common elements of an incident response planning process include:

  • Establishing roles and contact information

  • Outlining notification steps

  • Creating an incident procedure checklist

  • Determining how to categorize and prioritize incidents

  • Providing guidance on business continuity and disaster recovery triggers and steps

  • Provisions for a continuous improvement process

How do you know when you need to use the incident response plan?

The incident response plan usually gets activated when there is a credible indicator of compromise or confirmed incident. Here are key terms to know:

  • Event: Any observable occurrence in an information system.

  • Indicators of compromise (IoC): A known signal that suggests a potential event is indeed an incident.

  • Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

Plan Activation

Incident response plans are typically activated when there is a credible indicator of compromise or a known incident occurring within the organization. When determining activation triggers, it's important to distinguish events from incidents, as well as define what incident types and severities warrant plan activation.

ND545 C3 L4 A06 Incedent Response Strategies And Plan Part 2

Key Takeaway

Events are everyday activities that are monitored for any signs that suggest something suspicious is happening. Those suspicious signs are called indicators of compromise (IoC). When an IoC is confirmed, the event typically gets labelled an incident. It's important to then understand which incidents, usually based on impact or severity level, require activation of the incident response plan.
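The event / IoC / incident progression and the severity-based activation trigger described above, as an added example that is not part of the course material: a small Python triage routine with a constructed, hypothetical IoC catalogue and an assumed activation policy (one confirmed IoC or two independent suspected IoCs promotes an event to an incident; severity grows with the CIA properties at risk and asset criticality).

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Event:
    """Any observable occurrence in an information system."""
    source: str
    asset_critical: bool                   # is the affected asset business-critical?
    matched_iocs: frozenset = frozenset()  # catalogue names observed in this event


@dataclass
class Incident:
    event: Event
    impact: frozenset    # subset of {"C", "I", "A"} that is jeopardised
    severity: Severity


# Constructed IoC catalogue (hypothetical entries): whether a signal on its own
# confirms an incident, and which of confidentiality/integrity/availability it threatens.
IOC_CATALOGUE = {
    "known_c2_beacon":     {"confirmed": True,  "impact": {"C", "I"}},
    "ransom_note_dropped": {"confirmed": True,  "impact": {"I", "A"}},
    "failed_login_burst":  {"confirmed": False, "impact": {"C"}},
    "new_admin_off_hours": {"confirmed": False, "impact": {"I"}},
}


def classify(event: Event) -> Optional[Incident]:
    """Promote an event to an incident only when its IoCs support it:
    one confirmed IoC, or at least two independent suspected IoCs."""
    known = [IOC_CATALOGUE[n] for n in event.matched_iocs if n in IOC_CATALOGUE]
    confirmed = [i for i in known if i["confirmed"]]
    if not confirmed and len(known) < 2:
        return None  # still just an event: keep monitoring
    impact = frozenset().union(*(i["impact"] for i in known))
    # Assumed scoring: CIA properties at risk + critical asset + confirmed signal.
    score = len(impact) + int(event.asset_critical) + int(bool(confirmed))
    return Incident(event, impact, Severity(max(1, min(score, 4))))


def should_activate(incident: Incident, threshold: Severity = Severity.HIGH) -> bool:
    """Activation trigger: the plan is invoked at or above the configured severity."""
    return incident.severity >= threshold
```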