2. Incident Response

Incident Terminology

Breach: Loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence (NIST SP 800-53 Rev. 5)

  • e.g., an unauthorized user accesses PII, or an authorized user accesses PII for an unauthorized purpose

Event: Any observable occurrence in a network or system (NIST SP 800-61 Rev. 2)

Intrusion: An intruder gains access to a system without authorization (IETF RFC 4949 Ver. 2)

Threat: Any event with the potential to adversely impact operations (NIST SP 800-30 Rev. 1)

Goal of Incident Response

Reduce the impact of incidents so the organization can resume operations as soon as possible.

Components of an Incident Response Plan

Identify critical data, systems, and single points of failure; the plan must be approved by management.

  1. Train staff and implement an IR team

  2. Practice first response: incident identification, and identify roles/responsibilities

  3. Plan coordination of communication between stakeholders

  4. Consider that the primary method of contact may not be available

Incident Response Team (often part of a Security Operations Center)

A typical IR team is cross-functional, including:

  • Representative(s) of senior management

  • Infosec professionals

  • Legal representatives

  • Public affairs

  • Engineering

  • CIRT (Computer Incident Response Team), also called CSIRT (Computer Security Incident Response Team)

Business Continuity & Data Recovery

Intent: Sustain operations while recovering from a disruption

Continuity Plan: Procedures to restore business operations after a disaster

Common business continuity plans:

  • Immediate response procedures/checklists (security/safety, fire, emergency response, etc.)

  • Notification systems/call trees for alerting personnel

  • Guidance for management, designation of authority for specific managers

  • How and when to enact the plans

  • Contact numbers for the supply chain (vendors, customers, emergency services)

  • Business Impact Analysis (BIA)
