Incident Response Plan Essentials

Questions and Answers

What is a common approach to cybersecurity incident handling that is considered a recipe for failure?

Practicing crisis management skills during an incident

Figuring out the details when an incident happens (correct)

Conducting regular cybersecurity drills

Developing an incident response plan before an incident occurs

What is a key benefit of developing an incident response plan?

It allows for quick decision-making during an incident

It helps ensure good judgment in the heat of an incident (correct)

It reduces the likelihood of an incident occurring

It eliminates the need for regular cybersecurity drills

What is typically included in a statement of purpose in an incident response plan?

The nature of the organization's approach to incident response

The authority of responders during an incident

Detailed strategies for incident response

The scope of the plan and the reasons for creating it (correct)

What should be clear in an incident response plan?

The priority of containing the incident over preserving evidence

Who is typically responsible for incident handling in an incident response plan?

Specifically designated responders with authority

What type of incidents might an incident response plan cover?

Both cybersecurity incidents and loss of sensitive information

Why is it important to have clear strategies and goals in an incident response plan?

To ensure responders make good decisions in the heat of an incident

What is the benefit of describing the nature of the organization's approach to incident response in a plan?

It clarifies the authority of responders during an incident

What is a crucial aspect of communication in an incident response plan?

Communicating within the team, with other groups and with third parties

What is the primary purpose of obtaining senior management approval in an incident response plan?

To demonstrate authority during incident response

Which of the following is a recommended resource for guiding incident response plan development?

NIST SP 800-61

Why is it important to consult other organizations' incident response plans?

To learn from their experiences and apply them to your organization

What is the primary role of an incident response team?

To respond to incidents and manage the response process

What is a key consideration when staffing an incident response team?

Having primary and backup personnel assigned to cover vacations and extended periods

Why is it important to have an incident response team available on a 24/7 basis?

To respond quickly to incidents that can occur at any time

What is a benefit of using a template for incident response planning?

It provides a starting point for developing a plan

What may happen if you file a report with law enforcement?

The details of the incident may become public

When should you contact law enforcement?

When you think there's a threat to safety or you have a legal obligation to report a specific kind of incident

Who should provide guidance on laws and regulations that apply to your organization?

Your legal team

What type of laws may require notification in the event of an incident?

Privacy laws

What should your communications plan describe?

Who you will communicate with and how you will communicate during an incident

Why should you have secure communication channels in place?

To prevent the release of information to the public or your adversary

What is the next step after having an incident response plan in place and a team prepared?

Incident response process enters a state of perpetual monitoring

What is the purpose of perpetual monitoring?

To watch for signs that an incident is occurring or has already taken place

Study Notes

Incident Response Plan

• The incident response plan should cover communication within the team, with other groups within the organization, and with third parties.
• The plan should include the approval of senior management to provide authority when taking unpopular actions during incident response.

Developing the Plan

• Consult NIST SP 800-61 to guide decisions when developing the plan.
• Look at existing plans developed by other organizations, such as Carnegie Mellon University's plan, to get a starting point.
• The plan should include a statement of purpose, strategies and goals for incident response, and a description of the organization's approach to incident response.

Incident Response Team

• Create an incident response team that is available 24/7 and has primary and backup personnel assigned to cover vacations and extended periods of operation.

Incident Response Process

• The incident response process involves perpetual monitoring to watch for signs that an incident is occurring or has already taken place.
• Incident response should prioritize containment over evidence preservation, if necessary.
• The plan should describe clear strategies and goals for first responders and those handling incidents at a more strategic level.

Legal Considerations

• Involve the legal team in incident response planning efforts to get guidance on laws and regulations that apply to the organization.
• Consider notification requirements for incidents, such as reporting to law enforcement or government agencies, and timely notification of individuals in case of a personal information breach.
• Ensure secure communication channels are in place before an incident occurs to share information with trusted employees and third parties.

Description

Learn about the key components of an effective incident response plan, including communication and senior management approval.