Security Incident Response Plans
October 08, 2019
For years, companies have instituted disaster recovery and business continuity plans, focused on large-scale business disruptions such as earthquakes, fires, tornadoes, terrorism, and other catastrophic events, as well as the recovery and continuation of business operations. A newer trend for companies of all sizes has been the addition of Security Incident Response Plans (SIRPs). This article addresses the differences between the two plans and how they are related.
Disaster recovery plans identify the types of disasters likely to occur and the key activities needed to be able to recover in the event one of these types of incidents does occur. The plans typically gather information about the business, including a business impact analysis, key and critical dependencies and functions, and key personnel that need to be involved and/or contacted in the event of an incident.
SIRPs, on the other hand, include an analysis of the types and classification of incidents, which often depend on the data impacted by an incident. They require an understanding of how data moves through an organization, how it is stored, and what the recovery capabilities of the organization are. SIRPs also identify key personnel and their roles, including who handles the security incident itself, who handles communications (both internal and external) with the organization and its partners, and who makes up the response and recovery teams. Additionally, SIRPs typically identify the tools deployed for detecting and identifying an incident.
As you may have noticed, there is a lot of overlap between these plans, yet they address distinctly different business issues. A disaster recovery plan is directly related to business continuity. A security incident response, while it can incorporate recovery and business continuity, also requires a much more detailed approach: identifying the root cause, collecting evidence from the incident, documenting the information and response procedures, and performing all of this swiftly to limit the damage caused by the incident.
A SIRP is extremely important in today’s business climate because it allows for a clear recognition of what data needs to be protected. It also provides a guideline for responding to different types of incidents. Finally, it offers a roadmap for ensuring lessons learned are incorporated into future incident response plans and procedures.
Where incident response truly meets disaster recovery is when a security incident impacts a company’s access to its data, either through data loss or ransomware.
- 86% of companies surveyed in the Kroll Annual Global Fraud & Risk Report experienced at least one cyber incident.
- 50% of cybersecurity professionals in the health care industry reported in 2018 that their organization is not prepared to respond to a ransomware attack. (Pwnie Survey)
- $36,295 was the average cost of a ransomware incident in Q2, 2019. (Coveware report)
- $8.19 million was the total average cost per data breach in the U.S., the most expensive country in the world for data breaches, according to the IBM Security Cost of a Data Breach Report.
If you haven’t discovered the theme of these statistics, here it is: responding to a security incident is not limited to getting the business up and running, but often requires the ability to recover data. Many security professionals do not feel their organizations are ready, and many organizations simply do not understand the costs associated with not being prepared. Security professionals who have properly incorporated a SIRP into their overall disaster recovery procedures will be better equipped to ensure that the right individuals are involved in the event of a “data disaster” incident. Working off the same lists of key personnel, and knowing that the business impacts and critical dependencies have been properly identified, will make a significant difference in an organization’s ability to isolate and contain an incident and then recover the data impacted. This is why it is important to compare the procedures and key personnel identified in the SIRP with those in the disaster recovery plan.
With the proper processes in place to back up data regularly and make it easily recoverable, a business can reduce its financial exposure to the cost of responding to and recovering from an incident. Marrying a disaster recovery plan to a SIRP strengthens the company’s security position, while preserving the distinct differences of these documents, to create a comprehensive response plan. It is also critical to engage strong subject matter experts to help ensure documented plans align with the business’s strategic goals and objectives.
PRTS Intelligence Newsletter - Q3 2019