(9) Incident Response Building Flashcards
When building an incident response program, what does the policy need to look like?
The incident response policy is the foundation of the incident response program. It should be written so that it is timeless and provides the authority for a proper response.
It should assign responsibility to the CSIRT and describe the role of individual users and state their authorities.
What should the incident response policy NOT include?
The incident response plan should NOT include specific technologies, procedures, or evidence-gathering techniques. This is because these details will change and should be kept in documents that are more easily updated.
Summarize the key elements that NIST says should be in the infosec policy
It should have a statement of management commitment, including the purpose and objectives of the policy, its scope, a definition of terms, the organizational structure, prioritization assignments, and the reporting apparatus.
What do incident response procedures outline and what should they include/look like?
Procedures provide the specific information that CSIRT members need when responding to an incident. They capture the collective wisdom of other experts, gathered during calm periods, for use during an incident.
A playbook or playbooks may be developed with specific processes that are to be followed if and when an incident is deemed to have happened.
What is an example of a rare instance when a playbook shouldn’t be followed during an incident response process?
A rare instance where a playbook can be deviated from would be based on the responder's own professional judgment.
When the CSIRT is developing the incident response plan, what should they pay attention to?
The CSIRT should pay particular attention to creating tools that may be useful during an incident response. These tools should provide guidance to response teams that can be read quickly and interpreted during a crisis.
What types of people should be on the CSIRT?
The team should consist of cybersecurity professionals with specific skill sets. In larger companies, it can also include security experts who step out of their normal duties to help the company after an incident has happened.
In addition to the regular team members, who else could/should be included in the CSIRT?
The CSIRT may include subject matter experts, IT support staff, legal counsel, human resources staff (to investigate internal threats), and public relations staff.
Describe the concept of an incident response provider
Incident response providers are useful if the org doesn't have the necessary expertise in house to handle a particular incident or set of incidents. This is very expensive and should be considered carefully. The org needs to understand the provider's delivery time frame (how fast the response will happen) and when the provider would take over full control of the investigation if needed.
Who should run the CSIRT?
The CSIRT should be run by a designated leader with clear authority to direct response efforts and serve as the liaison to management.
The leader should be a skilled incident responder who is assigned to lead the CSIRT or who serves in a cybersecurity leadership position.
Describe what the CSIRT scope of control should be.
The CSIRT has to have a defined scope of control. It needs to be decided what triggers the CSIRT, who is authorized to activate it, whether it is authorized to communicate with law enforcement or other external parties, and whether it has internal communication or escalation responsibilities.