Are you ready for an Information Security Incident?
The prevailing wisdom is that information security breaches are inevitable. We have all seen the headlines and watched as major targeted attacks played out in government and in the media, but as business leaders and security practitioners, what can we do to protect our organizations? The founder of the Boy Scouts, Robert Baden-Powell, said everything we really need to know when he established their motto: “Be Prepared”. In his book “Scouting for Boys” (1908), Baden-Powell expanded:
“Be Prepared … by having thought out beforehand any accident or situation that might occur, so that you know the right thing to do at the right moment, and are willing to do it.”
That’s pretty good advice. In our practice of information security, our goal should be not only to prevent security breaches, but also to prepare for them and to manage them so that their impact on our organization is as small as possible. While we can’t surrender to the inevitability, it’s vitally important to be realistic about the environment and to acknowledge that our organizations take risks in order to achieve their goals. Security isn’t perfect, but we can all be better, and we need to take the necessary steps to “Be Prepared”.
The Ten Point Plan:
- Don’t wait for a breach to get ready.
- Understand your business, and what is critical, important, and meaningful. Document where those important things are stored, how they’re protected, and what the cost and impact are if they’re lost or stolen. Invest in protection to prevent unacceptable losses to the extent the business tolerates.
- Elevate the priority placed on Security Awareness internally and ensure that employees across all levels of your organization understand that it is their job to help support the company’s security posture (this will involve communication, training, etc.).
- Create policies, procedures and guidelines for handling information security incidents. Create practices for communication, involving your legal departments, staff, law enforcement and customers. Develop and document escalation and authority structures.
- Ensure you have visibility into the critical activity and behavior in your environment. Review how you are receiving and digesting this information, as well as which stakeholders within your organization receive, provide input on, or action the data.
- Make incident detection and analysis a core competency for your information security program. Find a balance for your program goals and spending between preventative, detective and corrective actions. Visibility into the data and events occurring on the network and within the data repositories is critical. Preventative controls can and will fail.
- Develop and understand your capacity for response. Hire, contract or allocate resources that are trained, and have the necessary tools and experience in incident response. Most organizations will be able to develop the capacity to handle and recover from minor incidents. Develop a plan and process to understand and react to extended incidents, or major incidents that exceed the skill level and capacity of internal staff.
- Practice and learn. Even if you are having regular “live-fire” incidents, review your plan yearly and do simulations to create a continuous improvement cycle.
- Leverage expert advice and guidance. In addition to advice from a trusted security advisor, you can learn a lot from SANS Institute IR training or by reading resources like “NIST SP 800-61rev2”.
- Talk early, meaningfully and often, with your executives, with company staff and with contractors about your program’s readiness, your plans for improvement and your capacity for response. While discovering a security incident might be unwelcome, it shouldn’t be a surprise.