Incident Response Capability

Incident Response Capability is control #18 of the Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, and the third of the five controls not directly supported by automated measurement and validation. Cymbel provides professional services in support of all five.

Incident Response Capability as introduced by the SANS 20 Critical Security Controls:

A great deal of damage has been done to organizational reputations and a great deal of information has been lost in organizations that do not have fully effective incident response programs in place. Without an incident response plan, an organization may not discover an attack in the first place, or, if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker’s presence, and recover in a secure fashion. Thus, the attacker may have far higher impact on the target organization, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible with an effective incident response plan.

The National Institute of Standards and Technology (NIST) has released detailed guidelines for creating and running an incident response team in Special Publication 800-61, available at http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf.

Cymbel can help you meet the standards prescribed by the SANS 20 Critical Security Controls:

  • Ensure that you have written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling consistent with the NIST guidelines cited above.
  • Assign job titles and duties for handling computer and network incidents to specific individuals.
  • Define the management personnel who will support the incident handling process within each organization, acting in key decision-making roles.
  • Devise organization-wide standards for the time required for system administrators and other personnel to report anomalous events to the agency incident handling team, the mechanisms for such reporting, and the kind of information that should be passed in the incident notification. This reporting should also include notifying US-CERT in accordance with federal requirements for involving that organization in computer incidents.
  • Publish information to all personnel, including employees and contractors, regarding reporting computer anomalies and incidents to the incident handling team. Include such information in routine employee awareness activities.
  • Conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that personnel understand current threats and risks, as well as their responsibilities in supporting the incident handling team.