Rethinking the Computer Incident Response Plan

Don’t reinvent the wheel when it comes to your computer incident response plan (CIRP), say experts in a recent article on CSO. Instead, take a look at the business continuity plan (BCP) you already have in place and build on those existing resources.

“By leveraging important elements of the existing BCP and resources, the security team can jump start the CIRP and obtain a faster and more responsive organization,” writes information security professional George Viegas, who recommends the following five steps.

1. Use the existing structure and organization

Don’t create separate reporting and management structures, advises Viegas. Instead, take a look at the overlap between the CIRP and the BCP — often they share most of a management team, so why not combine them? “For example, in the event of a computer incident, the internal audit team will need to be in the loop, but in a business continuity incident that may not be the case. On the other hand, in a business continuity incident, the physical security team will definitely need to be in the loop, but not necessarily the audit team. However, a common leadership team can include leaders from both the audit and physical security teams, who can be brought in as needed for the incident response,” writes Viegas.

2. Combine roles and responsibilities

Do your business recovery coordinator and incident response manager play similar roles and report to the same information security team? Why not combine these roles into one person’s responsibility, asks Viegas.

3. Reuse processes

Overlapping processes, such as the methods for gathering responses and communicating with leadership, can be consolidated as well.

“For example, the role and process of the incident response manager, to triage and determine initial incident severity and escalate, can be similar in both the BCP and the CIRP,” says Viegas.

4. Common contact information

The latest, up-to-date call trees and information hierarchies are part of your BCP, so use this info as a reference rather than a separate system in the CIRP, says Viegas.

5. Combine exercises

Rather than running two separate disaster preparation exercises, try a combined BCP/CIRP event built around a data-breach-related incident or a crypto-locker takedown, says Viegas. “Using a computer-related incident sheds light to upper management on the importance of the computer-related outage or breach and builds awareness that the scale of a computer-related incident can rival and surpass that of the traditional physical security outages,” he says.