“I am on the cusp of change and the curve is shifting fast.” (Audre Lorde, 1988)
Autumn is my preferred season—and not just because of family birthdays, gatherings, and cooler temps that are all so energizing. It’s the time to plan for change: stain the deck, mount the snow tires, clear the gutters, etc. We’re in the planning cusp. September is National Preparedness Month (the US Department of Homeland Security posts a useful preparedness calendar) and October is National Cybersecurity Awareness Month. In recognition of shifting curves (e.g., Covid-19 incidence, stock indices, unemployment) and being in that “cusp of change,” a discussion about incident response planning seems appropriate.
Under Colorado's consumer data privacy and breach notification law (HB 18-1128, in force since September 2018), most Colorado-based companies, not just those already subject to regulatory frameworks like HIPAA, ITAR, or DFARS 252.204-7012, must maintain reasonable security procedures and be able to notify affected residents within 30 days of determining that a breach occurred. Meeting a 30-day clock is not realistic without an incident response capability that already exists before the breach. NIST SP 800-61 Rev. 2, the Computer Security Incident Handling Guide, describes how to design an effective incident response life cycle that covers the processes shown in the diagram below.
Incident Response Planning Steps
Preparing an incident response plan starts with understanding the current condition (in a health-related context, that would be similar to knowing one's normal temperature): what assets exist, how they normally behave, which of them matter most, and which risks are acceptable. From there the work is mitigating the consequences of the incidents that do occur and learning from each one. No plan can reasonably anticipate every adverse event, which is why likelihood and impact are estimated and the plan is built around the most probable and most damaging cases rather than all of them. The life cycle NIST describes has four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity, with lessons learned from the last phase feeding back into the first.
Planning for Business Resiliency
Companies can reduce the frequency of incidents by effectively securing networks, systems, and applications, and can limit the damage the incidents that still occur are able to do. Both save time, money, and resources, and reduce collateral damage to customers and partners. As always, remember to secure the human factor: training, a clear reporting path, and a culture in which staff report a suspected phishing click or lost laptop immediately rather than hoping it goes unnoticed.
Clear communication guidelines can help limit damage to reputation and prevent contractual and legal reporting failures. In our interconnected, interdependent world, an incident at one company ripples outward to its customers, suppliers, and partners, who may have reporting obligations of their own. The diagram below indicates other “persons of interest.”
The essential elements for incident response communication plans include the following:
• Who to contact (e.g., clients, supply chain, partners, board of directors, regulators, cyber insurer, outside counsel)
• What information to include (e.g., what was affected and to what extent, what is known about the origin of the attack, and what is still unknown)
• When to communicate (e.g., contractual or legal reporting deadlines, update frequency)
• How to report (e.g., approved communication channels, and an out-of-band option in case email or chat is itself compromised)
Incident Response Plan Elements
An incident response plan incorporates multiple elements and should be considered a living document, reviewed regularly (whether due to calendar or business event triggers), championed by senior management, and shared with key staff. The elements below follow NIST SP 800-61 Rev. 2:
• Mission
• Strategies and goals
• Senior management approval
• Organizational approach to incident response
• How the incident response team will communicate with the rest of the organization and with other organizations
• Metrics for measuring the incident response capability and its effectiveness
• Roadmap for maturing the incident response capability
• How the program fits into the overall organization
Ideally, an incident response plan is coordinated with a broader business continuity plan that covers more than just IT systems and addresses the full range of disruptions (e.g., weather emergencies, power outages, pandemic, loss of key personnel), so that a cyber incident and a physical one invoke the same escalation paths and decision makers. Additional guidelines and templates are available through organizations like the Association of Continuity Professionals, the Federal Emergency Management Agency, and the Centers for Disease Control and Prevention.
Resilient Not Resistant
The underlying objective is to be resilient when change occurs rather than resistant to change. Prepare and plan!