Many use the terms Business Continuity, Disaster Recovery, and Incident Response interchangeably. However, each of these components of the Resilience Triad (see the previous post) serves a different purpose, and understanding the role of each and how they interact is essential to maintaining a robust information security program.
In part one we reviewed Business Continuity and part two went over Disaster Recovery. The final component of the Resilience Triad is the Incident Response Plan, or IRP, which directs how the business will manage an incident as it unfolds. Incidents rarely affect internal operations and personnel only; clients, customers, citizens, and other partners and consumers of your business are critical stakeholders during an incident.
Often external stakeholders are stressed when your organization is in the middle of an incident. They may rely on your business to serve their customers, or to maintain business operations, or to manage personal lives. Companies have been severely impacted, if not ruined, by not managing an incident effectively.
To craft an effective IRP, a definition of “incident” needs to be adopted and understood by all stakeholders, internal and external. In information security, an incident is often described as one or more information security events that have resulted in a situation where there is a significant likelihood that information or systems have been compromised. An information security event is an observed action that may lead to an incident. A basic example: the logging systems record several events of an external entity attempting a brute force attack on a system, and traffic analysis then shows connectivity between that system and an external, unknown entity. Individually each is only an event; collectively, they point to a high likelihood that the system was compromised.
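The event-to-incident escalation described above, as an added example that is not from the original post: the log lines are constructed, and the allowlist of known external hosts and the threshold of three failed logins are assumptions chosen for illustration.

```python
import re

# Constructed sample log lines for this example (not from the post): repeated
# failed logins from one source, then an outbound connection from the same host.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 host1 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:02 host1 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:03 host1 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:04 host1 sshd: Failed password for root from 203.0.113.7",
    "2024-05-01T10:00:05 host1 sshd: Accepted password for admin from 203.0.113.7",
    "2024-05-01T10:02:10 fw: OUTBOUND src=host1 dst=198.51.100.9 dport=8443",
    "2024-05-01T10:02:11 fw: OUTBOUND src=host1 dst=203.0.113.50 dport=443",
]

# Assumed allowlist: external destinations the organization already expects traffic to.
KNOWN_EXTERNAL = {"203.0.113.50"}
# Assumed threshold: this many failed logins from one source counts as a brute force event.
BRUTE_FORCE_THRESHOLD = 3

FAILED_RE = re.compile(r"^(\S+) (\S+) sshd: Failed password for \S+ from (\S+)")
OUTBOUND_RE = re.compile(r"^(\S+) fw: OUTBOUND src=(\S+) dst=(\S+) dport=(\d+)")


def collect_events(lines):
    """First pass: turn raw log lines into discrete security events."""
    failed = {}    # (target_host, source_ip) -> number of failed logins
    outbound = {}  # target_host -> set of unknown external destinations contacted
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            key = (m.group(2), m.group(3))
            failed[key] = failed.get(key, 0) + 1
            continue
        m = OUTBOUND_RE.match(line)
        if m and m.group(3) not in KNOWN_EXTERNAL:
            outbound.setdefault(m.group(2), set()).add(m.group(3))
    return failed, outbound


def classify(lines):
    """Second pass: decide whether the events, taken together, form an incident."""
    failed, outbound = collect_events(lines)
    brute_forced = {host for (host, _src), n in failed.items() if n >= BRUTE_FORCE_THRESHOLD}
    verdicts = {}
    for host in brute_forced | set(outbound):
        if host in brute_forced and host in outbound:
            verdicts[host] = "incident"  # both signals together: likely compromise
        else:
            verdicts[host] = "event"     # one signal alone: record and watch
    return verdicts
```

Running `classify(SAMPLE_LOGS)` yields `{"host1": "incident"}`; feeding it only the failed-login lines or only the outbound line yields `{"host1": "event"}`, which is the distinction the IRP definition relies on.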
One component of an IRP that should never be overlooked is not technical at all: the business should have one and only one source of communication during an incident. Another component is “trigger points” – situations that direct a specific, pre-agreed decision. One example is ransomware and when, or whether, to pay the ransom. In the heat of the moment a business should not be making such decisions without some prior planning. Often the cyber liability insurance carrier will have a say in this as well.
Organizations should craft their IRP with different scenarios (e.g., ransomware, pandemic). The choice of playbooks should be based on the realistic risks the organization may face. For example, a business located in Kansas may want to have a plan drafted to direct response actions in case of a tornado but likely won’t need to consider one for a hurricane.
Remember, like Business Continuity, Incident Response is not solely an IT issue. Don’t treat it as such.
Bottom Line: Understanding the Resilience Triad and paying each its proper due diligence on an annual basis is necessary when an actual disruptive incident occurs. No business should attempt to make decisions on the fly when timely restoration is critical for business survival. A virtual CISO can help ensure your Resilience Triad is effective and optimized.
Photo by James Hartono on Unsplash