
Prepare Address Contain and Review Security Procedure


Creating an Incident Response Policy

Part 1: Research Incident Response Plans

Components of an Incident Response Plan

The University of California’s incident response plan can be found at the following link: UC Information Security Incident Response Standard.

The key components of the UC Incident Response Plan are preparation, detection and analysis, containment, eradication and recovery, and post-incident activity. Preparation involves creating, training and supporting the incident response team so that it has all the necessary tools to conduct an adequate response, such as defined roles, processes, a plan, suppliers for assistance, and so on. Detection and analysis consist of determining whether an incident has occurred and gathering preliminary data to understand the nature and scope of the incident. The goal of containment, which follows, is to limit the impact of the incident; this step takes two approaches, short-term containment (immediate response) and long-term containment (actions to be taken until the system is restored). Eradication involves eliminating the cause of the incident, which may involve deleting malware and identifying and mitigating vulnerabilities. Recovery refers to restoring and validating system functionality, making sure that systems are clean, and looking for any signs of vulnerabilities that could still be exploited. Post-incident activity is conducted after the incident is resolved, when the team analyzes what happened and how it was handled. It is the final step and is meant to help the organization learn from the incident and improve future response efforts.

Six-Stage Methodology for Incident Response

The six-stage methodology for performing incident response as described at Flylib.com consists of making sure that an organization is ready to respond to an incident (prepared), that it can detect when a situation is a security incident (identify), that it can isolate the systems affected by the incident (contain), that it can remove the cause of the incident and prevent the spread of malicious parts (eradication), that it can restore systems to normal operations (recover), and that it can learn from the incident through a thorough review (learning).

The UC Incident Response Plan closely follows this methodology, with each of its steps mirroring one of the stages recommended at Flylib.com.

Part 2: Create an Incident Response Policy

Policy Association with Incident Response Plan

The Security Response Plan Policy from the SANS Institute gives a template for creating an incident response policy. The point of following this template is that it helps an organization to be better prepared to respond to any security incident. The policy outlines the responsibilities of the incident response team. Roles are clearly defined and duties listed so that all team members know what is expected of them and what procedures they are supposed to follow during an incident.

Incident Response Policy for Bankwise Credit Union

Based on the characteristics and requirements of the fictional Bankwise Credit Union, an incident response policy would consist of the following points.

Policy Statement

The Bankwise Credit Union is committed to protecting its information systems and data from security incidents. This policy serves as a guide for responding to security breaches and other incidents, so that the incident response team tasked with protecting the organization’s assets, data, and reputation understands and follows a standardized approach.

Purpose/Objectives

The objectives of this incident response policy are to have in place an adequate response to security incidents; minimize the impact of incidents on operations; protect sensitive data and maintain the integrity of information systems; comply with legal and regulatory requirements, including the Gramm-Leach-Bliley Act (GLBA); and improve the security awareness and preparedness of the organization.

Scope

This policy applies to all employees, contractors, and third-party users of Bankwise Credit Union’s IT assets, systems, and data. It covers all locations and branches of the credit union and applies to all types of security incidents.

Standards

1. Incident Identification and Reporting: All suspected security incidents must be reported immediately to the Incident Response Team (IRT).

2. Incident Classification: Incidents will be classified based on their severity and impact on operations.

3. Response Actions: The IRT will follow predefined procedures to contain, eradicate, and recover from incidents.

4. Chain of Custody: The IRT will maintain a detailed chain of custody for all evidence collected during an incident.

Procedures

1. Preparation: Regular training and drills for the IRT; ensuring all tools and resources are available.

2. Identification: Immediate reporting and logging of incidents; initial assessment by the IRT.

Cite This Paper
"Prepare Address Contain And Review Security Procedure" (2024, June 04) Retrieved April 21, 2026, from
https://www.paperdue.com/essay/prepare-address-contain-security-procedure-review-2181928
