
Create Incident Response Policies

Written by Cyberangels
Updated over 2 years ago

What is an incident response policy?

The Security Incident Response Policy (SIRP) documents the controls the organization has in place to detect security vulnerabilities and incidents, and the processes and procedures it follows to respond to and resolve them.

It must be both concise and comprehensive. If this policy is poorly written, it can have a major impact on productivity and on how customers perceive the organization when an incident occurs.

The first step in writing an SIRP is to define the difference between a security alert and a security incident. Alerts are something you probably already receive throughout the day: a firewall alert when someone scans it for open ports, or an antivirus report that a critical system may be compromised. From the SIRP's perspective, an alert becomes an incident when someone starts actively investigating or acting on it. In the firewall example, if an administrator logs in to the device to block the source of the port scan, that is an incident.

Use your security event logging system to strike the right balance between alerts and incidents. If alert triggers are too sensitive, team members suffer from alert fatigue and start ignoring them; if triggers are too weak, the warning signs of a serious incident are missed. Treat the thresholds as something you tune over time rather than set once.
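The alert-versus-incident threshold described above, as an added example that is not the article's or Cyberangels' own code. It runs a simple port-scan rule over constructed firewall log lines and shows how the same log produces noisy alerts, a clean alert, or nothing at all depending on the threshold. The log format, the IP addresses, the thresholds and the promotion rule (an alert becomes an incident once the alerted source gets an accepted connection) are all assumptions chosen for illustration.

```python
"""Tuning the alert threshold and the alert-to-incident promotion rule."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample firewall log (not real traffic). Assumed line format:
#   <ISO timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>
# 203.0.113.10 probes eight ports and then connects to 443; 192.0.2.7 is a
# monitoring host that trips two closed ports; 198.51.100.77 is one stray hit.
SAMPLE_LOG = """\
2024-03-01T09:00:01 DENY src=203.0.113.10 dst=198.51.100.5 dport=21
2024-03-01T09:00:02 DENY src=203.0.113.10 dst=198.51.100.5 dport=22
2024-03-01T09:00:02 DENY src=192.0.2.7 dst=198.51.100.5 dport=161
2024-03-01T09:00:03 DENY src=203.0.113.10 dst=198.51.100.5 dport=23
2024-03-01T09:00:04 DENY src=203.0.113.10 dst=198.51.100.5 dport=25
2024-03-01T09:00:05 DENY src=203.0.113.10 dst=198.51.100.5 dport=80
2024-03-01T09:00:06 DENY src=203.0.113.10 dst=198.51.100.5 dport=110
2024-03-01T09:00:07 DENY src=203.0.113.10 dst=198.51.100.5 dport=143
2024-03-01T09:00:08 DENY src=203.0.113.10 dst=198.51.100.5 dport=3389
2024-03-01T09:00:09 DENY src=198.51.100.77 dst=198.51.100.5 dport=8443
2024-03-01T09:00:10 DENY src=192.0.2.7 dst=198.51.100.5 dport=162
2024-03-01T09:00:15 ALLOW src=203.0.113.10 dst=198.51.100.5 dport=443
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str
    src: str
    dport: int


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src: str
    distinct_ports: int


@dataclass(frozen=True)
class Incident:
    ts: datetime
    src: str
    reason: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed key=value log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(datetime.fromisoformat(ts), action, kv["src"], int(kv["dport"])))
    return events


def triage(log_text: str, alert_ports: int = 5, window_seconds: int = 60):
    """Return (alerts, incidents) for the given threshold.

    Alert rule: a source is alerted once when it is denied on at least
    `alert_ports` distinct ports within `window_seconds`.
    Promotion rule (assumed): an alerted source that later gets an ALLOW has
    found an open port, and that alert is promoted to an incident.
    """
    window = timedelta(seconds=window_seconds)
    recent: dict[str, deque[tuple[datetime, int]]] = defaultdict(deque)
    alerted: set[str] = set()
    escalated: set[str] = set()
    alerts: list[Alert] = []
    incidents: list[Incident] = []
    for ev in sorted(parse_log(log_text), key=lambda e: e.ts):
        if ev.action == "DENY":
            q = recent[ev.src]
            q.append((ev.ts, ev.dport))
            while q and ev.ts - q[0][0] > window:   # drop events outside the window
                q.popleft()
            distinct = len({port for _, port in q})
            if distinct >= alert_ports and ev.src not in alerted:
                alerted.add(ev.src)
                alerts.append(Alert(ev.ts, ev.src, distinct))
        elif ev.action == "ALLOW" and ev.src in alerted and ev.src not in escalated:
            escalated.add(ev.src)
            incidents.append(Incident(ev.ts, ev.src, "accepted connection after port-scan alert"))
    return alerts, incidents


def compare_thresholds(log_text: str, thresholds: list[int]) -> dict[int, tuple[int, int]]:
    """Map each threshold to (alert count, incident count) over the same log."""
    return {t: tuple(len(x) for x in triage(log_text, alert_ports=t)) for t in thresholds}


if __name__ == "__main__":
    for threshold, (n_alerts, n_incidents) in compare_thresholds(SAMPLE_LOG, [2, 5, 50]).items():
        print(f"alert_ports={threshold:>2}: {n_alerts} alert(s), {n_incidents} incident(s)")
```

With a threshold of 2 the monitoring host raises an alert alongside the real scanner (fatigue); with 50 nothing fires and the scan that ended in an accepted connection is missed; with 5 only the scanner is alerted and its later connection promotes that alert to an incident. The thresholds you settle on come from running this kind of comparison against your own logs, then revisiting it as tip 1 in the summary suggests.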

There is also no need to overcomplicate incident documentation. Use a tool your team already works in as the incident reporting log, whether that is your ticketing system or a chat platform, to keep everyone updated on the progress of an incident. During the incident, create a dedicated, single-use Slack channel where logs, screenshots, and other evidence can be attached. When triage is complete, corrective actions have been taken, and the post-incident discussion has concluded, copy all of the evidence to a backup location for future reference and follow-up. Restrict who can modify that archive and record a hash of each file when it is stored, so the evidence can still be relied on if the incident is revisited or questioned later.

You also need to plan for a major incident, such as a breach of the network or the compromise of a critical system that holds personal data. If you do not have the in-house expertise to run a full forensic investigation, arrange in advance to rely on someone who does: establishing a relationship with a breach forensics team before you need it will save a lot of time, money, and stress when you are in the middle of a major incident. By the time you have to refer to the SIRP, you will probably already be responding to an incident, with the pressure mounting by the minute. The more planning you do up front, the better the SIRP will serve you. While writing it, keep asking yourself, "How can I keep this SIRP as simple and easy to follow as possible?"

Schedule a tabletop-style exercise twice a year: choose a few "what if" scenarios and walk through them with your team. Make sure everyone knows who must be notified in the event of an incident, what initial information needs to be collected immediately, and how incidents are classified. Also make sure that every resolved incident gets a post-mortem and a root cause analysis.

In summary, here are 9 tips for creating an effective SIRP:

  1. Work continually to refine the threshold between a security alert and a security incident;

  2. It is normal for an incident to be closed as a false positive, but use what you learned to refine the threshold for promoting alerts to incidents;

  3. Incident reporting can be done in a system your team already uses, such as Slack or Teams;

  4. Have an incident response team (often called a Computer Security Incident Response Team, or CSIRT) available to help in an emergency;

  5. The incident response team will usually want to gather information in advance so that you are as prepared as possible should you need its services;

  6. Information gathered could include network diagrams, copies of policies and the incident response plan, an inventory of resources and IP addresses, and contact information for the Chief Information Officer (CIO) and/or other executives;

  7. Incident response team members may also have technical infrastructure to help you prepare for common attacks, such as distributed denial-of-service (DDoS) attacks;

  8. They may also recommend exercises to better prepare for a data breach, even something as simple as rehearsing the backup and recovery process;

  9. Test the SIRP regularly and keep it as simple and complete as possible.
