Cyber Incident Response Management
The speed at which you identify and mitigate a cyber attack or data breach makes a significant difference in controlling your risk, costs and exposure. As Ponemon Institute’s 2017 Cost of Data Breach Study: Global Overview observes: “The faster the data breach can be identified and contained, the lower the costs.”
Effective incident response processes can also reduce the risk of future incidents occurring.
With an effective incident response plan, you will be able to detect incidents at an earlier stage and develop an effective defence against attack.
Meet the stringent incident reporting requirements of the EU General Data Protection Regulation (GDPR)
Under the GDPR, which will be enforced from 25 May 2018, the people whose data you hold have a right to know when it has been compromised. The Regulation requires organisations to notify the national supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be told without undue delay so that they can take appropriate measures.
Under the Regulation, organisations will need an effective incident response plan to contain the damage in the event of a data breach and to prevent future incidents from occurring. Organisations that process the personal data of EU data subjects should take measures now in order to meet the stringent requirements of the Regulation.
Incident response planning is a part of all major cyber security regimes
The international information security standard (ISO 27001) and the business continuity standard (ISO 22301) both require organisations to establish incident management processes, which means developing cyber incident response (CIR) management plans.
A CIR plan is also a requirement of the Payment Card Industry Data Security Standard (PCI DSS), which requires that the plan be tested at least annually.
UK government departments also have a responsibility to report cyber incidents under the terms of the Security Policy Framework issued by the Cabinet Office, which effectively mandates a CIR plan for such organisations as well.
Typical phases of a cyber attack
CREST describes the following three basic phases of a cyber attack, the attacker's actions in each phase, and the recommended countermeasures:
1. Identify target
Attacker actions:
- Identify target
- Look for vulnerabilities
Countermeasures:
- Monitoring and logging
- Situational awareness
2. Attack target
Attacker actions:
- Exploit vulnerabilities
- Defeat remaining controls
Countermeasures:
- Architectural system design
- Standard controls (e.g. ISO 27001)
- Penetration testing
3. Achieve objectives
Attacker actions:
- Disruption of systems
- Extraction of data
- Manipulation of information
Countermeasures:
- Cyber security incident response planning
- Business continuity and disaster recovery plans
- Cyber security insurance
The top ten challenges of CIR management
Organisations can have significant difficulty responding to cyber security incidents, particularly sophisticated cyber attacks.
According to CREST, the top ten challenges organisations face when responding to a cyber security incident are:
- 1. Identifying a suspected cyber security incident.
- 2. Establishing the objectives of an investigation and a clean-up operation.
- 3. Analysing all available information related to the potential cyber security incident.
- 4. Determining what has actually happened.
- 5. Identifying what systems, networks and information (assets) have been compromised.
- 6. Determining what information has been disclosed to unauthorised parties, stolen, deleted or corrupted.
- 7. Finding out who did it and why.
- 8. Working out how it happened.
- 9. Determining the potential business impact of the cyber security incident.
- 10. Conducting a sufficient investigation using forensics to identify those responsible.
Absence of appropriate skills and inadequate cyber-readiness can significantly increase the duration and cost of a cyber incident.
Few organisations really understand their ‘state of readiness’ to respond to a cyber security incident, particularly a serious cyber security attack, and are typically not well prepared in terms of people, processes, technology and information.
Organisations of all types are struggling to deal with cyber security incidents effectively, with a growing number of cyber security incidents now taking place on a regular basis and causing significant business impact.
The IT Governance Cyber Incident Response Management consultancy service can help you develop the resilience to protect against, remediate and recover from a wide range of cyber incidents. It is based on ISO 27001, ISO/IEC 27035 (the international standard for information security incident management) and best-practice frameworks developed by CREST.
Prepare, respond to and follow up on incidents
Using the CREST Cyber Security Incident Response approach and drawing on the ISO 27001 and ISO 27035 standards, we can help you define and implement an effective incident response approach built around three stages: prepare, respond and follow up.
Prepare:
- 1. Conduct a criticality assessment.
- 2. Carry out a cyber security threat analysis.
- 3. Consider the implications of people, processes, technology and information.
- 4. Create an appropriate control framework.
- 5. Review your state of readiness in terms of a cyber security incident response.
Respond:
- 1. Identify cyber security incidents.
- 2. Define objectives and investigate the situation.
- 3. Take appropriate action.
- 4. Recover systems, data and connectivity.
Follow up:
- 1. Investigate the incident more thoroughly.
- 2. Report the incident to relevant stakeholders.
- 3. Carry out a post-incident review.
- 4. Communicate and build on lessons learned.
- 5. Update key information, controls and processes.
- 6. Perform a trend analysis.
IT Governance is an approved G-Cloud supplier. Our Cyber Incident Response Management service has been approved by the Crown Commercial Service (CCS) for sale on the government’s Digital Marketplace. G-Cloud service ID: 1607 9563 1889 722.
How IT Governance can help
Get started with your incident response planning today with support from IT Governance's CIR team.
You will have access to an experienced, dedicated technical team able to carry out sophisticated cyber security incident investigations quickly and effectively.
Identify, detect and contain incidents faster, mitigate the impact of an incident and restore services in a trusted manner.
You cannot prevent every incident, but you can prepare an effective response plan and do all you can to minimise the impact of a breach when it does happen.