Preparedness Is Key for Cybersecurity Incident Response
The key to successfully warding off or recovering from a cybersecurity incident is to be prepared. Cities and states need to plan ahead, and one of the best ways to do so is to create an incident response plan: a written policy that defines how the organization manages cybersecurity incidents. The process of creating and testing an incident response plan, and then training the participants who will carry it out, prepares an agency to detect, respond to and quickly recover from a cyber incident. An effective IR plan limits disruptions to services and citizens, and reduces data loss and reputational damage.
It’s a great idea. But unfortunately, nearly 25 percent of state and local governments do not have an IR plan.
But there’s good news: Building an IR plan can be done in manageable steps, and there are examples and templates available to help governments of all sizes create effective IR plans.
A Stepwise Approach to Incident Response Plans
One simple way to create an IR plan is to tackle each of its sections as a separate step. The most basic approach includes four sections: organization; preparation and protection; detection and analysis; and containment and recovery.
Organization: Determine who has overall responsibility for the plan, then broaden that thinking to create the extended team — think IT, legal, finance and HR. Specify the roles and responsibilities of each member of the incident response team. The plan should include contact information for each team member, kept somewhere the team can still reach if email, the directory or the phone system is part of what is down.
Preparation/Protection: Prioritize the systems that must be kept online or brought back online first, and set up policies to protect them. Next, ensure that relevant security tools — such as firewalls, anti-virus, vulnerability scanning and patching systems — are in place and kept up to date. Identify gaps in security and create a remediation plan. Ensure backups are stored offline (or otherwise out of reach of an attacker who controls the network) and that recovery from them is tested periodically, since an untested backup is not a recovery plan. Provide security awareness training to employees and elected leaders, and even to citizens if possible. Write detailed instructions (playbooks) for handling each type of incident the agency expects to face. Test all of this periodically with the IR team.
Detection and Analysis: When an incident is detected, the plan's process tree (the escalation flowchart that says who is notified and who decides what) is activated so team members can spring into action. This phase includes determining the cause and impact of the incident and preserving evidence such as logs and disk images before systems are changed. If the incident is severe (it limits availability or disrupts services) or catastrophic (there is a total shutdown or information is leaked), information is gathered for further analysis and the incident is reported to the relevant authorities. The plan should include information about mandatory reporting requirements, as well as protocols for notifying local and state law enforcement and, if needed, federal agencies such as the Department of Homeland Security and the FBI.
Containment and Recovery: This phase involves taking action to stop the attack and limit its damage and impact. It may involve eradicating malware, correcting misconfigurations or identifying other hosts that might be compromised, so instructions on how to respond to each type of incident belong here. This section of the plan also includes the steps necessary to restore affected systems to normal operation, which might involve restoring from backups (after confirming the backup predates the compromise), rebuilding from a secure baseline, replacing compromised files with clean versions, patching or resetting passwords and other credentials. Once the incident has been resolved, the plan includes a step for evaluating lessons learned and incorporating them into a revised IR plan.
To make the process even simpler, download a sample incident response plan from the state of Michigan. It lays out the steps, provides a sample IR team table and a process tree, and is a valuable example of a local government incident response plan. Find it at statetechmag.com/MichiganIR.