THE TOP 5 CHALLENGES TO MEETING NIST 800-171 #2 INCIDENT RESPONSE PLANS
Unpacking why you not only need an Incident Response Plan but more importantly why you need to test it annually!
First and foremost, we should recognize that the Incident Response Plan is designed to minimize the impact of a cybersecurity breach, or major systems failure, AFTER it has already affected your business operations. The fact that you are executing the plan implies that you already have a major issue that is affecting, or will affect, your business operations in one way or another.
To establish an incident response plan, you should follow the basic steps below:
Identify the Assets you need to protect
Identify the potential risks associated with those assets
Establish a procedure
Set up a response
Sell your plan
Train your team
More importantly, according to Darren King, Director of the Defense Industrial Base Cybersecurity Assessment Center under the DCMA, you need to test your plan.
Training the team and testing the plan are important because, when the business is in crisis, there is no time to read the manual or call a committee meeting to discuss the appropriate response. The organization should have defined roles and responsibilities for the Incident Response team, and those members should be well rehearsed and educated in their roles and responsibilities so they can execute the plan.
As part of the plan you should also have a list of resources with which you have already formed relationships, so you are not scrambling to find a forensic resource or legal counsel to give you advice. You also need a formal communications plan, both to address internal team communications and to inform your customers.
The reality is that your Incident Response team needs to hone their skills just as the Fire Department or Emergency Responders do: by practicing. When they are called on, they need to be prepared!
Some scenarios you might want to prepare plans for include: a worm or virus that spreads through a vulnerable service and infects a host; a DoS (denial of service) attack against the operating system of a particular host or application; or a network-based DoS attack against your network.