Incident Response Testing

Published by Joe D on

In the previous bulletin, we offered guidance on developing a plan to prepare for and address an information security incident, should one occur. Once the plan has been developed, how do we verify that it is effective and will operate as intended?


To understand whether the preparation we have done will result in effective execution of our Information Security Incident Response Plan, the plan should be tested periodically. These tests are typically run as desktop (tabletop) exercises, walking through a mock incident without touching production systems, and are named accordingly.


What type of incident should be tested?

The test can span the full spectrum of possible incidents. However, there are a couple of recommendations:

  1. Choose a mock incident of a type that occurs frequently in your industry. For example, many organizations use a mock Ransomware incident or a mock Denial of Service attack.
  2. Choose a different mock incident for each desktop exercise, so that successive tests cover different parts of the plan.


What are the key components of an effective Information Security Incident Response Test?

  1. Examine the ability to respond to a cyber incident in accordance with the written plan as well as supporting policies, procedures, and applicable laws. This sounds obvious on the surface. However, this step truly tests how well the procedures have been thought through and written. It also tests the ability and availability of the key stakeholders who are responsible for executing all or specific steps in the plan.
  2. Identify and remediate any gaps. This step is critical: it is intended to surface potential technological vulnerabilities as well as deficiencies in the processes or personnel that the plan depends on.
  3. Identify additional tools, process changes, and training that may be necessary to be successful in the future.


Additionally, in all these steps, organizations should identify strengths and weaknesses in the process.



The Improvement Plan

Once the details of the exercise have been analyzed, an improvement plan should be developed and communicated to the key stakeholders in the organization. As in the Risk Analysis exercise, the risk posed by each deficiency or area for improvement should be assessed and communicated to the stakeholders, so that remediation can be prioritized accordingly.
