Incident Response Testing

Published by Joe D on

In the previous bulletin, we offered guidance on preparing and developing a plan to prepare for and address an information security incident, should it occur.  Once the plan has been developed, how do we verify that it is effective and will operate as planned?

 

In order to understand if the preparation we have done will result in an effective execution of our Information Security Incident Response Plan, it should be periodically tested.  These tests are typically performed at the desktop and are named as such.

 

What type of incident should be tested?

The test can span the spectrum of possible incidents.  However, there are a couple of recommendations:

  1. Choose a mock incident that occurs frequently in the market. For example, many organizations use a mock Ransomware incident or a mock Denial of Service Attack.
  2. Choose a different mock incident for each desktop exercise.

 

What are the key components of an effective Information Security Incident Response Test?

  1. Examine the ability to respond to a cyber incident in accordance with the written plans as well as supporting policies, procedures, and applicable laws. This sounds obvious on the surface.  However, this step truly tests how well the procedures have been considered and written.  Additionally, this step tests the ability and availability of key stakeholders who are responsible for executing all or specific steps in the plan.
  2. Identify and remediate any gaps. This step is critical as it is intended to identify any potential technological vulnerabilities as well as deficiencies in the process or personnel that are integral in the plan.
  3. Identify additional tools, process changes, and training that may be necessary to be successful in the future.

 

Additionally, in all these steps, organizations should identify strengths and weaknesses in the process.

 

 

The Improvement Plan

Once the details of the exercise are analyzed, an improvement plan should be developed and communicated to the key stakeholders in the organization.  Similar to the Risk Analysis exercise, the risk of each deficiency or area of improvement should be identified and communicated to the stakeholders.

Categories: Uncategorized

Related Posts

Uncategorized

Classification of Information Assets

If we would like to establish effective security controls to protect our information assets, we should first start by classifying those assets.  Like the controls in place to protect the information, the respective classification follows Read more…

Uncategorized

Vulnerability Scanning

What is vulnerability scanning? Vulnerability scanning is the process of examining external and internal attack surfaces to identify weaknesses that will be exploited by malicious actors who attempt to infiltrate an organization’s systems, data, network, Read more…

Uncategorized

Human Resources and Information Security

The HR team may not be the first group that comes to mind when the Information Security topic surfaces.  However, Human Resources plays a significant role in the protection of sensitive information in all stages Read more…