Intelligent CIO Africa Issue 17 | Page 52

FEATURE: DISASTER RECOVERY

Effective incident response: Practice makes perfect

Morey Haber, Chief Technology Officer at BeyondTrust, looks at what companies can have in place so they are fully prepared for any disasters.

As a security professional, I have seen a wide variety of best practices for incident response. The methodologies vary greatly based on the sensitivity of the data and requirements to notify law enforcement. Best-practice recommendations exist from non-profit security organisations through to regulatory compliance initiatives, but all suffer from the same problem: they are far too high level to actually execute.

Every one of the standards will recommend having an incident response plan, assigning roles and responsibilities, preserving critical log information, notifying law enforcement and prioritising restoration of services. Sounds great, but how? Creating an incident response plan is one thing, but using it effectively without a fire drill is a completely different challenge.

How do you take your incident response plan, regardless of its maturity, and make it effective? The answer: periodic role playing and practice, much like regular vulnerability assessments and penetration testing.

Roles and responsibilities

To get started, first ask yourself: how often do you have fire drills at your office, or even at home? You probably have the former at least once a quarter, but you rarely, if ever, practice fire safety at home, let alone tell your children what to do if there is a fire.

This is the first step in exercising an incident response plan. Typically, these plans require you to call out the roles and responsibilities for all the team members involved, but do they know what to do? Do they know what to do when the incident happens while someone is on vacation, in the middle of the night, or during a holiday? Who are their backups?

This may sound like a procedure maturity issue, but all too often these procedures call out executives and various team members who are unaware of their role or what their tasks and responsibilities are. This is why practicing an incident response plan is so important: it exercises their participation, including any context-aware variables that may affect the plan outside of business hours. The results, good and bad, should be rolled back into the plan.

Transparency

A second problem is controversial and revolves around transparency. How much information should you disclose internally, to team members, and to the press or law enforcement? During practice exercises, hypothetical scenarios should always include some form of catastrophic use case. This could include access to crown jewels or data leakage that could be a ‘game over’ event for the business, and include aspects that may have human liability, such as illicit photos or behaviour. Why? Teams need to learn how to communicate this information between each other to successfully navigate an incident response plan.