FEATURE: DISASTER RECOVERY

Morey Haber, Chief Technology Officer at BeyondTrust, looks at what companies can have in place so they are fully prepared for any disaster.
As a security professional, I have seen a wide variety of best practices for incident response. The methodologies vary greatly based on the sensitivity of the data and the requirements to notify law enforcement. Best-practice recommendations exist from non-profit security organisations through to regulatory compliance initiatives, but all suffer from the same problem: they are painfully high level and hard to actually execute. Every one of the standards will recommend having an incident response plan, assigning roles and responsibilities, preserving critical log information, notifying law enforcement and prioritising restoration of services. Sounds great, but how? Creating an incident response plan is one thing, but using it effectively without ever having run a fire drill is a completely different matter. How do you take your incident response plan, regardless of its maturity, and make it effective? The answer: periodic role playing and practice, much like regular vulnerability assessments and penetration testing.
Roles and responsibilities
To get started, first ask yourself how often you have fire drills at your office, or even at home. You probably have the former at least once a quarter, but rarely do you ever practice fire safety at home, let alone tell your children what to do if there is a fire. The same mindset is the first step in exercising an incident response plan.

Typically, these plans require you to call out the roles and responsibilities for all the team members involved, but do those people know what to do? Do they know what to do when the incident happens while someone is on vacation, in the middle of the night, or during a holiday? Who are their backups? This may sound like a procedure maturity issue, but all too often these procedures name executives and various team members who are unaware of their role or of what their tasks and responsibilities are. This is why practicing an incident response plan is so important: it confirms that each named person can actually participate, and it exposes the context-dependent variables (time of day, holidays, absences, availability of backups) that affect the plan outside business hours. The results, good and bad, should then be fed back into the plan.
Transparency
A second problem is controversial and revolves around transparency. How much information should you disclose internally, to team members, and externally, to the press or law enforcement? During practice exercises, the hypothetical scenarios should always include some form of catastrophic use case. This could include access to the crown jewels, or data leakage that would be a 'game over' event for the business, and it should include aspects that carry personal liability, such as illicit photos or behaviour. Why? Teams need to learn how to communicate this kind of information between each other in order to successfully navigate an incident response plan.
Effective incident response: Practice makes perfect

INTELLIGENTCIO, www.intelligentcio.com