Bill Tatun
May 23, 2014
The Benefits of an Incident Response Plan: More Than Just CJIS Security Policy Compliance
A security incident can be classified as anything from a nuisance to an all-out emergency. As such, it is best to be prepared ahead of time so that you and your organization’s staff know the steps to take and who is responsible for what when a security incident occurs.
So, how does one best prepare for a security incident?
The first step is the foundation: develop, implement and use an Incident Response Plan created specifically for your organization.
Does your agency have an Incident Response Plan?
Yes?
– When was the last time you looked at it?
– Is it up-to-date?
– Is it valid?
– Would it serve your agency well during an incident?
No?
– Did you know that an organizational Incident Response Plan is one of those policies required by the FBI CJIS Security Policy?
– The benefits of having one greatly outweigh the time and resources it takes to create one.
Either way, because the plan is so critical, let’s review the high-level components of a solid Incident Response Plan.
An organization’s incident response plan (or policy) should outline the steps to prepare for, detect, contain, and eradicate an incident while restoring systems and conducting a comprehensive review post-incident. The objectives of the main components within the plan are:
Preparation:
– define roles and responsibilities
– raise awareness throughout the agency
– define reporting requirements (who, what, where, when, why and how)
Detection:
– administrative and technical processes in place (as required by the CJIS Security Policy, or CSP) to know when an incident is occurring
– who is responsible for monitoring and making the determination that an incident is occurring
– reporting requirements
Containment:
– processes and procedures to limit the exposure, effect or damage
– technical and administrative processes
Eradication:
– eliminate the threat by using the established technical/administrative processes defined for the particular type of incident
– define methods and tools to be used
Restore:
– set the priority of systems to be restored
– procedures and methods to restore systems to their pre-incident state
– verify functionality and soundness of systems and data
– bring systems back online
Review:
– lessons learned
– are new awareness topics needed?
– do new administrative processes need to be developed?
– are new technological processes or controls needed?
– update any policies and procedures based on what was learned
We always hope for different, but it has been my experience that it is not a matter of if, but when your agency is going to be affected by a security incident.
The real questions are:
Is your organization prepared to respond appropriately to a security incident?
Is your agency compliant with the FBI CJIS Security Policy requirement that “Agencies shall: (i) establish an operational, incident handling capability for agency information systems that includes adequate preparation, detection, analysis, containment, recovery and user response activities; (ii) track, document, and report incidents to appropriate agency officials and/or authorities.”?
If the answer to either of the above is “no,” “I don’t know,” “who knows?” or “huh?”, CJIS ACE can help.
If you are interested in finding out how CJIS ACE can help, just reach out to me directly at wtatun@diversecomputing.com or give me a call at the number listed below and we can discuss how to best address your specific needs.
Until next time, be safe.