Those that have been breached and those that will be.
The reality is that no security solution is foolproof. Even the most technologically advanced solutions with detailed procedural controls can be circumvented by a determined individual or group of individuals. And when that occurs, you need to be prepared to clean up the breach and minimise the effect of the loss.
This doesn’t mean that your organisation should just give up and implement no security solutions (that is a sure way to be breached over and over again – not a desirable state). What it means is that you need to be prepared in advance for the inevitable day when your well-considered and well-architected security solutions are brought under attack by a motivated individual or group determined to extract information that is important and critical to your organisation, employees, or customers.
So, what should be done in order to prepare for this inevitable day?
As a start, ensure that your incident response policy and procedures are up to date. Dust off a copy of ISO 27001/27002 and take a look at the implementation guidance for Section 13 – Information security incident management. This section contains a clear roadmap for implementing a well-considered incident management programme. Measure your current plan against the implementation guidance. If it is not up to snuff, add some of the recommendations contained within the standard. If necessary, do get help.
One area that organisations often fail to consider is the performance of computer investigations as part of incident response (forensic investigations – if you are thinking CSI or NCIS, you are on the right track). Most organisations do not have an in-house capability to perform effective computer investigations whose results, if necessary, can be used by law enforcement or in court. I have seen novice investigators from both IT and information security stumble through an investigation that failed to produce usable information. In fact, they trampled upon the evidence needed to conclusively prove what occurred.
It pays to implement an effective programme by contracting in advance with a reputable forensic investigative firm to perform investigations when they are needed. Pre-contracting for this type of service will end up being far more cost-effective than waiting until an incident is under way to find someone to help you at the last minute (at truly exorbitant rates).
Lastly, once you’ve improved your policies and processes, it is time to test the effectiveness of your programme. My recommendation is to have an external vendor assist you with the test, as unexpected scenarios from the vendor will produce results that better mirror real-life occurrences. The results of the test can then be used to improve existing policies and processes, further mitigating weaknesses and raising response effectiveness.
Now is the time to review your incident response program. Consider this a call to action to conduct that review.
