Sample Incident Response Standard:

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search

Sample Incident Response Standard

This Incident Response Standard builds on the objectives established in the Threat Assessment and Monitoring Standard, and provides specific requirements for developing and exercising formal plans, and associated metrics, for responding to security incidents and intrusions. The Company will satisfy these requirements through a formal Security Incident Response Team (SIRT).

Objectives

  1. General Requirements
    1. The Company shall develop a SIRT Concept of Operations (CONOP) that:
      1. Summarizes the overall mission of the SIRT
      2. Defines the SIRT constituents and capabilities
      3. Defines the SIRT organizational structure
      4. Defines specific roles and responsibilities of SIRT members
      5. Summarizes the operational capabilities of the team
    2. The SIRT, as defined in the CONOP, shall develop plans for responding to expected or typical types of intrusion events, as well as develop contingency plans for responding to new or unanticipated types of intrusions.
    3. The planned responses shall be dependent on the nature of the intrusion event and the criticality of the potentially impacted Company information assets.
    4. The SIRT shall maintain awareness of company information asset criticality definitions and shall develop incident response procedures that reflect these definitions.
    5. The SIRT shall work with other departments as necessary to coordinate, in advance, responses that may directly impact those departments.
    6. SIRT planning activities shall address the full response spectrum. One end of the spectrum includes information logging as well as personnel notification and alerting. The other end of the spectrum includes higher profile responses (e.g., blocking access to the external web site, denying access from specific external networks, etc.).
    7. The SIRT shall maintain metrics that address at least the following:
      1. Incidents detected per reporting period, by severity category
      2. Average time from incident detection to response initiation
      3. Average time from response initiation to incident containment
      4. SIRT performance during exercises
  2. Response Requirements
    1. A SIRT Incident Response Procedure shall be developed to describe how to:
      1. Confirm assigned priority for valid incidents.
      2. Conduct or execute pre-coordinated response plans based on incident category.
      3. Determine if incidents have been contained.
      4. Perform basic forensic process to support security investigations.
      5. Ensure consistent and timely reporting of SIRT response activities.
      6. Document "lessons learned" to improve SIRT operations.
      7. Initiate SIRT recovery efforts, if necessary.
    2. The SIRT shall verify the existence of network and system intrusions, and take actions to contain the threat, in accordance with the SIRT Incident Response Procedure.
    3. The type of threat activity, together with the criticality of potentially impacted assets, shall provide the direct basis for conducting the incident response.
    4. SIRT members shall perform their designated, pre-coordinated tasks, in accordance with the SIRT Incident Response Procedure.
    5. SIRT members shall meet periodically during the incident to check the status and effectiveness of the response.
    6. The SIRT shall coordinate with or notify impacted departments and external organizations as it conducts the incident response activities.
    7. The SIRT shall provide Company management with periodic status reports on the response activities.
    8. The SIRT shall transition to incident recovery activities when the incident or intrusion is contained and meets pre-defined SIRT recovery criteria.
    9. SIRT incident response capabilities shall be exercised, for evaluation purposes, at least annually. However, the SIRT members (with the possible exception of a senior SIRT manager) shall not be notified in advance of the exercises.
  3. Recovery Requirements
    1. A SIRT Incident Recovery Procedure shall be developed to describe how the SIRT will work within established business resumption and recovery capabilities.
    2. The SIRT Incident Recovery Procedure shall describe how to:
      1. Document SIRT damage assessment findings.
      2. Coordinate with Company departments or teams responsible for recovering impacted systems.
      3. Ensure consistent and timely reporting of recovery activities performed by the SIRT.
      4. Document "lessons learned" to improve SIRT operations.


Document Examples

Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine.