Question

In: Computer Science

Design a cybersecurity incident response plan for a company, including disaster recovery and business continuity elements (mitigation strategies and resilience). This should be the detailed plan you wish your organization had in place before a cyber incident or data breach happens, in order to respond effectively and limit the cascading effects of the incident. Also define the role of a cyber incident report: Who has the responsibility? When the incident occurred at the bank, what data was compromised and how did the incident occur? What type of damage does it contain and what are the impacts, including any legal implications? Did they restore business continuity and did they remove the threat? What do you learn from the incident to prevent future attacks? Do you understand what actions worked well and those that did not (documentation); what to do to improve the organization's cybersecurity posture; and how to keep management informed and follow proper chain-of-command procedures?

Solutions

Expert Solution

Answer: See the plan below:

----------------------------------

Introduction:

This document provides the detailed response plan to be adopted by the company in case of a cybersecurity incident. It defines the incident reporting requirements, roles and responsibilities, possible threat scenarios and risks to cyber security, response strategies, precautionary measures to prevent the recurrence of incidents, etc.

Scope:

This plan covers all IT systems, data stores, networks and all associated personnel of the company.

Responsibility:

The company's Cybersecurity Emergency Response Team (CERT) has the responsibility to implement, maintain and update this plan. This team is also responsible for detecting, handling and responding to a probable cyber security incident.

Terminology:

Following are the definitions of various terms related to cyber security:

1. Incident: This refers to an event that poses a threat to the cyber security of the company.

2. Incident Response Process (IRP): It refers to the process to be followed in case of an incident.

Roles and Responsibilities:

Apart from regular security profiles and responsibilities, the following roles and responsibilities are specific to cyber security incident handling:

1. Incident Response Coordinator: The person responsible for coordinating the overall incident response process, including data handling and management, communication with the respective stakeholders, incident investigation, status and reporting, etc.

2. Incident Response Manager: The person responsible for collecting, preserving and analysing the evidence of the incident.

Approach:

The incident response approach is based on the goal of incident response: reducing the scope of an incident and ensuring recovery as fast as possible. The overall incident response will be managed in a phased manner. The six major phases of the response are:

1. Preparation: Preparation involves carrying out the activities that help CERT handle the response in case of an incident, such as defining relevant policies, plans, strategies and procedures; deploying the required tools and technologies; establishing communication channels, etc.

2. Detection: Detection refers to the identification, classification and notification of a suspected incident. It is during this phase that CERT declares the incident and its severity.

3. Management: This phase refers to identifying the affected resources or systems, isolating or mitigating them, notifying the affected stakeholders in the company and starting the investigation.

4. Investigation: This refers to the task carried out by the relevant personnel to define the priority, scope and origin of the incident.

5. Rectification: Rectification refers to the task of confirming that the incident has been managed, notifying the affected stakeholders about it and starting the recovery of the affected resources or systems.

6. Recovery: This refers to normalizing the post-incident situation as early as possible, analysing the impact of the incident on policies etc., and recording the lessons learnt and experiences for future strategies and plans.
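As an added illustration (not part of the expert's answer above), the following Python sketch encodes the six phases and the two roles as a checked workflow: a phase cannot be closed until the facts the plan requires for it are on record, evidence preservation is reserved for the Incident Response Manager, and stakeholder notification is reserved for the Coordinator, with an audit trail for the chain of command. The phase-to-fact mapping, the role ownership table and the sample incident are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# The six phases of the plan, in the order they must be executed.
PHASES = ["Preparation", "Detection", "Management",
          "Investigation", "Rectification", "Recovery"]
# Facts required before a phase may be closed (assumed mapping from the plan's phase text).
REQUIRED = {
    "Detection":     {"severity"},                      # CERT declares severity
    "Management":    {"affected_systems", "notified"},  # isolate, notify stakeholders
    "Investigation": {"origin", "scope"},               # priority, scope and origin
    "Rectification": {"evidence_preserved"},            # evidence kept before recovery
    "Recovery":      {"lessons_learned"},
}
OWNER = {"notified": "Coordinator", "evidence_preserved": "Manager"}  # assumed role duties

@dataclass
class IncidentRecord:
    incident_id: str
    phase_index: int = 0
    facts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # chain-of-command trail

    @property
    def phase(self) -> str:
        return PHASES[self.phase_index]

    def record(self, role: str, key: str, value) -> None:
        # Refuse the entry when the plan assigns that duty to another role.
        if OWNER.get(key, role) != role:
            raise PermissionError(f"{key} must be recorded by the {OWNER[key]}")
        self.facts[key] = value
        self.audit.append((self.phase, role, key))

    def advance(self) -> str:
        # Close the current phase only when its required facts are on record.
        missing = REQUIRED.get(self.phase, set()) - set(self.facts)
        if missing:
            raise ValueError(f"cannot close {self.phase}: missing {sorted(missing)}")
        self.phase_index = min(self.phase_index + 1, len(PHASES) - 1)
        return self.phase

def run_sample_incident() -> IncidentRecord:  # constructed sample walked through all phases
    r = IncidentRecord("INC-0001"); r.advance()           # constructed id; -> Detection
    r.record("Coordinator", "severity", "high"); r.advance()
    r.record("Manager", "affected_systems", ["db-01"])
    r.record("Coordinator", "notified", ["CISO", "Legal"]); r.advance()
    r.record("Manager", "origin", "phishing"); r.record("Manager", "scope", "one host")
    r.advance(); r.record("Manager", "evidence_preserved", True); r.advance()
    r.record("Coordinator", "lessons_learned", "enforce MFA")
    return r
```

Attempting to close Detection with no declared severity, or letting the Coordinator mark evidence as preserved, raises an error instead of silently moving on.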

