If you’re a manager in IT or Information Security, I’m sure you’ve already heard the phrase many times: “It’s not IF you’ll be breached, but WHEN.” You know, then, that you need to do “something” to better prepare your organization for the possibility of a breach and for how to respond. But how?
There are two immediate steps you and your organization can take:
1) Complete a risk assessment to identify your organization’s most vulnerable processes and
2) Prepare an Incident Response Team.
Complete a Risk Assessment
Until recently, completing a risk assessment on your organization either cost a lot of money or required a skilled professional to complete it. While there are other free tools available, in most cases the S2 Org Risk Assessment is going to be the fastest and most effective way to get a complete view of your organization’s cyber security posture overall, and to see where your organization is most vulnerable to a cyber security breach.
Based on the security assessment criteria used by information security consulting firm FRSecure for over 10 years, S2 Org is designed to identify the greatest risks to your organization’s information overall. The assessment allows you to quickly identify the weaknesses in your organization’s human-run processes, physical controls, and technical controls. Because S2 Org updates scores immediately based on your responses, it enables you to complete a broad, high-level assessment, or to dive deep into the controls at your organization by involving multiple people in the assessment process. A well-informed IT Director (or similar) at a small-to-mid-sized organization could potentially complete the assessment in a couple of hours, quickly enabling your organization to identify where you’re most vulnerable to attack, and thus most likely to experience a breach of your information.
At the completion of the assessment, your organization will receive an overall score as well as a score for each of the four phases (Administrative, Physical, Internal Technical, External Technical). S2 scoring is based on a scale of 300-850 (modeled after the credit score), with 300 being rated as Very Poor (High Risk), and 850 Excellent (Low Risk). Additionally, because of the way that S2 Org is divided into four control group phases, you can complete an assessment on any one of those groups independently and provide reporting immediately based on the results.
Equipped with the results of your risk assessment, you’ll be able to develop a plan to address your most severe vulnerabilities, to help prevent or reduce the impact of that impending breach, and to better equip and prepare your Incident Response Team to respond.
Prepare an Incident Response Team
While you don’t have to complete a risk assessment before you prepare your Incident Response Team, doing so will help you select the appropriate people, with the skills best suited to respond to the type of breach that would most impact your organization.
An Incident Response Team is a group of individuals responsible for managing the organization’s response to an information security incident. An information security incident is defined as: A suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with Information Resources or operations; or a significant violation of policy. For example, incidents may include:
- Violation of company policy
- Attempts to gain unauthorized access to the organization’s systems or information
- Denial of service to the organization’s systems or services
- Unauthorized use of company systems
- Loss of confidential or private information
No matter the size or industry, your organization should develop at least a basic Incident Response Plan (IRP) with the appropriate people identified to respond. Lack of a good communication plan is one of the primary reasons that so many organizations fail at responding to a breach. At a minimum your plan needs to identify how customers, personnel, and other sources of information will report potential incidents to your team, and who within your organization is responsible for managing your organization’s response.
The primary goal of your Incident Response Team (IRT) is a quick and appropriate reaction to a potential or actual breach. At a minimum, your team should have an Incident Response Commander. This person takes overall responsibility for the incident response program and the IRT’s response activities. They ensure that there is a plan and that it will be effectively executed when an incident occurs.
Other IRT members may hold the following roles:
- Privacy Officer – familiar with privacy laws and requirements for the organization concerning the information it manages
- Security Officer – familiar with security obligations of the organization concerning the systems it manages
- Legal Counsel – familiar with legal and contractual obligations of the organization
- Public Relations Manager – oversees the development of any customer or public communications
- Financial Officer – able to make funds available for response activities
- Technology Manager – manages the technology team engaged in response activities
- Facilities Manager – manages facilities involved in response activities
Ideally your IRT should consist of 6-8 people, depending on the size of the organization; a small company’s IRT may consist of a few people with multiple responsibilities, whereas a large enterprise’s IRT may consist of key decision makers across multiple regions. Regardless of the size, a communication plan needs to be established ahead of time, and all team members need to be aware of the organization’s definition of an incident and of the appropriate response, in order for the team to achieve its response objectives.
Realistically, no organization can protect itself from every possible type of threat to its information and systems. The best way to prepare your organization is to identify and address its most vulnerable processes and to be ready to react when a breach does occur.