Organizations should adopt the mindset of “when we get breached,” not “if we get breached.” The occurrence of most incidents cannot be determined in advance, so a plan should be in place to ensure that response activities are coordinated. An incident response (IR) plan should define roles and responsibilities and list the members (and alternates) of a Security Incident Response Team (SIRT). Additionally, IR playbooks should be in place for various incident types. Incident handling should follow an industry-standard process (i.e., Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned (PICERL)).
- Plan is documented, followed, reviewed, updated, and tested regularly
- Dedicated, virtual, or on-retainer team to lead response activities
- Identify roles and responsibilities in advance (e.g., communications)
- Address preparation, identification, containment, eradication, recovery, and lessons learned; ensure chain of custody and impartiality, and follow the evidence