Prepare for the Inevitable With an Effective Security Incident Response Plan

Transcription

1 G Prepare for the Inevitable With an Effective Security Incident Response Plan Published: 19 July 2012 Analyst(s): Rob McMillan A serious security incident is a question of "when," not "if," for most enterprises. This reality makes developing effective response plans a critical concern for any chief information security officer. Analysis Why You Need to Prepare Eventually, your security will fail. Maybe not today, maybe not tomorrow, but it will fail. The question is not whether security incidents will occur, but rather when they will occur. This troubling reality makes effective incident response that is, reducing the risk of incidents and mitigating the damage they cause a critical concern for security professionals. Incident preparedness is part of the standard of due care. This is encapsulated in some regulated industries globally (for example, financial services). It is also recommended in standards such as ISO/IEC and others. The real cost of these incidents can be huge well into the tens or hundreds of millions of dollars in extreme cases. The expectation is, therefore, set in regulation and legal precedent that a response to minimize the impact is required. Gartner predicts that, through 2016, 75% of chief information security officers (CISOs) who experience publicly disclosed security breaches and lack documented, tested response plans will be fired. Incident response is unquestionably one of the core security processes that any CISO must define, develop, implement and prioritize to protect the enterprise and to demonstrate security's value to the business. Action: CISOs should adopt and implement Gartner's guidelines for effective incident response, as outlined in this research.

2 "Predicts 2012: Sophisticated Attacks, Complex IT Environments and Increased Risks Demand New Approaches to Infrastructure Protection" This discusses why it is important to prepare adequately for security incidents. "The Security Processes You Must Get Right" This provides context for the incident response process and outlines characteristics that would be expected in a mature process. "Crisis/Incident Management Defined, 2012" This provides guidance on how to recognize incidents and crises, and the key elements to their management. The Decisions You Must Make Advance preparation is crucial to effective incident response, but it is also extremely difficult, especially in complex, distributed enterprises. Adequate preparation means that you have already determined what your most critical assets are, that you are able to detect that an incident has occurred or is occurring, that you have a procedure in place to resolve the incident and manage the consequences, and that the people involved know what their role will be. Once your organization is under attack, either by an external party or from somebody within, it is too late to consider these elements. You will inevitably be forced to make decisions on the fly and, consequently, carry a higher risk of making counterproductive decisions. Action: Prepare now for an incident that may occur in the future. Decide on your priorities, have the right procedures documented and available, and ensure that the participants know what roles they will be required to fill. "Six Decisions You Must Make to Prepare for a Security Incident" This identifies the key decision factors that CISOs must take into account when developing enterprise-specific incident response plans. "Toolkit: Security Incident Response Preparation" This offers a user-customizable framework for establishing incident response priorities and developing appropriate response plans. "How to Write a Security Incident Response Procedure Document" This lays out best practices for this challenging and crucial task. Page 2 of 5 Gartner, Inc. G

3 The Actions You Must Take The enforced transparency produced by an information leak requires an effective response capability that encompasses the entire impact of the incident, not just the impact on IT. You must develop the right expertise to lead the response to a security incident and, ultimately, survive it. For many enterprises, this takes the form of a computer security incident response team (CSIRT). It is equally important to exercise the response to an incident so that, when an actual incident occurs, the people who have roles to play will be adequately prepared for what they must do. This extends beyond the members of the CSIRT an effective response to a serious incident often requires the active participation of senior management. Finally, it is obviously preferable to avoid an incident if at all possible. Security threat intelligence services, for example, can be extremely useful even essential in identifying current and emerging security threats, and can help the enterprise minimize its exposure to potentially serious security incidents. Actions: Develop the in-house capability you need to lead the response to an incident. Run incident response exercises so that the people who will take part in the response understand their roles and will be equipped to make the right decisions at the right time. Consider using a third-party threat intelligence capability to gain as much warning as possible about emerging threats before they become the source of your next security incident. "Seven Steps to Creating an Effective Computer Security Incident Response Team" This presents a phased approach to developing and maintaining an incident response team that will identify, contain, escalate, investigate and remediate incidents in a timely and efficient manner. "Prepare Now for Tomorrow's Information Leaks" This provides insight into the issues that the CSIRT must consider when responding to an incident. "Toolkit: Sample Job Description for a CSIRT Manager" This offers a user-customizable template for selecting the leader of this team. "Toolkit: Security Incident Planning Scenarios" This presents simple mechanisms for testing specific incident types and ensuring security readiness. "How to Select a Security Threat Intelligence Service" Gartner, Inc. G Page 3 of 5

4 This discusses ways enterprises can identify their threat intelligence needs and determine what type of provider can deliver the high-quality, actionable threat information that is appropriate to their specific needs. All this research which will be supplemented by updates and other documents in the coming months is designed to guide CISOs as they set up the people, processes and technology necessary to prepare effectively and efficiently for a serious security incident. This is not a simple task, but it is an essential one for the enterprise and the CISO. Recommended Reading Some documents may not be available as part of your current Gartner subscription. "Predicts 2012: Sophisticated Attacks, Complex IT Environments and Increased Risks Demand New Approaches to Infrastructure Protection" "The Security Processes You Must Get Right" "Crisis/Incident Management Defined, 2012" "Six Decisions You Must Make to Prepare for a Security Incident" "Toolkit: Security Incident Response Preparation" "How to Write a Security Incident Response Procedure Document" "Seven Steps to Creating an Effective Computer Security Incident Response Team" "Prepare Now for Tomorrow's Information Leaks" "Toolkit: Sample Job Description for a CSIRT Manager" "Toolkit: Security Incident Planning Scenarios" "How to Select a Security Threat Intelligence Service" Page 4 of 5 Gartner, Inc. G

5 Regional Headquarters Corporate Headquarters 56 Top Gallant Road Stamford, CT USA European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM Japan Headquarters Gartner Japan Ltd. Atago Green Hills MORI Tower 5F Atago, Minato-ku Tokyo JAPAN Latin America Headquarters Gartner do Brazil Av. das Nações Unidas, andar World Trade Center São Paulo SP BRAZIL Asia/Pacific Headquarters Gartner Australasia Pty. Ltd. Level 9, 141 Walker Street North Sydney New South Wales 2060 AUSTRALIA Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner s prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity on its website, ombudsman/omb_guide2.jsp. Gartner, Inc. G Page 5 of 5