By R. Eric Kiser

Cyber incidents can result from accidental or malicious actions or events, and they have the potential to compromise the confidentiality, integrity, and availability of an organization's information and IT assets. These incidents include, but are not limited to, the theft or loss of physical equipment, unauthorized access to systems or information, and the failure to adequately protect electronic personal or health information. Such incidents can result in significant expense, damage to systems, and reputational harm to the organization. Preventing or limiting the negative consequences of a cyber incident requires proactive measures.
The goal of the Cyber Incident Response Plan (CIRP) is to help departments manage and mitigate the impact of a cyber incident, restore confidence and trust among stakeholders, and reduce the recovery time and costs associated with a breach. The CIRP provides guidance on decision making, internal and external coordination, unity of effort, and minimizing reputational and financial losses. It outlines the steps to be taken in the event of a cyber breach, including the investigation and remediation process, the assembly of an internal response team, determining the escalation level, contacting law enforcement, engaging vendors, and establishing a call center.
Effective planning for a cyber incident requires coordination across all business functions, including leadership, regulatory affairs, legal, compliance, and operational functions. Internal coordination and easy access to the CIRP documentation ensures that all levels of the organization are prepared to respond effectively in the event of an incident.
The Incident Response Team (IRT) is established to:
- Protect the County's information and IT assets.
- Provide specialized expertise in managing and handling incidents.
- Assess the extent to which an incident may compromise the privacy, confidentiality, or security of the County’s information and systems, including the risk of identity theft.
- Implement the response plan, engage necessary resources, and track the progress of containing the breach to minimize damage and recover from the incident.
- Prevent systems from being used in attacks against other systems, thereby avoiding legal liability.
- Minimize negative impacts on the organization's reputation and rebuild trust with the public.
It is recommended that the Incident Response Team (IRT) establish, and familiarize itself with, a clear structure for the cyber incident response team. This ensures that the team can coordinate and respond to incidents in an organized and efficient manner. An example is shown below.

THE STAGES OF RESPONSE:
- Identification and Detection: Gather as much relevant information as possible about the incident and notify the appropriate individuals and technical teams based on the type of incident. At this stage it is also determined whether the incident is a natural event, an internal incident, or an external incident.
- Protect and Respond: This stage limits the scope and impact of the incident, particularly where malicious code may be involved. It may also involve containing stolen data or unauthorized access to electronic data and preventing the exfiltration of information to external locations. The Incident Lead (IL) and the Incident Response Team (IRT) assess the criticality of the incident and determine whether it has county-wide impact. They also conduct root cause analysis and take actions to minimize the risk to core business operations, which may include temporarily removing affected systems from the network.
- Eradication and Recovery: Eradication removes the cause of the incident, which may involve malware removal, prosecution of perpetrators, or dismissal of employees. Recovery then restores systems to normal business operations, including verifying the success of the restore or recovery and confirming that the system is back to its normal condition or that the affected data has been contained. The IRT may also conduct a computer forensic examination to identify any external electronic storage locations of lost data and to verify whether the affected data has been disseminated to any external locations. The IL documents ongoing events, the personnel involved, and findings in a timeline for evidentiary purposes. The IRT assesses the risk of harm caused by the incident and determines whether external notification (e.g., to affected individuals, businesses, or law enforcement) is necessary.
Post Incident Meeting
Follow-up after a cyber incident is imperative. It can support legal action against those who have committed a crime and may involve revising policies as needed. Incidents that reach a high severity level should be reviewed by the Incident Response Team (IRT) and the Enterprise Risk Management (ERM) team to ensure that existing processes were followed and were effective. A lessons-learned meeting with the IRT, the department involved, and the ERM team should be scheduled to identify improvements to the response plan and to note the processes that worked well during the incident. It may also be advisable to engage external services, such as law enforcement, insurance companies, or cyber vendors, to assist with future incidents. The financial impact and potential reputational effects on the County should also be considered. A logbook of events and an investigation report should be maintained, including information about the data lost, the nature of the threat, the number and type of individuals affected, the likelihood of unauthorized access to and use of the data, the intentionality of the breach, the effectiveness of security technologies, the potential harm caused, and the ability to mitigate risk.
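Both the Eradication and Recovery stage above and this post-incident section call for a timeline and logbook kept for evidentiary purposes. A logbook only has evidentiary weight if it can be shown that entries were not altered or reordered after the fact. The following is an added example, not part of the original plan, of a tamper-evident incident logbook: each entry carries a SHA-256 hash over its own content and the hash of the previous entry, so any later edit, insertion, or deletion breaks the chain. The incident identifier, actors, and timeline entries are constructed sample data, and `IncidentLogbook`, `verify_chain`, and `tampered_copy` are hypothetical names chosen for this example.

```python
"""Tamper-evident incident logbook (added example; not the plan's own tooling)."""
import copy
import hashlib
import json

# Hash of "no previous entry": the chain starts here.
GENESIS = "0" * 64


def canonical(entry: dict) -> bytes:
    """Serialize deterministically so the same entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class IncidentLogbook:
    """Append-only timeline in which every entry commits to the one before it."""

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    def record(self, timestamp: str, actor: str, action: str, details: str) -> str:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "incident_id": self.incident_id,
            "seq": len(self.entries),      # position in the timeline
            "timestamp": timestamp,        # ISO 8601, supplied by the Incident Lead
            "actor": actor,
            "action": action,
            "details": details,
            "prev_hash": prev_hash,        # links this entry to its predecessor
        }
        entry = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Latest hash; record it out of band (e.g. send it to legal) to detect truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries, expected_head=None):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry).

    A truncated tail cannot be detected from the entries alone; pass the head hash
    that was recorded out of band and a mismatch is reported at index len(entries).
    """
    expected_prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("prev_hash") != expected_prev or body.get("seq") != i:
            return False, i   # reordered, inserted, or deleted entry
        if hashlib.sha256(canonical(body)).hexdigest() != entry.get("hash"):
            return False, i   # content of this entry was altered
        expected_prev = entry["hash"]
    if expected_head is not None and expected_prev != expected_head:
        return False, len(entries)   # entries missing from the end
    return True, None


def build_sample_logbook() -> IncidentLogbook:
    """Constructed sample timeline following the stages of response (illustrative only)."""
    log = IncidentLogbook("INC-EXAMPLE-001")
    log.record("2024-01-15T09:02:00Z", "SOC analyst", "detected",
               "EDR alert: credential dumping on workstation WS-042")
    log.record("2024-01-15T09:20:00Z", "Incident Lead", "classified",
               "External incident; county-wide impact: no")
    log.record("2024-01-15T09:35:00Z", "IRT", "contained",
               "WS-042 isolated from network; affected account disabled")
    log.record("2024-01-15T13:10:00Z", "IRT", "eradicated",
               "Malware removed; host reimaged from known-good image")
    log.record("2024-01-16T08:00:00Z", "IRT", "recovered",
               "Restore verified; host returned to service")
    return log


def tampered_copy(entries, index: int, new_details: str):
    """Simulate an after-the-fact edit of one entry's details (for the check below)."""
    altered = copy.deepcopy(entries)
    altered[index]["details"] = new_details
    return altered


if __name__ == "__main__":
    log = build_sample_logbook()
    print("intact:", verify_chain(log.entries, log.head()))
    bad = tampered_copy(log.entries, 2, "WS-042 was never isolated")
    print("after edit:", verify_chain(bad, log.head()))
    print("after truncation:", verify_chain(log.entries[:-1], log.head()))
```

The chain proves integrity, not authenticity: anyone holding the file could rewrite every entry and recompute every hash. That is why `head()` exists; the Incident Lead should periodically record the current head hash somewhere the logbook's custodian cannot alter (a ticket, an e-mail to legal, a signed note), and `verify_chain` compares against that recorded value.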