
Prevention, Detection, and Recovery from Cyberattacks – Part II

The second blog post in the series of Prevention, Detection, and Recovery from Cyberattacks.

The global survey conducted by Ponemon Institute and sponsored by IBM Security surveyed 3400 IT and IT security practitioners about their organizations’ approach to becoming resilient to security threats.

The fifth annual Cyber Resilient Organization Report noted that the vast majority of organizations surveyed (74%) are still reporting that their plans are either ad hoc, applied inconsistently, or that they have no plans at all. Additionally, more than half (52%) of those with security response plans said they have never reviewed those plans or have no set time period for reviewing or testing them.

With business operations changing rapidly due to an increasingly remote workforce, and new attack techniques constantly being introduced, this data suggests that surveyed businesses may be relying on outdated response plans which do not reflect the current threat and business landscape.

We have noted below the relevant points (as a checklist) that will help your organization perform a quick review of its incident response plans.

Can you please post how your organization performs the periodic reviews of incident response plans? What do you feel is the best approach?

Review if plans are comprehensive

A comprehensive plan needs to address the six stages listed below:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

Listed below are a few questions auditors can ask to conclude whether the plans are comprehensive:

Standards

Auditing and reviews allow an organization to validate how effectively it complies with the incident management standards it has set for itself and to measure its risk appetite. Below are some standards for your ready reference:

| Standards | Incident Management Control Reference |
|---|---|
| NIST Cybersecurity Framework | PR.IP-9, PR.IP-10, DE.AE-4, DE.AE-5, DE.DP-4, RS.RP-1, RS.CO-1, RS.CO-2, RS.CO-3, RS.CO-4, RS.CO-5, RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4, RS.MI-1, RS.MI-2, RS.MI-3, RS.IM-1, RS.IM-2, RC.RP-1, RC.IM-1, RC.IM-2, RC.CO-1, RC.CO-2, RC.CO-3 |
| FIPS Publications | All current FIPS Publications, especially FIPS 140-2 |
| NIST 800-53 (rev4) | IR-1 to IR-8 |
| NIST 800 Series | NIST SP 800-61, NIST SP 800-86 |
| HIPAA / HITECH | HIPAA 164.308(a)(6) |
| NERC CIP (v5) | CIP-008-5 |
| ISO 27000:2013 | Section A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5, A.16.1.6 |
| COBIT 5 | DSS02 |
| CIS Critical Controls (v6.1) | CIS Control 19 |
| PCI DSS | Section 12.10.2, 12.10.3, 12.10.4, 12.10.5, and 12.10.6 |