First, what is a CSIRP and why do you need one

What are the odds your company or business will be a victim of a cyber attack? A lot of people are saying that it’s not a matter of IF but WHEN. However, I like to think that some businesses, including my own, will never be a victim. Therefore, why not be prepared instead of just reacting to a cyber attack? There’s a lot of talk about what to do after a cyber attack, how to recover and get back to business. Why not have a plan BEFORE it happens? A CSIRP is that plan. It is a written document that outlines what you will do in case of an attack or incident, who will do it, and how you will do it.

How do you create an incident response plan

This is where I come in. I can help you prepare your response plan! As a Certified Information Systems Security Professional #CISSP, I have the knowledge, training and experience to help you prepare for an incident. In fact, I just completed a course on this very topic from (ISC)² – the International Information System Security Certification Consortium. Contact me and I can help you build your plan. The purpose of this plan is to serve as a fully executable plan and foundation to your policies and procedures. It is classified as confidential and proprietary information.

What does a Cybersecurity Incident Response Plan look like

Your plan establishes the following organizational structure, operating authority, plan of actions, and procedures needed to:

  1. Identify, contain, and rapidly respond to an incident;
  2. Assess and ascertain the severity of the incident quickly and effectively;
  3. Initiate communication procedures and notify the appropriate individuals;

The Plan is designed to provide an initial response to any confirmed security incident, such as a DDoS-based attack, ransomware, or exfiltration of sensitive data. The plan defines the requirements, strategies and proposed actions needed to respond to such an event. The plan is designed to minimize the operational, financial, and reputational impacts of a security-related incident.

You will need a CSIRT or Cyber Security Incident Response Team

A Cyber Security Incident Response Team (CSIRT) is established to provide a quick, effective and orderly response to cyber security related incidents. As a former RCMP police officer, I have a lot of experience in managing response teams. I have managed teams of up to 25 employees and been the lead investigator for multiple search warrant operations. Your CSIRT will be broken into 5 components:

  1. Information Security
  2. Service Desk
  3. Operations
  4. Communications
  5. Legal/Public Relations

Your CSIRT will also need to communicate with external partners:

Incident Response Methodology

The image below is from the NIST SP 800-62 Rev. 2, Computer Security Incident Handling Guide, and describes the 4 phases of incident handling:

Being prepared is the first phase of the plan, including having an inventory of your systems. As they say, you can’t protect what you don’t know you have! One thing that is key to success is documentation. Document everything! The second phase is the detection and analysis phase. For this you can use in-house resources or contract out to outside companies and services. If you do not have the necessary resources, I can help you and bring in the best people. The third phase is the investigation, which includes evidence gathering and handling. Again, as a former police officer, this is one of my strongest assets. This is also the recovery and business continuity phase.

Lastly, there is the post-incident analysis where you will examine what worked and what did not. This is not about putting blame on anyone, it is simply a good business practice. You can’t improve what you do not measure and this phase will also make you stronger against any future attack.

Let’s build your Cyber Security Incident Response Plan together! If you have any questions, contact me on LinkedIn. It is the best place to reach me.

https://www.linkedin.com/in/alain-filotto