CIR BC Strategies: Respond

Written by Moh Heng Goh | Nov 23, 2022 3:02:52 AM

CIR entails procedures for cyberspace incident constructs, risk models, or notification and alerting methodologies that are recognized, standardized, and documented. Cyber security response measures enable the effective transfer of intent, objectives, and resource limitations so that the desired outcome of a cyber security incident can be achieved.

Planning and preparation should take place before an actual cyber security incident occurs. Once the response measures have been established, the roles and responsibilities of the respective employees are to be understood and documented. The desired outcome of a cyber security incident can then be achieved based on the preparedness, inherent knowledge, and capabilities of the employees.

1. Governance

Governance refers to the methods of organizing and managing the response team. It ensures that the following activities are carried out accordingly:

  • Bring together the different departments within an organization
  • Document policies, procedures, and incidents
  • Assign roles and responsibilities clearly
  • Execute protocols and procedures

Governing the response team aligns the entire organization to collectively tackle cyber security. Coordination between employees facilitates cross-functional communication and the exchange of information needed to integrate activities. The entire organization works together toward one objective: to protect itself against cyber security attacks.


2. Strategy

Strategy refers to how the response team responds and communicates during a cyber security incident. Response strategies include procedures for leaders to coordinate response activities, the prioritization of business functions to recover, and communication protocols that ensure the respective personnel of the response team receive the information they need for decision-making.

Strategies developed should be aligned with the organization’s mission and vision to ensure products/services continue to be delivered to customers through effective response procedures that allow affected critical functions to be recovered as soon as possible.

Effective strategies provide a framework for a cost-effective, well-resourced, and organization-wide approach to tackling cyber security. Key aspects include:

  • Define escalation and prioritization processes to coordinate the different departments
  • Establish notification protocols to inform the government affairs team/government liaison functions/regulatory agencies
  • Align response procedures with security management and IT engineering initiatives

3. Incident Response

Before drafting an incident response plan, organizations need to identify the different categories of data collected, protection measures in place for these identified data, storage locations, and users with privileged access.

These facilitate the development of response procedures. The response procedures should include detailed descriptions of the roles and responsibilities of respective members and timelines.

For an organization to retain integrity and credibility, customers must be informed and reassured about any breach. This means that the incident response procedures need to include crisis communication protocols.

Email letters/templates and scripts for spokespeople can be drafted. Communicating to stakeholders immediately after an incident limits further risk to affected parties or potential targets.

The negative impact on the organisation's reputation can be controlled if relationships between the organization and the media have been established. Channels that organizations can use to communicate:

  • Email
  • Social Media
  • Press release
  • Corporate website and blog
  • Custom website providing details of the breach

When a breach is first discovered, the forensics team should begin investigating to assess the scale of the breach. The cause of the breach (cyber security attack or employee error) and associated impacts can be evaluated to determine if the entire organisation's infrastructure is at risk.

The incident response team should be assembled, and the notification process for authorities and relevant agencies should kick in. Then, the engineering team begins fixing and patching the affected systems (HSF, 2016) to limit the spread and impacts once they have been identified. Larger organizations can request assistance from third-party vendors to accelerate the rectification of issues. Usually, the initial assessment does not reveal the severity of the breach.

Organizations have to plan for the worst-case scenario to be prepared to mitigate some of the risks. Organizations must reach out to credit card providers and banks if payment details have been compromised.

The communication team needs to gather information regarding the breach, assess it, and share it with relevant stakeholders such as customers or suppliers. The organization has to initiate password resets for its customers and employees should user credentials (Hawthorn, 2016) have been compromised.

During and after the resolution of the cyber security incident, customers and media will bombard the organization with inquiries. The organization needs to have a plan to manage the influx of calls and emails to portray the right image and show that the organization cares about its stakeholders.

Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.

Reference: Chapter 7 Developing Mitigation and Response Strategies 7.25 Respond

Note: This version was the draft 2nd Edition being updated in 2023. The numbers in square brackets [X-X] cross-refer to the actual chapter and section in the 1st Edition.