Cybersecurity Practice #8: Incident Response (small)

Modified on Wed, 14 Jun, 2023 at 12:53 PM

Incident response is the ability to discover cyberattacks on the network and prevent them from causing data breach or loss. Incident response is often referred to as the standard “blocking and tackling” of information security. Many types of security incidents occur on a regular basis across organizations of all sizes. Two common security incidents that affect organizations of all sizes are 1) the installation and detection of malware, and 2) phishing attacks that include malicious payloads (via attachments and links). Though neither of these incidents directly results in a data breach or loss, each event enables breach or loss to occur through subsequent events.


Sub-Practices for Small Organizations

 

8.S.A

Incident Response

NIST FRAMEWORK REF:

PR.IP-9

Small organizations are often challenged by incident response management, in part because incident response procedures may not be established. Employees who rarely encounter cyberattacks may not remember what to do in the case of an incident. Members of the management team may not know whom to contact to obtain or provide information about the incident. In many cases, there are no dedicated information security professionals in small organizations, resulting in increased reliance on the IT department. A common concern is the fear of penalties from regulators if the organization contacts them, acknowledges a security incident, and rectifies it.


  • Establish and implement an incident response plan: Before an incident occurs, make sure you understand who will lead your incident investigation. Additionally, make sure you understand which personnel will support the leader during each phase of the investigation. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation. A sample incident response plan is provided in Appendix G of the Main document. Examples of actions to respond to incidents are described in Table 7.

  • Incident response execution: Once your incident response plan is implemented, ensure compliance with the plan’s elements. At minimum, your plan should describe the steps to be followed when malware is downloaded on a computer or when a phishing attack is received.

 

Table 7. Incident Response Recommendations to Mitigate Risk of a Data Breach

Incident: Malware
Response Recommendation:
  • Re-image, rebuild, or reset the computer to a known good state.
  • Do not trust “malware cleaning” tools until they are verified to function as described.

Incident: Phishing
Response Recommendation:
  • Identify malicious e-mail messages and delete them from mailboxes.
  • Proactively block websites (URLs) referenced in “click attacks.”
  • Identify malware that might have been installed on computers, and remediate appropriately if present.
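The phishing row of Table 7 (find and delete the matching messages, block the referenced URLs, then check endpoints for anything the attachment may have installed) is the part of a small organization's plan that benefits most from a repeatable procedure. The script below is an added example written for this article, not code from the HICP document or any vendor; it assumes mail is available as raw RFC 822 text (the `MAILBOXES` dictionary and the reported message are constructed stand-ins for a mailbox export) and treats a message as part of the same campaign when it shares the reported message's sender address, subject line, or the hostname of a link in its body.

```python
"""Phishing triage helper: turn one reported phishing e-mail into indicators,
find the same campaign in other mailboxes, and produce a URL blocklist.
Added example for Table 7; all messages below are constructed samples."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: the message a user reported (not real mail).
REPORTED_PHISH = """\
From: "IT Helpdesk" <helpdesk@mail-support.invalid>
To: staff@clinic.invalid
Subject: Action required: password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Your password expires today. Reset it here:
http://login.mail-support.invalid/reset?id=1234
--XYZ
Content-Type: text/html; name="password_form.html"
Content-Disposition: attachment; filename="password_form.html"

<html><body>fake form</body></html>
--XYZ--
"""

# Constructed sample mailboxes (address -> raw messages), standing in for
# whatever export or API your mail platform provides.
MAILBOXES = {
    "alice@clinic.invalid": [
        "From: bob@clinic.invalid\nSubject: Lunch\n\nSee you at noon.\n",
        REPORTED_PHISH,
    ],
    "carol@clinic.invalid": [
        # Same campaign: different sender and subject, same landing host.
        'From: "Support" <notice@other-sender.invalid>\n'
        "Subject: Your account\n\nVerify: https://login.mail-support.invalid/reset?id=99\n",
    ],
    "dave@clinic.invalid": [
        "From: newsletter@vendor.invalid\nSubject: Monthly update\n\nhttps://vendor.invalid/news\n",
    ],
}


def _parse(raw):
    """Return (sender address, normalized subject, body text, attachment filenames)."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    subject = (msg.get("Subject") or "").strip().lower()
    text, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; its children carry the content
        filename = part.get_filename()
        if filename:
            attachments.append(filename)  # name to hunt for on endpoints
            continue
        payload = part.get_payload(decode=True) or b""
        text.append(payload.decode("utf-8", errors="replace"))
    return sender.lower(), subject, "\n".join(text), attachments


def extract_indicators(raw):
    """Indicators from the reported message: sender, subject, link hosts, attachments."""
    sender, subject, body, attachments = _parse(raw)
    urls = URL_RE.findall(body)
    hosts = {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    return {"sender": sender, "subject": subject, "urls": urls,
            "url_hosts": hosts, "attachments": attachments}


def match_reasons(raw, ind):
    """List why a message looks like the same campaign (sender, subject, url)."""
    sender, subject, body, _ = _parse(raw)
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
    reasons = []
    if sender and sender == ind["sender"]:
        reasons.append("sender")
    if subject and subject == ind["subject"]:
        reasons.append("subject")
    if hosts & ind["url_hosts"]:
        reasons.append("url")
    return reasons


def triage(reported_raw, mailboxes):
    """Messages to delete, hosts to block, and attachment names to check on endpoints."""
    ind = extract_indicators(reported_raw)
    matches = []
    for mailbox, messages in mailboxes.items():
        for i, raw in enumerate(messages):
            reasons = match_reasons(raw, ind)
            if reasons:
                matches.append({"mailbox": mailbox, "index": i, "reasons": reasons})
    return {"indicators": ind, "matches": matches,
            "blocklist": sorted(ind["url_hosts"]),
            "endpoint_checks": list(ind["attachments"])}


if __name__ == "__main__":
    result = triage(REPORTED_PHISH, MAILBOXES)
    for m in result["matches"]:
        print(f"delete {m['mailbox']} message #{m['index']} ({', '.join(m['reasons'])})")
    print("block hosts:", result["blocklist"])
    print("hunt on endpoints for:", result["endpoint_checks"])
```

Matching on the link hostname is what catches the second copy in the sample, which uses a different sender and subject; matching on sender alone would miss it. The blocklist contains hostnames rather than full URLs because campaigns typically rotate the path and query string while reusing the landing host, and the attachment names give the IT department a concrete thing to search for when working through the third bullet.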

 

8.S.B

ISAC/ISAO Participation

NIST: DETECT

ID.RA-2

Establish a method to receive notifications about cyber threats that are actively targeting other organizations. The most effective way to do this is to join an information sharing and analysis organization (ISAO) or information sharing and analysis center (ISAC). Participating in an appropriate ISAO or ISAC is a great way to manage incident response. As directed by Executive Order 13691, when a member organization provides an ISAO with information about cyber-related breaches, interference, compromise, or incapacitation, the ISAO must:

  • protect the individuals’ privacy and civil liberties,
  • preserve business confidentiality, and
  • safeguard the information being shared.


ISAOs and ISACs establish communities of professionals who are prepared to respond to the same cyber threats. By joining such a community, security and IT professionals bridge knowledge gaps with information provided by their peers via the ISAC/ISAO. ISACs and ISAOs tend to focus on a specific vertical (such as the Health Information Sharing and Analysis Center [H-ISAC] within the health care sector) or community (such as the Population Health ISAO). In all cases, the primary function of these associations is to establish and maintain channels for sharing cyber intelligence.


Threats Mitigated

  1. Phishing attack
  2. Ransomware attack
  3. Loss or theft of equipment
  4. Insider, accidental or intentional data loss
  5. Attacks against connected medical devices that may affect patient safety
