The Incident Response Poll closed last week and I was out of town over the weekend so I didn't get a chance to write up the summary. Here are the results:
67% of you answered either "Has a general idea what they will do" or "Not have a plan". That's not very encouraging. It shows that we have not done a good job in conveying the need to management. Perhaps you don't think that the need is that great. I live in a world filled with compliance and most regulations out there require an IR plan. That alone should be enough for you to take to management. Not to mention the sheer lack of understanding of what needs to happen to respond to a breach. If you don't have a plan then how will you know what to do? Do you disconnect the system from the network or leave it connected? Do you power it off or leave it on? Do you have to notify the police? The FBI? A financial institution? Your Customers? Your employees? The media? If you don't know now how do you think you will know when the time comes and you are in the heat of the moment?
When it comes to Incident Response does Your Company
Have a formal and tested plan 8 (25%) Have a plan that hasn't been tested 2 (6%) Has a general idea what they will do 9 (29%) Not have a plan 12 (38%)
A IR Plan details all of this. It tells you what to do and what not to do. It tells you who you need to notify and how to do so. It tells you how to stop breach from continuing and how to clean it up. All of these things and much more are included. Things that can make the difference in a successful incident response and one that is a dismal failure. A successful one is one that your company survives and continues on with little impact. A failure may mean that the company has to shut their doors and go out of business. It may mean that the company survives you you don't. It may drastically alter the way your company does business. That may be good or it may be bad.
If you yourself don't understand the need in a IR plan PLEASE, PLEASE, PLEASE!!!!!! do some research and discover the need. If you do understand the need but haven't been able to communicate it effectively to management PLEASE, PLEASE, PLEASE!!!!!! do some research and find someone who will help you be able to do that. The Security Catalyst Community is a great place to start with that. There are people there who will be able to help you understand the need and be able to communicate it effectively.
For the rest of you that have a plan I only have a little to say. First, congrats to you and your companies for seeing the need and doing something about it. Second, please ensure that it is kept up to date. An outdated plan is almost as bad as not having a plan. Third, if it hasn't been tested please talk to management about testing it. Even if it's just having several people review it and ensure that it makes sense that is better than nothing.