Computer incidents today are a far cry from those of the past. A computer incident involving a data breach can now take down a business and its leadership in the same way as, or worse than, an earthquake or fire can destroy a company through a physical business outage. Data breaches such as the one at Target have shown that the ability to recognize an incident quickly and escalate it to the appropriate leadership is a critical business competency.
Instead of reinventing the wheel, why not leverage the existing business continuity plan (BCP) to build the computer incident response plan (CIRP)? The BCP is, in all likelihood, already in place and may already receive some measure of review and exercise. By leveraging important elements and resources of the existing BCP, the security team can jump-start the CIRP and obtain a faster and more responsive organization.
Here are five strategies to give you a head start in putting together your incident response plan by using built-in and existing components of the BCP.
1. Use the existing business recovery structure and organization
The existing BCP usually has a well-laid-out management and reporting structure that is activated during an outage. Rather than create a separate reporting and management structure for the CIRP, use the existing BCP structure where possible. In small to midsize organizations, where leadership wears many hats, it is quite possible that you will find 75 percent or greater overlap between the management response team for the CIRP and that of the BCP.
The leadership team that is usually pulled in for a business continuity incident will most likely consist of the same senior management that would be required to weigh in on a computer-related incident. I would combine the leadership teams from both plans into a single leadership team common to both the business continuity and computer incident response plans. For example, in a computer incident the internal audit team will need to be in the loop, but in a business continuity incident that may not be the case. On the other hand, in a business continuity incident the physical security team will definitely need to be in the loop, but not necessarily the audit team. A common leadership team, however, can include leaders from both the audit and physical security teams, who can be brought in as needed for the incident at hand.
2. Combine roles and responsibilities
The business recovery coordinator is the central figure around whom the response to a business outage revolves. The incident response manager plays a similar role in the CIRP. Oftentimes, the business continuity manager already reports into the information security team. Instead of having a separate coordinator for business continuity and another coordinator or manager for computer incident response, consider assigning both roles to the same business continuity person.