Organizations Offer Best Practices for State and Local Incident Response Plans

Preparedness Is Key for Cybersecurity Incident Response

The key to successfully warding off or recovering from a cybersecurity incident is to be prepared. Cities and states need to plan ahead, and one of the best ways to do so is to create an incident response plan: a written policy that helps the organization manage cybersecurity incidents. The process of creating and testing an incident response plan, and then educating participants to implement the plan, helps prepare an agency to detect, respond to and quickly recover from a cyber incident. An effective IR plan limits disruptions to services and citizens, and reduces data loss and reputational damage.

It’s a great idea. But unfortunately, nearly 25 percent of state and local governments do not have an IR plan. 

But there’s good news: Building an IR plan can be done in manageable steps, and there are examples and templates available to help governments of all sizes create effective IR plans.


A Stepwise Approach to Incident Response Plans

One simple way to create an IR plan is to tackle each of its sections as a separate step. The most basic approach includes four sections: organization; preparation and protection; detection and analysis; and containment and recovery.

Organization: Determine who has overall responsibility for the plan, then broaden that thinking to create the extended team — think IT, legal, finance and HR. Specify the roles and responsibilities of each member of the incident response team. The plan should include contact information for each team member, and that list should be kept somewhere that remains reachable when the agency's email and directory systems are themselves down.

Preparation/Protection: Prioritize the systems that must be kept online or brought back online first, and set up policies to protect them. Next, ensure that relevant security tools, such as firewalls, anti-virus, vulnerability scanning and patch management systems, are in place and kept up to date. Identify gaps in security and create a remediation plan. Ensure backups are stored offline, where an attacker who has compromised the network cannot reach or encrypt them, and test restoring from them periodically; a backup that has never been restored is an assumption, not a recovery capability. Provide security awareness training to employees and elected leaders, and even to citizens if possible. Create a detailed, step-by-step set of instructions for handling incidents. Exercise all of this periodically with the IR team.

Detection and Analysis: When an incident is detected, the process tree is activated so team members can spring into action. This phase includes determining the cause and impact of the incident. If it is severe (it limits availability or disrupts services) or catastrophic (there is a total shutdown or information has been leaked), evidence is gathered and preserved for further analysis, and the incident is reported to the relevant authorities. The plan should include information about mandatory reporting requirements, as well as protocols for notifying local and state law enforcement and, if needed, federal agencies such as the Department of Homeland Security and the FBI.

Containment and Recovery: This phase involves taking action to control the attack and limit the damage and impact. It may involve eradicating malware, correcting misconfigurations or identifying other hosts that might be infected, so playbooks describing how to respond to each type of incident belong here. This section of the plan also includes the steps necessary to restore affected systems to normal operation, which might involve restoring from backups taken before the compromise, rebuilding from a secure baseline, replacing compromised files with clean versions, patching, or resetting passwords and other credentials the attacker may have captured. Systems should be verified clean before they are reconnected to the network. Once the incident has been resolved, the plan includes a step for evaluating lessons learned and incorporating that information into a revised IR plan.

To make the process even simpler, download a sample incident response plan from the state of Michigan. It lays out the steps, provides a sample IR team table and a process tree, and is an invaluable example of a local government incident response. Find it at

