Cyber Security Incident Response Services

Setting Goals

What do you want to achieve in this test? You may be evaluating the flow of your plan, the ability of our staff and vendors to respond and notify, or the readiness of your information security program.

Participants

At a minimum, those listed with defined roles and responsibilities in the IRP should be included and present at the test. A facilitator of the test should also be invited. A key or critical vendor who provides services for your organization might be involved in your incident response program. They should also be in attendance. Also consider a member or two of the executive management team for observational and awareness purposes.

Create a Welcoming Environment

Ground rules are necessary to create a good testing environment. There should be no fault and no blame. An environment should be created where participants are encouraged to share their opinion on what to do during a portion of the scenario.

Pick Your Scenario

There are many different ways a cyber incident could occur in your environment that would make for a feasible testing scenario. An employee falls for a phishing email, which spreads malware. A laptop is stolen from an employee’s car containing sensitive data. Private information is leaked due to an insider threat. Or perhaps a data breach occurs at a key vendor, which impacts your organization and or customers. A cyberattack might initially be isolated to one department, but then spread to the entire network, causing massive data loss. It could then become a ransomware event when hackers call demanding cash or crypto currency.

Document Lessons Learned

Once the exercise has been completed, the group will take time together to discuss what went well and where improvements can be made. Those who took notes or facilitated the exercise can express their opinions and share their thoughts. This is a critical part of the overall exercise as the noted areas for improvement will be used to update the incident response plan.

An organization should anticipate an actual cyber incident attack at any time. Many organizations only discover the flaws in their incident response plans when they are trying to deal with an incident.

Incident response testing can expose gaps in even the most seemingly robust of cyber incident response plans and provides valuable insight into whether the incident response plan actually delivers its stated goals and objectives. Even organizations with incident response plans in place are finding that the time to resolve incidents is increasing. This is largely due to organizations not testing their incident response plans, then finding that they can’t adequately address all the aspects of a genuine security incident.