Control 19.1: Document Incident Response Procedures

Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.

Category

Procedural

Purpose

If an organization operates continuously for a long enough period of time, it is likely to suffer a cyber breach. Even if a breach never occurs, it is best to plan for the possibility, if only from a legal liability standpoint. When a data breach occurs, it can feel like multiple extremely important events are all taking place at the same time, and important processes, procedures, and security-critical tasks can be forgotten during this time frame. That is in part why written procedures for handling a cyber incident need to exist before one occurs.

The threats surrounding this Sub-Control mostly revolve around the inappropriate handling of a cyber incident while it is active, meaning mistakes made by internal employees tasked with responding to the breach. This is especially true if the breach is the first one an organization has experienced. Improper breach handling can make the breach worse, for instance by allowing malware to spread deeper into the network and gain additional access to sensitive data.

Automation

There is no way to automate this Sub-Control. Yet this does not mean that an incident response plan and its associated response procedures must be written from scratch. Incident response procedures can be procured from other, similar organizations that already have them in place, and these procedures can be modified to fit most organizations' needs.

Guidance and Tools

Many organizations offer useful incident response guidance.