Cyber Incident Plan a Must

Tuesday, February 14, 2012 @ 11:02 AM gHale

There is a new cyber security guidance that urges federal agencies to have formal incident response plans in place in preparation for the inevitable network or application intrusion.

This guidance comes from a second draft revision of the National Institute of Standards and Technology “Computer Security Incident Handling Guide,” or SP 800-61. NIST published the first version in March 2008.


While this document focuses on the federal government, it could give a good idea of what the private sector should also look at in terms of an incident response plan. Of course, prevention through the use of continuous monitoring is important — especially because threats have grown stealthier since the last SP 800-61 revision, the guidance authors said.

“Continually monitoring threats through intrusion detection and prevention systems (IDPSs) and other mechanisms is essential,” said a NIST spokesperson.

However, incidents can and do happen, and when they do, a rapid response will minimize damage.

In the publication, NIST reminds agencies that the Federal Information Security Management Act requires they designate primary and secondary points of contact with the Homeland Security Department’s computer emergency readiness team, or US-CERT.

Agencies should have a policy and plan for reporting to US-CERT; procedures for incident handling and reporting; guidelines for communicating with outside parties on incidents; a reporting staff model with clearly designated internal and external relationships; specific services the incident response team is prepared to provide; and appropriate training in place.

All guidelines for interacting with US-CERT or other organizations following an incident should also undergo thorough documentation, NIST recommended — this includes guidance for prioritizing incidents and lessons learned on past incidents. In addition, agencies should be ready for a broad array of incidents, as well as the most common incidents, such as attacks executed through attachments in email messages or thumb drive-based viruses.

NIST will accept comments on the latest revision via email through March 16, 2012.
