topic Re: Incident Response Policy and Procedures in Governance, Risk, Compliance

Incident Response Policy and Procedures

Lwhite — Mon, 09 Oct 2023 09:14:38 GMT

Any recommendations for a Incident Response Policy and Procedures template?

I'm building a cyber program from scratch.

Any guidance is appreciated.

Thank you,

Linda

Re: Incident Response Policy and Procedures

Chuxing — Mon, 24 Jun 2019 20:55:06 GMT

NIST, SANS, all have rather comprehensive documentations and templates on IRT.

Also check out ITIL- Service Operation, on incident management, a fairly concise guideline on incident and response process, including a good diagram on the flow.

Re: Incident Response Policy and Procedures

twoand4 — Tue, 25 Jun 2019 00:52:02 GMT

My organization bases our policy and procedures on NIST 800 framework. The NIST 800-61 Computer security Incident guide is extremely helpful.

Re: Incident Response Policy and Procedures

rslade — Tue, 25 Jun 2019 01:00:39 GMT

> Lwhite (Newcomer II) posted a new topic in Welcome on 06-24-2019 04:06 PM in the

> Any recommendations for a Incident Response Policy and Procedures template?

Ha!

I guess my reaction is a little different than most: having started out in malware
research (way back when it was possible) good IR was about the first to work on.

More recently I've been doing a 2-4 hour IRP presentation with a one-page
handout as an inducement to quick and dirty "get started, durnit!" activity ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
This is primarily an investigative unit and I don't think we
should get sidetracked into the finer details of technology.
- Chief Superintendent Len Hynds
head of the UK National Hi-Tech Crime Unit
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Incident Response Policy and Procedures

ScottNicholson — Tue, 25 Jun 2019 02:40:51 GMT

As stated by others, the NIST Special Publication 800-61 Revision 2 is a good starting point. You can find it here: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

If you have any workloads in the cloud you will need to adapt to account for any shared responsibilities/CSP requirements.

Scott

Re: Incident Response Policy and Procedures

Steve-Wilme — Tue, 25 Jun 2019 07:24:00 GMT

An alternative you could look at is ISO 27035, as a top level approach. It'll also make sense to outline a playbook for each general type of incident.

You'll need to determine if you can have a permanent CSIRT or if you'll need to pull together a virtual CSIRT at the point of detecting major incident. This will probably depend on your organisations business and its resource budget. vCSIRT can work, but can also be problematic as getting the time to train and rehearse when there is actually an incident can be a tough ask with the members line management. A common solution is to have first call on staff from your SoC or pay a retainer to a third party for first responders.

Re: Incident Response Policy and Procedures

Lwhite — Fri, 28 Jun 2019 01:56:21 GMT

Thank you!

Re: Incident Response Policy and Procedures

Shwetaksagar — Sat, 03 Aug 2019 14:22:55 GMT

HI,

I found that this thread did not have any answer and therefore would like to put my thoughts.

NIST's Cyber Security Maturity Assessment Framework can be a good start as it has a dedicated domain on Incident Management life cycle. In addition, inputs from well known security standards such as ISO 27001 and PCI DSS (current version 4.0) should also be considered.

Policy which is a high level document must be specific to the organization, the business units, operating environment and in line with the risk appetite of the organization.

Hope this helps.