Newcomer II

Incident Response SOPs/Policies

Good morning,

I am in the process of reviewing/editing/consolidating my organization's set of SOPs and policy documents regarding incident response. These include DR-BCP, incident response framework, roles and responsibilities, etc. All in all, we have 7-8 documents all surrounding cyber incident response, with a lot of double dipping. I believe this creates confusion, not to mention version control issues. So I was wondering - in your organizations, how many separate documents do you have that deal with cyber incident response?

1 Reply
Contributor III

Re: Incident Response SOPs/Policies

I work with a lot of orgs and review their policies and documentation.

What I typically see:

A BC/DR Policy document

A CSIR Policy document

A BIA document listing critical applications and their owner, RTO, RPO, etc.

A BC/DR plan document (larger orgs will have this as 2 separate plans), which gives the details on how these are done.

A CSIR plan document. Some groups will have a 'run book' or 'play book' with details on how to handle different specific incidents (DDoS attack, malware, ransomware, etc.)

Ideally, orgs should do a run through of their BC plan, DR plan and CSIR plan on at least an annual basis. I am really impressed when orgs do this more than once a year, but that seems rare.

 

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, GSLC, GSTRT, ISSA Fellow