Newcomer II

Incident Response Policy and Procedures

Any recommendations for an Incident Response Policy and Procedures template?

I'm building a cyber program from scratch.

Any guidance is appreciated.

Thank you,

Linda

7 Replies
Community Champion

Re: Incident Response Policy and Procedures

NIST and SANS both have rather comprehensive documentation and templates on IRT.

Also check out ITIL Service Operation on incident management, a fairly concise guideline on the incident and response process, including a good diagram of the flow.

____________________________________
Chuxing Chen, Ph.D., CISSP, PMP
Viewer

Re: Incident Response Policy and Procedures

My organization bases our policy and procedures on the NIST 800 framework. The NIST 800-61 Computer Security Incident Handling Guide is extremely helpful.

Community Champion

Re: Incident Response Policy and Procedures

> Lwhite (Newcomer II) posted a new topic in Welcome on 06-24-2019 04:06 PM in the

> Any recommendations for an Incident Response Policy and Procedures template?

Ha!

I guess my reaction is a little different than most: having started out in malware research (way back when it was possible), good IR was about the first thing to work on.

More recently I've been doing a 2-4 hour IRP presentation with a one-page handout as an inducement to quick and dirty "get started, durnit!" activity ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
This is primarily an investigative unit and I don't think we
should get sidetracked into the finer details of technology.
- Chief Superintendent Len Hynds
head of the UK National Hi-Tech Crime Unit
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Newcomer I

Re: Incident Response Policy and Procedures

As stated by others, the NIST Special Publication 800-61 Revision 2 is a good starting point. You can find it here: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf


If you have any workloads in the cloud you will need to adapt to account for any shared responsibilities/CSP requirements.


Scott

Scott P. Nicholson, MSM, CAP, RDRP
Contributor III

Re: Incident Response Policy and Procedures

An alternative you could look at is ISO 27035 as a top-level approach. It'll also make sense to outline a playbook for each general type of incident.


You'll need to determine if you can have a permanent CSIRT or if you'll need to pull together a virtual CSIRT at the point of detecting a major incident. This will probably depend on your organisation's business and its resource budget. A vCSIRT can work, but can also be problematic, as getting the time to train and rehearse when there isn't actually an incident can be a tough ask with the members' line management. A common solution is to have first call on staff from your SOC or pay a retainer to a third party for first responders.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Newcomer II

Re: Incident Response Policy and Procedures

Thank you!

Newcomer I

Re: Incident Response Policy and Procedures

Hi,

I found that this thread did not have an accepted answer and therefore would like to add my thoughts.


NIST's Cyber Security Maturity Assessment Framework can be a good start, as it has a dedicated domain on the Incident Management life cycle. In addition, inputs from well-known security standards such as ISO 27001 and PCI DSS (current version 4.0) should also be considered.


The policy, which is a high-level document, must be specific to the organization, its business units and operating environment, and in line with the risk appetite of the organization.


Hope this helps.