V.F.1     Incident Response

Incident response helps management minimize the disruption of services or loss of information from an adverse event. Incident response priorities include preservation of life, preservation of property, incident stabilization, and communicating with stakeholders (e.g., impacted personnel, third-party service providers, customers, regulators, law enforcement). As shown in figure 4, the incident response team should coordinate communication with the noted stakeholders. Management should align incident response procedures with other related processes (e.g., cybersecurity, network operations, and physical security), outsourced services (e.g., contracted incident response obligations), and verify that the procedures are considered during planning and BCP development.

Figure 4: Incident Response Team (Adapted From NIST SP 800-61, Rev. 2)

Figure 4 depicts an image of a wheel and spoke diagram with the Incident Response Team at the center.  There are six groups that interact with the Incident Response Team and they include: 1. Customers 2. Media/Other 3. Board and Senior Management 4. Regulatory Agencies 5. Law Enforcement 6. Third-Party Service Providers  The interaction is a two-way process between the Incident Response Team and each of the six groups.

Management should designate a spokesperson(s) to communicate with the news media. Management should consider various, pre-planned response scenarios approved by the board and senior management. Communication with the news media and via social media may be important for disseminating accurate information. Social media monitoring during an event can help management resolve conflicting messages and proactively respond to issues and concerns. Management should train personnel to adhere to the plan when approached by the news media or communicating via social media.

Furthermore, management should leverage routine processes (e.g., vulnerability management and network monitoring) to anticipate potential incidents, including cyber incidents, and coordinate incident response planning with any third-party service provider plans. Furthermore, management should consider prearranging third-party forensic and incident response services. Management should periodically update and test the entity’s incident response program to verify that it functions as intended, given rapidly changing threats. Refer to the IT Handbook’s “Information Security” booklet for additional information.


Previous Section
V.F Other Components
Next Section
V.F.2 Disaster Recovery