III.D     Incident Response

Management should have an incident response program. (See also "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice," supplementing the Information Security Standards.) The goal of incident response is to minimize damage to the institution and its customers. The institution's program should have defined protocols to declare and respond to an identified incident. More specifically, the incident response program should include, as appropriate, containing the incident, coordinating with law enforcement and third parties, restoring systems, preserving data and evidence, providing assistance to customers, and otherwise facilitating operational resilience of the institution.

The response involves a combination of people and technologies. The quality of incident response is attributable to the institution's culture, policies, procedures, and training. Incident response is also a function of the relationships the institution formed before the incident with law enforcement, incident response consultants and attorneys, information-sharing entities (e.g., FS-ISAC), and others. Management should prepare for potential incidents by developing an incident response plan that is comprehensive, coordinated, and integrated with existing institution policies, procedures, and training. To validate the effectiveness of the institution's incident response program, management should periodically test it through different test types, including scenario planning and tabletop testing, and perform the tests with appropriate internal and external parties.

Preparation determines the success of any intrusion response. Such preparation involves defining the policies and procedures that guide the response; assigning responsibilities to individuals; providing appropriate training; formalizing information flows; and selecting, installing, and understanding the tools used in the response effort. Additionally, management should define thresholds for reporting significant security incidents, and consider developing processes for when the institution should notify its regulators of incidents that may affect the institution's operations, reputation, or sensitive customer information. These incidents may include those that could affect the financial system. Primary considerations for incident response include the following:

  • How to balance concerns regarding confidentiality, integrity, and availability for devices and data. This consideration is a key driver for a containment strategy and may involve legal and liability considerations. Management may decide that some systems must be disconnected or shut down at the first sign of intrusion, while others must be left online.
  • When and under what circumstances to invoke the incident response activities, and how to ensure that the proper personnel are notified and available.
  • When to involve outside experts and how to ensure the proper expertise will be available when needed. This consideration addresses both containment and restoration.
  • Protocols to define when and under what circumstances to notify and involve regulators, customers, and law enforcement, including names and contact information for each group.
  • Which personnel have authority to perform specific actions in the containment of the intrusion and restoration of the system. This consideration affects the internal communications strategy, the commitment of personnel, and procedures that escalate involvement and decisions within the organization.
  • How, when, and what to communicate outside of the institution, whether to law enforcement, regulatory agencies, information-sharing organizations, customers, third-party service providers, potential victims, or others.
  • How to document and maintain the evidence, the decisions made, and the actions taken.
  • What criteria must be met before compromised services, equipment, and software are returned to the network.
  • How to learn from the intrusion and use lessons learned to improve the institution's security.
  • How and when to prepare and file a Suspicious Activity Report.

Successful implementation of any response policy or procedure requires the assignment of responsibilities, training, and testing. Some institutions formalize the response program with the creation of a security incident response team (SIRT). The SIRT typically is tasked with performing, coordinating, and supporting responses to security incidents and intrusions. Because of the wide range of technical and nontechnical issues posed by an intrusion, typical SIRT membership includes individuals with a wide range of backgrounds and expertise from different areas within the institution. Those areas include management, legal, and public relations, as well as IT staff. Other organizations may outsource some of the SIRT functions (e.g., forensic examinations). When SIRT functions are outsourced, management should require the third-party service provider to follow the institution's policies and maintain the confidentiality of data.

Institutions should assess the adequacy of their preparation through testing. There are a variety of testing methods; therefore, management should consider the most applicable tests for its IT environment. Institutions can also participate with outside entities that provide testing activities (e.g., FS-ISAC).

While containment strategies between institutions can vary, they typically include the following broad elements:

  • Isolation of compromised systems or enhanced monitoring of intruder activities.
  • Search for additional compromised systems.
  • Collection and preservation of evidence.
  • Communication with affected parties and often the primary regulator, information-sharing organizations (e.g., FS-ISAC), or law enforcement.

Restoration and follow-up strategies should address the following:

  • Elimination of an intruder's means of access.
  • Restoration of systems, programs, and data to a known good state.
  • Initiation of customer notification and assistance activities consistent with laws, regulations, and interagency guidance.
  • Monitoring to detect similar or further incidents.

Management should periodically review the actions taken in response to intrusions to identify improvements and implement those improvements through changes in policy, standards, procedures, training, and practices.
