Develop and Implement a Security Incident Management Program


1 Develop and Implement a Security Incident Management Program
Create a scalable incident response program without breaking the bank.

2 Our understanding of the problem
A CISO who is dealing with the following:
- Inefficient use of time and money when retroactively responding to incidents, negatively affecting revenue and workflow of the business.
- Resistance from management to adequately develop a formal incident response plan.
- A lack of closure of incidents, resulting in being re-victimized by the same vector.

Desired outcomes for the CISO:
- Develop a consistent, scalable, and usable incident response program that is not resource intensive.
- Formally track and communicate incident response.
- Reduce the overall impact of incidents over time.
- Learn from past incidents to improve future response processes.

Business stakeholders who are responsible for the following:
- Improving workflow and managing operations in the event of security incidents to reduce any adverse business impacts.
- Ensuring that incident response compliance requirements are being adhered to.

Desired outcomes for business stakeholders:
- Efficiently allocate resources to improve incident response in terms of incident frequency, response time, and cost.
- Effectively communicate expectations and responsibilities to users.

3 Executive summary
Security incidents are inevitable, but how they’re dealt with can make or break an organization. Poor incident response negatively affects business practices, including workflow, revenue generation, and public image.

The incident response of most organizations is ad hoc at best. A formal management plan is rarely developed or adhered to, resulting in ineffective firefighting responses and inefficient allocation of resources. You will experience incidents.

Organizations can’t rely on “out-of-the-box” responses anymore. They’re too broad and easy to ignore. Save your organization response time and confusion by developing your own specific incident use cases.

Results of incident response must be analyzed, tracked, and reviewed regularly. Otherwise, a lack of comprehensive understanding of trends and patterns regarding incidents leads to being re-victimized by the same vector.

Establish communication processes and channels well in advance of a crisis. Don’t wait until a state of panic. Collaborate and share information mutually with other organizations to stay ahead of incoming threats.

Tracked incidents are often classified into “out-of-the-box” responses that are not necessarily applicable to the organization. With so many classifications, tracking becomes inefficient and indigestible, allowing major incidents to fall through the cracks.

Outcomes of incident response tactics are not formally tracked or communicated, resulting in a lack of comprehensive understanding of trends and patterns regarding incidents, leading to being re-victimized by the same vector.

Having a formal incident response document to meet compliance requirements is not useful if no one is adhering to it.

Effective and efficient management of incidents involves a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities.
This blueprint will walk through the steps of developing a scalable and systematic incident response program relevant to your organization.

4 There is more value in security incident management than just increasing security
This blueprint applies to you whether you need to develop an incident response plan from scratch or optimize and update your current strategy.

Value of developing a security incident management program:
- Short term: Streamline the process of formalizing an incident management program customized to your organization-specific needs. Respond faster and more effectively by leveraging a mature process rather than starting from scratch.
- Long term: Once the program is in place, damage will be minimized. As incidents are properly tracked, analyzed, and handled according to a well-defined process, potential breaches will be reduced to minor incidents.

Impact:
- Increased operational efficiency in terms of asset management, change control, etc.
- Reduced probability of large breaches.
- Improved standardization of data collection.
- Increased accountability.
- Enhanced overall security posture.
- Better prepared for auditing and compliance requirements.

Value of Info-Tech’s security incident management blueprint:
- Classification standards.
- Improved detection and identification processes.
- Application of intelligence gathered from previous incidents leading to continuous improvements.
- Templates to document accountability and post-incident metrics.
- Strategy around incident identification, mitigation, and post-mortem.
- Process around effective maintenance and optimization of your incident response operations.

5 Use these icons to help direct you as you navigate this research
Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities. This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project. This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

6 Incident management is essential for organizations of any size
Your incidents may differ, but a standard response ensures practical security. Certain regulations and laws require incident response to be a mandatory process in organizations.

Compliance standard examples:
- FISMA (2002): Organizations must have “procedures for detecting, reporting, and responding to security incidents.” They must also “inform operators of agency information systems about current and potential information security threats and vulnerabilities.”
- Federal Information Processing Standards (FIPS): “Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.”
- PCI-DSS v3, requirement 12.5.3: “Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.”
- Health Insurance Portability and Accountability Act (HIPAA), Response and Reporting: “Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.”

Security incident management is applicable to all verticals. Examples: finance, insurance, healthcare, public administration, education services, professional services, scientific and technical services.

7 Info-Tech offers various levels of support to best suit your needs
Guided Implementation: “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

DIY Toolkit: “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Workshop: “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting: “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks are used throughout all four options.

8 Develop and Implement a Security Incident Management Program – project overview

Best-Practice Toolkit
1. Prepare
1.1 Examine the security incident landscape and trends.
1.2 Gauge your current process to identify gaps.
1.3 Understand your security obligations.
1.4 Establish your scope and boundaries.
1.5 Establish the drivers, challenges, and benefits.
1.6 Formalize the security incident management charter.
1.7 Identify key players and develop a call escalation tree.
1.8 Develop a security incident management policy.
2. Operate
2.1 Understand the incident response framework.
2.2 Develop a security incident management plan.
2.3 Understand the purpose of runbooks.
2.4 Prioritize the development of incident-specific runbooks.
2.5 Develop top-priority runbooks.
3. Maintain and Optimize
3.1 Conduct tabletop exercises.
3.2 Initialize a security incident management metrics program.
3.3 Leverage best practices for continuous improvement.

Guided Implementations
- Prepare: Understand the incident response process, and define your security obligations, scope, and boundaries. Formalize the incident management charter, RACI, and incident management policy.
- Operate: Use the framework to develop a general incident management plan. Prioritize and develop top-priority runbooks.
- Maintain and Optimize: Develop and facilitate tabletop exercises. Create an incident management metrics program, and assess the success of the incident management program.

Onsite Workshop
Module 1: Prepare for Incident Response
Module 2: Handle Incidents
Module 3: Review and Communicate Security Incidents

Phase 1 Outcome: Formalized stakeholder support; Security Incident Management Policy; Security Incident Management Charter; Call Escalation Tree.
Phase 2 Outcome: A generalized incident management plan; a prioritized list of incidents; detailed runbooks for top-priority incidents.
Phase 3 Outcome: A formalized tracking system for benchmarking security incident metrics; recommendations for optimizing your security incident management processes.

9 Workshop overview
Contact your account representative or for more information.

Activities (Workshop Days 1 to 5):
- Kick off & introductions.
- High-level overview of weekly activities and outcomes.
- Understand the benefits of security incident response management.
- Formalize stakeholder support.
- Assess your current process, obligations, scope, and boundaries.
- Identify key players for the security incident response team.
- Develop a security incident response policy.
- Develop a general security incident response plan.
- Prioritize incident-specific runbook development.
- Understand the incident response process.
- Develop general and incident-specific call escalation trees.
- Develop specific runbooks for your top-priority incidents (e.g. ransomware): detect the incident, analyze the incident, contain the incident, eradicate the root cause, recover from the incident, and conduct post-incident analysis and communication.
- Develop specific runbooks for your next top-priority incidents.
- Reassess the general incident response plan.
- Identify key tools to incorporate into the program.
- Determine key metrics to track and report.
- Understand best practices for both internal and external communication.
- Finalize key deliverables created during the workshop.
- Present the security incident response program to key stakeholders.
- Workshop executive presentation and debrief.
- Finalize main deliverables.
- Schedule subsequent Guided Implementations.
- Schedule feedback call.

Deliverables:
- Incident Management Charter
- Incident Management Policy
- General Incident Management Plan
- Security Incident Runbook Development Prioritization Tool
- Prioritized list of runbooks
- Understanding of incident handling process
- Incident-specific runbooks for 1-2 incidents
- Discussion points for review with SIRT
- Formalized post-mortem written report template
- Steps for communication and root-cause analysis
- Incident-specific runbooks for 2-3 incidents
- Plan for further optimization of the incident management program
- List of key tools
- List of key metrics
- Communication plans
- Workshop summary documentation
- All final deliverables

10 Measured value for Guided Implementations
Engaging in GIs doesn’t just offer valuable project advice, it also results in significant cost savings.

Section 1: Prepare
Purpose: Understand the need for an incident response program. Develop your incident response policy and plan. Develop classifications around incidents. Establish your program implementation roadmap.
Measured value: Time, value, and resources saved using our classification guidance and templates: 2 FTEs * 2 days * $80,000/year = $1,280; 2 FTEs * 5 days * $80,000/year = $3,200.

Section 2: Operate
Purpose: Prioritize runbooks and develop the processes to create your own incident response program: detect, analyze, contain, eradicate, recover, post-incident activity.
Measured value: Time, value, and resources saved using our guidance: 4 FTEs * 10 days * $80,000/year = $12,800 (if done internally); 1 consultant * 15 days * $2,000/day = $30,000 (if done by third party).

Section 3: Maintain & Optimize
Purpose: Develop methods of proper reporting, and create templates for communicating incident response to key parties.
Measured value: Time, value, and resources saved using our guidance, templates, and tabletop exercises: 2 FTEs * 3 days * $80,000/year = $1,920.

Total costs to just get an incident response program off the ground: $49,200.

11 Insurance company put incident response aside; executives were unhappy
Organization implemented ITIL, but formal program design became less of a priority and turned more ad hoc.

Situation:
- Ad hoc processes created management dissatisfaction around the organization’s ineffective responses to data breaches.
- Because of the lack of formal process, an entirely new security team needed to be developed, costing people their positions.
- Lack of criteria to categorize and classify security incidents.

Challenges:
- The need to overhaul the long-standing, but ineffective, program means attempting to change mindsets, which can be time consuming.
- Help Desk is not very knowledgeable on security.
- New incident response program needs to be in alignment with data classification policy and business continuity.
- There is a lack of integration with the MSSP’s ticketing system.

Next steps:
- Need to get stakeholder buy-in for a new program.
- Begin to establish classification/reporting procedures.

Follow this case study to Phase 1.

12 Establish baseline metrics
Metrics involve information from the whole incident response process. Look for this symbol for when metrics add value to your program.

Metrics are key to the ongoing success of your incident response program. Besides trying to reduce the overall number of incidents your organization experiences, you are also trying to reduce the time spent responding to those incidents. Most organizations respond to incidents inefficiently, and that means increased costs and resource allocation because people are tied up with responding. Metrics will assess the current status of the overall security program, identifying areas to improve through training or new preventative/detective technology.

Examples:
- Time needed to move from incident detection to mitigation. Track the reduction in time spent responding to each incident.
- The number of incidents actually occurring per quarter, per month, or per year (choose the most applicable). Track (ideally) a reduction in incidents year over year.
- The types of incidents your organization is facing. Track the severity of the incidents. The goal would be to reduce either the high-severity risks (if your organization is experiencing those the most) or the number of small, time-wasting tasks so you can properly address potentially bigger issues.
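The three example metrics above (detection-to-mitigation time, incidents per period with a year-over-year comparison, and severity by incident type) computed over a constructed incident log. This is an added Python example, not part of the deck or of Info-Tech's tooling; the record fields (detected, mitigated, severity, vector) and the seven sample incidents are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
FMT = "%Y-%m-%dT%H:%M"
# Constructed sample incident log (hypothetical, not from the deck): detection and
# mitigation timestamps, severity, and the vector that let the incident in.
INCIDENTS = [
    {"id": "INC-1", "detected": "2022-02-01T08:00", "mitigated": "2022-02-02T08:00", "severity": "high", "vector": "phishing"},
    {"id": "INC-2", "detected": "2022-05-10T10:00", "mitigated": "2022-05-10T22:00", "severity": "medium", "vector": "malware"},
    {"id": "INC-3", "detected": "2022-11-03T09:00", "mitigated": "2022-11-04T09:00", "severity": "high", "vector": "phishing"},
    {"id": "INC-4", "detected": "2022-11-20T14:00", "mitigated": "2022-11-20T18:00", "severity": "low", "vector": "lost-device"},
    {"id": "INC-5", "detected": "2023-01-10T09:00", "mitigated": "2023-01-10T15:00", "severity": "high", "vector": "phishing"},
    {"id": "INC-6", "detected": "2023-04-15T12:00", "mitigated": "2023-04-15T14:00", "severity": "low", "vector": "malware"},
    {"id": "INC-7", "detected": "2023-09-01T08:00", "mitigated": "2023-09-01T12:00", "severity": "medium", "vector": "phishing"},
]

def _in_year(rec, year):
    return datetime.strptime(rec["detected"], FMT).year == year

def hours_to_mitigate(rec):
    """Detection-to-mitigation time for one incident, in hours."""
    delta = datetime.strptime(rec["mitigated"], FMT) - datetime.strptime(rec["detected"], FMT)
    return delta.total_seconds() / 3600

def mean_time_to_mitigate(records, year):
    """Average detection-to-mitigation hours for incidents detected in `year`."""
    hours = [hours_to_mitigate(r) for r in records if _in_year(r, year)]
    return sum(hours) / len(hours) if hours else None

def incidents_per_quarter(records):
    """Incident counts keyed by calendar quarter, e.g. '2022-Q4'."""
    counts = Counter()
    for r in records:
        d = datetime.strptime(r["detected"], FMT)
        counts[f"{d.year}-Q{(d.month - 1) // 3 + 1}"] += 1
    return dict(counts)

def severity_by_vector(records, year):
    """Severity breakdown per vector; a vector that keeps recurring signals re-victimization."""
    table = defaultdict(Counter)
    for r in records:
        if _in_year(r, year):
            table[r["vector"]][r["severity"]] += 1
    return {vector: dict(sev) for vector, sev in table.items()}

def year_over_year_change(records, prev_year, year):
    """Fractional change in incident count between two years; negative means fewer incidents."""
    prev = sum(_in_year(r, prev_year) for r in records)
    cur = sum(_in_year(r, year) for r in records)
    return (cur - prev) / prev if prev else None
```

On the sample log the mean time to mitigate drops from 16 hours in 2022 to 4 hours in 2023, the count falls by 25%, and phishing is the vector that still recurs at high severity, which is the kind of trend the slide says a baseline should expose.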

