Why is this important? Getting it right with training and reviewing processes… Major incidents don’t often occur in most organisations, so incident responders may be unfamiliar with their procedures. To get incident responders more familiar with response procedures, you have some options.
Training: An instructor (perhaps one of the senior or experienced incident responders) will conduct training on procedures. Topics to include: physical, personnel, systems, environment, threats, risks and incident management, to name but a few.
Tabletop Exercises: The more useful type of training, where incident responders are guided through one or more simulated incidents by a moderator who is himself / herself an experienced security incident responder. The tabletop exercise is training that simulates an actual incident, making the experience more real and memorable. It’s recommended that incident responders be trained at least once a year. Senior management need to buy into this; do yours?
Reviewing Process Documentation: This should be carried out at least annually to look for changes that will improve the documents. Have you amassed ‘shelf-ware’? Are your documents peer reviewed and baselined out of draft?
Reviewing Existing Tools: Reviewing tools and their capabilities to look for opportunities to accelerate incident detection, response, and remediation. When was the last time you updated your software tooling solutions?
Reviewing Incidents: Review all major incidents, and a sample of smaller ones, to look for improvement opportunities in response procedures, as well as changes or improvements in systems and processes that help reduce the probability and impact of incidents in the first place. Lessons identified and lessons learnt! Who captures these for you?
Practice Makes Perfect! You must practice the procedures laid out in the Incident Response Plan (IRP), Business Continuity Plan (BCP), Disaster Recovery Plan (DRP) or whatever other plan you have in place that covers recovery, in order for them to be effective when the time comes. When was the last time you carried out an exercise where you recovered from a major outage? Improvements can take many forms, including advances in technology, additional details in procedure documents, updates in industry standards, better incident response and forensics tools, and more training for personnel.
Don’t put security or security training in AOB (Any Other Business). Have it as an Agenda Item. Do you have any security bullet points in your routine management meetings?