Key Roles & Responsibilities for your Incident Response Team - Hitachi Systems Security (2024)

Incident Response Planning in a Nutshell: Roles and Responsibilities

“Great things in business are never done by one person. They’re done by a team of people.” – Steve Jobs

As part of our 5-part series about Incident Response Planning (IRP), this article dives deeper into the roles and responsibilities required to implement and respect an effective Incident Response Plan.

Find more detailed information about IRP in the articles below:

  • Part 1/5: The 5 Benefits of an Incident Response Plan
  • Part 2/5: Best Practices for Building an Incident Response Plan
  • Part 4/5:
  • Part 5/5: Lessons Learned: The Unsung Hero of the Incident Response Planning Process

Incident Response Planning has proven to be most effective at helping organizations respond to incidents when at least three distinct functions are in place:

  1. The Computer Security Incident Response Team (CSIRT)
  2. The Legal Expert
  3. The Public Relations/Communications Expert

To help your organization become more confident when facing a security incident, we’re explaining each of these three roles down below.

  1. The Computer Security Incident Response Team (CSIRT)

A Computer Security Incident Response Team (“CSIRT”) is defined as the group of individuals in charge of executing the technical aspect of an Incident Response Plan. CSIRT members are responsible for the detection, containment and eradication of cyber incidents as well as for the restoration of the affected IT systems.

To set up a CSIRT, organizations can opt for three different staffing models:

  • Employees – the organization conducts all incident response-related activities by itself, without any guidance or intervention from external parties.
  • Partially outsourced – the organization outsources certain elements of its incident response-related activities to external parties.
  • Fully outsourced – the organization outsources all elements of its incident response-related activities to external parties.

According to the U.S. National Institute of Standards and Technology (NIST), “the most prevalent arrangement is for the organization to outsource 24-hours-a-day, 7-days-a-week (24/7) monitoring of intrusion detection sensors, firewalls, and other security devices to an offsite managed security services provider (MSSP). The MSSP identifies and analyzes suspicious activity and reports each detected incident to the organization’s incident response team”.

This recommended scenario corresponds to the partially outsourced staffing model described above. Fully outsourced options often require on-site contractors.

A contextual analysis may drive organizations to opt for either a partially outsourced or a fully in-house response capability. In either scenario, a CSIRT must be set up.

What should I consider when setting up a CSIRT?

Regardless of what your organization decides to do, your choice should be motivated by a consideration of the following:

  • Implementing and maintaining IRPs may require specialized knowledge in several technical areas that may not be readily available internally
  • Your internal team may not possess the necessary knowledge of intrusion detection systems, vulnerability management and other cybersecurity techniques to properly respond to a security incident
  • MSSPs may have a more global view of the latest and most common security incidents from their customer base and may therefore correlate events better than an individual organization could
  • If you decide to hire an internal team of security experts as part of your CSIRT, make sure to keep retention strategies in mind to avoid high employee turnover – a common occurrence in today’s IT security talent shortage phenomenon
  • MSSPs have access to secure facilities and state-of-the-art IT infrastructure, such as Security Operations Centers (SOCs) in various countries
  • Generally speaking, MSSPs tend to be less costly than hiring in-house, full-time security resources because they are able to spread their costs of Information Security Analysts, hardware, software etc. across multiple customers across the globe

Disclaimer: When opting for a partially outsourced model, organizations must understand that outsourcing does not transfer their legal obligations to MSSPs. Organizations remain fully responsible, both legally and morally, to ensure that they meet legal requirements in terms of information security. This being said, MSSPs are liable for the quality of service that they provide according to the terms of the service level agreement (SLA).

What factors impact how I build my CSIRT?

CSIRTs vary in terms of their service offering and organizational structure. The responsible department will usually examine a number of relevant factors before choosing a model.

The objective of the exercise is to identify the organization’s needs and the framework in which the prospective CSIRT will operate, in order to develop a vision of its mission. Relevant factors include:

  • Types of incident activity that currently characterizes the organization’s threat landscape, as this will inform the types of skills that are required from the CSIRT’s members
  • Practices of other organizations in the same sector
  • Stakeholders’ expectations and needs, including opinions from business managers, IT staff, legal department, human resources, public relations, physical security, audit and risk management specialists, etc.
  • Enterprise’s organizational model and principal business functions
  • Risk assessments results, critical assets that must be protected and business-continuity plans
  • Existing policies, plans, directives and guidelines (especially those related to confidential data and physical security breaches)
  • Applicable legislation and/or recommendations

What are the functions of the CSIRT?

CSIRTs may exercise a wide range of functions that can be grouped under reactive, proactive and security quality management services.

Ideally, CSIRTs should aim to provide the usual baseline of services and eventually add other features that pertain to their mission. In other words, the primary function of CSIRTs remains incident response.

Only once the team has acquired all necessary resources, training and experience to properly and effectively accomplish these tasks should management consider adding further responsibilities.

The extension of functions can be part of a development plan for the CSIRT. For instance, with proper funding and management support, the CSIRT can become a “key player in providing risk and business intelligence to the organization”.

Which roles should be assigned within the CSIRT?

NIST’s publication 800-64 proposes that CSIRTs should be composed of a manager, a technical lead and team members. The PCI DSS makes it mandatory to assign an individual or a team to various tasks, including establishing, documenting and distributing security incident response and escalation procedures when necessary.

Under this standard, the team must monitor and analyze security alerts and access to data.

CSIRT: Tasks and Skills Needed

Note that the PCI-DSS also requires an IRP that involves the documentation of roles and responsibilities.

The Computer Emergency Readiness Team [CERT] recommends the following roles amongst the CSIRT members:

  • Manager or Team Lead
  • Assistant Managers or Group Leaders
  • Help Desk or Triage Staff
  • Incident Handlers
  • Vulnerability Handlers
  • Artifact Analysis Staff
  • Platform Specialists
  • Trainers
  • Technology Watch

In reality, CSIRTs are rarely staffed well enough to cover all of these roles, and personnel are expected to be versatile.

The table above describes the usual tasks and skills of team members.

Note that some organizations are required by law to have a privacy officer (an individual accountable for compliance with the privacy legislation applicable to the constituency), especially in the health sector (see Ontario’s Personal Health Information Protection Act).

Harmonizing privacy policies and practices with those of data security is critical. Organizations should consider integrating their privacy officer into information security planning and assigning them responsibilities during IRP.

Anything else to consider when creating a CSIRT?

  • Deciding on the CSIRT’s authority
  • Deciding on the CSIRT’s location
  • Deciding on the equipment and network infrastructure needed to support its daily functions
  • Deciding on funding and sustainability
  • Deciding on hours of operation and determining whether there is a requirement for 24/7 monitoring and corresponding funding (Note that PCI-DSS requires that specific personnel be available to monitor and respond to alerts on a 24/7 basis)

  2. The Legal Expert

In the process of assigning roles and responsibilities, the need for legal expertise should not be overlooked. Legal experts assume many critical roles throughout the phases of IRP, but particularly in the phase of drafting policies, plans and procedures.

CMU-SEI’s Handbook for CSIRTs rightly emphasizes the need for legal advisers who are experienced in cybersecurity, so that they understand the technical terminology and the particular issues relating to the CSIRT’s daily activities. It also recommends a year-long engagement, given the amount of domain-specific knowledge needed and the difficulty of finding such legal expertise on the market.

The role of the legal expert can be summarized as providing quality assurance about every topic – from the mission statement to the actual incident handling.

Regarding policies and plans, lawyers inform the decision-makers about legal requirements, preferred practices and any conflicts with the legislation of other jurisdictions in which the organization does business. Their contract drafting experience helps to adjust the scope of these documents with proper definitions.

In the same line of thought, they conduct contract analysis with outsourced services and draft all the needed material pertaining to the CSIRT’s operations (e.g. non-disclosure agreements).

Overall, legal experts are concerned with being able to demonstrate due care at all times by warranting the adequacy of rules regarding the handling of confidential information, evidence and documentation. In doing so, they proactively defend the organization against liabilities.

Legal Expert: Tasks and Skills Needed

See the table below for a detailed description of the tasks of a legal expert.

  3. The Public Relations/Communications Expert

Each organization should have a predetermined point of contact with the media, usually a public relations (PR) expert who is trained on developing precise and impactful press releases.

In case of a data breach of public interest, this person will be updating the media about the work of the CSIRT and any remedial action taken. In this regard, the PR expert should have received training on information disclosure and be well aware of the organization’s policies.

In the event of a data breach, communication is key. The PR expert should have communication templates ready to address different scenarios, such as data breach notification. Their role is to balance the need to protect the company’s business interests (e.g. its reputation) with the need to inform the public. Pre-written templates provide sufficient time to reflect on the appropriate wording. This should be done before a crisis occurs, as there will be little time to reflect during ‘war time’.

In the same line of thought, pre-written statements should be analyzed by legal experts who will consider all ramifications such as balancing mandatory notification, non-disclosure agreements, the protection of personal information and the company’s best interest.

PR Expert: Tasks and Skills Needed

Here’s what the PR expert is supposed to do as well as the skills he or she should have for this crucial role:

In a Nutshell

We can all agree that security incidents against organizations are here to stay. And sooner rather than later, we’ll all need to live up to the fact that careful incident planning and preparation is one of the best strategies to respond to security incidents.

For Incident Response Plans to be effective, organizations need to be proactive and create at least three crucial roles to help navigate the stormy waters of a security incident.

  1. A Computer Security Incident Response Team will possess the necessary technical knowledge and expertise to mitigate the damage of the incident, conduct repairs, perform regular audits, patch vulnerabilities and handle incidents when they occur.
  2. A legal expert will help organizations draft the required policies, advise the management team on necessary legal action and perform quality assurance duties to ensure that an organization’s legal standing is well protected even in the case of a security incident.
  3. A PR expert will help the organization communicate properly about the security incident to the public and other relevant channels to demonstrate confidence even in moments of crisis, facilitate open and adequate communications and protect the organization’s reputation.

Now that we’ve learned about the roles and responsibilities for effective Incident Response Planning, what does IRP look like in different jurisdictions across the world?

Stay tuned for part 4 of our 5-part blog series about Incident Response Planning in next week’s article.
