CIS CSC #19 – Incident Response and Management

I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.

Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

This control includes eight (8) sub-controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there are four (4) IG1 sub-controls and seven (7) IG2 sub-controls. This means that, at a minimum, we want to:

  • Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
  • Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
  • Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
  • Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.

We’re implementing all these controls to prevent security breaches, but we need to be prepared for something to get through. Many of these controls also have a detection side, and a detection is what triggers the response processes discussed here.

First and foremost, we want to plan ahead for security incidents. Capture those plans in documentation that you can turn to when speed of response is critical, and make it available to all involved players (primary and secondary responders). The plans should cover not only the technical response actions and who is responsible for them, but also the related tasks such as communications within the organization and PR as needed. You’ll also want to identify any third parties that may be involved in the response activities, such as an MSSP, a pre-arranged forensic firm, or legal counsel.

The final step in IG1 here is to identify and document the ways your end users can recognize and report any suspected incidents. In my opinion, this should be a very low-friction process. We (as an industry) cannot expect all end users to be security experts, BUT we should make it as easy as possible for them to report any suspicious activity.

Relevant News Stories

Relevant Tools

Commercial: Archer (RSA)
Open-Source & “Freemium”: GRR (Google)

The CIS Controls are in version 7.1 at the time of this writing. For more information on this control check out the CIS Control #19 page here.
