General principles of Enterprise Incident Response:

An incident response plan establishes processes that accomplish the following:

• Detect and identify events
• Triage and analyze events to determine whether an incident is underway
• Respond and recover from an incident
• Improve the organization’s capabilities for responding to a future incident.

Additionally, an effective Incident response program will accomplish the following:

• Establishment of a formal incident response plan
• Development of procedures for performing incident handling and reporting
• Establishment of guidelines for communication with outside parties
• Establishment of a team structure and staffing model
• Establishment of relationships and communication channels between the incident response team and other relevant groups
• Identification of what resources the incident response team should be provisioned with
• Staffing and training of the incident response team

Events and Incidents:

An event can be defined as one or more occurrences of something that affect an organization’s assets and have the potential to disrupt its operations. An incident is a high-magnitude event (or series of events) that significantly effects an enterprise’s assets and requires the organization to respond to prevent (or limit) the scope of the disruption.

Information Sharing & Communication:

Incident response planning requires the establishment of formal information sharing and communication protocols.

Communication procedures and the chain-of-custody should be established between the incident response team and the organization’s relevant stakeholders as determined by management.

These procedures should also include any external parties that might need to become involved in the incident response process (e.g., law enforcement, etc.).

Organizations should dedicate specific personnel to the Incident Response team. This team structure should also recognize organizational dependencies and ensure that the team has the adequate resources and authority to accomplish their stated duties

Establishing and supporting an ongoing incident management program enables your organization to evaluate the impact of significant events that may adversely affect employees, assets, or customers. The incident management program helps to ensure that your organization can recover its mission-critical functions and meet its responsibility to its stakeholders.

References

• https://www.cisa.gov/uscert/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-IM.pdf (CERT-RMM IM)
• https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final (SP-800-61_R2)
• https://www.fema.gov/sites/default/files/2020-07/fema_nims_doctrine-2017.pdf (FEMA NIMS)
• https://resources.sei.cmu.edu/asset_files/Handbook/2016_002_001_514462.pdf (CERT-RMM)