Companies have developed a range of response plans to counter data breaches: disaster recovery, business continuity, and incident response plans (DRP, BCP, and IRP respectively). Where are the “never-gonna-happen” data breach plans? There are none, because companies know that the question isn’t if a security breach occurs but when. Each of these plans is constantly evolving to respond to whatever the Internet has dreamed up today for cybercrime.
What is an incident response plan (IRP)?
Response plans vary somewhat. Today we’ll focus on IRPs, but it helps to put into perspective where this plan falls in security planning. In BizTech magazine, Ken M. Shaurette, CISSP, compared IRPs and DRPs to a heart attack:
“A disaster is thought of like a heart attack. Disaster management [...] is the medicine or exercise program that your doctor has to keep you alive until you can recover from the heart attack. Incident management is all the symptoms that you might [have had] for several months before the heart attack.”
Detecting and remediating data breaches means all hands on deck: everyone has a responsibility. Internal audit can add value both by assessing IRPs more rigorously and by being part of the process that creates them.
Chances are, no one is going to come toot internal audit’s horn for IRPs. It’s up to you to convince the business that you have the skills. Below are tips where internal audit can raise their hand and say, “Toot-toot! We can help.”
Auditor Tip: Analyze whether the IRP is in place and is effective for current cybersecurity conditions. Plans are often partially tested but never fully exercised end to end, and plans that were adequate when written may need to be updated to reflect the current risk environment.
Focus on what auditors do naturally
Jose Tabuena is a former compliance and internal audit executive for companies including Orion Health and Texas Health Resources. According to Tabuena, companies are relying on internal audit to bring their assessment and evaluation skills to the incident response planning process.
"Internal audit should play a larger role in providing assurance over incident response. It needs to be more than assuring an incident response plan is in place and that it has been tested," he says. "I think internal audit can play a more critical role in evaluating the details of the plan and looking at whether it is going to operate as effectively as the information security folks say that it does."
As an auditor, look at the things built into your job that you are really good at doing and which lend themselves to contributing to and executing an excellent IRP. But sometimes you need a pep talk to remember what comes naturally to you...
As an auditor, you develop plans and timelines. You execute on a strict timeline. You analyze everything (maybe to a fault). You are good with people (you hope!). You communicate and meet with a wide variety of people, from warehouse worker to executives. You might notice what’s going well, but you have an eagle eye for gaps in a process. You look at risks from those gaps. You analyze. Sometimes you analyze your dog, children, spouse, and wall paint, but you do it and you do it pretty darn well.
All of these strengths add up to an excellent incident response prep team. IRPs by definition need organized procedures and timelines to contain and remediate any sort of attack or breach. Everyone from the help desk to the director may take part in mitigating incidents, so your skill set helps you communicate with a wide variety of disciplines within the company. You can spot gaps and risks from a mile away, and by walking through incident risk scenarios you can help pinpoint where the plan falls short and where to improve.
When it comes to planning security plans, you, the auditor, are a great teammate.
Auditor Tip: Speaking of gaps, your organization and analysis skills might just fill the gaps in completing the company’s incident response plan. You may have audited these plans in the past, but perhaps not to the depth you should. Start digging deeper when auditing IRPs.
Pay attention to 3 P’s in auditing response plans
When auditing an IRP, audit the 3 P’s: policy, plan, and procedures. First, the policy should establish goals and a vision for the breach response process. Next, the plan should define to whom the plan applies and under what circumstances it is invoked, as well as the roles and responsibilities of individuals. Also look at the standards the company follows, as well as metrics, feedback, remediation, and any requirements for awareness training on the IRP.
Lastly, audit the procedures. They should cover every phase of response activity: preparation, detection and analysis, containment, eradication and recovery, and resumption of normal business processes, followed by post-incident review (the phases NIST SP 800-61 uses). A plan that jumps straight from preparation to resolution, with no procedures for how an incident is detected, confirmed, and escalated, has a gap that will surface the first time it is used.
Auditor Tip: Check IRPs for policies, plans, and procedures without gaps. Talk with other auditors who have audited IRPs and learn what the company may be lacking overall in its response plans.
Check for full run-throughs of the plan
Incomplete run-throughs are common, so as an auditor, don’t assume an IRP is fully tested. When users and system administrators haven’t fully tested the plan or are unaware of incident response procedures, the response will be delayed and evidence can be corrupted or lost, increasing the potential impact of an incident.
Just because a person sees the book on how to drive a car doesn’t mean they actually know how to drive the car.
The same idea fits for an incident response plan: Just because key people have seen the plan doesn’t mean they can execute the plan, or that the plan even makes sense in real-time.
Auditor Tip: Check to see if the audit client has performed a run-through using a potential scenario. The scenarios are helpful because audit clients actually get to take their plans for a test drive in a non-threatening, low-stress environment.
Perform tabletop exercises
Tabuena suggests that companies perform “a tabletop exercise where you pull the key people in the room to provide an actual scenario and install the actual response. It’s important to do that at the beginning and make sure everyone is involved and is on the same page.”
Additionally, Tabuena believes audit should be included in these exercises. “It might be helpful to have internal audit involved to sit in and comment.” For Tabuena, it’s okay to include others on the incident response plan. The plan should be no secret.
In addition, audit’s role should go beyond checking that something is in place and has been tested. “Be critical,” asserts Tabuena. “Evaluate [whether] the incident response plan is going to operate as effectively as the information security folks think it will.”
Auditor Tip: If the audit client has executed live exercises, test for completeness. Request documentation, attendee lists, and testing outcomes. Make sure everyone who needed to be included was included, and that the outcomes show the plan’s procedures actually worked rather than merely that the exercise took place.
When auditing the incident response plan, it’s important to dig a little deeper. If audit is asked to be part of the planning or the run-through scenarios, take part. You can add your voice to the plan and improve security for the company.