Scenario
You are in charge of writing an IRP (Incident Response Plan) for an online retail business. The company is strictly online (no physical retail store available) with 500 employees. The company has two additional locations in Portland, Oregon and Arlington, Virginia, which support a mix of corporate operations. Each corporate facility is located near a co-location data center, managed by third-party data center hosting vendors.
According to NIST SP 800-61, the incident response life cycle has four stages, and the IRP should be organized around them.
When putting together your incident response team, be sure to design a cross-functional group of individuals who represent the management, technical, and functional areas of responsibility most directly impacted by a security incident. Potential team members should be:
- Representative of senior management
  - Establishes incident response policy, budget, and staffing
- Information security professionals
  - CSIRT (leads most incident response cases)
  - SOC (in charge of malware analysis, social-engineering response, network monitoring, log correlation, managing proxy/email blocks and filters, and general cyber incidents)
  - Forensics (investigations; supports IR with the imaging process and evidence collection)
  - Endpoint Controls (custom detection using signature-based endpoint antivirus software)
  - Red Team (benchmarking and application testing)