Respond

Know what to do when the alarms go off

1. IT Security Monitoring & Performance Monitoring

Hackers are notorious for lurking inside systems while planning their attack – often for months beforehand. An effective IT security monitoring system that examines both internal and external activity across your systems is essential and will help you spot users that don’t belong before they can do significant damage. Aside from security, monitoring the performance of components is an essential part of avoiding costly downtimes. Many components give warnings that they are going to break before they stop working – a network switch, for example, could be logging errors for months before it finally begins to break down. Having an active IT monitoring and alert system in place gives you advance notice of failures, allowing you to respond to them ahead of time rather than reactively.
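The two kinds of signal described above (an account that does not belong, and a component that logs errors for a long time before it fails) can both be surfaced by the same kind of alerting logic. The following is an added example, not code from the original article or any product it describes: it parses a few constructed syslog-style lines, flags successful logins by accounts outside an assumed inventory or from outside an assumed internal address range, and flags a switch interface whose daily error count keeps climbing. The log format, the account list `KNOWN_USERS`, the `INTERNAL_NETS` range and the thresholds in `find_degrading_interfaces` are all assumptions chosen for the demo.

```python
"""Added example: minimal security and health alerting over constructed log lines."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog-style lines (not captured from any real device).
SAMPLE_LOGS = """\
2024-03-01T08:00:01 switch01 IF-ERR: GigabitEthernet1/0/3 input errors=2
2024-03-02T08:00:01 switch01 IF-ERR: GigabitEthernet1/0/3 input errors=3
2024-03-03T08:00:01 switch01 IF-ERR: GigabitEthernet1/0/3 input errors=8
2024-03-04T08:00:01 switch01 IF-ERR: GigabitEthernet1/0/3 input errors=21
2024-03-04T08:05:00 switch01 IF-ERR: GigabitEthernet1/0/7 input errors=1
2024-03-01T09:12:44 fileserver AUTH: login user=alice src=10.0.5.21 result=success
2024-03-03T02:41:10 fileserver AUTH: login user=svc_backup src=10.0.9.4 result=success
2024-03-03T02:47:31 fileserver AUTH: login user=jdoe_tmp src=198.51.100.77 result=success
"""

# Assumed inventory: accounts expected to log in, and the address space treated as internal.
KNOWN_USERS = {"alice", "bob", "svc_backup"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

IF_ERR_RE = re.compile(r"^(\S+) (\S+) IF-ERR: (\S+) input errors=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) (\S+) AUTH: login user=(\S+) src=(\S+) result=(\w+)$")


def parse_lines(text):
    """Turn raw log lines into event dicts; lines matching neither pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = IF_ERR_RE.match(line)
        if m:
            ts, host, iface, errors = m.groups()
            events.append({"kind": "if_err", "ts": datetime.fromisoformat(ts),
                           "host": host, "interface": iface, "errors": int(errors)})
            continue
        m = AUTH_RE.match(line)
        if m:
            ts, host, user, src, result = m.groups()
            events.append({"kind": "auth", "ts": datetime.fromisoformat(ts), "host": host,
                           "user": user, "src": ipaddress.ip_address(src), "result": result})
    return events


def find_unexpected_logins(events, known_users, internal_nets):
    """Successful logins by accounts not in the inventory or from outside the internal ranges."""
    alerts = []
    for e in events:
        if e["kind"] != "auth" or e["result"] != "success":
            continue
        reasons = []
        if e["user"] not in known_users:
            reasons.append("unknown account")
        if not any(e["src"] in net for net in internal_nets):
            reasons.append("external source address")
        if reasons:
            alerts.append(f"{e['ts'].isoformat()} {e['host']}: login by {e['user']} "
                          f"from {e['src']} ({', '.join(reasons)})")
    return alerts


def find_degrading_interfaces(events, min_increases=3, growth_factor=2.0):
    """Interfaces whose error count rose on min_increases consecutive samples and whose
    latest sample is at least growth_factor times the previous one: early warning of failure."""
    series = defaultdict(list)
    for e in sorted((e for e in events if e["kind"] == "if_err"), key=lambda e: e["ts"]):
        series[(e["host"], e["interface"])].append(e["errors"])
    findings = []
    for (host, iface), counts in series.items():
        increases = 0  # length of the strictly increasing run ending at the latest sample
        for prev, cur in zip(counts, counts[1:]):
            increases = increases + 1 if cur > prev else 0
        if (len(counts) >= 2 and increases >= min_increases
                and counts[-1] >= growth_factor * counts[-2]):
            findings.append({"host": host, "interface": iface, "counts": counts})
    return findings


def run(text, known_users=KNOWN_USERS, internal_nets=INTERNAL_NETS):
    """Produce the combined list of alerts for a batch of log text."""
    events = parse_lines(text)
    alerts = find_unexpected_logins(events, known_users, internal_nets)
    for f in find_degrading_interfaces(events):
        alerts.append(f"{f['host']} {f['interface']}: error count trending up "
                      f"{f['counts']}, inspect before it fails")
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print("ALERT", alert)
```

On the sample data this raises two alerts: the `jdoe_tmp` login (an account not in the inventory, arriving from an external address) and `GigabitEthernet1/0/3`, whose errors grow 2, 3, 8, 21 across four days while the interface is still passing traffic. In a real deployment the same two checks would read from a log collector and feed a ticketing or paging system; the point of the trend check is that it fires well before the component actually stops working.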

2. Response Plan

When something goes wrong with an organization’s technology, it is easy to tell the organizations that have a proactive security posture from those that don’t. A recent example was a major telecom carrier in North America whose system went down country-wide for a day, during which time virtually no information or updates were provided to millions of users. However, a response plan is more than a communication plan; it is a set of guidelines that support rapid action and effective decision-making under pressure. This type of plan is called an Incident Response Plan (IRP).

In the case of a cybersecurity event:

  • How do we identify the threat?
  • How do we isolate the intruder?
  • How do we eject the intruder?
  • How do we continue to operate as a business?

In the case of physical system failures, like a critical server failure, a non-functional internet connection, or a natural disaster destroying a location:

  • What are your single points of failure?
  • Can you design failover options in those systems?
  • Can you design redundancy options, i.e., have two internet service providers with separate pathways into your facilities?
  • Do you need a physically separate site to transfer over to? If so, how quickly do you need to get it back up (Hot: real-time failover; Warm: live in 24 hours; Cold: live in a week or more)?

If these options are not available, how long will it take the emergency teams to arrive, and do they have what they need to respond?

In all situations, you should specify a communication plan:

  • Who needs to be notified?
  • When do they need to be notified?
  • Where is help going to come from, and how do we reach them?

3. Fire Drills

Having plans and systems in place is important; however, they also need to be practiced and tested. Best practices in IT risk management dictate that the organization’s response plan should be tested through both physical tests, like unplugging a server and seeing if the failover works, and tabletop exercises that walk through the response to an imagined event.

IT Risk Management focuses on reducing the frequency and scope of business disruptions due to IT system security and reliability failures. At the core of IT Risk Management is the art of anticipation and preparation: there are no surprises, just a lack of foresight.