Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
In the realm of cybersecurity, incidents are inevitable. The key to minimizing their impact lies in having a well-coordinated incident handling process. Central to this process is designating one key person and at least one backup who will manage the enterprise’s incident handling. This ensures that incident response and recovery efforts are coordinated and documented efficiently. Whether you rely on internal employees, third-party vendors, or a hybrid approach, having clear roles and responsibilities is essential. This blog post explores the importance of this practice using engaging references from popular culture.
The Role of Key Personnel in Incident Handling
Think of the incident handling process as a mission led by a skilled team. In "The Avengers," Nick Fury coordinates the efforts of the superhero team, ensuring that each member knows their role and that their actions are aligned towards a common goal. Similarly, the designated key person in your incident handling process plays a pivotal role in coordinating and documenting response efforts.
Key Responsibilities:
- Coordination: The key person is responsible for orchestrating the response to an incident. This involves communication with all relevant stakeholders, ensuring that everyone knows their roles and responsibilities, and keeping the response efforts organized.
- Documentation: Just as Hermione Granger meticulously documents spells and strategies in "Harry Potter," the key person must maintain detailed records of all actions taken during an incident. This documentation is crucial for post-incident analysis and continuous improvement.
- Recovery Efforts: In "Jurassic Park," when things go wrong, Dr. Alan Grant coordinates efforts to restore order. Similarly, the key person oversees the recovery process, ensuring that systems are restored, vulnerabilities are addressed, and lessons are learned.
Designating Backup Personnel
In any mission, having a backup plan is essential. In "Star Wars," when one Jedi falls, another is ready to step in. Similarly, designating at least one backup person ensures that the incident handling process is resilient and not dependent on a single individual.
Backup Responsibilities:
- Support: The backup person supports the key person during an incident, helping to manage tasks and communications.
- Redundancy: If the key person is unavailable, the backup steps in to take over their responsibilities, ensuring continuity in the incident handling process.
- Training and Readiness: Backup personnel should receive the same training and have access to the same information as the key person to ensure they are fully prepared to assume the role if needed.
Involving Third-Party Vendors
In some cases, enterprises may rely on third-party vendors for incident handling. This is similar to how organizations in "The Expanse" hire skilled specialists to handle complex situations. If using third-party vendors, it’s crucial to designate at least one person internal to the enterprise to oversee their work.
Internal Oversight Responsibilities:
- Liaison: The internal designee acts as a liaison between the enterprise and the third-party vendor, ensuring clear communication and alignment of goals.
- Quality Assurance: They monitor the third party’s work to ensure it meets the enterprise’s standards and requirements.
- Documentation: They ensure that all actions taken by the third party are documented and integrated into the enterprise’s incident records.
Regular Reviews and Updates
In "Game of Thrones," the Night's Watch regularly reviews and updates their strategies to defend the Wall. Similarly, your incident handling process should be reviewed annually or whenever significant enterprise changes occur. This ensures that the designated personnel and their backups are still relevant and that the process remains effective.
Practical Steps for Implementation
- Clear Designation: Clearly designate the key person and backup for incident handling. Ensure that their roles and responsibilities are well-defined and communicated.
- Training: Provide comprehensive training to both the key person and backup. This should include incident response procedures, communication strategies, and documentation practices.
- Third-Party Coordination: If using third-party vendors, designate an internal overseer. Ensure they are trained to manage and monitor the third party’s work effectively.
- Regular Reviews: Conduct annual reviews of the incident handling process and personnel designations. Update as necessary to reflect any changes in the enterprise or its operations.
Designating a key person and a backup for managing the incident handling process is crucial for effective incident response and recovery. Whether using internal employees, third-party vendors, or a hybrid approach, clear roles and responsibilities ensure that incidents are handled efficiently and effectively. Drawing parallels to popular culture can help make these concepts more relatable and engaging for your workforce.
Start your designation process today and ensure your enterprise is prepared for any incident that comes its way.
Here’s a link to the Incident Response Policy Template provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/incident-response-policy-template-for-cis-control-17
Here are some details on this specific Control/Safeguard. If you want more info, DM me.
CIS Control 17 – Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
Implementation Group 1
CIS Safeguard 17.1 - Designate Personnel to Manage Incident Handling
Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard.