What’s Your Incident Response Maturity?
Business leaders often wonder how they measure up against their peers for a variety of business and technology topics. I am routinely asked about the maturity of their information security incident response program and how they relate to other organizations in their industry. I don’t tend to measure one organization against another because an organization’s ability to respond to and manage a cyber security incident is relative to each organization and their assets in relation to their risk appetite and application laws and/or regulations.
It is impossible to implement enough safeguards and controls to completely protect an organization against all threats and cyber security incidents. There is a trade-off between risk and resources and sometimes, the threats are realized. With our growing reliance on Internet communications and services, cloud solutions, and mass data storage, security incidents are increasing in the number of records involved and people affected.
Cyber security incidents represent the worse case scenario has been realized by an organization. Damage to an organization’s reputation and the material costs can be catastrophic. Based on experience, we know the first 24 hours after an incident is detected, it is critical how the organization responds and manages the many variables. The scale below will help you get an idea of your organization’s maturity for incident response when the worse case scenario is realized.
Incident Response Maturity Scale
Using my incident response maturity scale you can consider all of the variables in your organization and leverage this scale to identify how mature your cybersecurity breach and incident response program is relative to your risk appetite and tolerance.
0 – Aware, but no measurable actions taken.
1 – An Incident Plan may partially exist, but not repeatable.
2 – Incident Plan is documented, but response is inconsistent, eradication is the focus, and no postmortem analysis and training.
3 – Incident Response Plan is documented, repeatable, and postmortem learning is documented, but scope is contained to quick eradication.
4 – A comprehensive Incident Response Program is in place, tested routinely, and postmortem is conducted. Forensic evidence is properly collected for analysis and integration with proper law enforcement has been established.
5 – A dedicated team of knowledgeable and trained incident response professionals are part of the formal Incident Response Program. The team is able to monitor an active incident and they execute a methodical strategy to identify the source, root causes, and they pursue eradication and containment based on established risk protocols.
I always welcome your input and comments.
Read More: Tim’s Security Blog