Today, I will be going over Control 19 from version 7 of the top 20 CIS Controls – Incident Response and Management. I will go through the eight requirements and offer my thoughts on what I’ve found.
Key Takeaways for Control 19
- Most of the same. Control 19 remains relatively intact from the previous version of the controls. The notable difference is the addition of section 8 regarding a scoring mechanism for handling incidents.
- Plan and Test. The overall theme of this section is to make sure you plan and test for an event before it happens. As with any emergency, you don’t want to be figuring things out on the fly.
Requirement Listing for Control 19
1. Document Incident Response Procedures
Description: Ensure that there are written incident response plans that defines roles of personnel as well as phases of incident handling/management.
Notes: Define what needs to be done when an incident happens. It’s likely the first time you make a pass at this that roles and responsibilities will be left out. Follow guidance from someone like NIST on defining what these roles and responsibilities will be.
2. Assign Job Titles and Duties for Incident Response
Description: Assign job titles and duties for handling computer and network incidents to specific individuals and ensure tracking and documentation throughout the incident through resolution.
Notes: After completing section 1, you’ll need to assign bodies to the roles and responsibilities. Don’t be afraid to have a single person responsible for multiple roles. However, be wary that you shouldn’t overburden a single person in the event of an emergency.
3. Designate Management Personnel to Support Incident Handling
Description: Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Notes: The management personnel in an incident response case may not necessarily be a people manager in their everyday role. This person will be in charge of making decisions about handling an incident during the incident response lifecycle. Without this, you may be left with “too many cooks in the kitchen.”
4. Devise Organization-wide Standards for Reporting Incidents
Description: Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Notes: This has much less to do with defining the time limits for reporting an incident since you want them reported as soon as possible. I see this section as creating the plumbing for anyone in the company to be able to properly report an incident as well as making employees aware of this process. You want everyone in the company to be responsible for the security of your network, not just the information security team.
5. Maintain Contract Information For Reporting Security Incidents
Description: Assemble and maintain information on third-party contract information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and ISAC partners.
Notes: While it’s important to have this information on hand, it’s more important to establish these relationships before they are warranted. Joining your industries ISAC and applying to be part of your local FBI Infragard will help build these relationships. They are also a great way to leverage the collective knowledge of the industry in furthering your security posture.
6. Publish Information Regarding Reporting Computer Anomalies and Incidents
Description: Publish information for all workforce members regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.
Notes: Similar to section 4, it is critical to make sure everyone in the company can be part of the security team.
7. Conduct Periodic Incident Scenario Sessions for Personnel
Description: Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real world threats. Exercises should test communication channels, decision making, and incident responders technical capabilities using tools and data available to them.
Notes: Table top scenarios are a great way to make sure the plan works, at least on paper. There are going to be things you will find when responding to an actual incident that you will not find in a table top scenario, but there will be far fewer surprises if you test the plan ahead of time.
8. Create Incident Scoring and Prioritization Schema
Description: Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Notes: New for version 7. Not all incidents are created equally. There will be events that hit business critical systems, while others could be a ransomware outbreak on the receptionist’s computer. While both need to be responded to, it’s important to be able to have a way to triage cases so energy is focused on those which will impact the business the most.
See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber attack vectors by downloading this guide here.
Read more about the 20 CIS Controls here:
Control 20 – Penetration Tests and Red Team Exercises
Control 19 – Incident Response and Management
Control 18 – Application Software Security
Control 17 – Implement a Security Awareness and Training Program
Control 16 – Account Monitoring and Control
Control 15 – Wireless Access Control
Control 14 – Controlled Access Based on the Need to Know
Control 13 – Data Protection
Control 12 – Boundary Defense
Control 11 – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Control 10 – Data Recovery Capabilities
Control 9 – Limitation and Control of Network Ports, Protocols, and Services
Control 8 – Malware Defenses
Control 7 – Email and Web Browser Protections
Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs
Control 5 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control 4 – Controlled Use of Administrative Privileges
Control 3 – Continuous Vulnerability Management
Control 2 – Inventory and Control of Software Assets
Control 1 – Inventory and Control of Hardware Assets
You can also learn more about the CIS controls here.