We’ve seen an uptick in ransomware attacks recently making organizations assess their Incident Response (IR) procedures. Many organization’s will rely on their MSP’s IR plan or Run Book. While it’s important that an MSP has proper IR procedures it’s equally important to have an internal plan should your organization experience a ransomware attack.
There are many things to consider for your internal IR plans. Having a document that lays out instructions and responsibilities is important in handling an incident efficiently. The following are just some of the questions that should be answered by your IR policies and procedures:
- Which vendors need to be contacted?
- Who is responsible for contacting them and what information is needed?
- How will the incident be documented?
- Who will be assisting?
- Legal Council
- A Compliance Committee
- Privacy Officer
- Forensics Services
- When should an incident be reported to management and proper authorities?
- Who is responsible for reporting to management and proper authorities?
After getting your IR policies and procedures documented the next step is to test them. During the tests and exercises, be sure to take notes on which steps worked and what needs to be revamped. Then revisit your IR procedures and make the appropriate adjustments based on your findings. It’s also important that your team is properly trained on how to handle an incident. Testing and exercises are a great way to find which holes in your team’s knowledge need to be addressed.