What Do You Mean You Aren't Testing Your Incident Response Plan?
Brian Toevs
Jenny Roland-Vlach, CISM, Compliance Analyst – Jack Henry & Associates
As part of the Jack Henry & Associates Gladiator IT Regulatory Compliance group, I have had the opportunity to have some interesting conversations with customers, and I have noticed one topic in particular that keeps popping up: Incident Response Plan testing. The questions I am most often asked about testing are these: "We don't test our Incident Response Plan, can we remove the section on how to test it?", "Is testing something we are supposed to be doing, since we already test our Disaster Recovery Plan?" and "The Senior Management of my institution just asked me how we plan to respond to a particular attack, what do I tell them?"
The first few times those questions were posed to me I was genuinely surprised. Unfortunately, hearing those types of questions about response plan testing has become more routine. However, as a former banker myself, I realize that community bankers wear a multitude of hats, and incident response plan testing probably is not at the top of their priority list. If we are being honest with ourselves, it is probably not the most exciting thing either.
Having said that, testing your incident response plan is something that should become a top priority for any financial institution. Why? If the plan has never been tested, how else will you know that it will work during a real incident, and work in the manner you need it to? Having a plan in place is an absolute necessity, but it has to go beyond that. You have to ensure that when the time comes for your financial institution to follow its response plan, the plan will actually be of benefit to you. Discovering in the middle of an incident that it does not quite work the way you hoped will complicate matters even more for you and your team. Not only can it complicate your response actions, but think of the potential damage to your financial institution's reputation. Assurance of effectiveness aside, there is another driving factor in why financial institutions should be testing their plans: FFIEC guidance strongly encourages at least annual testing of your Incident Response Plan to ensure it remains consistent with business continuity guidelines.
So, for those readers who may have never tested their Incident Response Plan, or for whom it has just been a while, what is the best way to go about testing? Your first step is to assemble your Incident Response Plan team members. If you have never put a team together, now would be a great time to do so. Each team member should have certain responsibilities during an incident, and testing gives you a chance to validate their response capabilities. Next, decide what types of scenarios you want to cover in your test. Generally, it is a good idea to include scenarios of varying severity levels and types. For example, you could have a scenario where a file is stolen from a CSR's desk, or a malware infection on your network. Given the increasing attention it receives, a DDoS attack would also be a viable scenario. I have worked with financial institutions that have also used real incidents they experienced in the past as their test scenarios.
Once you have all the appropriate people involved and you have decided what type of scenario you want to test, you can move forward with the actual testing. Follow the steps laid out in your Incident Response Plan, just as you would for a real incident. Remember to note any issues that come up during the test: perhaps some of your steps need to be reordered (are you trying to proceed with remediation before you have contained the incident?), or perhaps you discover that a step is missing altogether. These can all be addressed after you are finished to improve your plan for the future. If you can, use some sort of worksheet to record the entire test. Evaluate what worked, what did not work and what could be done differently.
Hopefully Incident Response Plan testing does not sound so painful to you anymore. Remember that testing your plan at least annually will make life much easier for you in the long run. As always, feel free to leave comments on your experiences, or any questions you might have.
Jenny Roland-Vlach is a Compliance Analyst, Advanced for Jack Henry & Associates' Gladiator IT Regulatory Compliance group. In her current role, she is responsible for assisting financial institutions with developing and maintaining their IT and Information Security related policies and risk management efforts. She has 13 years' experience working both in and with community financial institutions and holds the CISM designation. Opinions expressed in this blog are solely the author's and do not necessarily reflect those of Jack Henry & Associates, Inc.