Developing an effective cyber security incident response capability is vital. However, it needs to be recognised that responding effectively to a cyber security incident should be seen as part of a comprehensive cyber security framework and then the overall business continuity plan (BCP).
The BCP is the ultimate guide to how the organisation ensures it understands what risks it faces, prioritises them, and then develops strategies to mitigate them. These risks span political instability, fire, flood, industrial action, to cyber risk.
An integral part of the BCP is the cycle of creating realistic exercises to ensure the plans do actually work and that they are constantly updated and improved.
By embedding the incident response plan into the BCP, therefore, cyber security risks are formally identified and mitigation strategies created. A key point is that incident response is integrated into the business process framework to ensure disruptions are minimised − a cyber incident cannot be seen in isolation.
The impact of cyber security incidents on the business as a whole has to be considered and alternative processes put in place, while communicating with internal and external stakeholders is critical.
By treating incident response as part of the BCP, the organisation will make strides towards mitigating risks and enhancing resilience. Its ability to respond to incidents will also be greatly enhanced.
ICT is so central to business that keeping it safe and honing the ability to respond to incidents has become existential.
In particular, the danger of treating incident response as a goal rather than an ongoing process of testing and refinement can be avoided, and a proactive posture becomes second nature.
By integrating cyber security incident response into the cyber security strategy and BCP, it will be mandatory to update and test the incident response plan.
Keeping the regulators happy
At this point, it's important to note that South Africa has specific regulations that require an organisation to have a cyber security incident response plan.
Regulators are focused on ensuring the protection of personal or other sensitive data, and so want to ensure organisations have a credible plan in place to respond to data breaches and any other cyber security incidents in a timely and effective way.
The most important local regulation is the Protection of Personal Information Act (POPIA). It requires organisations to take appropriate, reasonable, technical and organisational measures to prevent unlawful access to, or processing of, personal information.
This includes having a cyber security incident response plan to manage and respond to data breaches or any compromise of personal information. Under POPIA, organisations must notify the Information Regulator and the affected individuals as soon as reasonably possible after discovering a data breach.
An effective incident response plan is critical in ensuring compliance with these notification requirements.
Organisations should also bear in mind the National Cyber Security Policy Framework (NCPF). Although it's not regulatory in nature, the NCPF establishes South Africa's approach to cyber security, and encourages the development of incident response capabilities and the establishment of a National Cyber Security Incident Response Team.
The NCPF highlights the importance of having incident response mechanisms in place at both the organisational and national levels.
King IV, the current version of the King Report on Corporate Governance, also comes into the picture. Principle 12 requires the governing body to “govern technology and information in a way that supports the organisation setting and achieving its strategic objectives”. It also requires risk to be governed effectively.
Of particular note are Recommended Practice 13 (c) and (d), which demand that the governing body implement arrangements to provide for business resilience, and ensure proactive monitoring “to identify and respond to incidents, including cyber attacks and adverse social media events”.
Of course, organisations that do business internationally also need to bear in mind the similar requirements of other regulations; for example, the General Data Protection Regulation in the European Union.
In summary, ICT is now so central to business that keeping it safe and honing the ability to respond to incidents has become existential.
Integrating incident response into the overall cyber security framework and strategy within the context of the business continuity plan ensures the cyber security incident response plan becomes part of the organisation's living set of processes to build its resilience.
The specifics of responding to a cyber security incident are supported by a comprehensive strategy that covers the business processes, a cycle of continuous improvement and, crucially, a crisis communications plan.
Incident response becomes part of the organisation's drive to make itself resilient − vitally important in an increasingly threatening world.
Share