September/October 2009
Focus: Information Systems & Security

Security 101: Building a Computer Security Incident Response Plan (CSIRP) for Banks

By Kristen Flerl

What is the purpose of having a CSIRP?

Being well prepared to react to an incident is essential to the security of both your bank and your customers. A CSIRP serves as a guide for analyzing and containing threats in an efficient and thorough way; this, in turn, allows a bank to better prepare for future attacks. Specifically, following a CSIRP will help you:

  • Determine what happened
  • Determine how it happened
  • Assess the impact/damage
  • Contain the incident to prevent further damage
  • Recover from the incident
  • Prevent similar information security incidents in the future
  • Identify the attacker (if possible)
  • Document the incident

How do you prepare a CSIRP?

A critical component of creating a CSIRP that best fits your bank's needs is striking a balance between thoroughness and usability. While you want to be as prepared as you can be, it is next to impossible to anticipate every kind of threat. Even if preparing for every possibility were feasible, the number of procedures needed to cover such an extensive range of possibilities would render the CSIRP unusable in practice.

An important thing to remember while preparing your CSIRP is that you don't have to reinvent the wheel: best-practice frameworks are already available, and tailoring one of them to your bank produces a more efficient plan than starting from scratch. These frameworks outline the tasks of each member of the CSIRP team, which you can then map onto your bank's employees. Take advantage of these resources to supplement your own plan.

The first step in preparing a CSIRP is creating a list of priorities to guide your response activities. These priorities establish the overall goal of your bank during a crisis. A bank, for example, must consider the safety of its customers first during a crisis, so when an incident occurs, customer safety must be the top priority, and the remaining priorities should be ordered accordingly.

After you have established a thorough set of priorities, the next step in preparing your CSIRP is outlining a broad plan of action for the most common incident situations your bank might encounter. This plan should include guidelines for both incident response and incident recovery; however, it is important to build flexibility into the plan of action, since no two situations will be completely identical. This step is integral to developing an efficient CSIRP: a clear plan of action eliminates confusion about the order of priorities when an incident is under way.

Finally, a CSIRP should define the responsibilities and tasks of employees to avoid delay and misunderstanding during the response and recovery process. The priorities and plan of action established earlier cannot be carried out without the right people in place to take action. Specific roles, along with specific levels of authority, should be assigned to everyone involved in the response process. Additionally, it is important to establish a chain of command that members of the CSIRP team follow in their decision-making; this allows the proper approvals to take place in a timely manner so you can mitigate the incident as quickly as possible.

How do you review and test your CSIRP?

After you have established and prepared your CSIRP, regular testing and review are necessary to ensure that your processes serve your bank and customers as effectively as possible. Reviews should be conducted at least annually, as well as after each incident. Tabletop exercises are an effective way to test your response team against a variety of broad situations: gather your team for a review and walk them through a fictional but plausible scenario, asking them what their next steps would be and how they would fulfill their individual responsibilities.

Walking through your CSIRP with some of the key personnel absent is also a good way to make sure your team is familiar with both the chain of command and the individual processes. A CSIRP often relies too heavily on one member of the team, and if that person is unavailable during a real incident, the rest of the team needs to be able to fill the gap.

Kristen Flerl is public relations specialist for SecureWorks. She can be reached at 404-417-3712 or KFlerl@secureworks.com. SecureWorks is a WIB-endorsed Value & Income Program (VIP) Partner.