Training Your Incident Response Team
PCI Requirement 12.10.4 requires that your organization provides appropriate training to staff with security breach response responsibilities. One type of training that we recommend is table-top incident response exercises. Experts suggest that participating in table-top exercises to simulate a real-world scenario is the best way to prepare and test your incident response plan. When facilitating these exercises at your organization, be sure that the employees understand the purpose for conducting the exercises. They should understand that participating in these exercises will help determine if everyone can hypothetically talk through their respective functions during an incident and be sure everyone fully understands their role when responding to an actual incident.
The facilitator should present a scenario and from there, participants will engage in a discussion that focuses on roles, responsibilities, coordination, and decision-making during an incident. Prepare several scenarios in advance that will address specific areas of your Incident Response Plan you wish to test. Some sample scenarios include:
- During a routine evaluation of system logs, an administrator discovers that company data has been obtained by an unauthorized user account.
- A remote user has lost his/her laptop containing stored sensitive company data.
- After a recent move, it has been discovered that a locked cabinet containing sensitive company data is missing.
- A former employee, disgruntled after employment termination, has realized that he/she still has remote access to the company’s server and decides to infect the system with a virus.
To verify compliance with PCI Requirement 12.10.4, an assessor will interviews of personnel and observe training policies.
You’re required to provide appropriate training to staff with security breach response responsibilities. Once again, we’re looking for some type of evidence that you trained your staff and what were the things that you trained your staff for. We’re also looking to see that there’s some type of marriage between what you’ve trained them and your actual documented incident response program.