Modifying Your Incident Response Plan
Your incident response plan should be easy to modify so that it stays as thorough and up to date as possible. PCI Requirement 12.10.6 says, “Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.” This is a management exercise to analyze what could have been done better during incident response and to keep your incident response plan current and able to react to emerging threats and security trends.
PCI Requirement 12.10.6 states that after you have an incident, or after you’ve practiced your incident response plan, you have “lessons learned.” Understand that this is not about whether Johnny did well and Susie did badly; it is a management exercise to identify what you did well and what you could have done better. It’s meant to evolve your practice to the next level. We look for evidence that you perform this process of evaluation, and that you look at the new incidents and types of events that could impact you. We also make sure that your organization has this documented as a requirement after an incident or a practice incident response, and that you retain evidence of it occurring.