Incident Response Plans
PCI Requirement 12.10 requires organizations to implement an incident response plan and be prepared to respond immediately to a system breach. Incident response plans are incredibly important to business continuity, and we believe that organizations should spend more time developing and testing their plan. The absolute worst thing that could happen in the event of an incident is no one knowing what to do next.
There are six basic steps to follow when creating an incident response plan:
- Preparation – How are you currently preparing for a security incident? What are you doing to prevent an incident? How are you limiting the impact of an incident? Have you tested policies and procedures?
- Detection and Identification – How would you identify an incident? How do you report an incident? How do you detect malicious activity? Do you have a specific team dedicated to incident response?
- Containment – Have the appropriate personnel been notified? What evidence should be collected? Have you fully assessed the scope of the damage? How can you prevent further damage?
- Remediation – Do you have backups in place? Has a complete forensic analysis been performed? Have you cleaned the system? Can you make changes to prevent a repeat incident? How can you test the changes?
- Recovery – Have you securely restored the system? Do you have continuous monitoring in place to ensure the problem is resolved? Have you replaced any lost files from backups?
- Lessons Learned – What happened? What gaps can you now identify and remediate? Have you regained your consumers’ confidence? Have you reviewed policies and procedures to prevent future attacks?
PCI Requirement 12.10 requires organizations to implement an incident response plan so that confusion and the lack of a unified response do not create further downtime for the business, unnecessary public media exposure, or new legal liabilities.
PCI Requirement 12.10 is rather short, sweet, and simple. It says that you need to implement an incident response plan and be prepared to respond immediately to a system breach. This is another one of those controls where organizations really ought to spend a lot more time developing and correcting their plan. The last thing that you want to have happen in the event of a breach is everyone standing around and wondering, “What do we do next?” This program needs to be tested and fully documented. There are a lot of things that the PCI DSS calls out as they relate to the incident response program, but as part of this particular assessment, your assessors are going to ask you for a copy of your incident response program and make sure that it contains the attributes that are called out within the rest of the requirement.