SOC 2 Academy: Testing Your Incident Response Plan

by Joseph Kirkpatrick / March 8th, 2019

Common Criteria 7.4

When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 7.4 says, “The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.” While we’ve already discussed why it’s important to establish incident response teams and how organizations can comply with common criteria 7.4, there’s one component of this criterion that we’d like to emphasize: the importance of testing the incident response plan.

Why Do You Need to Test Your Incident Response Plan?

No plan works the way it’s supposed to without a little practice. An organization’s incident response plan might look perfect on paper, but what happens when a security incident actually occurs and it’s time to put that plan into action? The incident response team members might get confused or miss a critical step in the recovery process. To ensure that the incident response plan resolves the security incident as smoothly as possible, organizations should practice it at least annually.

Let’s look at the following scenario as an example of how organizations can comply with common criteria 7.4. An organization wants to make sure that their incident response plan has all of the kinks worked out because they know that security incidents are unavoidable and want to be best prepared. They decide to hold an annual incident response training with their incident response team members where they review three possible scenarios: malware has attacked their network, an employee fell victim to a phishing attack, and a former employee stole sensitive data before resigning. While there is no telling if any of these scenarios will actually occur at that organization, having the incident response team members practice responding to different scenarios allows them to learn how to adapt the incident response plan to different situations.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

More Incident Response Resources

What is an Incident Response Plan? The Collection and Evaluation of Evidence

Incident Response Planning: 6 Steps to Prepare Your Organization

Business Continuity and Disaster Recovery: How to Avoid a Crash Landing

I know sometimes people roll their eyes when auditors come along because we make you go through all these methods, like annual risk assessments, annual disaster recovery tests, and a business continuity and incident response test. Clients often ask, “Can we consolidate these things? Can we just check a box somewhere?” We hope you understand that the reason why we push for these things is because each one of these things is important. I specifically want to address common criteria 7.4 and why an incident response test is so critical. If people on your team are not used to responding to incidents on a daily basis – and that’s most of our customers because they don’t have a group of people in an environment where there’s an incident every day, and they’re just getting more knowledgeable, stronger, and better every day – these incidents that rise to the level of critical only happen a couple of times a year, so you’ve got people on the team who aren’t very well practiced or versed in that. What’s the value of an incident response test once a year? It’s an opportunity to go into the conference room, sit down, take three scenarios, and walk through them with your incident response team. For example, you might give a scenario where X data was stolen or one of your former employees left and their using information that they took with them to try and attack your systems. You’d want to walk through these scenarios and ask questions like: what would we do here? How do we respond? What type of resources do we need? What kind of tools would we employ? The reason this is so valuable is because even if that specific example doesn’t happen in real life, some element of what you’ve practice will come up during a real-life situation. When this happens, you’ll be very thankful that you’ve figured out some resources that you can call during the heat of the moment, and you’ve identified some tools that you could have at your disposal to help out with incident response. Ultimately, doing an incident response test every year shouldn’t just be a motion that you go through to satisfy an auditor. It really should be real practice to prepare your people for the real thing. Think about your next incident response test and how you can make it better, so that you can learn from it and be better prepared for the real situation.