Business continuity management handbook: Incident response planning update

An updated version of the February 2015 Federal Financial Institutions Examination Council (FFIEC) Business Continuity Planning booklet was released in November 2019. The new version, now titled Business Continuity Management (BCM) Information Technology (IT) Handbook, focuses on enterprise-wide approaches that address technology, business operations, testing, and communications strategies critical to the continuity of the entire entity. One major change is the inclusion of a section dedicated to incident response.   

The goal

Incident response planning is aimed at preparation and training. The goal of an incident response plan is to help minimize the loss of institution data and reduce disruption to services as a result of an adverse event. Priorities that should be considered in an incident response plan should include:

• Preservation of life
• Preservation of property
• Incident stabilization
• Communication with stakeholders

Use of social media

While the necessity of designating a point person for formulating press releases and speaking with media is understood and accepted, the use of social media must also be addressed. Often representatives from media check an institution’s social media platform for information on an incident that may be occurring or has occurred at the institution. Having predetermined communications for social media that have been approved by senior management and the board of directors can help to ensure timely communications. 

Training and Involvement

As with any process that is implemented in an institution, training is an integral component. Management should train personnel on the institution’s incident response plan. The key groups of individuals and entities to be involved in the training are:

• Those responsible for detection and monitoring.
• Individuals assisting in managing the incident (both employees and third parties).
• Media and stakeholder communications representatives.

Cyber and third-party forensics services

While an incident involving the loss or exposure of the institution’s data due to breach of confidentiality, integrity, or availability may occur in many different forms, analysis of events shows a large percentage of incidents are related to cyber threats. The National Institute of Standards and Technology (NIST) defines a cyber threat as “an event or condition that has the potential for causing asset loss and the undesirable consequences or impact from such loss.”   The updated BCM IT Handbook acknowledges the challenges to attaining true cyber resilience with the potential broad and continuously increasing reach of cyber threats. Therefore, the guidance recommends resilience measures that are flexible and have the ability to adapt to a diverse range of events.  

Testing – Performing the “exercise”

Testing of any plan or process is imperative. A productive method of testing the institution’s ability to effectively respond to an event involving the security of the institution’s data is the tabletop test. A tabletop exercise is a process where a group is gathered to run a pre-determined incident scenario using the written incident response plan as the playbook. Once complete, the team’s strengths and weaknesses can be quantified. Also, the testing exercise will result in having attained the proverbial “two birds with one stone,” as validation and training of key staff are both accomplished through the exercise. While tabletop tests are highly effective for honing the institution’s incident response preparations, the updated BCM IT Handbook encourages the establishment of multi-year testing strategies to encompass all areas of the institution’s business continuity planning.

Preventing versus curing

There is a quote by Benjamin Franklin that states “An ounce of prevention is worth a pound of cure.” This is especially true for business continuity testing and cybersecurity resilience due to the heavy impact an incident can have on an institution today. Methods of prevention include an effective patch management strategy, virus protection, security monitoring and comprehensive security awareness training. In addition to tabletop tests of the institution’s incident response plan, testing strategies should incorporate social engineering, penetration testing, vulnerability scanning and IT controls reviews. 

Please contact James Marks at 815.626.1277 or by email at jmarks@wipfli.com to discuss how Wipfli can help you with these and other prevention methods.