Incident Response Plan


Document Control

Document Owner: Gareth Jones
Last updated: April 26, 2022
Executive Summary

To maintain the trust of our employees, customers, and partners and meet regulatory requirements, it is essential that we do everything we can to protect confidential information and systems in the face of a cyberattack. The better prepared we are to respond to a potential cyberattack, the faster we can eradicate any threat and reduce the impact on our business. 

This document describes the plan for responding to information security incidents at Sparrow Connected Inc. This document will explain how to detect and react to cybersecurity incidents and data breaches, determine their scope and risk, respond appropriately and quickly, and communicate the results and risks to all stakeholders. 

Effective incident response involves every part of our organization, including IT teams, legal, technical support, human resources, corporate communications, and business operations. It is important that you read and understand your role as well as the ways you will coordinate with others.  

This plan will be updated annually to reflect organizational changes, new technologies and new compliance requirements that inform our cybersecurity strategy. We will conduct regular testing of this plan to ensure everyone is fully trained to participate in effective incident response. 

 

Roles, Responsibilities & Contact Information

This Security Incident Response Plan must be followed by all personnel, including all employees, temporary staff, consultants, contractors, suppliers and third parties operating on behalf of Sparrow Connected Inc. For the purposes of this document all personnel are referred to as ‘staff’. 

Below are details about the roles and responsibilities of each member of Sparrow Connected Inc. in preventing and responding to a workplace incident. It is not an exhaustive list of duties but is designed to give each employee a general understanding of their role and the roles of other employees in incident response and prevention. 

 

Overview

The Incident Response Lead is responsible for: 

  • Making sure that the Security Incident Response Plan and associated response and escalation procedures are defined and documented. This is to ensure that the handling of security incidents is timely and effective. 
  • Making sure that the Security Incident Response Plan is current, reviewed and tested at least once each year. 
  • Making sure that staff with Security Incident Response Plan responsibilities are properly trained at least once each year. 
  • Leading the investigation of a suspected breach or reported security incident and initiating the Security Incident Response Plan when needed. 
  • Reporting to and liaising with external parties, including pertinent business partners, legal representation, law enforcement, etc., as is required. 
  • Authorizing on-site investigations by appropriate law enforcement or third-party security/forensic personnel, as required during any security incident investigation. This includes authorizing access to/removal of evidence from site. 

Security Incident Response Team (SIRT) members are responsible for:  

  • Making sure that all staff understand how to identify and report a suspected or actual security incident. 
  • Advising the Incident Response Lead of an incident when they receive a security incident report from staff. 
  • Investigating and documenting each reported incident. 
  • Taking action to limit the exposure of sensitive data and to reduce the risks that may be associated with any incident. 
  • Gathering, reviewing, and analysing logs and related information from various central and local safeguards, security measures and controls.  
  • Documenting and maintaining accurate and detailed records of the incident and all activities that were undertaken in response to an incident. 
  • Assisting law enforcement during the investigation processes. This includes any forensic investigations and prosecutions.  
  • Initiating follow-up actions to reduce likelihood of recurrence, as appropriate. 
  • Determining if policies, processes, technologies, security measures or controls need to be updated to avoid a similar incident in the future. They also need to consider whether additional safeguards are required in the environment where the incident occurred. 

 All staff members are responsible for: 

  • Making sure they understand how to identify and report a suspected or actual security incident. 
  • Reporting a suspected or actual security incident to the Incident Response Lead (preferable) or to another member of the Security Incident Response Team (SIRT). 
  • Reporting any security related issues or concerns to line management, or to a member of the SIRT. 
  • Complying with the security policies and procedures of Sparrow Connected Inc. 

The Sparrow team is constantly looking at opportunities to raise our level of redundancy and increase our robustness. As we examine new technologies and look at our ever-growing options, we revisit the changes in the needs of our customers to see how we can exceed expectations.  

 

Roles & Responsibility Matrix

Each entry below lists the role, its responsibilities, and its contact details, grouped by function.

Technical

Role: CTO/CISO 
Responsibility: 
  • Strategic lead. Develops the technical, operational, and financial risk ranking criteria used to prioritize the incident response plan. 
  • Authorizes when and how incident details are reported. 
  • Main point of contact for the executive team and Board of Directors. 
Contact Details: Name: Gareth Jones; Email: gareth.jones@sparrowconnected.com 

Role: Security Team 
Responsibility: 
  • Central team that authorizes and coordinates incident response across multiple teams and functions through all stages of a cyber incident. 
  • Maintains the incident response plan, documentation, and catalog of incidents. 
  • Responsible for identifying, confirming, and evaluating the extent of incidents. 
  • Conducts random security checks to ensure readiness to respond to a cyberattack. 
  • Responsible for privilege management, enterprise password protection and role-based access control. 
  • Discovers, audits, and reports on all privilege usage. 
  • Conducts random checks to audit privileged accounts, validate whether they are required, and re-authenticate those that are. 
  • Monitors privileged account usage and proactively checks for indicators of compromise, such as excessive logins or other unusual behavior. 
  • Informs the incident response team of potential attacks that compromise privileged accounts; validates and reports on the extent of attacks. 
  • Takes action to prevent the spread of a breach by updating privileges. 
  • Provides security bulletins and technical guidance to employees and customers in case of a breach, including required software updates, password changes, or other system changes. 
Contact Details: Name: Sparrow Security; Email: security@sparrowconnected.com 

Role: IT Operations & Support Team 
Responsibility: 
  • Manages access to systems and applications for internal staff and partners. 
  • Centrally manages patches, hardware and software updates, and other system upgrades to prevent and contain a cyberattack. 
Contact Details: Name: Sparrow Support; Email: support@sparrowconnected.com 

Compliance

Role: CTO/CISO, in consultation with external Legal Counsel 
Responsibility: 
  • Confirms requirements for informing employees, customers, and the public about cyber breaches. 
  • Responsible for checking in with local law enforcement. 
  • Ensures the IT team has legal authority for privileged account monitoring. 
  • Communicates with regulatory bodies, following mandated reporting requirements. 
  • Coordinates internal employee communications regarding breaches of personal information and responds to questions from employees. 
Contact Details: Name: Gareth Jones; Email: gareth.jones@sparrowconnected.com 

Communications

Role: Web & Social Media Lead 
Responsibility: 
  • Posts information on the company website, email, and social media channels regarding the breach, including our response and recommendations for users. 
  • Sets up monitoring across social media channels to ensure we receive feedback or questions sent by customers through social media. 
Contact Details: Name: Karen Yao; Email: karen.yao@sparrowconnected.com 

Executive

Role: CEO 
Responsibility: 
  • Communicates externally with customers, partners, and the media. 
  • Coordinates all communications and requests for interviews with internal subject matter experts and the security team. 
  • Maintains draft crisis communications plans and statements which can be customized and distributed quickly in case of a breach. 
Contact Details: Name: Chris Izquierdo; Email: chris.izquierdo@sparrowconnected.com 

 

 

Testing and Updates

Annual testing of the Incident Response Plan using walkthroughs and practical simulations of potential incident scenarios is necessary to ensure the SIRT members are aware of their obligations, unless real incidents occur which test the full functionality of the process. 

  1. The Incident Response Plan will be tested at least once annually.  
  2. Incident Response Plan testing will exercise Sparrow Connected Inc.’s response to potential incident scenarios to identify process gaps and areas for improvement. 
  3. The SIRT will record observations made during the testing, such as steps that were poorly executed or misunderstood by participants and those aspects that need improvement. 
  4. The Incident Response Lead will ensure the Security Incident Response Plan is updated and distributed to SIRT members. 

 

Incident Response Process

Overview

Below is the structured 6-step process followed in this document as defined by the SANS Institute in their Incident Handler’s Handbook. The six steps outlined are: 

  1. Preparation—review and codify an organizational security policy, perform a risk assessment, identify sensitive assets, define which are critical security incidents the team should focus on, and build a Computer Security Incident Response Team (CSIRT). 
  2. Identification—monitor IT systems and detect deviations from normal operations and see if they represent actual security incidents. When an incident is discovered, collect additional evidence, establish its type and severity, and document everything.  
  3. Containment—perform short-term containment, for example by isolating the network segment that is under attack. Then focus on long-term containment, which involves temporary fixes to allow systems to be used in production, while rebuilding clean systems. 
  4. Eradication—remove malware from all affected systems, identify the root cause of the attack, and take action to prevent similar attacks in the future. 
  5. Recovery—bring affected production systems back online carefully, to prevent additional attacks. Test, verify and monitor affected systems to ensure they are back to normal activity. 
  6. Lessons learned—no later than two weeks from the end of the incident, perform a retrospective of the incident. Prepare complete documentation of the incident, investigate the incident further, understand what was done to contain it and whether anything in the incident response process could be improved. 

 

Incident Response Checklist

To demonstrate and improve the effectiveness of Sparrow Connected Inc.’s incident response team and security tools, Sparrow Connected Inc. requires a record of all actions taken during each phase of an incident. Supporting documentation is required, including all forensic evidence collected such as activity logs, memory dumps, audits, network traffic, and disk images.  

For every action listed below, the record must capture the Team Member/System responsible, the Day/time, and the Action Taken. The actions are grouped by phase of the cyber incident.

Incident Discovery and Confirmation 

  • Describe how the team first learned of the attack (security researcher, partner, employee, customer, auditor, internal security alert, etc.). 
  • Analyze audit logs and security applications to identify unusual or suspicious account behavior or activities that indicate a likely attack, and confirm that an attack has occurred. 
  • Describe the potential attacker, including known or expected capabilities, behaviors, and motivations. 
  • Identify the access point and source of the attack (endpoint, application, malware downloaded, etc.) and the responsible party. 
  • Prepare an incident timeline to keep an ongoing record of when the attack occurred and subsequent milestones in analysis and response. 
  • Check applications for signatures, IP address ranges, file hashes, processes, executable names, URLs, and domain names of known malicious websites. 
  • Evaluate the extent of damage upon discovery and the risk to systems and privileged accounts. Audit which privileged accounts have been used recently, whether any passwords have been changed, and what applications have been executed. (See Appendix A for more information on Threat Classification.) 
  • Review your information assets list to identify which assets have been potentially compromised. Note the integrity of assets and evidence gathered. (See Appendix A for more information on Threat Classification.) 
  • Diagram the path of the incident/attack to provide an “at-a-glance” view from the initial breach to escalation and movement tracked across the network. 
  • Collect meeting notes in a central repository to use in preparing communications with stakeholders. 
  • Inform employees regarding discovery. 
  • Analyze incident Indicators of Compromise (IOCs) with threat intelligence tools. 
  • Potentially share information externally about breach discovery. You may choose to hold communications during this phase until you have contained the breach to increase your chances of catching the attacker. If so, make sure this aligns with your compliance requirements. 

Containment and Continuity 

  • Enable temporary privileged accounts to be used by the technical and security team to quickly access and monitor systems. 
  • Protect evidence. Back up any compromised systems as soon as possible, prior to performing any actions that could affect data integrity on the original media. 
  • Force multi-factor authentication or peer review to ensure privileges are being used appropriately.  
  • Change passwords for all user, service, application, and network accounts. 
  • Increase the sensitivity of application security controls (allowing, denying, and restricting) to prevent malware from being distributed by the attacker.  
  • Remove systems from production or take systems offline if needed. 
  • Inform employees regarding breach containment. 
  • Analyze, record, and confirm any instances of potential data exfiltration across the network. 
  • Potentially share information externally regarding breach containment (website updates, emails, social media posts, tech support bulletins, etc.). 

Eradication 

  • Close firewall ports and network connections. 
  • Test devices and applications to be sure any malicious code is removed. 
  • Compare data before and after the incident to ensure systems are reset properly. 
  • Inform employees regarding eradication. 
  • Potentially share information externally regarding eradication (website updates, emails, social media posts, tech support bulletins, etc.). 

Recovery 

  • Download and apply security patches. 
  • Close network access and reset passwords. 
  • Conduct vulnerability analysis. 
  • Return any systems that were taken offline to production. 
  • Inform employees regarding recovery. 
  • Share information externally regarding recovery (website updates, emails, social media posts, tech support bulletins, etc.). 

Lessons Learned 

  • Review forensic evidence collected. 
  • Assess incident cost. 
  • Write an Executive Summary of the incident. 
  • Report to the executive team and auditors if necessary. 
  • Implement additional training for everyone involved in incident response and all employees. 
  • Update the incident response plan. 
  • Inform employees regarding lessons learned, additional training, etc. 
  • Potentially share information externally (website updates, emails, social media posts, tech support bulletins, etc.). 

Responsibilities at a Glance

Activity | CSIRT Incident Lead | IT Contact | Legal Representative | Communications Officer | Executive
Initial Assessment | Owner | Advises | None | None | None
Initial Response | Owner | Implements | Updates | Updates | Updates
Collects Forensic Evidence | Implements | Advises | Owner | None | None
Implements Temporary Fix | Owner | Implements | Updates | Updates | Advises
Sends Communication | Advises | Advises | Advises | Implements | Owner
Check with Local Law Enforcement | Updates | Updates | Implements | Updates | Owner
Implements Permanent Fix | Owner | Implements | Updates | Updates | Updates
Determines Financial Impact on Business | Updates | Updates | Advises | Updates | Owner
