The California State Office of Information Security and Privacy Protection publishes a fair range of awareness materials of interest to State agencies and others. Their 4-page Hostile Takeover paper gives a decent outline of multiple controls against insider threats, including the need to cater for such incidents in incident response procedures. Good point!
As with other forms of contingency planning, there are two common ways of preparing incident response procedures:
1. Create a detailed manual explaining how to respond to each of a range of incident types. This is costly and tedious for the documentation team, since such manuals are usually voluminous and complex to maintain. Keeping the manual current, and ensuring that responders are trained on and aware of the latest procedures, is an ongoing requirement. On the other hand, it is easier for responders to grab the manual, look up the type of incident and follow the instructions, rather as a pilot consults the checklist for an abnormal situation in flight.
2. Create a simpler, generic incident response process and a multi-skilled team that can deal with practically anything that occurs. Train the team, emphasizing flexibility and thinking on your feet. There is less documentation to prepare, agree and maintain, but much more depends on the skills and capabilities of the particular responders, so responses to similar incidents are more likely to vary.
Approach 1 runs into trouble if the incident that actually unfolds is not covered by any of the scenarios in the manual, or (just as bad) is covered by several: an insider attack involving malware and fraud, for instance, might fall under three separate response plans, none of which says which takes precedence. Approach 2 can lead to confusion and errors in the process, particularly if different people are working on the same incident simultaneously but separately, with nobody coordinating their actions.
A third way combines the two: a less-detailed manual covering a suite of common scenarios, with responders trained and skilled enough to cope on the fly with anything more complex, including incidents that fall outside or across the documented scenarios.
If your organization takes a different approach, I'd be fascinated to hear about it, and to find out how it works in practice. Please comment on this posting, or email me.