This is the sixth of a fourteen-piece blog series intended to describe how Ascolta Greenfield environments achieve compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 1, Protecting Controlled Unclassified Information in Non-federal Systems. This entry covers the controls contained in the Incident Response Policy and Procedures family.
What is it?
Systems are subject to a wide range of threat events, from corrupted data files, to viruses, to natural disasters. The organizational impact of some threats can be lessened by having policies and plans in place that can be followed when an incident occurs. Threat events can result from a physical outage, a virus, other malicious code, or a system intruder (either an insider or an outsider). The definition of a threat event is somewhat flexible and may vary by company and computing environment. Although the threats that hackers and malicious code pose to systems and networks are well known, the occurrence of such harmful events remains unpredictable. Security incidents on public infrastructure networks (e.g., the internet), such as break-ins and service disruptions, have harmed many companies' computing capabilities. When first confronted with such incidents, most companies respond in an ad-hoc manner. However, recurrence of similar incidents makes it cost effective to develop a standard capability for quickly discovering and responding to such events. This is especially true since incidents can often "spread" when left unchecked, escalating the damage and seriously harming an organization.

Examples of incident response requirements include incident response training, incident response testing, incident handling, incident monitoring, and incident reporting. Companies should establish an operational incident handling capability for company systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities, and should track, document, and report incidents to company management and/or authorities.
How does Greenfield solve it?
NIST SP 800-171 tasks wanna-be compliers (I made that word up) with three requirements: to establish an incident-handling capability that includes adequate preparation, detection, analysis, containment, recovery, and response activities; to track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization; and to test the incident response capability.

To answer the first requirement, the Greenfield system utilizes Red Canary, an industry-leading managed security service, to detect, analyze, and contain incidents. Additional services are available to assist with response if need be.

For the second and third requirements, the Greenfield system provides an incident tracking mechanism that assists with documentation and reporting. Additionally, the Greenfield Support Team can assist with incidents as a professional service if requested. We provide an Incident Response Policy for clients to adopt or integrate into their existing policies and plans. The plan provides step-by-step instructions on how to report incidents to the defense industrial base, and as always our services are available to assist if requested, but ultimately the client is responsible for reporting incidents to the government and contract prime if required. Finally, our plan contains easy-to-implement testing scenarios to train your staff on how to quickly and efficiently handle an incident.