skip to navigation
skip to content

Financial Outsourcing Solutions

Corporate People

FOS Blog

05 Nov

Dust off your Incident Response Plan

Dust off your Incident Response Plan

As we near the end of the calendar year, if you haven’t planned on testing your incident response plan (IRP), you should get something on the calendar now (and going forward).  Unfortunately, security incidents occur every day and your institution could be next.  You need to make sure that your IRP remains accurate, comprehensive, and tested.  The Federal Financial Institution Examination Council (FFIEC), states in their IT Examination HandBook InfoBase that, “institutions should assess the adequacy of their preparations through testing” and furthermore that “financial institutions should assess the adequacy of their preparation by testing incident response guidelines to ensure that the procedures correspond with business continuity strategies.”

Your current strategies should contain, in some capacity, those identified by the FFIEC:

  1. Isolation of compromised systems, or enhanced monitoring of intruder activities;
  2. Search for additional compromised systems;
  3. Collection and preservation of evidence;
  4. Communication with effected parties, the primary regulator, and law enforcement;
  5. Elimination of an intruder’s means of access;
  6. Restoration of systems, programs and data to known good state;
  7. Filing of a SAR (guidelines for filing are included in individual agency guidance), and
  8. Initiation of customer notification and assistance activities consistent with interagency guidance.

So what are some key things you should consider in your next testing simulation?  Here are some good questions that should be addressed in your next test.

  1. Who are the parties that will be responsible for monitoring compromised systems?  Are there sufficient backups to ensure timely detection?
  2. Do you have sufficient IT resources (in-house or contractual) to search the compromised systems?
  3. Are any of your systems managed by a third-party?  If so, what responsibilities do they maintain as part of your contract?
  4. Who will be the person(s) communicating the incident to the proper authorities (regulator, law enforcement, and subsequently customers)?

For additional information contact Jeffrey Johns at