How to develop a mobile incident response plan
Mobile devices are often overlooked when it comes to an incident response plan, but they shouldn't be. Here's how to integrate mobile devices into an essential security system.
Mobile devices contain sensitive information and are susceptible to viruses and breaches, but organizations don't often develop mobile incident response plans.
Incident response -- the art and science of addressing computer and network-related security incidents -- is a function that many organizations neglect. Some organizations address incident response from a logging, monitoring and alerting perspective by focusing on external-facing firewalls and servers. Others address it more broadly, incorporating critical internal servers and workstations. Still others bring critical applications and databases into scope.
No matter which approach organizations take, they should ensure that mobile is a key component of their incident response plan.
Basics of a strong incident response plan
An effective incident response plan doesn't have to be complicated. It's just a document that outlines the who, what, when, where and how of governing security events.
At a high level, incident response plans should contain the following sections:
- Incident preparation: This section specifies what constitutes an incident or breach, along with the existing security controls and team member roles and responsibilities.
- Incident detection and containment: This section outlines what IT monitors or reviews to detect and adequately address security incidents.
- Incident eradication and recovery: This section outlines steps to clean network systems, restore order and monitor for repeat
- Breach reporting: Many laws, business partners or customer contracts require that organizations notify customers and other parties if they have experienced a data breach.
- Incident follow-up: This section addresses root causes, lessons learned and related steps in the aftermath of an event.
An incident response plan should include the contact information of everyone involved, including outside vendors. It should also include which incident response tests IT needs to perform and should reference related documents such as security policies, network diagrams and cyberinsurance policies.
Why a mobile incident response plan is important
Organizations often leave mobile devices, tablets and even laptops out of incident response documentation. Mobile devices, however, can create tangible risks because they enable end users to access sensitive systems and information.
Security incidents often begin with mobile devices, including social engineering via phishing or phone calls. Malware-related incidents are rare, but they are still possible on mobile devices.
Mobile devices can also enable improper or unauthorized user access and data exfiltration. End users can easily lose mobile devices, which can put devices and the assets stored on them at risk.
What to include in a mobile incident response plan
At a minimum, IT should include the following sections in a mobile incident response plan:
- Logging, monitoring and alerting: IT should include logging, monitoring and alerting whether they perform these functions using standard mobile controls or via a mobile device management, enterprise mobility management or unified endpoint management tool. IT should also address logging, monitoring and alerts associated with technologies that the mobile devices run, including mobile apps; network connections; and security technologies such as data loss prevention, multifactor authentication and web content filtering.
- Data backups: In the event of theft, loss or another type of exposure, IT might have to rely on a cloud or local backup to restore operations. Most mobile devices have many business assets on them that are exposed to the world, and many devices store the only copies of these assets.
- Passwords: IT should list the procedures involved to reset a password once a suspicious or confirmed security event has occurred. If there is a chance that an unauthorized user has accessed a device, IT should look beyond the device accounts and consider what to do with the accounts that end users save in mobile apps and web browsers.
- Remote wipe: IT should perform a remote wipe to ensure that network connections and information assets are not exposed after a loss or theft.
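The sections above describe what the plan should say; the script below is an added example (not from the article or any MDM/EMM/UEM vendor) of how a team might turn those sections into triage logic. It reads a constructed event feed in a made-up "timestamp,device,user,event,detail" format, detects a lost-device report, a successful app login from a device after it was reported lost, a burst of failed unlock attempts, and a compliance failure, and attaches the containment checklist (remote wipe, credential resets, breach-reporting assessment) that the plan calls for. The event names, thresholds and playbook actions are all assumptions chosen for illustration.

```python
"""Triage of mobile device events against a mobile incident response plan.

Added example: the event format and event names below are constructed for
illustration and do not correspond to any particular MDM/EMM/UEM product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log: "timestamp,device_id,user,event,detail".
SAMPLE_EVENTS = """\
2024-03-01T08:00:00,dev-1001,alice,unlock_failed,attempt=1
2024-03-01T08:00:20,dev-1001,alice,unlock_failed,attempt=2
2024-03-01T08:00:45,dev-1001,alice,unlock_failed,attempt=3
2024-03-01T08:01:10,dev-1001,alice,unlock_failed,attempt=4
2024-03-01T08:01:30,dev-1001,alice,unlock_failed,attempt=5
2024-03-01T08:01:55,dev-1001,alice,unlock_failed,attempt=6
2024-03-01T09:15:00,dev-2002,bob,device_reported_lost,source=helpdesk
2024-03-01T09:40:00,dev-2002,bob,app_auth_success,app=mail
2024-03-01T10:00:00,dev-3003,carol,compliance_failed,check=os_out_of_date
"""

# Containment checklist per incident type (assumed names), mirroring the
# plan's sections: remote wipe, password resets beyond the device accounts,
# backup verification and the breach-reporting decision.
PLAYBOOK = {
    "lost_or_stolen": [
        "remote_wipe", "reset_device_accounts",
        "reset_saved_app_and_browser_credentials", "verify_backup",
    ],
    "unauthorized_access_suspected": [
        "remote_wipe", "reset_device_accounts",
        "reset_saved_app_and_browser_credentials", "revoke_sessions",
        "assess_breach_reporting",
    ],
    "brute_force_unlock": ["alert_user", "enforce_lockout", "review_device_logs"],
    "non_compliant": ["restrict_access", "schedule_remediation"],
}

# Assumed detection threshold: N failed unlocks within the window.
FAILED_UNLOCK_THRESHOLD = 5
FAILED_UNLOCK_WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse the constructed CSV-style feed into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, device, user, event, detail = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "device": device,
                       "user": user, "event": event, "detail": detail})
    events.sort(key=lambda e: e["ts"])
    return events


def make_incident(kind, event):
    """Build an incident record carrying the plan's containment actions."""
    return {"kind": kind, "device": event["device"], "user": event["user"],
            "detected_at": event["ts"].isoformat(), "actions": list(PLAYBOOK[kind])}


def triage(events):
    """Walk the event stream in time order and raise incidents."""
    incidents = []
    lost_devices = {}            # device -> time it was reported lost
    failed = defaultdict(list)   # device -> recent failed-unlock timestamps
    for e in events:
        dev = e["device"]
        if e["event"] == "device_reported_lost":
            lost_devices[dev] = e["ts"]
            incidents.append(make_incident("lost_or_stolen", e))
        elif (e["event"] == "app_auth_success" and dev in lost_devices
              and e["ts"] >= lost_devices[dev]):
            # A login from a device already reported lost: treat as possible
            # unauthorized access, which also triggers the breach assessment.
            incidents.append(make_incident("unauthorized_access_suspected", e))
        elif e["event"] == "unlock_failed":
            recent = [t for t in failed[dev] if e["ts"] - t <= FAILED_UNLOCK_WINDOW]
            failed[dev] = recent + [e["ts"]]
            if len(failed[dev]) == FAILED_UNLOCK_THRESHOLD:  # fire once per burst
                incidents.append(make_incident("brute_force_unlock", e))
        elif e["event"] == "compliance_failed":
            incidents.append(make_incident("non_compliant", e))
    return incidents


if __name__ == "__main__":
    for inc in triage(parse_events(SAMPLE_EVENTS)):
        print(inc["detected_at"], inc["kind"], inc["device"], inc["user"],
              "->", ", ".join(inc["actions"]))
```

On the sample feed this yields four incidents in time order: the failed-unlock burst on dev-1001, the lost-device report for dev-2002, the suspicious mail login from that same device 25 minutes later, and the out-of-date OS on dev-3003. Wiring the action lists to a ticketing system, and keeping the incident records as evidence for the follow-up section of the plan, is where a real deployment would go next.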
As IT builds out mobile incident response capabilities, they should incorporate any vendor, customer or contractor devices that might somehow access, store or otherwise process information on any of the business systems.
In addition to including mobile in an incident response plan, IT should also take an inventory of the organization's systems and perform vulnerability and penetration testing on mobile devices whenever possible.