COI Report – Part VII, Page 400 of 425
1161. In drafting the IR plan, guidance can be sought from relevant documents produced by standards bodies, such as the NIST Computer Security Incident Handling Guide.
1162. In essence, the IR plan must address the immediate questions that would come to an employee during the course of an attack. It must make clear (a) who is in charge of the response process; (b) who should be alerted; and (c) who can be approached for help.
1163. The IR plan must have a special focus on the reporting responsibilities of line staff. As emphasised by Dr Lim, cybersecurity involves all staff in an organisation, because the impact of a cyber attack affects the whole organisation. As demonstrated by the facts of the Cyber Attack, it is the line staff, like Sze Chun, that will often be the first responders. Line staff must be encouraged to take the initiative and report proactively. As CE, CSA said: “Staff should have a clear and common understanding of the incident reporting framework, the relevant reporting structures and processes, and what measures must be immediately taken in the event of a cybersecurity incident. New staff should be on-boarded in a timely manner, and regular refresher training should be conducted to ensure compliance with these SOPs.”
1164. The IR plan for line staff should be augmented with playbooks (focusing on step-by-step directions) that act as helpful manuals for more specific threat situations. This is especially important for the line staff, whose normal functions do not involve security and incident reporting. As Vivek testified, effective
112 NIST.SP.800-61 Revision 2.