Creating a Compliant Incident Response Plan
How to Respond to Security Incidents
PCI Requirement 12.10 is all about incident response. What is considered an incident? Anything that compromises the integrity, confidentiality, or availability of cardholder data. Developing a compliant Incident Response Plan and training a team that’s responsible for incident response will prepare your business to immediately identify, contain, and analyze security incidents.
When thinking about incident response in relation to a cloud environment, AWS says, “All AWS users within an organization should have a basic understanding of security incident response processes, and security staff must deeply understand how to react to security issues. Experience and education are vital to a cloud incident response program, before you handle a security event.” AWS recommends developing an Incident Response Plan around a four-step process: educate, prepare, stimulate, iterate. To learn more, visit the AWS Security Incident Response Guide.
PCI DSS Requirement 12.10 has six subtopics. Combining them all up, we are talking incident response. Separately, the six tell you what makes up a good incident response plan, program, and team. Number one, you need a team comprised of senior management as well as engineers, people who will be on the ground that understand how to stop a breach, triage a breach, and find root cause. From all of that, the biggest takeaway after mitigations is lessons learned. The PCI DSS even includes two different types of training – one is lessons learned for everyone and the other one is in PCI Requirement 12.10.4, which is specific incident response training for the members of your incident response team. This is why I like this so much: as technologists, we’re always behind the curve and always learning, so the requirement that the team who is going to find the breaches and incidents will be well trained to do that.