Trustwave Blog

Incident Response Testing: An Australian Perspective

Written by Adam Wall | Aug 29, 2024

In today's rapidly evolving digital landscape, organizations must be prepared for the inevitable occurrence of cybersecurity incidents. Incident response testing is a critical component of a robust cybersecurity strategy, ensuring an organization can swiftly and effectively respond to incidents when they occur.

This article highlights the importance of incident response testing, outlining its key components, who should be involved, the benefits to organizations, and the complex regulatory landscape in Australia.

Like many nations, Australia has a myriad of federal, state, and local laws that may impact an organization's requirement for maintaining and testing an incident response plan. While some organizations may have a legal responsibility, others may have a compliance requirement for incident response exercises. We will address this landscape in more detail further down in this article, but first, let’s take a look at why testing incident response is important for any organization.


The Importance of Incident Response Testing

Incident response exercises, such as tabletop exercises, focus on testing an organization's response to simulated cybersecurity incidents. These exercises involve key personnel discussing and walking through their roles and decisions during a hypothetical scenario, aiming to evaluate and improve the organization's incident response plans and communication strategies. In contrast, penetration testing involves ethical hackers attempting to exploit vulnerabilities within the organization's systems, networks, or applications to identify and remediate security weaknesses before malicious actors can exploit them. While tabletop exercises are more about preparedness and process evaluation, penetration testing directly assesses the technical security posture of an organization.


Assessing the Effectiveness of the Incident Response Plan

One method for testing the effectiveness of your incident response plan is to use tabletop exercises. These are a great way to prepare your team to respond swiftly and effectively to cyber incidents. By simulating different attack vectors and scenarios, staff can identify gaps in your response plan and improve coordination among different departments. This preparedness is crucial to minimize the impact of actual cyber incidents, helping your organization maintain critical services, protect sensitive data, and swiftly recover.

Tabletop exercises can uncover important response issues and highlight the plan maintenance work that follows, including:

  • Updating procedures: Reflecting changes in the organizational structure, technology, or regulatory requirements.
  • Training staff: Ensuring all team members are familiar with the plan and their specific roles.
  • Incorporating lessons learned: Applying insights from past incidents and exercises to improve the plan.


Evaluate the Response Capabilities of the Incident Response Team

Simply conducting an incident response test is not sufficient. To ensure an incident response team is fully prepared, you should evaluate the results:

  • Role Clarity: Confirm that every team member understands their specific roles and responsibilities and the steps they need to take during an incident.
  • Plan Execution: Assess the team's ability to follow the incident response plan accurately and efficiently, ensuring all protocols are followed.
  • Performance Under Stress: Put the team under simulated pressure to gauge their performance and identify weaknesses in decision-making or execution.
  • Self-Evaluation and Feedback: Collect feedback from team members to understand their challenges and refine the response plan based on their experiences.


Identify Gaps in Resources and Training

Incident response testing reveals areas where your organization may lack the necessary tools or knowledge. Regular testing helps identify:

  • Resource Shortfalls: Identify if there are any missing tools, software, or hardware that hinder the incident response process.
  • Skill Gaps: Determine if team members require additional training or certifications to handle incidents more effectively.
  • Process Inefficiencies: Uncover any procedural inefficiencies that could slow down the response, such as unclear protocols or outdated technologies.
  • Training Programs: Develop targeted training programs to address identified gaps, ensuring the team is better prepared for future incidents.


Enhance Communication and Coordination

Effective incident response relies on seamless communication and coordination across the organization. Testing exercises interdepartmental coordination, confirming that different departments, such as IT, legal, and public relations, can work together smoothly during an incident. External communication also improves through testing, so it is important to include communication protocols with external parties, including customers, partners, and regulatory bodies, to ensure clarity and timeliness.

Incident response testing helps refine internal crisis communication strategies to keep all employees informed and reduce panic or misinformation during an incident.

Finally, testing will validate that the organization's chain of command is respected and that decision-making processes are clear and efficient, minimizing delays in response actions. Similarly, escalation and communication decision points can be assessed and tested.


Who Should Be Involved

It's a widespread misunderstanding that incident response is the sole responsibility of IT and security teams. In reality, effective incident response testing necessitates the participation of a diverse range of stakeholders across the organization, including:

  • Executive leadership: To ensure top-level support and decision-making.
  • IT and cybersecurity teams: To manage the technical aspects of the response.
  • Privacy Representatives: To manage compliance with privacy laws and regulations and to facilitate accurate and timely reporting of data breaches.
  • Legal and compliance teams: To navigate legal obligations and reporting requirements.
  • Public relations and communications: To handle internal and external communications.
  • HR and employee representatives: To address any personnel-related issues.


Tailoring Scenarios to Organizational Processes and Infrastructure

Organizations should tailor the scenarios used in incident response testing to their unique processes and infrastructure. This approach ensures that the testing is realistic and relevant, addressing the organization's specific threats and vulnerabilities. Custom scenarios help to:

  • Identify unique risks: Highlighting specific threats that the organization is most likely to encounter.
  • Test real-world response: Ensuring the team can effectively handle incidents that could realistically occur.
  • Enhance readiness: Preparing the organization for actual incidents, leading to more effective and confident responses.


Why Incident Response Testing is Necessary: The Regulatory and Compliance Landscape in Australia

Australia has a robust regulatory framework that can require certain types of organizations to conduct incident response training or to report data breaches.

Key regulations, controls, standards, and recommendations relating to incident response include:

  • The Privacy Act (Cth) 1988: Requires some organizations to protect personal information and report data breaches that are likely to result in serious harm.
  • The Federal Notifiable Data Breaches (NDB) scheme: Part of the Privacy Act, mandates that some organizations must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in the event of an eligible data breach.
  • Security of Critical Infrastructure Act 2018 (SOCI Act): Regulated entities under the SOCI Act may be required to report cyber incidents to the Australian Cyber Security Centre (ACSC). For assets declared as Systems of National Significance (SoNS), there are Enhanced Cyber Security Obligations (ECSO) that are relevant to incident response. These additional obligations that may apply to a SoNS include obligations to:
    - Develop Cyber Security Incident Response Plans: Develop and maintain a cyber security incident response plan for potential cyber security incidents.
    - Undertake Cyber Security Exercises: Conduct regular cyber security exercises to build and enhance preparedness for cyber incidents. These exercises help identify weaknesses and improve the overall effectiveness of the incident response plans.
  • New South Wales agencies under the Privacy and Personal Information Protection Act 1998 (PPIP Act): Agencies are required to notify affected individuals in the event of an eligible data breach of their personal or health information by a NSW public sector agency or state-owned corporation subject to the PPIP Act.
  • The Victorian Protective Data Security Standards (VPDSS): Applicable to all Victorian public sector agencies that handle Victorian government data or provide services to Victorian public sector bodies. These agencies are required to have incident response plans in place and conduct regular tests to ensure their effectiveness.
  • The Australian Securities and Investments Commission (ASIC): In November 2023, ASIC released the Spotlight on cyber: Findings and insights from the cyber pulse survey 2023. The survey invited participation from public companies, large proprietary companies, and entities that hold licences or authorizations from ASIC. Within this voluntary survey, ASIC noted that, of 697 participants, 33% admitted to not having a cyber incident response plan, and 35% had not tested their response plan. As part of the 'best practice' guidance offered, ASIC has advised that organizations should conduct tabletop exercises or simulated incident scenarios regularly and include the creation of different incident scenarios to test the organization's ability to respond effectively.
  • The Australian Prudential Regulation Authority (APRA): APRA-regulated entities are required to comply with Prudential Standard CPS 234 (Information Security) and have an obligation for annual incident response testing to ensure readiness. As part of their obligations, an APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 72 hours after becoming aware of an information security incident that is material or that has been notified to other regulators.
  • The Tertiary Education Quality and Standards Agency (TEQSA): TEQSA is Australia's independent national regulator of the higher education sector. TEQSA provides the Higher Education Standards (HES) Framework that covers universities, non-university higher education providers, and Technical and Further Education (TAFE) institutes. Under the framework, providers must have a critical incident policy and readily accessible procedures (standard 2.3.5). Additionally, a cybersecurity incident or significant data breach would trigger a Material Change Notification (MCN), as there is a heightened risk to students and staff, academic and research integrity, and possible reputational damage.
  • The Australian Cyber Security Centre's (ACSC) Essential Eight: Although there is no requirement to perform annual incident response exercises, organizations that need to meet maturity level two of the Essential Eight are required to enact their incident response plan once a cyber security incident is identified.
  • The Australian Government Information Security Manual (ISM): As part of the ISM guidance for cyber security incidents, organizations have an annual requirement for exercising their policy and plan. Control ISM-1784 states: "The cyber security incident management policy, including the associated cyber security incident response plan, is exercised at least annually."
  • ISO/IEC 27001:2022: Control 5.24 – Information Security Incident Management Planning and Preparation. This control outlines the necessity for planning and preparation in incident management, including regular incident response plan testing to ensure its effectiveness.
  • PCI DSS v4.0: As part of requirement 12.10, organizations must maintain an incident response plan, perform regular testing at least annually, and ensure reporting of incidents where cardholder data has been impacted.


Potential Upcoming Regulatory Changes

The regulatory landscape continually evolves, with several proposed changes to strengthen cybersecurity requirements. Some anticipated changes include:

  • Enhancements to the Privacy Act: The Australian government is undertaking amendments to the Privacy Act and has already increased potential penalties for data breaches. There are 116 recommendations being considered for a review of the Privacy Act, expected to be tabled as a bill in August 2024, including the removal of the small business and employee data exemptions.
  • The Information Privacy and Other Legislation Amendment Act 2023 (IPOLA Act) for Queensland: Introduces a Mandatory Notification of Data Breach (MNDB) scheme for government agencies, as recommended by the Coaldrake Review. The anticipated commencement of the IPOLA Act is slated for July 2025, and the local government MNDB scheme will commence in July 2026.
  • Western Australia's Privacy and Responsible Information Sharing Bill and the proposed Information Commissioner Bill: Of relevance to incident response, the legislation introduces reforms that provide a mandatory information breach notification scheme, requiring agencies to notify the Information Commissioner and affected individuals of serious information breaches involving personal information.
  • Cybersecurity legislation updates: As part of the Australian Cyber Security Strategy 2023-2030, new laws are being proposed to enhance cybersecurity resilience. Changes proposed that are relevant to incident response include:
    - Measure 2 - Further understanding cyber incidents – Ransomware reporting for businesses. While the exact scope and applicability for organizations is yet to be determined, it will likely apply to businesses with an annual turnover exceeding $10 million. This threshold, which is consistent with the small business threshold used by the Australian Tax Office, would capture approximately 42,000 businesses or 1.7% of all Australian businesses; and
    - Measure 3 - Encouraging engagement during cyber incidents – Limited use obligation on the Australian Signals Directorate (ASD) and the National Cyber Security Coordinator. Timely incident reporting is vital for ASD and the Cyber Coordinator to perform their functions and help manage the consequences of a cyber-attack. The Australian government has observed that industry is increasingly reluctant to quickly share detailed cyber incident information, and this measure is aimed at helping to reduce the barrier to reporting.


Conclusion

Incident response testing is an essential practice for organizations to ensure they are prepared to handle cybersecurity incidents effectively. By involving key stakeholders, tailoring scenarios to organizational processes, and staying abreast of regulatory requirements, organizations can strengthen their incident response capabilities and mitigate the impact of cyber threats. In the Australian context, adherence to regulatory requirements and proactive incident response testing may be crucial for maintaining compliance and protecting sensitive data.

By tailoring our services to your organization's specific needs and context, Trustwave ensures that the incident response tabletop exercises are not only in line with best practices but also practical and actionable.

For further details on how our tailored tabletop exercises can benefit your organization, please contact us to schedule a consultation. Let's work together to build a more resilient and secure digital future.

Disclaimer: The information contained in this document is general in nature and does not constitute legal advice. Advice should be sought for the reader’s particular circumstances. Trustwave does not guarantee the accuracy, currency, or completeness of any information in this document.

This document contains links to other third-party websites. Such links are only for the convenience of the reader and Trustwave does not recommend or endorse the contents of the third-party site.