SecureState Blog


We here at SecureState receive a lot of calls from companies seeking a penetration test. The majority of the time this is due to PCI requirements. Let’s face it though—there are a lot of companies that offer them. While not all of them are actual penetration tests (see here), there are a lot of options to choose from. So what do you base your decision on? One question you should be asking your penetration testing company is, “Do you also test my incident response?” Incident response is an important piece of PCI compliance. As stated by section 12.9 of the PCI DSS v2, a company must implement an Incident Response Plan (IRP) and be prepared to immediately respond to an incident.


Incident Response: What Does it Take?

An IRP should be implemented in the event of a system breach, and ensure the following are defined and verified:

  • Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands
  • Specific incident response procedures
  • Business recovery and continuity procedures
  • Data backup processes
  • Analysis of legal requirements for reporting compromises
  • Coverage and response of all critical system components
  • Reference or inclusion of incident response procedures from the payment brands

We have found that responding to incidents without a defined IRP increases costs and overall time for remediation. Because of this, we have created the following chart to detail the difference between having a defined IRP and not having one.

I Don’t Have Anything… Now What?

At this point you may be thinking to yourself, “I don’t currently have any of this in place.” Well, SecureState is not solely a penetration testing company. We have a practice solely dedicated to Incident Response. Our Incident Response group can assist your organization in mitigating risks from computer security incidents by providing guidelines on how to respond to incidents effectively and efficiently (see here).


Alright, I Have A Plan… Now What?

The rest of you at this point may be thinking, “I have a plan in place and it includes all of this.” Many times companies will just leave it at that, believing they are compliant with PCI DSS v2 standards. The truth is, however, that this IRP needs to be tested annually. Below are the actual PCI DSS requirements regarding Incident Response:

12.9.2 – Test the plan at least annually

12.9.3 – Designate specific personnel to be available on a 24/7 basis to respond to alerts

12.9.4 – Provide appropriate training to staff with security breach response responsibilities

12.9.5 – Include alerts from intrusion-detection, intrusion-prevention, and file-integrity monitoring systems

12.9.6 – Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.

In addition to following these guidelines, compliance with them must also be verified. We help test a company’s IRP during an actual penetration test (see here). This way the client receives hands-on training in responding to an incident, with an advisor present to review the actions taken. After the completion of the test, the advisor is available to provide training and discuss the lessons learned. Next time you go through the process of determining which company to use to verify your compliance, ask the right questions to ensure that all required PCI DSS guidelines are being met.