Incident Handling Continuous Improvement Retainer
IHCI Retainer Includes:
Initial review and analysis of all incident policies, procedures, runbooks, and incident reports for P3 or higher (as defined in this generic classification matrix) in the past 24 months
- This can include, at the customer’s option, an EPS review and analysis of cloud configuration enumeration from the output of cloud security assessment tools such as (but not limited to) ScoutSuite, Prowler, CloudFox, etc.
Review of penetration testing and code testing program results from the past 24 months (including fix reviews and re-test results), capability assessment, and recommendations to improve internal testing fabric
Quarterly meetings with the customer executive in charge of incident handling (typically a CISO), along with the information security team and such technical / engineering / IT staff as they deem appropriate. These meetings will highlight:
Observations from policies, procedures, runbooks, and test results
Recommendations for incident handling improvement to be accomplished in the next quarter
People: the IR Team
Process: the Incident Handling and BC/DR processes
Technology: gap review and risk assessment
Review of incident handling improvements since the previous quarterly session
Review of third-party risk/supply chain risk approach.
Discussions related to the customer’s information security fabric, IT and security culture, and feedback on budgetary and capability choices (Advisory CISO work)
At least one annual four-hour tabletop exercise, followed by a report on the results of the TTX and recommendations for improvement
EPSD strongly recommends that executives from marketing/communications, legal, and executive leadership participate in these TTXs
Incident Response
In the event of a P1/P2 incident during the retainer period, the retainer includes the first four hours of incident response and the first four hours of breach coaching and advisory
The remainder of the annual retainer (see Retainer Terms, below) may be applied to incident response services from EPSD at a 10% discount from rack rates
- Note: A pro-rata replenishment of the retainer will be required in this event
IR Services
EPSD can provide incident response services, including:
IR Management: Provide an external Incident Response Commander to gather and work with internal resources to scope and manage the project, and work on the incident until it is resolved
This is followed by reporting on root-cause and proximate-cause analyses of incidents, identifying vulnerabilities and issues that contributed to the incident, and recommendations for mitigation
Machine and network forensics are available at extra charge
Threat intelligence and data intelligence services are available at extra charge
- For example, is this a nation-state attack, has access or breached data been offered for sale on the Dark Web, etc.?
Incident Orchestration
EPSD orchestrates incident handling, acting as incident commander and liaison, marshaling (and augmenting) customer resources to manage and contain incidents.
EPSD does not escalate incidents but does make recommendations to the Customer regarding the appropriate classification and severity for the Customer to escalate where necessary and with EPSD support.
Retainer Terms
Incident Handling Continuous Improvement retainer contracts are three years: Y1 is mandatory, Y2 and Y3 are by mutual agreement (you commit to one year and retain the rate for each year you renew).
Retainer fees are consumed by 12ths for service applications (see below); each month consumes 1/12th of the retainer.