Incident Response Training

Agenda

1. Introduction to Incident Response & PCI DSS

   • What is an Incident Response Plan (IRP)?
   • Why IRP is critical under PCI DSS v4.0
   • Overview of Requirement 12 and its sub-requirements

2. Key Components of an IRP

   • Roles and responsibilities
   • Communication and contact strategies (including acquirers/payment brands)
   • Containment and mitigation procedures
   • Business continuity and recovery
   • Legal and regulatory reporting obligations
   • Reference to payment brand-specific procedures

3. Monitoring & Detection Systems

   • Tools required for real-time monitoring
   • IDS/IPS
   • File integrity monitoring
   • Anti-malware, EDR, UBA
   • Email security (DMARC, SPF, DKIM)
   • Wireless IDS/IPS
   • Tamper detection for payment pages
   • Responding to alerts and suspected incidents

4. Response Procedures for PAN Discovery

   • What to do when Primary Account Numbers (PANs) are found outside the CDE
   • Secure deletion and migration
   • Identifying root causes and fixing process gaps
   • Preventing future data leaks

5. Preparing for a Forensic Investigation

   • Importance of having a pre-approved forensic investigator (PFI) list
   • Establishing relationships with forensic experts ahead of time
   • Ensuring logging and monitoring systems are properly configured and retained
   • Maintaining an up-to-date data flow diagram and asset inventory

6. Evidence Handling & Chain of Custody

   • Principles of digital evidence handling:
     • Do not alter original data
     • Use write-blockers when imaging drives
     • Document every step taken
   • Chain of custody documentation:
     • Who accessed the evidence
     • When and why it was accessed
     • How it was stored and transferred
   • Secure storage of evidence (physical and digital)

7. Conducting the Investigation

   • Initial triage and scoping
   • Imaging and analysis of affected systems
   • Identifying indicators of compromise (IOCs)
   • Timeline reconstruction and root cause analysis
   • Reporting findings to relevant stakeholders (including acquirers/payment brands)

8. Post-Investigation Actions

   • Remediation planning and execution
   • Updating security controls and policies
   • Lessons learned and process improvement
   • Communicating outcomes to internal and external parties
   • Regulatory and legal follow-up (if applicable)

9. Training & Testing Requirements

   • Role-specific training expectations
   • Frequency based on risk analysis
   • Tabletop exercises: how to conduct and document
   • Post-mortem reviews and continuous improvement

10. Availability & Escalation Protocols

    • 24/7 availability of incident response personnel
    • Escalation paths and decision-making authority
    • Coordination across departments (IT, Legal, HR, PR)

11. Knowledge Check & Acknowledgment

    • Short quiz or scenario-based exercise
    • Employee acknowledgment of IRP understanding

Course Details

• Course Duration: approximately 45–60 minutes
• Delivery: Course is delivered via our LMS platform
• Access Period: Upon registration, participants have two weeks to complete the course
• Target Audience: Personnel involved in the incident response plan (IRP)