Incident Response Plan

What is an Incident Response Plan? 

An Incident Response Plan is a structured and documented plan of action for how an organization will respond to security incidents. A good Incident Response Plan establishes the organization, actions, and procedures needed to identify and respond to an incident, perform the appropriate escalation and notification and ultimately resolve the incident.

The plan should include classifying the various types of physical security incidents and the types of notifications. The decision-makers are for additional escalation and action. This document will consist of procedures for each escalation, decision-making criteria, and next steps in some organizations. Because not all incidents are created equal, it is essential to have the requirements ahead of time to impact your response and who the escalation point or decision-maker is in different situations. The plan should include identifying any changes that should be made to protection, detection, or response in the future.

Incident Response Plan Frameworks

There are two primary frameworks for incident response processes, NIST and SANS. While there are some minor differences, they both cover the same basic steps: 

  • Preparation, Detection, and Analysis (Identification)
  • Containment Eradication and Recovery
  • Post-Incident Activity/Lessons Learned

There are many templates available from security vendors on the internet.

An Incident Response Plan should outline:

  • Decision-makers in the different situations
  • Who to notify and when to escalate
  • Who/what skills are needed for resolution, research, and to inform decisions
  • How to define the incident and criteria for decision making
  • Steps to be taken to evaluate and resolve the incident
  • Contact information those that may need to be involved
  • Lessons learned activity structure

Potential partners should be listed in a plan in the event they are needed; those that provide forensics or other specialized services, legal and communications resources may be necessary to determine some next steps. There may also be impacted partners that should be considered. 

Not all Incidents are created equal; an Incident Response Plan must differentiate between response to minor, low impact incidents and more extensive, higher impact ones. It should help the Incident Response Team correctly evaluate the incident and help direct them to take the correct steps. 

Incident Response Plans also need to be accessible. There is no good time for an incident to be identified, so key individuals should have a copy at home that they can reference, not just one on a corporate network that may be compromised or not available.

Why Do I Need an Incident Response Plan? 

None of us can make the best decisions in a stressful situation. Having a solid and tested incident response plan ensures that everyone understands the decisions that need to be made, who needs to be involved, and the criteria for those decisions. It also helps alleviate the stress in a complicated situation.

Every company should have an Incident Response Plan, that way; they are not making it up as they go along. They can focus on resolving the incident rather than figuring out the following steps to take, who should be notified, or what resources have the skills needed.

Reviewing and Testing the Incident Response Plan

Plans should be updated at least annually (or when an extensive reorganization is done) to ensure the correct stakeholders, decision-makers, and resources are identified. Also, plans should be tested annually.

Testing the plan can be led by internal resources or external ones. Many cybersecurity companies provide these services. In the “table-top” plan test, a scenario is derived, the leader will have a “script” of events that could happen along the way. And the team that is generally in the room should follow the plan and work to respond to the incident.

This will point out things that need updating, missing resources, or gaps in the plan. It also helps the Incident Response Team be more prepared for an actual breach, understanding roles and responsibilities, impacts, and the criticality of responding correctly.