What is An Incident Response Plan and What Should It Include?


What Is An Incident Response Plan?

An Incident Response Plan (IRP) is a document that covers exactly what an organisation should do in the case of security attacks, data breaches, or other cyber threat events that necessitate prompt action and a cool head.

Depending on the sector in which your organisation operates, the demands of your clients and contracts, or the stipulations of your cyber security insurance policy, an IRP may not only be beneficial, but necessary.

What Should an Incident Response Plan Include?

How You Will Define an Incident

Your IRP should include a clearly defined checklist of attributes for an attack. Not all cyber threats or data loss events will necessarily warrant the implementation of your IRP, and defining an “incident” based on the parameters important to your business and external regulators removes the need for guesswork or delay should an attack take place. Within this section, you should also include criteria for when the IRP will no longer be sufficient and the Disaster Recovery Plan (DRP) and Business Continuity (BC) plans should be implemented.

Roles and Responsibilities

In the case of a cyber incident, it’s crucial that the pertinent parties are involved from the outset. There are multiple departments to consider here, and you should look beyond IT operations and technical teams to ensure that decisions can be made quickly and across the breadth of your organisation without delay. Human resources, legal, PR, and communications teams may be necessary to deal with an ongoing incident and its immediate aftermath, as may those with high enough business authority to action difficult and high-impact decisions.

Your list should not only include the title of the individual and their department, but also their role with regards to an incident. This is of particular importance for those who may only have a high-level understanding of the specifics of cyber threats while still needing to take swift action.


Appropriate Reporting Procedure

During an incident, proper communication is vital. This may be internal, external, or a combination of the two. In the preparation stage, agree which details of an incident will be reported, to whom, by whom, and in what order. This helps to prevent unnecessary confusion, delays in reporting to the necessary authorities, misunderstandings, and further potential damages should sensitive data or an inaccurate version of events be publicised.

Policy on PR, Media, and Outside Parties

In some instances, those outside the organisation who are not directly related to its operations will need to be made aware of incidents. Should the attack be significant enough, or have ramifications for the public or customers, this may include the press and media. You should anticipate these eventualities and establish what may be revealed, to what timescale, and by whom. It can even be useful to draft stock templates that can be amended to fit the incident in question, streamlining the process when time is short and a response is required quickly.

Collated Lessons Learned

Gathering information, documenting exactly what happened, and implementing lessons learned are steps just as important as the processes enacted during a cyber incident. In the planning stages, agree what data and information should be collected, how it will be organised, and how it will form the basis of an ultimate debrief to apprise relevant parties of the necessary elements of the incident, as well as how the incident’s data can be used to proactively guard against similar incidents going forward.

An Incident Response Plan is a crucial element of any organisation’s path towards cyber security optimisation. The better prepared you are for an attack or emerging threat, the better you are able to tackle its consequences and implement the necessary lessons learned to guard yourself going forward.
