Analecta Cyber Company Blog: Creating an Incident Response Plan

2018-05-22

Creating an Incident Response Plan

creating an incident response plan - spilled coffee on keyboard graphic
twitter logo - Analecta LLC Creating an Incident Response Plan
"We have a cyber incident. This is not a drill.” Although this is not a declaration any business hopes to utter, the fact is we live in an era of nearly continuous data compromises. It is important for businesses to develop a comprehensive incident response plan to be better postured for when the eventual happens. Without a response plan, an incident may be costly and in the most severe cases, detrimental to a company’s survival. It is no longer a matter of if an incident will occur. Will your company be ready when it does occur?

Preparing the depth of a response plan


The incident response plan should be high-level enough to cover the entire organization. It will be important to know your data and understand how it is protected. You will also want to make sure you have the most up-to-date industry-specific data management rules or applicable laws. There may also be government controls at both the state and federal level that you may be required to put in place. These will shape how your organization reacts to a data breach.

creating an incident response plan - spilled coffee on keyboard graphic
It is no longer a matter of if an incident will occur.
Will your company be ready when it does occur?

 

Getting input from key stakeholders


An incident response plan is similar in scope to a disaster response or continuity of operations plan, and will require input from business leaders and security experts alike. National Institute of Standards and Technology (NIST) guidance suggests that you may need to include the following personnel when defining incident response:
  • mission/business owners
  • information system owners
  • authorizing officials
  • human resources offices
  • physical and personnel security offices
  • legal departments
  • operations personnel
  • procurement offices
  • other leaders specific to your business

 

Action steps for an initial incident response plan


While there are many ways to go about planning for incident response, the following steps are common to most models.
  • Assembling a response team: An incident response team may be composed of internal employees, external contractors or a blend of both. Form security and incident management teams to get the right people together to create the plan. All members must understand 1) the organization’s posture on risk, 2) what factors delineate whether an incident is considered major or minor, and 3) to not panic in the midst of a crisis. It will also be useful if you have an out-of-band, secure method of communication for use during an incident response. Don’t plan on internal email or instant messaging to be up if there is a need to take the entire system down.
  • Defining incident thresholds: Decide how your organization will determine incident thresholds. A multitude of responses are available and may be appropriate given the severity of the data breach. Documenting this will make your incident response plan more efficient.
  • Reporting and external notification: Plan on reporting breaches to internal and external parties. When the time comes to warn customers of the data breach, especially compromised personal information, have the mechanism in place to notify them directly and to distribute press releases to get the information out quickly. Include recommended or mandatory action items for them to minimize the risk.
  • Communicate incident response plan to employees: The incident response plan needs to be shared with individual employees to review and understand. Everyone should be aware of their role if an incident were to occur. In the event of a large scale attack, for example, employees might be instructed in advance to work from home. Having an alternate way to contact employees is also a smart preemptive measure.
  • Prepare and practice the plan: The organization should set aside time to conduct a full rehearsal of the incident response plan. Although pulling employees away from work duties to train, this is your opportunity to fine-tune the plan and keep it effective. As the company grows or changes, periodic training and rehearsals will be necessary.

twitter logo - Analecta LLC
The news is full of examples of major corporations that failed to communicate with their customers after a major data breach. Twitter, on the other hand, recently urged all of its nearly 330 million users to immediately change their login credentials in response to a compromising software bug that may have exposed users’ passwords in early May 2018. The speed of the disclosure has generated praise for the social media company, and is seen as an example of looking out for the interests of its users.
Bottom line: Include in your incident response plan a scenario for reporting the effects of the breach to major stakeholders, employees and customers/clients. Withholding vital information from those at risk was never a good business practice.

 

Learning from a practice run


All of these steps are important and will provide valuable data for reevaluating your incident response plan and making updates. During your rehearsals, capture feedback from individual users as well as incident response team members on their ability to execute the plan. Incorporate observations that may improve the overall process.  As mentioned in the March 2018 Ponemon Institute Study on the Cyber Resilient Organization, “Preparedness, agility and strong security posture are the most important factors to achieving a high level of cyber resilience.”

 

Building a complete cybersecurity plan


Analecta can help guide your incident response and incident threshold planning with a comprehensive look at all security practices within your organization and around high-risk assets. We have devised a 96-point Cyber Risk Assessment that asks tough, realistic questions that can identify the most critical next steps in your firm’s cybersecurity program to maximize protection. The Cyber Risk Assessment is designed to enable small and medium-sized businesses to minimize or even eliminate the risk of data breaches that can cause customer loss, reputational damage and severe bottom-line impact.

Email us at info@analecta-llc.com or visit our Cyber Security website. We are here to help!

Further Resources