December 4, 2020

5 Keys to Writing Your Incident Response Plan

Regardless of the size of your organization, having a Computer Security Incident Response Plan (CSIRP) is crucial. Whether handled by a dedicated cybersecurity team or a select few IT professionals who respond when the need arises, the need for a plan is non-negotiable. This detailed document is your clear roadmap for responding to and recovering from potential, and unfortunately what many experts would argue, inevitable security incidents.

Reviewing the large-scale cyber-attacks that occurred in 2020 on businesses and governments worldwide is staggering, and this list doesn’t include smaller organizations that can become entirely crippled by a hacking or ransomware incident. 

As we look to 2021 and the changing landscape of our work environments, especially as it has become more remote, the risks are predicted to drastically increase. The reality is that the likeliness of being attacked is more probable than possible. To be prepared to protect your organization and the customers you support, let’s look at five keys to writing your own incident response plan. 

If you’re in the market for security software, use our Product Selection Tool. Our Technology Advisors will recommend software that is tailored to your needs.

Preparation for writing an incident response plan

Before writing your response plan you will need to define, analyze, identify, and prepare for a security incident. First, how do you define an incident? For some organizations, an incident is an attempt, whereas for others an attacker needs to be successful for the incident to qualify as such. 

The next critical decision is analyzing and determining which of your system components, services, and applications are most crucial to maintaining the operations of the business. These items will be prioritized if a security incident, as you have defined it, should occur. Additionally, identify what critical data needs to be protected, where it is stored, and how valuable it is both to you and to your attacker. This is essential as you are writing a response plan, so you are better positioned to recover data more quickly.

Be honest about where you know there may be weak points in your systems and address anything with the potential for failure. Doing this preemptively will protect and maintain those systems while also qualifying necessary resources like building a response team and budgeting for tools and equipment.

Read also: 4 Smishing Attacks to Watch for in 2021

Outline Response Requirements and Resolution Times

Your response team will build the framework that outlines their roles as well as how they will detect, respond, mitigate damage, resolve an incident, and determine a set time frame dependent upon the type of incident they’re addressing. It is important to establish a time frame in advance, so the response team knows what expectations they are working against when an occurrence arises. The key here is to determine what it will take to contain the incident and how long you can be “down”.

It may be a good idea to write guidelines into your response plan that outline required actions, the subsequent steps, and associated response times necessary to react quickly. Clearly document what steps will be taken to repair the damage and have your systems fully operational again. 

Create a Disaster Recovery Strategy

Write up your strategy. Once you’re satisfied that the plan covers the investigation, analysis, and rehabilitation of your services following the incident, you need to publish your plan internally. Make sure that all stakeholders have access and are familiar with their parts of the response.

It can be scary to adopt the “it’s not a matter of if—but when” scenario, however, it is a good idea to operate with enough caution that you build in a disaster recovery backup and storage solution when writing the CSIRP. This improves your chances of surviving a breach by conducting frequent backups and recovery processes to mitigate a loss of data and potential future damage.

Planning for disaster recovery as you write your incident response plan can safeguard your organization with a quick and more ideal recovery point, while giving the response team allowance to troubleshoot what happened and put additional preventative measures in place. Rest assured that not every attack will be severe enough to warrant disaster recovery but having that solution in place ensures that you have lowered your risk when it does.

Test Your Response Plan

Now that you have written your plan, you need to test it. This is critical because it is going to help identify which parts of the plan will work, and where you have gaps and will need to re-work and further optimize the plan in case of an actual attack or breach.

Have the response team go through a virtual scenario wherein they notify the proper departments such as marketing communications, executive leadership, security, or the legal team that an attack has occurred. As the scenario plays out, the incident response manager should regularly report on how notifications are proceeding to those affected. Here is also where you may determine how you will communicate to customers, patients, or partners, and in some cases law enforcement. In case of an actual breach, keep in mind that if you are, or work for, a Department of Defense (DoD) contractor, notifying authorities is a legal requirement.

Plan to Debrief

Set the expectation early that your plan will include debriefing. Should a real security incident occur, debriefing should focus on handling the aftermath and identifying what went well and what areas could use improvement. You will want to identify your process for completing incident reports, and analyzing your team’s skill set for potential gaps, as well as any other post-incident action items that should be addressed. 

The best-case scenario is that you never experience a security incident, however, it is imperative that you plan for one. Having a CSIRP written and implemented means that your organization is well prepared to handle it should you be faced with an event.

If you’re in the market for security software, use our Product Selection Tool. Our Technology Advisors will recommend software that is tailored to your needs.