6 elements of an incident response plan

Every organisation should have an incident response plan in place in the event of a cyber-attack or data breach. Here’s what you need to develop yours.

Every organisation should have an incident response plan (IRP) in place should they come under a cyber-attack or data breach. There are six elements that every IRP should have in order to be fully effective.

This is a living document that is updated regularly and is the basis of incident response training. In the event of an attack, your team needs to be able to quickly assemble and move into action to address, contain, and recover.

Keith Marchiano, a Philadelphia IT solutions professional, shares what you need to know to develop and execute an incident response plan.

How do you prepare your organisation to put a response plan into action?

This part of the plan involves preparing your team with proper training and knowledge sharing. Every member should know their own roles and responsibilities if there is an attack. Staging mock data breaches and running drill scenarios will keep your team sharp and ready to respond. This is also the time to make sure that each phase is approved, employees have been trained, and funding has been finalised.

What do you put in place to determine if your organisation has had a data breach or cyber attack?

The second phase of the IRP is activated at the first sign of a breach. It involves determining whether a cyber attack or breach actually occurred and assessing the damage. Areas to examine include:

  • When and where did the breach take place?
  • Who discovered the breach and how did they do it?
  • What areas of the organisation are impacted (production, accounting, etc.)?
  • What is the scope of the breach regarding employees, clients, partners, customers, etc.?
  • Has the source of the breach been identified?

What do you need to know to contain a data breach?

The knee-jerk reaction for many people after a data breach is to do a sweeping delete in an effort to get rid of the offender. That isn’t the best course of action, and it is one of the main reasons an incident response plan is so important.

A systematic approach is needed here to determine which steps to take to contain the breach over both the short term and the long term. Any malware discovered must be quarantined and backups initiated, while access credentials must be changed and strengthened. The next step is to look for possible “leaky spots” or weak areas, such as a failure to apply the most current updates and security patches.

What is necessary to eradicate the root cause of a data breach?

Once the breach has been contained, eliminating its cause is vital. Applying updates and patches is a good place to start once all malware has been safely removed. Next, a review of the system is in order, strengthening security protocols where they fell short.

This may be done in-house, but some organisations opt to hire a third party so that they have the assurance that no trace of the security issues is left anywhere in the system.

What is involved in the recovery phase of an incident response plan?

Once the threat is contained and removed, it is time to get everything back up and running at its normal state. While you want your systems functioning at optimal capacity, you also want to make sure that any fear of another data breach is allayed.

Creating a checklist and a timeline can help. Include patching and testing systems, tightening access controls, restoring from a backup, and the point at which production is restored. You also need a timeline for monitoring after the restoration.

How do you assemble and utilise lessons learned from a data breach?

Once all protocols have been carried out and the investigation has concluded, all incident response team members should assemble to discuss lessons learned. This includes identifying the challenges encountered and finding solutions. The purpose is to strengthen the system further, and it should be an ongoing endeavour for your organisation.

Data breaches and cyber attacks can happen to any organisation at any time. Planning and preparing will make response and recovery much faster and more efficient. Your organisation needs an incident response plan. You can’t afford to be vulnerable.