What goes in an incident response plan?

If you’ve been reading our blog recently, you’ll know that incident response plans (IRPs) are crucial for limiting the damage caused by security incidents. But how exactly do they achieve this? The answer lies in what an IRP contains: an effective plan helps an organisation recognise potential incidents and guides it through each stage of the response, from anticipating an incident to the full recovery of business operations. This is a six-step process.

1. Preparation

This primarily consists of the policies, procedures, governance, communication plans and technical controls you need in place before an incident occurs, so that you can respond to it and keep operating once it has been discovered. It should define what counts as an incident, who is responsible for each step of the response and how they can be contacted, including out of hours.

Experience is crucial: past incidents, and rehearsals such as tabletop exercises, should inform your preparations for the future. Something you thought was necessary might turn out not to be, or you might realise that you’ve overlooked a crucial process or control.

2. Detection

This is how you identify that an incident is happening. Sometimes the disruption is immediately obvious (such as when a power line is cut), so detection is more or less self-evident. Other incidents (such as data breaches) can go undetected indefinitely and require additional identification measures, for example log monitoring and alerting, and a clear route for staff to report anything suspicious. Your IRP should detail the organisational and technical measures you use to identify the threats within its scope.

As part of the detection process, you will need to classify the incident by type and severity and notify the people named in the plan, since the classification determines who gets involved and how quickly.

3. Containment

Once you’ve identified the problem, you need to contain the damage. Your plan should include containment measures for each type of disruption within the IRP’s scope. Be warned: incidents can unfold in any number of ways, so there is no single fixed way to handle them. It’s therefore imperative that your containment measures are flexible enough to allow for surprises. Some measures, such as isolating the affected systems or areas, will apply almost universally. Containment should also preserve the evidence the investigation will need (logs, memory and disk images, for instance), so switching off or rebuilding an affected system is not always the right first move.

4. Investigation

After the incident is contained, the relevant personnel should investigate it to identify its root cause. They should also assess the scope of the damage and judge how likely a similar attack is to recur, which determines how urgently the underlying weakness needs to be addressed.

5. Remediation

This is the process of removing the cause of the incident and returning to business as usual. As with containment, how you remediate an incident depends on the type of disruption, but the basic outline is the same. Your investigation will have revealed which parts of your organisation were affected; you should address each of them, fix the root cause rather than just the symptoms, and confirm with the relevant staff that the problems have been resolved before declaring the incident closed.

6. Review

This is the post-incident analysis. You should include processes for assessing the procedural and policy implications, gathering metrics (such as time to detect and time to contain) and identifying the lessons to be learned. The findings feed back into the preparation step, so the cycle improves with each incident.

Learn how to implement an IRP

For practical guidance on how to create an IRP, you should consider enrolling on our Incident Response Management Foundation Training Course.

This one-day course teaches you how to manage and respond to disruptive incidents effectively, and explains how to develop an incident response programme according to the requirements of the EU General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Regulations.

Find out more >>