Interview with Eric Vanderburg - Vice President, Cybersecurity
How to Write an Effective Cyber Incident Response Plan
Having an Incident Response Plan (IRP) is a non-negotiable part of any cybersecurity strategy. You must have one in place. But how can you be sure that you’re putting together the best IRP for your business? Answering the question, “what should an incident response plan include” is the first step. Then all you need to do is customize it to the specifics of your organization.
Writing an Effective Incident Response Plan
Doing a quick Google search on Incident Response Plan Templates will return an overwhelming number of results. While these templates can serve as a reference point, they should not make up the entirety of your plan.
While the thought of a plug-and-play type document seems appealing, each organization is unique and will need to address potential incidents proportionally. This is done by customizing your IRP to the specifics of your organization.
Whether you’re updating or starting from scratch, customizing the following sections can help put you on the right track to writing an effective incident response plan.
Define an Incident
So what should an incident response plan include? One of the first steps in creating an incident response plan is defining what constitutes an incident. Events happen every day, but not every event is an incident requiring a full response. By clearly defining the difference, your team can investigate the event and determine whether or not to “sound the alarm.”
When it comes to differentiating an incident from an event, multiple factors come into play. This may include compliance and regulatory requirements, contractual obligations, or client expectations. What may be an event for one company may constitute an incident for another.
A sample definition of each is provided below.
Do You Know the Difference?
What is an Event?
Definition: An observable occurrence of computer or network activity that causes a negative impact.
Example: A system is running slowly or has gone down.
What is an Incident?
Definition: An event that can potentially lead to loss of data, reputation, intellectual property (IP), or funds, or to an outage affecting the firm's ability to do business.
Example: Malware identified on a computer.
Assign Roles and Responsibilities
Once you’ve defined what an incident entails, the next step is to determine who to contact and when. This section will vary greatly depending on the size of your organization. One person may be responsible for multiple roles.
Each stage in the incident response lifecycle will require different members of your team. These may include:
- Internal Communications
- Public Relations
- Technical teams to identify and coordinate resources
- A Digital Forensics and Incident Response (DFIR) team to contain and remediate the threat
- Legal Counsel
- Law Enforcement, if necessary
Clearly defining these roles and responsibilities will help coordinate efforts in the event of an emergency. This ensures your team can work quickly and efficiently to get your business back up and running. After all, when faced with an incident, time is of the essence.
Outline Common Cybersecurity Threats
So you’ve defined an incident. You know who to contact and when they need to be involved. Now you need to know how to respond.
Depending on the threat, your response strategy may vary. The way you respond to ransomware, for example, may differ from how you react to data theft by an employee. By describing these scenarios and the appropriate response to each in your incident response plan, you can limit the time it takes to identify and remediate the issue.
The most common cybersecurity threats that could result in an incident include:
- Phishing, Business Email Compromise (BEC), and Compromised Credentials
- Cloud and Network Misconfigurations
- Third-Party Software Vulnerabilities
- Malicious Insiders
So what should an incident response plan include? At a minimum, be sure to address what defines an incident, assign responsibilities, and dictate how your organization will react to common cybersecurity threats. Customization is key to minimizing downtime and getting your business back up and running as soon as possible.
No matter how customized your incident response plan is, tabletop exercises must be performed regularly. They let your team practice in a calm environment and surface potential issues that might otherwise be overlooked.
To learn more about how to customize your incident response plan, download the guide How to Write an Effective Cyber Incident Response Plan. As always, our team of experts is available to help answer any questions you may have. Reach out today to get started.