The Incident Response Plan
It is natural for all organizations to encounter difficulties in their activities. When something unexpected happens, such as a cyber-incident, it can be difficult to know how to react. Having an incident response plan in place is an essential part of a successful security program.
Its purpose is to establish and test clear measures that an organization should take to reduce the impact of a breach caused by external or internal threats, restore operations, correct vulnerabilities quickly, and enhance security to prevent future incidents.
Contents of an Incident Response Plan
Step 1: Prevention
Describe the steps your organization will take to protect against a cyberattack, both from a technical and non-technical perspective.
Step 2: Planning
List the people involved in your incident response team and their roles. Ensure that the roles, responsibilities and structure of your team meet the requirements of your organizational context. A cyber crisis communication plan is developed during this phase (see Step 7: Communication).
Step 3: Preparation
Develop reporting mechanisms, prepare checklists and spare equipment and software, and define audit procedures.
Step 4: Detection
List the tools your organization would use to detect an attack.
Step 5: Analysis
Explain how your organization would analyze whether an incident is a cyber attack. After an incident has been detected, it is essential to collect all available information and artefacts about activities around the time of the incident. Centralized collection and archiving of security information (e.g., list of affected systems, system logs, firewall logs) allows the analyst to easily access this information. The next step in determining whether an incident is a cyber attack is to correlate the events.
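The correlation step described above can be made concrete. The following is an added example, not code from the article or from Digisoter: it parses a constructed set of centralized records (a system authentication log, a firewall log and a list of affected systems with their addresses; all field names and values are made up for the example) and correlates them by host and time window. The rule it applies is one common pattern: repeated authentication failures followed by a success from the same source, then an outbound connection from the affected host to an address outside the organization's own ranges. The output is a list of findings the analyst can review, not an automatic verdict.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the article). In practice these would come
# from the centralized log archive described in the Analysis step.
SYSTEM_LOG = """\
2024-03-04T09:58:10 host=web01 event=auth_failure user=admin src=203.0.113.7
2024-03-04T09:58:12 host=web01 event=auth_failure user=admin src=203.0.113.7
2024-03-04T09:58:15 host=web01 event=auth_failure user=admin src=203.0.113.7
2024-03-04T09:58:40 host=web01 event=auth_success user=admin src=203.0.113.7
2024-03-04T10:15:00 host=db01 event=auth_success user=backup src=10.0.0.5
"""

FIREWALL_LOG = """\
2024-03-04T09:59:05 action=allow src=10.0.1.20 dst=198.51.100.9 dport=443
2024-03-04T10:20:00 action=allow src=10.0.0.5 dst=10.0.0.6 dport=5432
"""

# "List of affected systems": hostname -> internal address (constructed).
AFFECTED_SYSTEMS = {"web01": "10.0.1.20", "db01": "10.0.0.5"}

# The organization's own address ranges; anything outside is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Parse one 'timestamp key=value key=value ...' record into a dict."""
    ts_text, *pairs = line.split()
    record = {"ts": datetime.fromisoformat(ts_text)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_external(address):
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in INTERNAL_NETS)


def correlate(system_events, firewall_events, host_ips,
              window=timedelta(minutes=5), failure_threshold=3):
    """Correlate auth events with firewall events per host and time window.

    Returns one finding per (host, source) pair where at least
    `failure_threshold` failures preceded a success within `window`.
    """
    findings = []
    by_host = defaultdict(list)
    for event in system_events:
        by_host[event["host"]].append(event)

    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        failures = defaultdict(list)  # source address -> failure timestamps
        for event in events:
            if event["event"] == "auth_failure":
                failures[event["src"]].append(event["ts"])
                continue
            if event["event"] != "auth_success":
                continue
            recent = [t for t in failures[event["src"]] if event["ts"] - t <= window]
            if len(recent) < failure_threshold:
                continue
            # Failures-then-success seen; check for outbound traffic from the
            # affected host to an external address shortly after the login.
            host_ip = host_ips.get(host)
            outbound = [
                fw for fw in firewall_events
                if fw["src"] == host_ip and fw["action"] == "allow"
                and is_external(fw["dst"])
                and timedelta(0) <= fw["ts"] - event["ts"] <= window
            ]
            findings.append({
                "host": host,
                "src": event["src"],
                "failed_logins": len(recent),
                "success_at": event["ts"].isoformat(),
                "outbound_after_login": [f"{fw['dst']}:{fw['dport']}" for fw in outbound],
                "verdict": "likely attack" if outbound else "suspicious login",
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_log(SYSTEM_LOG), parse_log(FIREWALL_LOG), AFFECTED_SYSTEMS):
        print(finding)
```

The time window and failure threshold are deliberately parameters: they are tuning decisions the analysis procedure in the plan should document, since a threshold that fits a public web server will not fit an internal database host.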
Step 6: Containment
Describe how your organization would prevent a cyber attack from spreading further.
It is important that the type of attack has been identified during the analysis phase, because some attacks cause additional damage when they are contained. Redirecting the attacker's traffic to a sandbox can be one way to prevent further damage.
During the containment phase, the collection and processing of evidence must continue, and forensic activities should be as thorough as the situation allows. All forensic analysis should be documented and recorded. A backup of the infected system must be made for analysis.
During an incident, the pressure will be high to act quickly. To avoid unnecessary errors, it is however very important to take a step back and think before acting!
Once the source and type of cyber-attack have been identified, we can start securing the network and prevent further data theft or damage.
Step 7: Communication
Develop a cyber crisis communications plan detailing the internal and external stakeholders that your organization should communicate to in the event of a breach. Describe the communication channels that would be used to communicate with these stakeholders.
Step 8: Eradication
Provide an overview of the approaches and decisions the team will take to eliminate the threat from your organization’s internal system.
Step 9: Service Recovery/Restore
Describe the steps your organization will take to return to normal operations. The type of recovery will depend not only on time and financial resources but also on the damage the incident has caused to infrastructure and data.
Step 10: Post-event analysis
List the processes to be followed to ensure the implementation of lessons learned. Once the security incident has been stabilized, we must complete an incident report to document the incident. This will enhance the incident response plan and reinforce additional security measures to prevent such security incidents in the future. On the basis of lessons learned, the risks need to be reassessed and the security roadmap needs to be updated. New controls may need to be put in place to prevent future incidents.
The incident response plan and the crisis communication plan should also be updated to take into account lessons learned. Appropriate changes to security policies with staff and employee training should also be planned.
Cyber attack communication plan
A key element of any recovery from a cyber attack is to ensure that communications with internal and external stakeholders are coordinated and effective. A cyber attack crisis communications plan can mitigate many legal, operational and reputational risks if planned appropriately. For example, it helps ensure that the necessary stakeholders receive the right information at the right time. It also ensures that the necessary notification processes are followed. In doing so, internal stakeholders are informed of any actions to be taken during the recovery phase. Similarly, external stakeholders are regularly informed of any new developments and their impact.
Elements of the crisis communication plan
The plan should describe the main communication procedures that will be followed during an attack. The plan shall include:
- Communication objectives
- Roles and Responsibilities
- Stakeholder information and contact details
- Internal and external communication considerations
- Criteria for information sharing
- Upward (bottom-up) internal communication process
- Top-down internal communication process
- Stakeholder Notification Process
Do not forget to regularly test your incident response plan: https://digisoter.com/cybersecurity_response_plan/