Incident Response Plan – How Great It Is!
By Susan Carter

An incident response plan (IRP) should take its place right beside the business continuity and disaster recovery plans. It is that important! This plan should be considered a key corporate document that improves the chances that your company will survive the unexpected. The plan should be designed to contain broad procedural guidelines that can be applied to the majority of security incidents. The bulleted list below can be used to evaluate your company’s IRP. Your IRP should include:

  • Senior management approval/buy-in (very important)

  • Team structure (Include appropriate technical subject matter experts, identified by their areas.)

  • Team roles

  • Complete on-call information including home phones and alternates

  • Organizational approach to incident response

  • Incident severity rating guidelines to help determine if the IR team needs to be activated

  • Steps on how an incident is declared and the IR team is activated

  • Authority of IR team to confiscate or disconnect equipment/services

  • Communication channels and alternatives

  • Collection of forms to help with gathering information, documenting communications and steps taken, and to assist in report creation

  • Technical processes, techniques, checklists and forms for the incidents your company/industry is prone to, such as intrusions, malicious code infection, cyber-theft, DDoS attacks, web defacement, SQL injection, cross-site scripting, etc. (These individual response actions can be referenced as sub-documents, and each should contain the six phases of IR: Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned.)

  • Forensic analysis systems, or a contract with a vendor that has appropriately skilled and equipped staff, to help determine if the incident involved illegal or unauthorized activity that may need to be acted on in a legal proceeding

  • External communication and information sharing procedures with your ISP, vendors, law enforcement, media and other incident response teams (This information sharing needs to be discussed with the public affairs office, legal and management ahead of time, and any required NDAs should be ready beforehand.)

  • Requirements for reporting incidents involving data protected by statute or regulation (This data should have already been identified during the business impact analysis phase of your business continuity plan.)

  • Steps on how to determine, announce and return to normal processing

  • IRP review and testing requirements

An up-to-date, “as-built” network diagram is an invaluable resource to keep with your IRP. Also include a list of the location of all your logs and the approximate duration of history available for each log set; a proven tool to efficiently review those logs will prove itself invaluable as well. Test your plan at least annually, if not twice a year, especially if you have not had the opportunity to put the plan into action for an active incident.
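The log inventory described above is only useful if it is still true when the IR team needs it. The script below is an added example, not part of the article or of any NCA material: it takes an inventory of log sets (each with a location and the retention the IRP claims is available), checks that each location exists, measures how much history is actually on disk from file modification times, and flags sets that are missing, empty or shorter than promised. The log set names, directory layout and retention figures are constructed for the demonstration and are not from the article.

```python
"""Audit an IRP log inventory against what is actually on disk.

Added example (not the article's own material). Assumes each log set is a
directory of rotated files whose modification times reflect when the data
was written, which is how most syslog/logrotate setups behave. Names, paths
and retention figures below are constructed for the demo.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DAY = 86400.0


@dataclass
class LogSet:
    name: str            # label used in the IRP (constructed)
    path: str            # directory holding the rotated files for this set
    expected_days: int   # retention the IRP promises for this set


def measured_history_days(path: str, now: Optional[float] = None) -> Optional[float]:
    """Days between the oldest file under `path` and `now`; None if no files."""
    now = time.time() if now is None else now
    mtimes = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            mtimes.append(os.path.getmtime(os.path.join(root, name)))
    if not mtimes:
        return None
    return (now - min(mtimes)) / DAY


def audit_inventory(inventory: List[LogSet], now: Optional[float] = None
                    ) -> List[Tuple[str, str, Optional[float]]]:
    """Return (name, status, measured_days) for every log set.

    status is one of MISSING (directory absent), EMPTY (no files),
    SHORT (less history than the IRP claims) or OK.
    """
    results = []
    for ls in inventory:
        if not os.path.isdir(ls.path):
            results.append((ls.name, "MISSING", None))
            continue
        days = measured_history_days(ls.path, now)
        if days is None:
            results.append((ls.name, "EMPTY", None))
        elif days + 0.5 < ls.expected_days:   # half-day tolerance for rotation timing
            results.append((ls.name, "SHORT", days))
        else:
            results.append((ls.name, "OK", days))
    return results


def build_sample_inventory(base: str) -> Tuple[List[LogSet], float]:
    """Create a constructed directory tree with back-dated files for the demo."""
    now = time.time()

    def make(dirname: str, ages_days: List[int]) -> None:
        d = os.path.join(base, dirname)
        os.makedirs(d, exist_ok=True)
        for age in ages_days:
            p = os.path.join(d, f"log-{age}d")
            with open(p, "w") as fh:
                fh.write("constructed sample line\n")
            ts = now - age * DAY
            os.utime(p, (ts, ts))   # back-date the file to simulate rotation age

    make("firewall", [0, 10, 30, 90])                         # 90 days on disk
    make("auth", [0, 3, 7])                                   # only 7 days on disk
    os.makedirs(os.path.join(base, "proxy"), exist_ok=True)   # present but empty
    inventory = [
        LogSet("firewall", os.path.join(base, "firewall"), 90),
        LogSet("auth", os.path.join(base, "auth"), 30),
        LogSet("proxy", os.path.join(base, "proxy"), 30),
        LogSet("vpn", os.path.join(base, "vpn"), 30),         # never created
    ]
    return inventory, now


def run_demo() -> Dict[str, str]:
    """Build the constructed inventory in a temp dir and return name -> status."""
    with tempfile.TemporaryDirectory() as tmp:
        inventory, now = build_sample_inventory(tmp)
        return {name: status for name, status, _ in audit_inventory(inventory, now)}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        inv, ts_now = build_sample_inventory(tmp)
        for name, status, days in audit_inventory(inv, ts_now):
            shown = "-" if days is None else f"{days:.1f}d"
            print(f"{name:10s} {status:8s} {shown}")
```

Run it as part of the annual plan test: every SHORT, EMPTY or MISSING line is a gap between what the IRP promises responders and what they will actually find, and the inventory (or the retention configuration) should be corrected before the next exercise. For log sets kept in a SIEM rather than on a file system, the same check would query the platform's earliest available event instead of file modification times.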

The IRP needs a safe and accessible home. This plan will contain detailed, proprietary corporate information along with personal contact information. It should be stored in a secured area on your network, but since the network may not be accessible during an incident, it is a good idea to give an encrypted copy on a thumb drive to key team members. Have another copy stored in an undisclosed location outside the company.

Your IRP is never done! It is a living document and should be revisited and revised as needed after every incident, after significant changes to your environment, after changes in key staff, or at least once a year. Your organization changes over time, new threats emerge and team members change, and your IRP needs to be kept current to be effective and valuable.

To learn more about creating an Incident Response Plan for your organization contact NCA at info@ncanet.com or call 1.800.604.6536