Critical Components For An Incident Response Plan
By Bruce Nelson
As a managed services provider, we know that effective response to a security incident is a complex undertaking. Establishing a successful response capability requires substantial planning and resources. The categories and tasks below are what we believe to be critical components of the plan, but certainly not a comprehensive list.
Incidents can be triggered in any number of ways, including outsider hacking, insider sabotage, inadvertent sharing of sensitive information and natural disaster. Regardless of the source, every incident response plan should have the following sections and high-level tasks.
Fail to plan and you plan to fail. Proper planning and preparation are key to successful incident response.
Develop a detailed communication plan for key stakeholders inside and outside the organization. The plan should include:
- Who is authorized to communicate information with various stakeholders
- A current status statement, so that all interactions are up to date and consistent
- Staff training for handling the media if or when necessary
- Solid documentation on the environment
- List of contacts (internal & external) with current contact information, such as the response team, ISP, legal, insurance and others
It’s happened, you got the call. Ransomware, unauthorized access to sensitive data, theft of data or natural disaster. Regardless of the triggering event, it’s time to put the plan to work. First, confirm that the triggering event is a true event: is it truly ransomware, or has something else triggered an outage? Validation is important because it keeps efforts focused on the real issues. The next step is to declare an incident and assemble the response team. They should focus their efforts on determining the scope of the incident:
- Networks, applications, locations, users impacted
- Potential damage to and theft of resources
- Need for evidence preservation
- Estimated duration of downtime
- Whether the bad actor still has access
- Plan and duration to remediate (restore backup, bring up hot site, etc.)
- Document and communicate stakeholder tasks, for example:
  - Users to reset passwords
  - IT to update firewall policies
  - Marketing to draft public communications
The job is not done once the threat has been mitigated and user access has been restored. Response teams should consider the following after the event:
- Review, document and debrief with team and partners
- Develop communications for team and outside parties
- Contact insurance carriers
- Prepare media response (as needed)
- Prepare estimates of current and future financial impact of the incident
As I’ve said, this is a high-level overview of an incident response plan.