Creating an Incident Response Plan
Creating an Incident Response Plan
Disruptions to business operations occur frequently and vary greatly in terms of scope and scale. Organizations should establish formal policies and procedures in order to minimize the impact of disruptions. Incident response is part of the incident management process, and can be defined as the process of detecting, analyzing, responding to, and improving from disruptive events. The goal of an incident response plan is to mitigate the impact of a disruptive event and restore normal operations.
General principles of Enterprise Incident Response:
An incident response plan establishes processes that accomplish the following:
- Detect and identify events
- Triage and analyze events to determine whether an incident is underway
- Respond and recover from an incident
- Improve the organization’s capabilities for responding to a future incident.
Additionally, an effective Incident response program will accomplish the following:
- Establishment of a formal incident response plan
- Development of procedures for performing incident handling and reporting
- Establishment of guidelines for communication with outside parties
- Establishment of a team structure and staffing model
- Establishment of relationships and communication channels between the incident response team and other relevant groups
- Identification of what resources the incident response team should be provisioned with
- Staffing and training of the incident response team
Incident Response Planning Phases:
1.) Create the Incident Response Plan:
- Obtain support for Incident Response (IR) planning
- Establish event detection process
- Establish an event analysis process
- Establish and incident declaration process
- Establish incident response and recovery process
- Establish IR communication process
- Establish post IR improvement process
- Assign IR roles and responsibilities
- Review and update IR plan
2.) Test the Incident Response Plan:
- Establish the testing process
- Test the incident management plan
- Report and record the results
3.) Refine the Incident Response Pan:
- Identify criteria for revision and improvement
- Conduct post-action analysis of IR plan activities
Events and Incidents:
An event can be defined as one or more occurrences of something that affect an organization’s assets and have the potential to disrupt its operations. An incident is a high-magnitude event (or series of events) that significantly effects an enterprise’s assets and requires the organization to respond to prevent (or limit) the scope of the disruption.
Information Sharing & Communication:
Incident response planning requires the establishment of formal information sharing and communication protocols.
Communication procedures and the chain-of-custody should be established between the incident response team and the organization’s relevant stakeholders as determined by management.
These procedures should also include any external parties that might need to become involved in the incident response process (e.g., law enforcement, etc.).
Organizations should dedicate specific personnel to the Incident Response team. This team structure should also recognize organizational dependencies and ensure that the team has the adequate resources and authority to accomplish their stated duties
Establishing and supporting an ongoing incident management program enables your organization to evaluate the impact of significant events that may adversely affect employees, assets, or customers. The incident management program helps to ensure that your organization can recover its mission-critical functions and meet its responsibility to its stakeholders.
References
- https://www.cisa.gov/uscert/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-IM.pdf (CERT-RMM IM)
- https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final (SP-800-61_R2)
- https://www.fema.gov/sites/default/files/2020-07/fema_nims_doctrine-2017.pdf (FEMA NIMS)
- https://resources.sei.cmu.edu/asset_files/Handbook/2016_002_001_514462.pdf (CERT-RMM)
Related Blog Posts
What Is a Risk Assessment and Why Is It Necessary?
What Is A Risk Assessment? A Risk Assessment is a comprehensive and exhaustive examination of an organization’s current security controls and information systems. A senior risk assessor works to identify any existing threats or areas of concern, and...
What Is Penetration Testing and Why Is It Necessary?
What Is Penetration Testing? Penetration Testing is when an organization hires professional hackers, also known as “ethical hackers”, to identify vulnerabilities in an organization’s security architecture. Penetration Testing takes an offensive...
Information Security Tips
TOP SECURITY TIPS Creating an effective information security policy is critical to the survival of any organization. We’ve compiled a helpful list of all our best information security tips to help protect businesses against growing cyber threats. Be...
The Rising Need for Digital Forensics
What is Digital Forensics? According to US-CERT, Digital (Computer) Forensics can be defined “as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications,...
Want to learn more? Our Security Experts Are Here For You
Newsletter
Subscribe To Our Newsletter
We've been creating some excellent webinars and local events. Join our mailing list for the latest on industry trends and strategies for cyber defense.
Need Immediate Assistance?
Give us a call (405) 771-6399
Headquarters
3841 E Danforth Rd, Ste 106, Edmond, OK 73034
110 E. Houston St, 7th Floor, San Antonio, TX 78205
Copyright 2024 - Critical Fault, LLC. | Privacy Policy
