The Importance of a Cyber Incident Response Plan
What is it, first of all? Put simply, it is a written plan that tells an organization of any size how to detect security breaches, how to respond to them, and what steps to take to recover whatever was lost or damaged.
To be clear, most incident response plans are tied to technology in one way or another; typical triggers are service outages, malware detections, and data theft. But every plan should also cover the non-technical functions an incident touches: HR, internal communications, finance, public relations, suppliers, partners, regulators, insurers, legal, local authorities, and any other connected outside entities.
It might sound like a large assignment to cover all of these territories, but it is well worth it. Once you have a foundational incident response procedure for one area, you can adapt it for the other departments.
What should you put in a cyber incident response plan?
This type of project is not one and done. It should be treated as a living document that is changed or extended as needed. As you perform regular detection activities, adjust the plan according to what you find: potential data breaches, previously unknown threats, and intrusions that went undetected.
Here are some benchmarks to consider putting in your plan:
- Measure whether you have enough resources to detect and respond to an attack. IT resources can be in-house or third party.
- Every stakeholder should have a defined role and responsibilities. Stakeholders include advisors, PR, IT, internal communications, and support.
- Determine the value of each kind of information you hold to work out what needs protecting. Then establish its sensitivity level and exactly where it is stored.
- Hash out what the chain of command should look like. Is there an incident leader you want to put in charge? Does the chain of command include corporate leaders and their specialists? Who should activate the incident response plan, and who do they report to? Who has the authority to shut systems down in an emergency?
- Create a process flowchart so that all stakeholders understand the steps and who the incident is handed to next. For example, when does the legal team get involved? When does HR step in? When is it okay to talk to the media? At what point are the authorities brought in?
- What cybersecurity regulatory requirements apply to the organization? Those should be included in the plan and in how it functions across departments. There should also be instructions on how to work with law enforcement and government agencies if necessary.
- Research and keep a vetted list of technology suppliers for hardware replacement, forensics, and other services you may need during or after an incident, with their contact details.
- If there are high-level credentials, including SSH keys and passwords, store them in a secured, centralized, access-controlled location (for example a password vault) rather than scattered across workstations and documents.
- Involve employees in the process by requiring them to report any suspicious emails that could endanger network security.
- For privileged credentials, make sure that those issued to temporary employees are rotated or expire automatically. Periodically search for orphaned accounts belonging to past employees and confirm they no longer have access.
- Firmly establish an integrated, comprehensive communication system that swiftly informs internal and external participants of the incident.
- The plan should also include the procedures for detection and analysis and the response protocol. The last component is nailing down what the recovery process will look like.
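The orphaned-account and stale-credential sweep described in the list above, as an added example that is not part of the original article. It assumes a constructed account export and HR roster with hypothetical field names (user, privileged, last_login, temp_expires); in practice the same logic would run over data pulled from a directory service, cloud IAM, or a privileged access management tool.

```python
"""Sweep privileged accounts for orphans, stale logins and expired temporary access.

Added example for the article above, not the article's own tooling.
Inputs are constructed inline with hypothetical field names so that it runs offline.
"""
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible; a real sweep would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed account export (hypothetical fields). last_login / temp_expires are ISO dates.
ACCOUNTS = [
    {"user": "alice",       "privileged": True,  "last_login": "2024-05-30", "temp_expires": None},
    {"user": "bob",         "privileged": True,  "last_login": "2024-01-02", "temp_expires": None},
    {"user": "contractor7", "privileged": True,  "last_login": "2024-05-20", "temp_expires": "2024-05-15"},
    {"user": "svc-backup",  "privileged": True,  "last_login": "2024-05-31", "temp_expires": None},
    {"user": "carol",       "privileged": False, "last_login": "2024-05-28", "temp_expires": None},
]

# Constructed HR roster: username -> employment status. Service accounts have no HR record.
HR_ROSTER = {
    "alice": "active",
    "bob": "terminated",
    "contractor7": "active",
    "carol": "active",
}


def parse_date(value):
    """Parse a YYYY-MM-DD string into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def sweep(accounts, roster, now=NOW, stale_days=90):
    """Classify accounts into the findings an incident responder would act on.

    orphaned         - account owner is terminated in HR but the account still exists
    no_owner         - privileged account with no HR record (service account needing an owner)
    stale_privileged - privileged account not used for more than stale_days
    expired_temp     - temporary access whose expiry date has passed but is still enabled
    """
    findings = {"orphaned": [], "no_owner": [], "stale_privileged": [], "expired_temp": []}
    for acct in accounts:
        user = acct["user"]
        status = roster.get(user)

        if status == "terminated":
            findings["orphaned"].append(user)
        elif status is None and acct["privileged"]:
            findings["no_owner"].append(user)

        if acct["privileged"] and now - parse_date(acct["last_login"]) > timedelta(days=stale_days):
            findings["stale_privileged"].append(user)

        if acct["temp_expires"] and parse_date(acct["temp_expires"]) < now:
            findings["expired_temp"].append(user)
    return findings


def remediation(findings):
    """Map findings to the action the plan should trigger for each account."""
    actions = {}
    for user in findings["orphaned"]:
        actions[user] = "disable account and rotate any shared credentials it could reach"
    for user in findings["expired_temp"]:
        actions.setdefault(user, "revoke temporary privilege and rotate its credentials")
    for user in findings["stale_privileged"]:
        actions.setdefault(user, "confirm still needed; otherwise remove privilege")
    for user in findings["no_owner"]:
        actions.setdefault(user, "assign a named owner and document the purpose")
    return actions


if __name__ == "__main__":
    result = sweep(ACCOUNTS, HR_ROSTER)
    for category, users in result.items():
        print(f"{category}: {users}")
    for user, action in remediation(result).items():
        print(f"{user}: {action}")
```

Run against real data, the thresholds (90 days of inactivity, a hard expiry on temporary access) and the remediation wording would come from the plan itself; the point is that the sweep is repeatable and produces a named action per account rather than a report someone has to interpret.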
The follow-up process is also important. Here are some things to consider when planning it:
- Swiftly complete an incident response report. Be detailed, and include every department of the business that was affected by the incident.
- Get input from management on whether the response, the process, and the report were satisfactory. That feedback should identify where more technology, training, or investment in people is needed.
- From time to time, run a compromise assessment or a general security scan to check the health of devices, networks, and systems.
- Include leadership and employees in the lessons learned. Discuss what went well and what did not, and examine the procedures to see how to make them stronger in the future.
- Make sure all stakeholders are up to date on plan changes and new threat trends. Seek out their advice on preventing further breaches, and keep them involved so they understand that security requires everyone's participation.
To wrap up, the goal of developing a cyber incident response plan is to give your technology and IT security team a plan that is effective, comprehensive, coordinated, simple, and repeatable.
The best way to approach a cybersecurity incident response plan is to remember that it is a living document. Treating it as a one-and-done plan can actually be detrimental to your company. Things change all the time, and new threats appear almost daily, so the plan should be reviewed, and scans and checks performed, at least annually to make sure it stands up to the current level of threat.
To make things easier on the team that would be involved, consider creating a checklist of everything that needs to happen, so that people can follow the protocol and complete their checks without missing any key component. This is more effective and thorough, and it lets the team do a good job without guesswork.
Above all, define the order in which leadership is notified and the incident reporting steps, to eliminate confusion and unnecessary delays in the detection and response phases of the process.