A cybersecurity incident response plan (IR plan) is a documented action plan for the IT teams that respond to computer security incidents.
NIST (the National Institute of Standards and Technology, USA) publishes the Computer Security Incident Handling Guide, which outlines 4 key phases of the incident response plan and process.
SANS publishes another standard incident response framework; its 6 incident response steps cover components similar to those of the NIST incident response process.
An effective cyber incident response plan has 6 phases:
Incident Response Phase #1: Preparation
What is the preparation phase of incident response?
The preparation phase is about being ready before a security incident occurs.
As the name indicates, the preparation step is about preparing for incidents, with the aim of reducing the probability that one occurs. Managing cyber risk to sensitive data and network security becomes a collective effort across the organization.
Incident response capabilities established in the preparation stage include:
- Incident response policy
- Incident response plan
- Incident response communication plan
- Incident response documentation
- The Computer Security Incident Response Team (CSIRT)
- Incident response access control – for resource allocation and quick responses
- Incident response tools – to strengthen the responders' toolset
- Incident response training – to deal with a cyber crisis
Planning how to detect and respond to a disruptive security incident, and how to reduce recovery time, is what makes the preparation phase so important in the incident response lifecycle.
Key considerations include what happens before, during and after a security incident or data breach; the tools, policies and procedures in place; and cyber security awareness.
The value of an effective incident response plan also lies in the 'health' of IT assets, i.e. that systems, networks, servers, endpoints and applications are sufficiently secure.
The preparation phase of the incident response process is the step that determines:
- Security policies and procedures for incident response management
- Incident response communication plan for effective incident management communications
Built around both internal and external stakeholders, the procedure is the quick response that identifies, documents and categorizes an organization's 'vitals', which could be:
- Criticality of key assets
- Cyber threats to key information and data assets
- Controls and the level of protection they provide
Are the employees trained on security policies?
A security awareness training program educates employees about internet and computer security and requires allocating staff and resources. NIST 800-53 addresses this in its AT (Awareness and Training) control family.
Incident Response Phase #2: Identification
9 key questions to ask during the Identification stage of incident response
- How was the security event discovered?
- Who discovered the incident?
- What is the scope of the security breach?
- Is it affecting operations?
- What could be the attack vectors?
- What is the source of the compromise?
- How does the security incident affect business operations?
- Does it affect operations?
- What was the first sign of an incident?
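As an added example that is not part of the original article, the small triage helper below answers several of the Identification-stage questions above (first sign, who discovered it, scope, source, impact on operations) from a constructed set of alerts; the alert fields, sample values and critical-host list are all assumptions.

```python
# Added example: Identification-stage triage over constructed alerts.
from collections import Counter
from datetime import datetime

# Constructed sample alerts: (timestamp, detector, source, affected host).
SAMPLE_ALERTS = [
    ("2024-03-04T09:12:00", "edr", "198.51.100.7", "ws-042"),
    ("2024-03-04T09:05:30", "ids", "198.51.100.7", "ws-042"),
    ("2024-03-04T09:40:10", "edr", "198.51.100.7", "fileserver-1"),
    ("2024-03-04T10:02:45", "helpdesk", "ws-042", "erp-db"),
]

# Hosts whose compromise affects business operations (assumed list).
CRITICAL_HOSTS = {"fileserver-1", "erp-db"}


def identify(alerts, critical_hosts=CRITICAL_HOSTS):
    """Summarize Identification-stage answers from alert tuples.

    Returns a dict with: first_sign (earliest alert time), discovered_by
    (detector that raised the earliest alert), scope (sorted affected
    hosts), source (most frequent originating address) and
    affects_operations (whether any affected host is critical).
    Returns None when there are no alerts to triage.
    """
    if not alerts:
        return None
    # Alerts arrive out of order; sort by timestamp to find the first sign.
    ordered = sorted(alerts, key=lambda a: datetime.fromisoformat(a[0]))
    first_ts, first_detector, _, _ = ordered[0]
    scope = sorted({host for _, _, _, host in alerts})
    source = Counter(src for _, _, src, _ in alerts).most_common(1)[0][0]
    return {
        "first_sign": first_ts,
        "discovered_by": first_detector,
        "scope": scope,
        "source": source,
        "affects_operations": bool(set(scope) & critical_hosts),
    }


if __name__ == "__main__":
    for key, value in identify(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```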
Incident Response Phase #3: Containment
Incident Response Phase #4: Eradication
Incident Response Phase #5: Recovery
Incident Response Phase #6: Lessons Learned
Computer security incident response capability also depends on clearly defined members of the incident response team.
Incident response team members could include:
- Computer security incident response teams (CSIRTs)
- Incident response manager
- Director of IT
- System administrators
- IT security staff
- C-suite executives
- Human resources representative
An organized incident response process ensures that the IT team is ready, at a moment's notice, with the tools and procedures to identify, eliminate and recover from potential cyber attack scenarios.
What is the purpose of the incident response plan?
An incident response plan for IT has 3 specific goals:
· Lessen the security damage caused by a cyber-attack
· Safeguard the CIA (confidentiality, integrity and availability) of information, and
· Get the organization back on its feet by recovering from the security incident as soon as possible.
A computer security incident response plan supports the organization's mission by building a successful incident response capability through effective procedures.
A consistent incident handling methodology paves the way for business and technical assistance that is aligned with organizational policies.
An IR plan should be updated from time to time with incidents that went unnoticed and with collected metrics, so that it remains relevant in the modern ecosystem of security events.
Gone are the days when cyber incidents were viewed purely through an IT lens. When organizations lose $11.7 million per year because of cyber-attacks, business and technical experts alike have become aware of the IR plan and its collective role in safeguarding business data.
The activities in each IR plan phase ensure that business processes and the operational strategies and best practices for responding to a data breach are on the same page, protecting the confidentiality, integrity and availability of information and data.