Cybersecurity professionals around the world work to prevent security incidents that would undermine the confidentiality, integrity or availability of their organization's information assets. Unfortunately, the stark reality we face is that these incidents are virtually inevitable. Incidents will occur, and organizations should understand the incident response steps that they will take in the event of a cyberattack or other adverse event that has an impact on business operations.
Security incidents are extremely stressful times that place business and IT leaders under enormous pressure to react quickly to minimize damage. This fast-paced, high-pressure environment is not conducive to sound decision-making. Developing an incident response and management plan enables organizations to make many of these important, strategic decisions in advance of an incident. Instead of creating plans in the pressure cooker environment of a security breach, they can carefully think through their decisions in the calm pre-incident environment.
Fortunately, organizations don't need to develop these plans in isolation. Instead, they may follow frameworks developed by thought leaders in the field. The "NIST Computer Security Incident Handling Guide" is widely considered to be the authoritative source for incident response planning efforts. Organizations can begin with this widely adopted approach and tailor it to meet the specific business needs of their environment. For example, the NIST guide outlines a four-step incident response cycle:
- Detection and analysis
- Containment, eradication and recovery
- Post-incident activity
Organizations developing their own incident response plans can work within this framework to create the policies and procedures that guide their own actions.
This article is part of
Let's take a look at six critical steps that organizations can take when developing their own incident response plans.
Step 1: Create a policy
The first step in creating an incident response plan is to develop or update the organization's incident remediation and response policy. This foundational document serves as the basis for all incident handling activities and provides incident responders with the authority they need to make crucial decisions. The policy should be approved by as senior an executive as possible and should outline the organization's high-level priorities for incident response.
Importantly, the policy should designate a senior leader as having primary authority and responsibility for incident handling. This person may delegate some or all of their authority to others involved in the incident handling process, but the policy should clearly designate a specific position as bearing primary responsibility for incident response.
When creating a policy, organizations should strive to keep the language high-level and generalized. The policy should serve as a guiding force for incident response but not dive into the granular details. Procedures and playbooks will fill out those details. The objective is to develop a policy that will be long-lasting.
Step 2: Form an incident response team and define responsibilities
While a single leader should bear primary responsibility for the incident response process, this person leads a team of experts who carry out the many tasks required to effectively handle an information security incident. The size and structure of an incident response team will vary based upon the nature of the organization and the number of incidents that take place. For example, a large global company may have different incident response teams that handle specific geographic areas using dedicated personnel. A smaller organization may use a single centralized team that draws on team members from elsewhere in the organization on a part-time basis. Other organizations may choose to outsource some or all of their incident response efforts.
Whatever team model an organization chooses, team members should be trained on their responsibilities at the various stages of incident handling and conduct regular exercises to ensure that they are ready to respond to future incidents.
Step 3: Develop playbooks
Playbooks are the lifeblood of a mature incident response team. While every security incident differs in some ways, the reality is that most incidents follow standard patterns of activity and would benefit from standardized responses. For example, when an employee's smartphone is stolen, the organization may follow some standard steps:
- Issue a remote wipe command to the device.
- Verify that the device was encrypted.
- File a stolen device report with law enforcement and the service provider.
- Issue the employee a replacement device.
This sequence of steps forms a basic procedure template for responding to lost or stolen devices -- it's a playbook for handling a device theft. The incident response team does not need to figure out what steps to take every time a device is lost or stolen because they can simply refer to the playbook.
As organizations build out their incident response teams, they should develop a series of playbooks that address their most common incident types.
Step 4: Create a communication plan
Incident response efforts involve a significant level of communication between different groups within the organization, as well as external stakeholders. The incident response communication plan should address how these groups will work together during an active incident and the types of information that may be shared with internal and external responders.
One crucial issue that should be addressed by the communication plan is the involvement of law enforcement. Who in the organization is authorized to call in law enforcement, and when is it appropriate to do so? Involving law enforcement often generates adverse publicity, and organizations should make this decision deliberately.
Step 5: Identify lessons learned
Each incident that occurs is a learning opportunity for the organization. The incident response plan should require a formal lessons-learned session at the conclusion of every major security incident. These sessions should include all team members who played a substantial role in the response and provide an opportunity to identify both security control gaps that contributed to the incident and places where the incident response plan itself can be adjusted. This enables the organization to reduce the likelihood of future incidents and improve its ability to handle those incidents that do occur.
Security incidents occur in every organization. Well-designed incident response plans are often the crucial differentiator that enables organizations to quickly contain the damage from an incident and rapidly recover normal business operations.