Incident Response Plan

Creating an Incident Response Plan (IRP) is crucial to maintaining control and minimizing the impact of cyber incidents, using a well-prepared response team, structured processes and regular risk assessments.

What is an Incident Response Plan?

An Incident Response Plan (IRP) describes the process a company or organization follows when faced with a data breach or cyber attack. The plan aims to ensure that Incident Response is executed effectively. For example, it sets out the process steps, the required resources, and the required communication and escalation paths.

In addition to the description of procedures, the Incident Response Plan also determines which persons within the organization should follow them. This group of persons is referred to as the Incident Response Team (IRT). The aim of the IRT is to get the incident under control as quickly as possible and to minimise the impact of the cyber incident so that the continuity of the organisation is no longer threatened.

Which aspects are indispensable in an Incident Response Plan?

1. Proper preparation

Before you start drawing up an Incident Response Plan, good preparation is essential. After all, good preparation is half the job. The preparation phase is therefore the most important phase within the Incident Response Plan. During this phase, employees are trained in recognising an incident and made aware of the role they play and the responsibilities that go with it. In order to prevent gross errors from occurring at a later stage, dry runs are developed to practice different scenarios in advance. Finally, during the preparation phase, all parts of the Incident Response Plan are approved and secured.

2. Identify information assets

An information asset refers to any system within your organisation where business information can be found. Think of a cloud environment or a backup. Identifying your information assets helps you understand what information must be protected, where the information is located, and the legal obligations you must comply with in the event of a data breach. In addition to information assets, your organisation has various systems and resources at its disposal. Once you have made an inventory of your assets, define how you would use them in different types of incidents. With careful management of the security risks of these resources, you can minimize affected systems and potential losses.

3. Identify potential risks

Carry out a risk assessment to determine the probability of each risk occurring and how severe it would be. The specific risks faced by your organisation depend on the current systems. The systems you use change, and so do the risks for your organization. It is therefore important to adapt the risk assessment to the current state of affairs. An example of a high risk is a breach of the security of a privileged account with access to sensitive data. If the probability of such a breach is high, a specific contingency plan must be drawn up when developing an Incident Response Plan.

4. Composition of an Incident Response Team and other key stakeholders

The key stakeholders are the persons responsible for implementing and maintaining the Incident Response Plan. The most important stakeholders are the members of the Incident Response Team. In addition, you can think of the senior manager or the IT department within your organisation. In compiling these key stakeholders, you can also investigate what educational needs they have in order to better perform their task.

5. Develop and ensure appropriate procedures

Haphazard actions lead to unstructured work. As an organization, it is important to determine the framework from which you will work. A framework is a concept that brings structure to the implementation of the Incident Response Plan and is based on standards. One of the frequently used standards comes from the International Organization for Standardization (ISO). Standards help define, design and manage the Incident Response Plan.

6. Secure the plan within the organization including approval of decision making

For the most effective implementation of the Incident Response Plan, a good understanding of business processes, technical processes and security processes is essential. This will ultimately lead to reduced costs in the event of an incident.

Why is an Incident Response Plan important?

The number of cyber incidents is increasing and hackers carry out 2244 attacks every day. The average cost associated with an incident has been estimated at 3.3 million in 2020. These attacks are not exclusively aimed at large companies. Namely, 43% of the victims of cyber security incidents in 2020 were small businesses. Nevertheless, it appears that a significant proportion of IT and security professionals do not have an Incident Response Plan. The absence or ineffectiveness of an Incident Response Plan can seriously increase the impact of an incident. It slows down the identification of the incident and this delay is associated with higher costs. Finally, financial damage is often followed by reputational damage. Implementing an Incident Response Plan minimizes both types of damage.

Tips for drawing up an Incident Response Plan

  • Outsource the design and execution of an Incident Response Plan to professionals. Every organization is sensitive to a cyber security incident and therefore also benefits from an Incident Response Plan. At the same time, it is quite understandable that this is a time-consuming and complicated operation for many organizations. It is therefore highly advisable to engage a professional party for this important task. To write an effective and efficient Incident Response Plan adapted to your organization and your risks, you can contact Legian. They are specialized in this field and have gained extensive experience within the cyber security world. The NFIR can be consulted for the deployment of its Incident Response Team, which is available 24/7 to be at your location within three hours. After all, in the event of an incident it is very important to act quickly and skilfully in order to limit the increasing damage as much as possible.
  • Work with a concrete plan. Practical experience has shown that many Incident Response Plans contain only a general description and are insufficiently specific with regard to the incident that is taking place. As an organisation it is good to have insight into the top risks and to anticipate them. Keep the Incident Response Plan and all supporting documentation up to date. Policies, contact lists and basic items such as the CMDB of the assets become outdated over time, especially if, for example, reorganisations have taken place in the meantime. For this reason, it is important to always keep the Incident Response Plan up to date.
  • Testing-Testing-Testing. The use of an Incident Response Plan involves more than meeting the above requirements. You will need to test this plan regularly with the actual players in the organization and then test it in practice. An untested Incident Response Plan is merely a form of false security.
  • Lessons learned: fine-tune your Incident Response Plan based on evaluation. After an incident where the Incident Response Plan has been applied, evaluation is an important follow-up step. The points from this evaluation form the basis for changes in subsequent incidents and should be included in test runs.

Security incident? Meet Incident Response

Our Incident Response team is available 24/7 to identify and resolve any cyber incident.

Frequently asked questions

  1. Proper preparation
  2. Identify information assets
  3. Identify potential risks
  4. Assemble an Incident Response Team and other key stakeholders
  5. Develop and secure appropriate procedures
  6. Secure the plan within the organization including approval of decision making

Cyber attacks are becoming more frequent: hackers carry out 2244 attacks every day. The average cost of an incident was estimated at 3.3 million in 2020. Attacks do not exclusively target large companies: 43% of victims of cybersecurity incidents in 2020 were small businesses, according to a study by the National Cyber Security Alliance. The absence or ineffectiveness of an Incident Response Plan can seriously increase the impact of an incident; it delays the identification of the incident and this delay is accompanied by increased costs. Financial damage is often followed by reputational damage when companies fall victim to a cyber attack. Implementing an Incident Response Plan minimizes both types of damage, as well as the delays associated with identifying an attack.

  1. Outsource the design and execution of an Incident Response Plan to professionals.
  2. Work with a concrete plan.
  3. Testing-Testing-Testing.
  4. Lessons learned: fine-tune your Incident Response Plan based on evaluation.

  • Triage: the aim of this step is to identify the source(s) and affected devices and/or systems, set priorities based on these and determine the plan of approach for further research. At the same time, data is safeguarded in a forensic way for possible further investigation.
  • Containment: this process involves restoring affected devices and/or systems and verifying security so normal operations can resume.
  • Post incident activities: When the incident is resolved, a forensic investigation report is prepared. The report proposes solutions to prevent a similar event from occurring in the future. NFIR can also support and/or advise in the communication towards the Data Protection Authority, attorney at law and other parties involved.