Incident Response Plan
Incident Response Plan
What is an Incident Response Plan?
An Incident Response Plan (IRP) describes the process a company or organization follows when faced with a data breach or cyber attack. This plan endeavors to achieve effective execution of Incident Response. For example, the Incident Response Plan addresses the elaboration of the process steps, the required resources and the required communication and escalation paths.
In addition to the description of procedures, the Incident Response Plan also determines which persons within the organization should follow them. This group of persons is referred to as the Incident Response Team (IRT). The aim of the IRT is to get the incident under control as quickly as possible and to minimise the impact of the cyber incident so that the continuity of the organisation is no longer threatened.
Which aspects are indispensable in an Incident Response Plan?
1. Proper preparation.
Before you start drawing up an Incident Response Plan, good preparation is essential. After all, good preparation is half the job. The preparation phase is therefore the most important phase within the Incident Response Plan. During this phase, employees are trained in recognising an incident and made aware of the role they play and the responsibilities that go with it. In order to prevent gross errors from occurring at a later stage, dry runs are developed to practice different scenarios in advance. Finally, during the preparation phase, all parts of the Incident Response Plan are approved and secured.
2. Identify information assets
An information asset refers to any system within your organisation where business information can be found. Think of a cloud environment or a backup. Identifying your information assets helps you understand what information must be protected, where the information is located, and the legal obligations you must comply with in the event of a data breach. In addition to information assets, your organisation has various systems and resources at its disposal. Once you have made an inventory of your assets, define how you would use them in different types of incidents. With careful management of the security risks of these resources, you can minimize affected systems and potential losses.
3. Identify potential risks
Carry out a risk assessment to find out what the probability is of a risk occurring and what the severity of that risk is.
The specific risks faced by your organisation depend on the current systems. The systems you use change, and so do the risks
for your organization. It is therefore important to adapt the risk assessment to the current state of affairs. An example of high risk is the
breach the security of a privileged account with access to sensitive data. If the probability of such a breach is high, a specific contingency plan must be drawn up when developing an Incident Response Plan.
4. Composition of an Incident Response Team and other key stakeholders
The key stakeholders are the persons responsible for implementing and maintaining the Incident Response Plan. The most important stakeholders are the members of the Incident Response Team. In addition, you can think of the senior manager or the IT department within your organisation. In compiling these key stakeholders, you can also investigate what educational needs they have in order to better perform their task.
5. Develop and ensure appropriate procedures
Haphazard actions lead to unstructured work. As an organization, it is important to determine the framework from which you will work. A framework is a concept that brings structure to the implementation of the Incident Response Plan and is based on standards. One of the frequently used
standards come from the International Organization for Standardization (ISO). Standards help define, design and manage the Incident Response Plan.
6. Secure the plan within the organization including approval of decision making
For the most effective implementation of the Incident Response Plan, a good understanding of business processes, technical processes and security processes is essential.
of great importance. This will ultimately lead to reduced costs in the event of an incident.
Why is an Incident Response Plan important?
The number of cyber incidents is increasing and hackers carry out 2244 attacks every day. The average cost associated with an incident has been estimated at 3.3 million in 2020. These attacks are not exclusively aimed at large companies. Namely, 43% of the victims of cyber security incidents in 2020 were small businesses. Nevertheless, it appears that a significant proportion of IT and security professionals do not have an Incident Response Plan. The absence or ineffectiveness of an Incident Response Plan can seriously increase the impact of an incident. It slows down the identification of the incident and this delay is associated with higher costs. Finally, financial damage is often followed by reputational damage. Implementing an Incident Response Plan minimizes both types of damage.
Tips for drawing up an Incident Response Plan
- Outsource the design and execution of an Incident Response Plan to professionals. Every organization is sensitive to a cyber security incident and therefore also benefits from an Incident Response Plan. At the same time, it is quite understandable that this is a time-consuming and complicated operation for many organizations. It is therefore highly advisable to engage a professional party for this important task. To write an effective and efficient Incident Response Plan adapted to your organization and your risks, you can contact Legian. They are specialized in this field and have gained extensive experience within the cyber security world. The NFIR can be consulted for the deployment of its Incident Response Team, which is available 24/7 to be at your location within three hours. After all, in the event of an incident it is very important to act quickly and skilfully in order to limit the increasing damage as much as possible.
- Work with a concrete plan. Practical experience has shown that many Incident Response plans have a general description and are insufficiently specific with regard to the incident that is taking place. As an organisation it is good to have insight into the top risks and to anticipate them. Keep the Incident Response Plan and all supporting documentation up to date. Policies, contact lists and basic items such as CMDB of the assets become outdated over time. Especially if, for example, reorganisations have taken place in the meantime. For this reason, it is important to always keep the Incident Response Plan up to date.
- Testing-Testing-Testing. The use of an Incident Response Plan involves more than meeting the above requirements. You will need to test this plan regularly with the actual players in the organization and then test it in practice. An untested Incident Response Plan is merely a form of false security.
- Lessons learned: fine-tune your Incident Response Plan based on evaluation. After an incident where the Incident Response Plan has been applied, evaluation is an important follow-up step. The points from this evaluation form the basis for changes in subsequent incidents and should be included in test runs.
Security incident? Meet Incident Response
Our Incident Response team is available 24/7 to identify and resolve any cyber incident.
Frequently asked questions
Which aspects are indispensable in an Incident Response Plan?
- Proper preparation
- Identify information assets
- Identify potential risks
- Assemble an Incident Response Team and other key stakeholders
- Develop and secure appropriate procedures
- Secure the plan within the organization including approval of decision making
Why is an Incident Response Plan important?
Cyber attacks are becoming more frequent: hackers carry out 2244 attacks every day. The average cost of an incident is estimated to be 3.3 million in 2020. Although hacking attacks do not exclusively target large companies, 43% of victims of cybersecurity incidents in 2020 were small businesses, according to a study by the National Cyber Security Alliance . Not having or being ineffective in an Incident Response Plan can seriously increase the impact of an incident; it delays the identification of the incident and this delay is accompanied by increased costs. Financial damage is often followed by reputational damage when companies fall victim to a cyber attack. Implementing an Incident Response Plan minimizes both types of damage, as well as the delays associated with identifying an attack.
Tips for drawing up an Incident Response Plan
- Outsource the design and execution of an Incident Response Plan to professionals.
- Work with a concrete plan.
- Testing-Testing-Testing.
- Lessons learned: fine-tune your Incident Response Plan based on evaluation.
What is NFIR's working method for Incident Response?
- Triage: the aim of this step is to identify the source(s) and affected devices and/or systems, set priorities based on these and determine the plan of approach for further research. At the same time, data is safeguarded in a forensic way for possible further investigation.
- Containment:this process involves restoring affected devices and/or systems and verifying security so normal operations can resume.
- Post incident activities: When the incident is resolved, a forensic investigation report is prepared. The report proposes solutions to prevent a similar event from occurring in the future. NFIR can also support and/or advise in the communication towards the Data Protection Authority, attorney at law and other parties involved.