Incident Response Plan

Make a plan now; Save time when it counts.

At a Glance:

An incident response plan delineates what steps need to be taken, and by whom, when a breach or security crisis occurs in an organization. A robust response plan should empower teams to leap into action and mitigate damage as quickly as possible. Emergency responders go through regular training simulations and process checks, so when a situation arises they know how to act almost by muscle memory. Information security teams would be wise to follow their example: When an emergency occurs, you don’t want to waste time figuring out incident response processes and procedures while precious minutes are ticking away. Having a plan in place becomes paramount.

No one enjoys a crisis, but when it comes to incident response it pays to be prepared. Minutes count when a network has been infiltrated or data has been breached, and waiting to figure out processes in the heat of the moment will likely result in confusion, and worse still, slower overall response times to the incident itself.

To prevent this from happening to your organization, your incident response team should have a carefully mapped incident response plan, rehearsed regularly for a variety of possible scenarios with all stakeholders included across a variety of roles. After all, when a security incident occurs, it’s not just technical teams that need to act; non-technical resources—such as legal and communications—as well as outside parties will need to be involved, especially if you partner with a security service provider.

What’s In a Robust Incident Response Plan?

There’s a great deal of groundwork that can be done ahead of time to reduce complexity and risk during an emergency. An incident response plan should include:

  • Buy-in from key organizational stakeholders: When a crisis hits, your team needs to know they have the support from key stakeholders to act quickly. Make sure C-level executives and other stakeholders fully buy in to the response plan, give it their support, and empower the incident response team to act quickly and confidently during a crisis.
  • Clearly defined roles, responsibilities, and processes: The last thing your team needs is to be figuring out who owns what and trying to track that person down. Every element of incident response, from the technical to the non-technical, should have a named stakeholder attached to it with clear responsibilities outlined. People in these roles should have the expertise to carry out what’s expected of them (this is not the time to test your most junior team members). In addition, each incident response role should know exactly what processes they’re accountable for and what’s expected of them when an incident occurs, from determining the initial scope of the breach all the way to crisis communications. If there’s any ambiguity in the plan about who owns what, it may well be forgotten during a crisis.  
  • Technologies and partnerships to enable quick action: When running your incident response drills, make sure you have every tool in the toolbox you need to respond quickly and effectively. You will likely find some areas have large gaps, and others have some wiggle room to improve; where possible, make sure you have the internal technologies and tools available to your teams to do their jobs efficiently, making the most of automation where possible.

The key here is “quick.” If you don’t have the internal expertise or resources to conduct a quick response, or your toolset isn’t giving you the information as quickly as you need it, then you may want to look into external incident response services to help address these gaps and speed up your incident response times. (Make sure to include this external team in any drills you conduct!)

External Incident Response Services

If you need some support with your incident response plan, external providers can help address strategic and tactical gaps by:

  • Developing robust security programs: If you’re unsure whether your incident detection program covers all possible contingencies relevant to your organization, an incident response service can help you improve your readiness to incidents and breaches.
  • Conducting tabletop exercises: Put your internal incident response team through their paces with threat simulation exercises conducted by an outside service to verify your team’s readiness.
  • Conducting compromise and/or breach readiness assessments: An external incident response team can assess the current state of your organization’s environment and security processes, and identify any potential risks or gaps.
  • Providing immediate breach remediation: If you suspect you’re being breached and need immediate help, an external incident response service can jump into action to help stop further damage.
  • Offering incident response retainers: A retainer with an incident response service makes sure that your teams are as aligned as possible and that the external team is ready to go should the worst occur. Many retainers will include several of the services named above, and they will often guarantee a certain service level agreement on their response times.

It may sound repetitive, but the worst time to prepare for a breach really is after one has occurred. Having a robust incident response plan in place—and ensuring it has been communicated to all stakeholders—is the best way to prepare for this worst-case scenario.