6 steps to build an incident response plan

Updated at: Oct 01, 2019
By Gatefy

An incident response (IR) plan is a playbook that allows companies to act quickly in the event of cyberattacks and data breaches. The main purpose of an IR plan is to reduce losses and damage by combating threats effectively, which means responding to a threat in the shortest possible time and in the best way, without panic and without being caught by surprise.

To be effective, an incident response plan should integrate different areas of the company and should not treat all employees and machines the same way. It's necessary to differentiate which areas are the most important within the organization so that certain people and machines are isolated more quickly and have greater protection.

The importance of incident response

We believe that the importance of a business incident response plan lies in one word: security. From the moment the company becomes the target of an attack, an IR plan can ensure that the damage is as minor as possible and that no one is caught unprepared. Besides that, conscientious and trained employees ensure more protection for the company.

Faced with this, the question is: would your company's employees know what to do in the event of a security incident?

How to create an incident response plan

Today, in general, only enterprises (or large companies) have or are concerned about maintaining an IR plan. This scenario should change gradually as small and medium-sized businesses are frequent targets of cyberattacks. Creating an incident response plan requires dedication and at least one qualified person with knowledge in information technology and information security.

To make it easier, we've created a list of 6 questions that can help you build an effective incident response plan.

1. Who is the IR team and what are the company's critical points?

The first step in building your playbook is to define who will be responsible for creating and maintaining the incident response plan; naturally, most of this work will fall on the IT area. Then it's necessary to map the company's structure (departments, employees, tools used, types of data stored, etc.) and define the critical sectors, in other words, the areas and people that must be better protected.

2. What are the detailed tasks of the IR team?

A good incident response plan should document, in a clear and lean way, all the tasks that the IR team needs to perform and what the expected results are. In this sense, the playbook needs to answer questions such as "what?", "who?", "how?", "why?" and "what is the result?".

3. What are the worst incidents?

One of the biggest challenges when creating an incident response plan is precisely to determine what the threats are and which ones require the most attention. A good starting point is the set of incident categories defined by the US National Institute of Standards and Technology (NIST) based on attack vectors: external/removable media, attrition, web, email, impersonation, improper usage and loss of equipment.

It's important that there's a general recommendation for incidents and a specific one for more common and dangerous threats, including detailed information on possible damage to the organization and prevention methods and tips.

4. What protection tools should be used?

A complete IR plan should also take into account the monitoring, analysis and threat detection tools that give the IR team visibility into, and understanding of, what has happened or is happening. Protection solutions against viruses, malware, ransomware, BEC (business email compromise) and phishing are just a few examples.

It's these tools that provide the information used to fight the attack and even prevent future infections: the type of threat, the moment of infection, the speed of propagation and which machines were affected. This information is invaluable for a defense that is quick and effective.

5. In case of an attack, who should be notified?

In addition to the IR team, who else should be notified in the event of an incident? It's important to think about this issue and have a strategy ready, since, depending on the type of threat, an incident can affect different areas of the company and even partners and customers. It may even have legal implications. That's why every business sector needs to be aware of the incident response plan. Better still: everyone needs to have access to the IR plan. Work toward that.

6. Have you already established a disaster recovery strategy and tested your IR plan?

To finish, two tips. First: if you already have your IR plan ready, test it. Put your IR team to work and exercise it in practice. Second: always have a disaster recovery strategy at your disposal. When a threat cannot be easily eliminated, having an up-to-date backup is reassuring. Believe it.
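The six questions above can be turned into something you can actually exercise. The following Python example is added here and is not Gatefy's code or any product's API: it encodes the IR team and critical assets (step 1), per-incident runbooks with owner, actions and expected result (step 2), the NIST attack-vector categories (step 3), the fields the detection tools supply (step 4), the notification list (step 5), and a tabletop check that reports gaps in the plan and a stale backup (step 6). All team names, host names, runbooks and the backup age are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Vector(Enum):
    """NIST SP 800-61 attack-vector categories named in the post."""
    EXTERNAL_MEDIA = "external/removable media"
    ATTRITION = "attrition"
    WEB = "web"
    EMAIL = "email"
    IMPERSONATION = "impersonation"
    IMPROPER_USAGE = "improper usage"
    LOSS_OF_EQUIPMENT = "loss of equipment"


@dataclass
class Runbook:
    """Step 2: who does what, how, and what the expected result is."""
    owner: str                                        # who executes it
    actions: List[str]                                # how, in order
    expected_result: str                              # what "done" looks like
    notify: List[str] = field(default_factory=list)   # step 5: beyond the IR team


@dataclass
class Incident:
    """The data step-4 tools supply: threat type, time, spread, affected hosts."""
    vector: Vector
    detected_at: str
    affected_hosts: List[str]
    spreading: bool = False


# Step 1 (constructed): assets whose compromise raises severity.
CRITICAL_ASSETS: Set[str] = {"fin-db-01", "hr-fileserver", "cfo-laptop"}

# Constructed playbook, deliberately incomplete so tabletop_check() finds gaps.
PLAYBOOK: Dict[Vector, Runbook] = {
    Vector.EMAIL: Runbook(
        owner="ir-lead",
        actions=["quarantine the message from all mailboxes",
                 "block the sender domain at the gateway",
                 "reset credentials of users who clicked"],
        expected_result="no mailbox still holds the message; no active session",
        notify=["helpdesk"],
    ),
    Vector.WEB: Runbook(
        owner="web-admin",
        actions=["take the affected host off the load balancer",
                 "preserve logs and a disk image",
                 "restore from the last clean backup"],
        expected_result="host rebuilt from backup, entry point patched",
        notify=["devops"],
    ),
    Vector.LOSS_OF_EQUIPMENT: Runbook(
        owner="it-ops",
        actions=["remote-wipe the device", "revoke its certificates"],
        expected_result="device unusable and cut off from company services",
        notify=["legal", "hr"],
    ),
}


def triage(incident: Incident,
           playbook: Dict[Vector, Runbook] = PLAYBOOK,
           critical: Set[str] = CRITICAL_ASSETS):
    """Map an incident to (severity, runbook, notification list).

    With no specific runbook the general recommendation applies (IR team only),
    matching step 3's "general plus specific" guidance.
    """
    hit = sorted(set(incident.affected_hosts) & critical)
    runbook: Optional[Runbook] = playbook.get(incident.vector)
    if runbook is None:
        return "unclassified", None, ["ir-team"]
    severity = "high" if (hit or incident.spreading) else "medium"
    notify = ["ir-team", *runbook.notify]
    if hit:
        notify.append("executives")   # a critical sector is involved (step 1)
    if incident.spreading:
        notify.append("all-staff")    # fast propagation: warn everyone
    return severity, runbook, notify


def tabletop_check(playbook: Dict[Vector, Runbook], critical: Set[str],
                   backup_age_days: int, max_backup_age_days: int = 1) -> List[str]:
    """Step 6: exercise the plan on paper and return every gap found."""
    gaps = [f"no runbook for '{v.value}'" for v in Vector if v not in playbook]
    for vector, rb in playbook.items():
        if not rb.owner:
            gaps.append(f"runbook '{vector.value}' has no owner")
        if not rb.actions:
            gaps.append(f"runbook '{vector.value}' has no actions")
    if not critical:
        gaps.append("no critical assets defined")
    if backup_age_days > max_backup_age_days:
        gaps.append(f"backup is {backup_age_days} days old (max {max_backup_age_days})")
    return gaps


if __name__ == "__main__":
    inc = Incident(Vector.EMAIL, "2019-10-01T09:12Z", ["cfo-laptop", "ws-17"])
    severity, rb, who = triage(inc)
    print(severity, rb.owner, who)
    for gap in tabletop_check(PLAYBOOK, CRITICAL_ASSETS, backup_age_days=3):
        print("GAP:", gap)
```

Running the tabletop check against this constructed playbook reports four attack-vector categories with no runbook and a backup older than a day; that list is the action plan for the next revision of the document. The triage routine is where the step-1 mapping pays off: the same phishing email rates higher and reaches more people when a critical host is among the affected machines.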