Back To The Blog

Know the Components of an Incident Response Plan

Incident Response / May 24 , 2023

IRP Steps to Keep Your Organization Cyber Ready

The proliferation of cyber attacks and security breaches is old news. Yet the ongoing “cyberpandemic” hasn’t spurred all organizations to adopt cyber incident response plan best practices.

In November 2022, for example, 74% of companies responding to a Wall Street Journal survey had a cyber incident management framework in place—but only 23% test it at least twice a year.

Worse, many organizations may not know the components of an incident response plan, because they haven’t created one.

For instance, IBM finds only 32% of organizations have IRPs ready for supply chain attacks, though those attacks have increased. Risk consulting firm Kroll reports “more than a third (36%) of organizations don’t have a response plan” for any type of cyber incident.

Taking time to create an incident response plan (IRP) is something every 21st-century business, no matter its sector or size, must do.

The benefits of an incident response plan are several, and significant.

A strong IRP equips and empowers your organization to:

  • Prevent orgnizational chaos when a breach occurs. Establish and document clear action steps, roles, and responsibilities in the event of a breach.
  • Mitigate the damage a cyber incident causes more quickly, so your business operations aren’t interrupted any longer than necessary. Help minimize the cost of data breach recovery.
  • Respond in a comprehensive and organized way, avoiding a scattershot and ineffective approach. Help limit the severity of business interruption.
  • Ensure compliance with increasingly stringent cyber security regulations.
  • Build or rebuild trust with customers, corporate partners, and others so your reputation and revenue don’t take catastrophic hits.
  • Strengthen your overall security posture in a cyber landscape where malicious activities are only multiplying. Meet your regulatory duties and help defend against a charge of negligence and reduce the risk of litigation and regulatory exposures.

Creating an IRP for every conceivable threat is impossible; but detailing a command structure and set of processes that will enable your organization to react in a strategic, measured manner can minimize the damage any incident causes.

At NetDiligence, we want to see more businesses know how to create an incident response plan, and do so as quickly and effectively as possible.

Read on for an introduction to the four key components of an incident response plan.

What Should Be Included in an Incident Response Plan

The National Institute of Standards and Technology and the International Organization for Standardization outline four important incident response plan components.

1. Preparation

Advance preparation includes using risk assessments to bolster resiliency in your networks, systems, applications, and devices.

To avoid chaos when an attack happens, you must have previously defined the roles and responsibilities of individuals on your incident response team. Even if you hire an external incident response team, your own team members will be key to the communication needed to deal with a crisis.

Prepare your incident response communication channels so information flows swiftly and smoothly. In your communication plan, don’t overlook:

  • Contact information for all internal and external incident responders
  • On-call information for incident escalation
  • Incident reporting channels (phone numbers, email addresses, online forms, secure instant messaging)
  • “War room” for central communication and coordination
  • Backup storage facilities and networks for communication, evidence, and sensitive material

2. Detection and Analysis

Cyber events can go undetected for weeks or months. To minimize damage and maximize response, your organization must verify an incident has actually occurred, and appraise its impact.

Various warning systems may alert your team to a potential incident:

  • Automated alerts from network and host-based Intrusion Detection and Prevention System (IDPSs), antivirus software, or log analyzers
  • Alerts from network intrusion sensors or file integrity checking software
  • Alerts from third-party monitoring services
  • Manual discovery from user-reported problems

Once an event is verified, you must follow predetermined procedures to analyze its scope and impact. This analysis should define:

  • Functional Impact

To what extent has the incident disrupted your organization’s ability to provide services?

  • Information Impact

How much sensitive data, if any, was changed, deleted, or extracted?

  • Recoverability

How fully can your organization recover? What resources will it need to do so?

3. Containment, Eradication, and Recovery

The containment component of your incident response plan involves a mitigation decision to stop the bleeding.

You may shut down a system, disconnect it from a network, or disable certain functions. Your IRP should guide the choices you make.

Factors that could influence your decision include:

  • The potential damage or theft of resources
  • The need to collect or preserve evidence
  • The need to maintain services
  • The need for extra time and resources
  • The duration of the proposed solution

How you achieve eradication will vary by the nature of the incident, but you must remove all traces of the threat. Measures may include:

  • Disabling breached user accounts
  • Deleting malware
  • Identifying and purging remaining vulnerabilities

Recovery of normal operations may require restoration from uncorrupted backups or rebuilding systems. Compromised files will need to be replaced, passwords changed, and network security tightened.

4. Post-Incident Improvement

The last of the incident response plan steps is taking stock of lessons learned and using that knowledge to help prevent similar events going forward.

Your incident response team should meet to explore what happened, how it happened, and what corrective actions, tools, or resources are needed to guard against future incidents.

Post-incident analysis should also assess the attack’s monetary and non-monetary impact. This data can help justify increased cybersecurity funding.

NetDiligence Can Help Build Your Incident Management Framework

These four components of an incident response plan are basic recommendations for building a general response framework. Your IRP’s specific steps must reflect your organization’s unique operations and risks.

Independently crafting an effective incident response plan can prove costly and time-intensive.

NetDiligence can help.

We have nearly 20 years’ experience helping clients improve their cyber readiness and build IRPs.

Using our Breach Plan Connect® tool, companies can customize step-by-step plans that adhere to best practices, withstand regulatory scrutiny, and address the vulnerabilities of unique risk profiles.

NetDiligence resources guide users through a response process that includes:

  • Notifying law enforcement as needed
  • Contacting legal professionals who specialize in data breaches
  • Engaging forensic investigation experts
  • Setting up credit monitoring operations
  • Hiring a PR firm or breach notification service

Lodging insurance claims for cost reimbursement

Additionally, NetDiligence Incident Response Plans are cloud-hosted and mobile-friendly,so teams can readily access them in crisis moments.

If your company needs help knowing how to create an incident response plan, fill out the form below to download our 4 Steps to Build Your Incident Response Plan tip sheet. It offers practical, immediately actionable advice about putting incident response plan steps in place.

Complete the form below to download the 4 Steps to Build Your Incident Response Plan tip sheet from NetDiligence.


Related Blog Posts

Download 2023 Cyber Claims Study

The annual NetDiligence® Cyber Claims Study uses actual cyber insurance reported claims to illuminate the real costs of incidents from an insurer’s perspective.


© 2024 NetDiligence All Rights Reserved.