Know the Components of an Incident Response Plan

Incident Response / October 10, 2024

The proliferation of cyber attacks and security breaches is old news, yet even now not all organizations have adopted cyber incident response plan best practices. Across all sectors, less than half of companies (42.7%) have cybersecurity incident response plans and test them at least annually. One in five have no plan or procedure at all. In the twenty-first century, every business needs to know the components of an incident response plan (IRP) and put one in place. A strong IRP equips and empowers your organization to:

  • Prevent organizational chaos when a breach occurs. Establish and document clear action steps, roles, and responsibilities in the event of a breach.
  • Mitigate the damage a cyber incident causes faster, so business operations don’t suffer more interruption than necessary. Help minimize the cost of data breach recovery.
  • Respond in a comprehensive and organized way, avoiding a scattershot and ineffective approach. Help limit the severity of business interruption.
  • Ensure compliance with increasingly stringent cybersecurity regulations.
  • Build or rebuild trust with customers, corporate partners, and others so your reputation and revenue don’t take catastrophic hits.
  • Strengthen your overall security posture in a cyber landscape where malicious activities are only multiplying. Meet your regulatory obligations, help defend against charges of negligence, and reduce the risk of litigation and liability exposures.

Creating an IRP for every conceivable threat is impossible, but detailing a command structure and processes that will enable your organization to react in a strategic, measured manner can minimize the damage an incident causes.

At NetDiligence, we want to help more businesses improve their cybersecurity incident management. Read on for an introduction to the four key components of an incident response plan.

What Are the Four Steps of the Incident Response Process?

The National Institute of Standards and Technology and the International Organization for Standardization outline four key components of an incident response plan:

1. Preparation

Advance preparation includes using risk assessments to bolster the resilience of your networks, systems, applications, and devices. To avoid chaos when an attack happens, you must have previously defined your incident response team roles and responsibilities. Even if you hire an external response team, your own staff remain key to the communication needed to deal with a crisis.

Prepare your incident response communication channels so information flows swiftly and smoothly. In your preparation, don’t overlook:

  • Contact information for all internal and external incident responders
  • On-call information for incident escalation
  • Incident reporting channels (phone numbers, email addresses, online forms, secure instant messaging)
  • “War room” for central communication and coordination
  • Backup storage facilities and networks for communication, evidence, and sensitive material

2. Detection and Analysis

Cyber events can go undetected for weeks or months. Your incident response plan steps must include processes for verifying an incident has occurred and assessing its impact.

Various warning systems may alert your team to a potential incident:

  • Automated alerts from network and host-based Intrusion Detection and Prevention Systems (IDPSs), antivirus software, or log analyzers
  • Alerts from network intrusion sensors or file integrity-checking software
  • Alerts from third-party monitoring services
  • Manual discovery via problems reported by users

Once an event is verified, you must follow predetermined procedures to analyze its scope and impact. Your analysis should define:

  • Functional Impact: To what extent has the incident disrupted your organization’s ability to provide services?
  • Information Impact: How much sensitive data, if any, was changed, deleted, or extracted?
  • Recoverability: How fully can your organization recover? What resources will it need to do so?

3. Containment, Eradication, and Recovery

The containment component of your IRP involves a mitigation decision to “stop the bleeding.” You may shut down a system, disconnect it from a network, or disable certain functions.

Factors that could influence your containment decision include:

  • The potential for damage to, or theft of, resources
  • The need to collect or preserve evidence
  • The need to maintain services
  • The time and resources the proposed strategy will require
  • How long the proposed solution will remain in place (a temporary workaround versus a permanent fix)

How you achieve eradication will vary by the nature of the incident, but you must remove all traces of the threat. Measures may include:

  • Disabling breached user accounts
  • Deleting malware
  • Identifying and closing any remaining vulnerabilities, including the one the attacker exploited

Recovery of normal operations may require restoration from uncorrupted backups or rebuilding systems. You’ll need to replace compromised files, change passwords, and tighten network security.

4. Post-Incident Improvement

The final component of an incident response plan is taking stock of lessons learned and using that knowledge to help prevent future events.

Your incident response team should meet to explore what happened, how it happened, and what corrective actions, tools, or resources will help guard against future incidents.

Post-incident analysis should also assess the attack’s monetary and non-monetary impact. This data can help justify increased cybersecurity funding.

NetDiligence Can Help Build Your Incident Management Framework

The four cyber incident response plan components above are basic recommendations for building a general response framework. Your IRP’s specific steps must reflect your organization’s unique operations and risks.

Independently crafting an effective incident response plan can prove costly and time-intensive.

NetDiligence can help.

We have over 20 years of experience helping clients improve their cyber risk management strategies.

Using our Breach Plan Connect® tool, companies can customize step-by-step plans that adhere to best practices, withstand regulatory scrutiny, and address the vulnerabilities of unique risk profiles. With Breach Plan Connect, your incident response plan is cloud-hosted and accessible 24/7/365 via our convenient mobile app to ensure your team can access your plan and communicate in a crisis.

If your company needs help knowing how to create an incident response plan, fill out the form below to download our free tip sheet, 4 Steps to Build Your Incident Response Plan!