Incident Response 101
Having a strong incident response plan in place for your organization is critical, but building and maintaining your plan can be a daunting task. In this blog, we’ll walk through some of the basics surrounding incident response plans.
What is Incident Response?
The National Institute of Standards and Technology (NIST), describes an incident asan event that has had an impact on an organization’s network requiring response and recovery actions to be taken. An event, on the other hand, is an observed incident of an attempt at a breach. Incident response is the detection of an incident and the actions taken to respond to attacks to a network in order to regain operations and restore security. This can be managed in-house or through third-party agencies.
Why do I need an incident response plan?
Having an incident response plan in place gives you an easily repeatable action list when a breach happens – and it will happen. Your team will be able to respond and recover quickly and efficiently, minimize disruption and downtime, and better prepare for future incidents. Additionally, many regulated industries are required to have documented incident response plans. A well thought out and practiced incident response plan also avoids surprises when a real event happens by ensuring that the people, processes and technology relevant to the given event know their role and are ready to act.
Who owns an incident response plan?
While this may vary between organizations, the IR policy may be owned by your senior leadership team, specifically the CISO. The incident response plan itself might be the responsibility of a VP or director that reports to the CISO. Procedures specific to individual sites and business units may fall under the responsible parties for the given area.
What should an IR plan cover?
An IR plan should be specific to your organization and should outline policies and procedures to be used in the event of an incident. The policies should outline the scope and define responsibilities for the team. The plans and procedures should outline specific actions to be taken as well as key metrics. Depending on your organization, you may have multiple policies in place for different types of events, business units, or geographic locations.
How often do I need to update the plan?
It’s important to make sure that the plan grows with your organization – so it can be helpful to run tabletop exercises and review the plan periodically to ensure that it is working. While generic incident response plans do exist, ideally they are tailored to the realities and resources of your particular organization. Just as business operations change, incident response plans should be updated to keep pace with changes within your organization.
As you can see, incident response planning is critical for your business. In our next blog, we’ll dive further into the elements of a plan and customizing it for your organization.
Want to learn more? Check out some of our other resources about incident response planning.
IR Plan, Policy & Procedures Part 1: How To Write a Cybersecurity Incident Response Plan
IR Plan, Policy & Procedures Part 2: How To Write a Cybersecurity Incident Response Policy
