Five Best Practices for an Incident Response Plan

March 14, 2023
Data Protection, IT Security


When we hear or read about a data breach at a big-name company, we typically want to know two things: what caused it, and what damage did it do? What we should be trying to learn from these situations, however, is how the company that suffered the breach detected it in the first place and how it dealt with it from there.

In other words, what was its incident response plan, and how did the company execute it?


What is an Incident Response Plan?

When it comes to cyberattacks, how an organization responds when one occurs can make a huge difference to its impact. That’s why having a comprehensive, frequently tested, and regularly updated incident response plan is essential, and why the lessons learned about how the plan actually performed during a security incident are crucial.

An incident response plan outlines the roles and responsibilities of an incident response team. It specifies the actions that must be taken when a cyber-attack occurs, starting with the detection of the threat. It requires access to real-time notifications or alerts that signal an active threat, followed by a pre-planned set of steps to minimize the impact of the breach, protect data, and secure the network again.

Every second counts when a breach occurs. The sooner an attack can be stopped, the smaller the fallout. It’s critical that an incident response plan is in place, and tested to ensure it works as expected, well before a threat materializes.


The Incident Response Team

The incident response plan is typically the responsibility of a pre-defined incident response team. That team is responsible for developing, testing, updating, and executing the plan, and for communicating it to the rest of the company as appropriate.

The team doesn’t have to be limited to IT staff. Depending on the company, it may be appropriate to include security professionals, compliance professionals, risk management advisors, legal representatives, public relations staff, external or third-party security experts, and others.

The incident response plan should clearly establish the roles and responsibilities of each team member. It’s important to assign roles based on availability so that the right people can take action no matter when an attack occurs. It should also include contact information (primary and secondary) for the team and any individuals or service providers outside the company that may need to participate in incident response.


Incident Response Plan Frameworks

The specifics of the incident response plan will vary by company. Numerous templates and other resources are available to guide you on the recommended plan components. NIST and SANS are good places to start.

  • NIST, a branch of the U.S. Department of Commerce, offers a cybersecurity framework that organizations can use to mitigate risk and take advantage of the latest advances in cybersecurity. It provides accessible guidance based on existing standards and best practices and can be adapted to various technologies, lifecycle phases, and sectors. It consists of a cycle of five functions: identify, protect, detect, respond, and recover.
  • SANS, a private cooperative with the goal of educating cybersecurity professionals, offers a framework similar to the NIST framework. However, it consists of six phases: preparation, identification, containment, eradication, recovery, and lessons learned.


Incident Response Plan Best Practices

Whether you choose to use one of the frameworks cited or any of the many incident response plan templates available, there are some general best practices to keep in mind. Here are five of them.

1. Know the potential threats and plan for them.

   List out all possible cyber threats and potential vulnerabilities. Ask for input from others throughout your organization and seek advice from peers. Look to IT security specialists, publications, forums, and other channels used by IT security professionals. New threats are constantly emerging. It’s challenging to stay on top of them alone, so reach out broadly.

   While your response to most security incidents may be similar, you must be prepared to address the specifics of the different types of attacks.

2. Make threat identification a priority.

   The longer it takes to identify an active threat, the more damage can be done. Ensure you incorporate robust threat detection, monitoring, and identification methodologies into your plan. Plenty of detection and identification software and services are available, but you’ll also need to ensure that detection sensitivity levels are balanced. You want to avoid false alarms as much as possible: under false-alarm overload, staff can easily start overlooking alerts or responding to them more slowly.

3. Contain and eradicate threats.

   You don’t want to have to shut down your systems and disrupt operations, but that may be required if an attack occurs. Be prepared for that. Your plan should enable you to employ rapid triage to assess the severity of an incident and determine the best course of action to contain and eradicate the threat. If that means shutting things down, know what communication will be required, how data is backed up, and what the recovery process will be.

   Once the threat is contained, the incident response team can focus on eradicating it. This may entail identifying and removing the threat, applying updates and patches, deploying a more restrictive and secure configuration, and closing any holes or back doors.

4. Be prepared to get back to business as usual.

   Once the threat is eliminated, you want to get things up and running as quickly as possible. Assess the damage. Make sure the system is now safe. Follow your incident response plan’s recovery process. This is one of the most critical areas to have tested in advance. You don’t want to wait until a security incident occurs to find out that you can’t recover your IT assets.

   Your plan should also consider security incidents that result in data being stolen or hijacked. In these situations, recovery may take longer, and there could be compliance and financial issues to address. Work with compliance, disaster recovery, and legal professionals to ensure your plan covers these scenarios.

   In addition, communication with the rest of the company will be necessary. You’ll need to let them know what happened and that things are back to normal. Depending on the nature of the breach, you may also want to use this communication as an opportunity to remind everyone throughout the company of the role they play in preventing cyber threats in the first place.

5. Learn from every incident.

   Every security incident represents an opportunity to learn and be better prepared if another threat occurs. It doesn’t matter whether you caught the threat early or it caused significant damage; it’s a learning opportunity. Take the time to study the incident. Walk through how it was handled. What worked? What didn’t work? What could have been handled differently or better?

   Use the information to update the incident response plan and implement tactics to help improve responses or avoid similar threats in the future. For example, if a security incident happened because an employee clicked on a suspicious link that led to malware entering your systems, you may need to implement a different kind of employee security training.


Create an Incident Response Plan

If you don’t have a formal plan in place, now is the time to get one. Take advantage of any of the many resources available to help, such as the NIST and SANS frameworks noted earlier. The following templates and eBook from US Signal can also help.