Monday, 4 October 2021

How to Create an Incident Response Plan

In this blog, we revisit the topic of a positive incident reporting culture and detail how to create an effective incident response plan.


A few weeks ago, we talked about the need to create an open culture in your organisation; one in which people are actively encouraged to report cyber concerns. In this blog, we revisit the topic and detail how to create an effective incident response plan.

Your incident response plan has a symbiotic relationship with your positive reporting culture: each enhances the other.

A positive incident reporting culture can act as an early warning system – helping you to respond to incidents faster.

In its turn, an incident response plan shows everyone how to respond when something is reported. It also feeds into your positive incident reporting culture by establishing clear rules of engagement that everyone can refer to, even before there is an issue.

So how should you create your incident response plan? And what should it look like?

What should an incident response plan look like?

According to the SANS Institute, there are six key phases of an incident that any incident response should address:

• Preparation – how are you preparing key staff to respond?

• Identification – how do you decide which incidents require a response?

• Containment – how are you going to limit the damage when an incident happens?

• Eradication – how will you identify the cause of the incident and remove any threats from the production environment?

• Recovery – once you are sure no threats remain, how do you restore systems to normal operation?

• Lessons learnt – how will you feed learnings back into your organisation and processes so that you avoid similar incidents in the future?

In terms of preparation, developing an incident response plan is a key step forward. For the best preparation, your plan should cover each of the other five phases in as much detail as possible.

How to create a basic incident response plan

The UK’s National Cyber Security Centre (NCSC)(1) offers some helpful resources on its website for organisations that need to develop a cyber-security incident response plan.

It outlines the essentials of a basic plan:

• Identification of key contacts: IR team/provider, IT, Senior Management, Legal, PR, HR, Insurance. Always consider the risk of people being unavailable.

• Escalation criteria: to include the definition of the process for making critical decisions.

• A basic flowchart or process that covers a full incident lifecycle.

• At least one conference number that is always available for urgent incident calls (and/or the creation of a dedicated Incident Response team on Microsoft Teams).

• Basic guidance on legal or regulatory requirements (when to engage legal support, HR and careful evidence capture guidelines).

While this is a good start, the more detail you can add to your incident response plan, the better prepared you will be to act when an incident is reported.

How to create a detailed incident response plan

To add more detail to your incident response plan, the NCSC suggests that you also develop:

• Simple checklists that can be used easily during an emergency.

• Clear steps for incident triage, including the development of a severity matrix.

• Clear explanations about how to categorise an incident, e.g. malicious code, phishing, denial of service, etc.

• Defined escalation plans which specify the different escalation activities for incidents of different types and severities.

• Playbooks that detail how to respond to specific types of incidents. At a minimum, says the NCSC, these should cover the first few hours of each type of incident as this period will be the most critical and time pressured.

• Forms for documenting and tracking an incident, including for post-incident review. An overview of these (and where to find them) needs to be clearly communicated to all staff, so they understand reporting is everyone’s responsibility and know how to act quickly.

• Technical guidance on the incident response stages and how to contain, analyse, remediate and recover from an incident, as well as how to know when an incident can be closed down and how to do that.

• A guide covering all legal and regulatory requirements, including what constitutes a reportable incident, what evidence needs to be captured and reporting responsibilities.
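The severity matrix, incident categories and escalation plans described above are easier to apply consistently under pressure when they are written down as data rather than prose. The following is an added illustration, not NCSC material or this blog's own process: the categories, impact scale, override flags and escalation routes are constructed placeholders that an organisation would replace with its own.

```python
"""Example only: a constructed severity matrix and escalation plan for incident
triage. Categories, impact levels and escalation routes are illustrative."""
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Baseline severity per incident category (constructed values).
BASELINE = {
    "phishing": Severity.LOW,
    "malicious code": Severity.MEDIUM,
    "denial of service": Severity.MEDIUM,
    "data breach": Severity.HIGH,
}

# Escalation plan: the key contacts who must be engaged at each severity.
ESCALATION = {
    Severity.LOW: ["IR team"],
    Severity.MEDIUM: ["IR team", "IT"],
    Severity.HIGH: ["IR team", "IT", "Senior Management", "Legal"],
    Severity.CRITICAL: ["IR team", "IT", "Senior Management", "Legal", "PR", "HR", "Insurance"],
}

# Flags that force a minimum severity regardless of the matrix, e.g. personal
# data involved (a regulatory reporting clock may be running) or active spread.
OVERRIDES = {"personal_data": Severity.HIGH, "spreading": Severity.CRITICAL}


@dataclass
class Triage:
    severity: Severity
    contacts: list = field(default_factory=list)


def triage(category: str, impact: int, flags: set[str] = frozenset()) -> Triage:
    """Combine category baseline, impact score (1 = single user, 2 = team,
    3 = whole organisation) and override flags into a severity, then look up
    who must be contacted. Unknown categories default to HIGH so that an
    unclassified report is never silently under-escalated."""
    if not 1 <= impact <= 3:
        raise ValueError("impact must be 1 (single user) .. 3 (whole organisation)")
    base = BASELINE.get(category.lower(), Severity.HIGH)
    # Matrix rule: severity rises one step for each impact level above 'single user'.
    sev = Severity(min(int(base) + impact - 1, Severity.CRITICAL))
    for flag in flags:
        sev = max(sev, OVERRIDES.get(flag, Severity.LOW))
    return Triage(sev, ESCALATION[sev])
```

Keeping the matrix and escalation table in one place also gives the post-incident review a concrete artefact to amend when a lesson learnt shows a category was rated too low.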

The production of such documentation sounds onerous, but it is worth investing the time to formulate your responses in advance. Knowing in advance who needs to do what and when will help to ease the stress and pressure felt when your plans are needed.

Furthermore, developing these plans makes a clear statement to all employees about the importance your organisation places on incident response – something which will help in your development of a positive incident reporting culture.

Tips for improved incident response planning

Before you get started, make use of the wealth of materials available online.

• TechTarget offers a free, downloadable incident response plan template on its website(2).

• The NCSC offers advice on how to work with the NCSC in the event of a serious incident(3).

• To get started with your incident response playbooks, read through the NCSC’s timelines for responding to different types of incidents(4).

• And review the NCSC guidance about who should be part of your incident response team(5).

• Read our article about the importance of developing an incident reporting culture.

• Learn what makes IT Pro with MDM an effective SIEM solution for small and mid-size businesses.

Need help getting started?

Get in touch: if you have specific questions about developing an incident response plan, or would like help and advice developing or enhancing what you currently have in place, our team is on hand to help.
