Three Best Practices for Creating and Implementing an Incident Response Plan

A cyber incident can have serious consequences. When a potential incident occurs that could negatively impact the confidentiality, integrity and authenticity of your company’s data, fear and confusion can consume the organization. In the military, we refer to this as “the fog of war.” To avoid a misstep during the critical post-incident response time, the organization should immediately consult its Incident Response Plan (IRP) and use it as a guide to navigate through the incident response and reporting process.

To ensure your Incident Response Plan is effective, follow these three best practices:

Establish a chain of command: Establishing a clear leadership hierarchy in the event of a cybersecurity incident will keep key personnel organized and focused on quickly returning the organization to operational status. The IRP should specify who is on the incident response team, what each member's roles and responsibilities are during a cybersecurity incident, which key decisions must be made and who is authorized to make them, and how each member relates to the others in the leadership hierarchy. It should also give clear procedures for how each member performs those responsibilities.

Determine procedures and timelines for handling and reporting suspected incidents: Each member of the incident response team plays an important role in detecting an incident, responding to it and resolving it within a specific timeframe. The response and resolution times, as well as the specific reporting requirements, can vary depending on the industry, the type of incident and its level of severity. The IRP should contain response guidelines that outline the team's required actions and the response time associated with each. Document the steps needed to correct the damage and to restore your organization's systems to full operation in a timely manner.

Practice, Practice, Practice: You know the saying, "Practice makes perfect." You won't know whether your Incident Response Plan is effective unless you test it. Run incident response drills periodically to discover any issues, such as missing steps or incorrect information. These drills identify needed updates to your organization's Incident Response Plan and help the leadership hierarchy learn the process, which leads to a faster response in the event of an actual breach.

Finally, print hard copies of the Incident Response Plan and give them to the members of the leadership team in case of a complete network or systems failure. It’s pointless to have an IRP if you can’t access it.

Having an Incident Response Plan in place takes the guesswork out of responding to a potential cyber security incident within an organization. It’s important to follow the IRP because sometimes it’s not apparent an incident occurred until months later.