5 Steps to Creating an Incident Response Plan

What is an Incident Response Plan?

No matter how robust your cyber defenses are, there is a high likelihood that your organization will experience a cybersecurity incident—either directly or as a result of a supply chain attack.

Implementing a cybersecurity incident response plan can help you effectively address a cyber event, reduce disruptions to your business operations, and ensure compliance with regulations.

What is an incident response plan?

An incident response plan outlines the actionable steps required to prepare for, respond to, and recover from a cyberattack.

It can be a crucial differentiator in how your organization contains an attack, limits damage, responds to regulatory oversight, and ensures employee and customer trust. Incident response also plays into your wider risk management strategy and informs decision-making about security performance improvements, investments in controls, and other steps needed to improve your overall security posture.

A cybersecurity incident response plan typically includes the following details:

  • An overview of why cybersecurity incident response is important.
  • How your organization approaches incident response—also known as your incident response framework. NIST defines an incident response framework as having four stages:
    • Preparation and prevention
    • Detection and analysis
    • Containment, eradication, and recovery
    • Post-incident activity
  • What happens during each phase of incident response.
  • Roles and responsibilities.
  • A communication plan.
  • KPIs to measure the effectiveness of your cybersecurity incident response.

5 steps to building an effective incident response plan

There are several resources that can help you develop your incident response plan. In addition to NIST, there is SANS Incident Management, which emphasizes preparation, identification, containment, eradication, recovery, and lessons learned. CISA also offers a useful cheat sheet of Incident Response Plan (IRP) Basics.

Whatever method you choose, below are five important steps your cybersecurity incident response plan should cover:

Step 1: Preparation

Preparation is key to an effective response. Start by developing a policy for how you will manage your incident response, what actions must be prioritized, and who will lead incident handling. Keep the plan simple and not too detailed because you'll need to share it with business executives to get their agreement and support.

Next, assemble your incident response team. Because cyberattacks have far reaching business, operational, customer, and regulatory impacts, include stakeholders from various disciplines including IT, management, legal, HR, and communications/public relations. To ensure buy-in, explain why cybersecurity incident response matters, each individual’s role and responsibilities in the event of an incident, and how an effective plan can help everyone prepare to handle any cyber threats or data breaches.

If you have a global team, you may want to create decentralized teams for each region, each reporting to a single incident response leader.

It’s also a best practice to assign a specific person to be in charge of communicating with your management team. This may be a CISO or other business leader. The key is to have someone who can convey updates about incident response in language the C-suite and board will understand.

Revisit your policy and procedures frequently and ensure that your incident response team is regularly trained and prepared to respond.

Step 2: Detection and analysis

Take steps to put security safeguards in place. This way, you can quickly determine if your organization is vulnerable or has already been attacked, so you can take action to prevent further harm.

For example, attack surface analytics and continuous monitoring can pinpoint vulnerabilities in your network that attackers look to exploit and help prioritize the most critical risks for proactive remediation. To detect and analyze a potential breach, layer in endpoint monitoring, firewalls, intrusion detection, and security incident event management (SIEM) tools.

Step 3: Containment, eradication, and recovery

During this phase, the incident response team is focused on mitigating the effects of an incident. To understand what systems are affected, look to your security management tools for intelligence and indicators of compromise, then shut down or isolate these devices, address the root cause, and restore systems.

This phase is guided by how critical the data or assets are, how severe the incident is, and business continuity imperatives. Here, you can score incidents (also known as incident classification) based on the impact they may have on your operations, the systems or data at risk, and the ability to recover.

Don’t forget to include a process for documenting the actions you take and any evidence of compromise collected. This will be instrumental in the next step of your incident response plan and future incident response process planning.

Step 4: Post-incident activity

After any cybersecurity incident, hold a post mortem meeting to discuss what happened and your organization’s response, including what worked, what didn’t, and what can be improved. Position it as an open and blameless forum for sharing lessons learned with senior leaders and stakeholders. Invite input and feedback on how the organization can be better prepared if or when another incident occurs.

The incident response team leader will use this setting to report the following:

  • Incident timeline
  • Response metrics, such as mean time to discovery (MTTD) and mean time to repair (MTTR)
  • Impacts (data, systems, business disruption, customers and employees, etc.)
  • Containment and remediation measures

If your organization is subject to regulations that require reporting of cyber incidents, such as the U.S. Security and Exchange Commission’s (SEC) new cybersecurity disclosure requirements, factor this into your post-incident activity. SEC rules require publicly traded companies to disclose any “material” cybersecurity incident within four business days. Read more about what a “material” cybersecurity incident is and best practices for incident disclosure.

Step 5: Test your incident response process

Don’t wait until an incident occurs to test your incident response plan. Conduct regular drills and simulation exercises. For instance, one month you can have your incident response team simulate their response to a ransomware attack, and in the following month, shift your focus to another security event, such as a supply chain cybersecurity attack.

Strengthen your cyber resilience with Bitsight

As your attack surface expands—on-premise, to the cloud, and across geographies—achieving cyber resilience is challenging. It requires a comprehensive security program and continual efforts to respond to and mitigate risks.

However, incident response and recovery is also about ensuring that similar incidents don’t happen again.

To do this you must determine the root cause of a breach and remediate the issue. Using actionable data from Bitsight, you can get to the root cause of a vulnerability—such as outdated software or a misconfigured system—and where risk continues to exist. From there you can implement a targeted mitigation strategy that helps you achieve cyber resilience. You can also use Bitsight to measure security performance improvement over time and show executives how cyber resilient your organization is.

Learn more about how Bitsight can help you build a cyber resilient framework.