What is it?
A comprehensive, step-by-step series of actions to be followed by an organization’s computer security incident response team (CSIRT) and business operations personnel following a verified cybersecurity incident to reduce the overall impact of the incident.
Why is it important?
When properly implemented, an incident response plan can help ensure an effective response to security incidents and help mitigate the effects of a potentially serious event. The presence of a well-rehearsed plan has proven to reduce the financial impact of security incidents.
Why does a business professional need to know this?
An incident response plan serves as a cornerstone to effective mitigation and remediation following a breach or other information security (InfoSec) incident. Full implementation, practice, and awareness of the plan helps reduce response and recovery times following an incident. The plan provides for pre-breach practice or table-top sessions and outlines the roles and responsibilities of incident handlers and business operations personnel in responding to a security incident.
An incident response plan serves as a major component of the preparation, identification, containment, eradication, recovery, and lessons-learned cycle of incident handling procedures. It can also serve as a vital component of business continuity and disaster response planning. And because the plan is a living document, it can be updated to ensure proper response and alignment with the changing needs of the business.
The incident response plan complements the business continuity plan. The business continuity plan focuses on keeping the business running, while the incident response plan focuses on the attack itself and the company’s response. Both are critical to building a resilient organization.
In addition to InfoSec units, others within non-technical business units have responsibilities following an incident. These departments include business operations, human resources, legal, communications/PR, and finance. Responsibility for developing the incident response plan falls under the Chief Information Security Officer (CISO) or a duly nominated representative, most likely the leader of the CSIRT.
Failure to develop and implement a plan has historically resulted in high-profile security failures in both the private and public sectors. An inadequate response to a high-profile breach or incident usually indicates that there was a poorly executed or ill-conceived incident response plan.
- (Cichonski 2012) Computer Security Incident Handling Guide (NIST SP 800-61): Cichonski, Paul, et al. (2012). National Institute of Standards and Technology (NIST). PDF. Guidelines from the Information Technology Laboratory (ITL) at NIST for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident.
- (Kral 2011) SANS Incident Handlers Handbook: Kral, Patrick (2011). Sans Institute (aka Escal Institute of Advanced Technologies). PDF. Report that provides the basic foundation for IT professionals and managers to be able to create their own incident response policies, standards, and teams. Includes an incident handler’s checklist (template) designed to help ensure that each of the incident response steps is followed during an incident.
- (US DHS 2009) Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability: US Dept. of Homeland Security (2009). PDF. Recommendations to help companies that use industrial control systems prepare for and respond to a cybersecurity incident.