A cybersecurity incident response plan is a predetermined team, process, and workflow for how a company will respond to a cyber attack.
In the field of cybersecurity, data breaches are considered inevitable. It’s not a matter of if, but when. When a data breach happens, it’s important to have a plan in place for how to deal with it — both from a technological perspective and from a customer relations and public relations point of view. The plan for such an event is known as an incident response plan, and it’s an important part of every cybersecurity model. Some compliance frameworks, like the NIST framework, require an incident response plan. Further, some regulations, such as GDPR, have data breach reporting requirements, which an incident response plan is intended to expedite and support.
Incident response plans offer organizations the following benefits:
Additionally, the documentation and reporting following an incident can be important for legal and compliance needs.
The first consideration in building an incident response plan is the people who are going to be responsible for following and implementing it. An incident response team might include incident managers, security analysts, threat researchers, and stakeholders in senior management, HR, PR, and senior security staff. Third parties, such as legal teams or law enforcement agencies, may also be included.
Once the team is established, a series of workflows, processes, and playbooks should be created to help the team triage and prioritize potential breaches. The plan should document clearly what to do and who to contact. This preparation phase should also include scenarios and exercises for a variety of different kinds of cyber attacks.
When a data breach occurs, having a comprehensive IT asset inventory for cybersecurity is critical to ensure that all at-risk devices, programs, and teams are isolated and contained quickly and efficiently. This helps the team investigate other possible areas where the compromise may have occurred, and increases the rate at which employees are able to get back to work.
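One way to put an asset inventory to work during containment is to scope the set of assets that a confirmed compromise could have reached, then hand each owning team its list. The following Python example is added here for illustration and is not code from the original page; the inventory, the relationship types (shared service accounts, shared network segment, explicit trust edges) and the team names are all constructed assumptions, and a real inventory would carry whatever relationships the organization actually tracks.

```python
"""Scope containment from an asset inventory (added illustrative example).

Given an inventory of assets and the relationships along which a compromise
could spread, compute the set of assets to isolate when one host is confirmed
compromised, and group them by owning team so each team can be contacted.
All data below is constructed for the example.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed inventory: asset id -> owner team, network segment, service accounts.
INVENTORY: Dict[str, dict] = {
    "web-01":  {"owner": "platform", "segment": "dmz",  "accounts": ["svc-web"]},
    "web-02":  {"owner": "platform", "segment": "dmz",  "accounts": ["svc-web"]},
    "app-01":  {"owner": "payments", "segment": "app",  "accounts": ["svc-app"]},
    "db-01":   {"owner": "data",     "segment": "data", "accounts": ["svc-app", "svc-db"]},
    "hr-01":   {"owner": "hr",       "segment": "corp", "accounts": ["svc-hr"]},
    "jump-01": {"owner": "secops",   "segment": "mgmt", "accounts": ["svc-db", "svc-hr"]},
}

# Constructed explicit trust edges (assumption: host A can reach host B with
# stored credentials, so a compromise of A puts B at risk).
TRUSTS: List[Tuple[str, str]] = [("web-01", "app-01"), ("jump-01", "db-01")]


def build_graph(inventory: Dict[str, dict],
                trusts: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Undirected adjacency: two assets are linked if they share a service
    account, sit in the same network segment, or have a trust edge."""
    graph: Dict[str, Set[str]] = {asset: set() for asset in inventory}
    by_account: Dict[str, Set[str]] = {}
    by_segment: Dict[str, Set[str]] = {}
    for asset, attrs in inventory.items():
        for acct in attrs["accounts"]:
            by_account.setdefault(acct, set()).add(asset)
        by_segment.setdefault(attrs["segment"], set()).add(asset)
    for group in list(by_account.values()) + list(by_segment.values()):
        for asset in group:
            graph[asset] |= group - {asset}
    for a, b in trusts:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def containment_scope(graph: Dict[str, Set[str]], compromised: str,
                      max_hops: int) -> Dict[str, int]:
    """Breadth-first search from the confirmed host. Returns asset -> hop
    distance, capped at max_hops so the scope stays reviewable instead of
    silently expanding to the whole estate."""
    dist = {compromised: 0}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        if dist[cur] >= max_hops:
            continue
        for nxt in graph[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def contacts_by_team(inventory: Dict[str, dict],
                     scope: Dict[str, int]) -> Dict[str, List[str]]:
    """Group in-scope assets by owning team, nearest assets first, so each
    team receives the list of devices it must isolate."""
    teams: Dict[str, List[str]] = {}
    for asset in sorted(scope, key=lambda a: (scope[a], a)):
        teams.setdefault(inventory[asset]["owner"], []).append(asset)
    return teams


if __name__ == "__main__":
    g = build_graph(INVENTORY, TRUSTS)
    scope = containment_scope(g, "web-01", max_hops=2)
    for team, assets in contacts_by_team(INVENTORY, scope).items():
        print(f"{team}: isolate {', '.join(assets)}")
```

The hop limit is the practical knob: widening it from 2 to 4 in this constructed data pulls the HR host into scope via the shared `svc-db` and `svc-hr` accounts on the jump host, which is exactly the kind of indirect exposure an inventory makes visible and a device list alone does not.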
After the threat has been eliminated and patch management is in place, recovering normal services and communicating within the company — and with customers — is critical.
The last step of a solid incident response plan is to review what happened, identify ways to prevent it from happening again, and adapt the plan given new information. A mature incident response plan includes automated vulnerability scanning and proactive threat hunting.