Critical Control: Develop and Test an Incident Response Plan

This week, we'll discuss how to plan for cybersecurity emergencies. Last week we discussed how to identify the right cybersecurity strategy, so click here to read all about it if you missed it. Every business needs a plan to deal with emergencies, and this week we'll cover how to build a cybersecurity incident response plan.

No one plans to fail; however, failing to plan will often lead to a disaster when it comes to cybersecurity risk management. Depending on a business's size and stakeholders (regulators, shareholders, etc.), having a bad plan can actually cost the business even more than if it had no plan at all! We've seen many different versions of breach victims with no plan, good plans, bad plans, and half a plan or less, and our experience is that having the right plan can mean the difference between resolving a serious problem with little to no impact or having a minor issue balloon into shareholder lawsuits, regulatory fines, and other nightmares. Let's discuss how you can prepare for successfully managing a cybersecurity crisis by having the right Incident Response Plan.

The Basics of an Incident Response Plan

Some of the first things to consider when developing an Incident Response Plan (or "IRP") include identifying who, what, when, and how the business will go about handling a cybersecurity incident:

  • What is a cybersecurity incident?
    • The business should define what a cybersecurity incident is in the plan so that it is properly scoped. Issues that lead to disaster recovery or business continuity plan execution can include cybersecurity incidents, but not necessarily the other way around.

  • When will the business declare an incident?
    • Typically, an IRP will include a statement that provides guidance around what thresholds must be crossed before an incident is declared and the plan is put into action. Being notified by law enforcement, or seeing your company in the news because of a breach, are examples of reasons to declare an incident and invoke the plan.

  • Who will be responsible for managing, responding to, communicating, and resolving an incident?
    • One of the most important parts of an Incident Response Plan is defining the Incident Response Team (IRT). The team should consist of leadership from various business units (e.g. Human Resources, Legal, Operations, IT, and the Executive Leadership Team), and a contact list with phone numbers and other contact information should be provided. Establishing who's in charge in the event of a cybersecurity emergency ensures that things happen smoothly and that the team works together to get the incident resolved.

  • How will the incident be managed?
    • The plan should include a communications plan that includes both in-person meeting spaces such as conference rooms, as well as teleconference capabilities that are dedicated for the duration of any incident. "War rooms" and conference bridges will be needed to coordinate the various work efforts that will be ongoing during an incident.

  • What resource lists and ways to gain access to critical data are needed?
    • Network diagrams, hardware/software/data inventories, and third-party contracts related to cybersecurity should all be referenced by the plan. A repository that is frequently updated should also be referenced so that the Incident Response Team can access up-to-date information.

Once the business has answered the questions above in a narrative form, the basics of a plan can be laid out in a business document that is stored in electronic and paper form, in a secure location that is accessible by the Incident Response Team.

Rules of Thumb for Use and Testing of the Incident Response Plan

The Incident Response Plan is a living document that should be updated at least annually. Many things change in a business over the course of a year, such as Internet service providers, employee positions, and technical information. Relying on information that is out of date is a sure-fire way to create bigger problems, so keeping the Plan up to date is very important.

Make sure that the business's legal counsel is included in the Incident Response Plan and is also involved in testing the plan. Some organizations may go the extra step of retaining outside counsel that specializes in cybersecurity law; these firms are invaluable when dealing with regulatory and other legal compliance issues, including notification requirements that vary based on the region in which the business and its stakeholders operate.

An Incident Response Plan is only as good as the testing it is subjected to; testing an IRP should be done at least annually. Most of the time, this will involve an Incident Response Tabletop exercise that runs through different scenarios with the Incident Response Team following the Plan, so that the Plan is exercised and the Team gains familiarity with the process and its likely outcomes. Every test will result in lessons learned and potential changes to the plan, as well as experience for the Team members that will pay off in the event that the Plan must be invoked.

Many businesses retain specialized cybersecurity services companies to provide guidance during Incident Response Plan development, testing, and review. Ingalls Information Security provides IRP development, tabletop testing, and reviews to help ensure that the Plan is a functional, living document that can adequately address a crisis in the event that a cybersecurity incident is declared. Contact us today to find out how we can help your organization prepare for a cybersecurity crisis!


Join us next week when we discuss Penetration Testing and why it's a good idea for businesses to get tested at least once a year for holes in their cybersecurity technical controls. Thanks for reading!

This article is part of our weekly series on how to manage cybersecurity risk for businesses. If you'd like to download the complete 8-point guide, click here to sign up and get the entire guide for free!
