The Importance of an Incident Response Plan

The Importance of an Incident Response Plan

An Incident Response Plan (IRP) Outlines The Process

An Incident Response Plan (IRP) should outline the process that everyone will follow in response to different security incidents. The plan should outline the different types of incidents that may occur: data leaks, ransomware, phishing attacks, etc. and what the response will be to each. How will communications be handled and with whom? Does law enforcement need to be contacted? How about the legal team or cyber insurance broker?

A Comic-Con Perspective

Are you a Comic-Con nerd? If you have never been to a convention, it truly is a great experience. The amount of time, effort and planning these folks put into their costumes is a sight to behold.

Our team member, Mike Oster, looked on in awe as his daughter was getting ready for a Comic‑Con Convention. Planning every part of the 3‑day convention: what to wear each day, who she would be meeting and when, what exhibits and events she would be attending, etc. He watched as she started putting all her friends’ names and numbers on a piece of paper along with what times/places they would meet up and what they would wear each day…she just wanted to be prepared. Apparently, cell service is spotty at best in the convention hall, and she wanted to be able to find her friends if she needed to. Why would she need to find her friends? There are lots of reasons… she might want to leave early, there might be a change in the schedule or, heaven forbid, a real emergency of some sort. They all agree, in advance, on where/when they will meet and what they will do if anything changes. Unbeknownst to her, his daughter was making an Incident Response Plan!

Back to the Business World

Of course, in the business world, an IRP would be put together for much different reasons than maximizing their experience at a convention. In the real world, a business puts together an IRP so everyone in the organization knows exactly what their response will be to a potential cybersecurity incident.

But do all companies, large or small, really need an IRP? Absolutely! It does not need to be lengthy or overly complicated, but it is necessary and important. Most companies will likely be relying on outside vendors or tech experts to help them through but they still need a plan. Who will make the call? Who is their backup? How will contact be made? What if email is down? Having a plan in place will answer all these questions if or when the worst happens.

It can start with a simple checklist:

  • Have (and drill) a customized Incident Response Plan.
  • Identify who should be on the Response Team and what their responsibilities are.
  • Gauge whether there are sufficient IT resources to respond to an incident or whether third-party support would be required.
  • Document and practice lockdown procedures (for both internal systems and clients).
  • Have cybersecurity insurance and/or lawyer(s).
  • Ensure that a clean system is ready for restore, perhaps involving a complete reimage of a system or a full restore from a clean backup.
  • Audit backups and practice backup restoration.
  • Know how to retrieve/request access to relevant event and activity logs.
  • Prepare a communication strategy and lawyer-approved scripts/templates for quick use.

Of course, a full Incident Response Plan needs to be tailored to a business’ team and specific needs.

Don’t know where to start? Contact IT Radix and we can help get you as prepared as a fan heading off to Comic‑Con!

First published in our September 2022 IT Radix Resource newsletter