Will Your Company Survive The Unexpected? Make Sure With an Incident Response Plan

By Susan Carter   

An incident response plan (IRP) should take its place right beside business-continuity and disaster-recovery plans. It is that important!

This plan should be considered a key corporate document that helps improve the chances that your company would survive the unexpected. The plan should be designed to contain broad procedural guidelines that can be applied to the majority of security incidents.

Your IRP should include:

  • Senior management approval/buy-in (very important)
  • Team structure (Include appropriate technical subject matter experts, identified by their areas.)
  • Team roles
  • Complete on-call information including home phones and alternates
  • Organizational approach to incident response
  • Incident severity-rating guidelines to help determine if the Incident Response team needs to be activated
  • Steps on how an incident is declared and the Incident Response team is activated
  • Authority of the Incident Response team to confiscate or disconnect equipment/services
  • Communication channels and alternatives
  • Collection of forms to help with gathering information, documenting communications and steps taken, and to assist in report creation
  • Technical processes, techniques, checklists and forms for incidents your company/industry is prone to, such as: intrusions, malicious code infection, cyber-theft, DDoS attack, web defacement, SQL injection, cross-site scripting, etc. (These individual response actions can be referenced as sub-documents and each should contain the six phases of Incident Response: Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned)
  • Forensic analysis systems, or contracts for a vendor with appropriately skilled and equipped staff to help determine if the incident involved illegal or unauthorized activity that may need to be acted on in a legal proceeding
  • External communication and information-sharing procedures with ISP, vendors, law enforcement, media and other incident response teams (This info sharing needs to be discussed with public affairs, legal and management staff ahead of time, and have any required NDAs ready beforehand.)
  • Requirements for reporting incidents involving data protected by statute or regulation (This data should have already been identified during the business-impact analysis phase of your business continuity plan.)
  • Steps on how to determine, announce and return to normal processing
  • IRP review and testing requirements

An up-to-date, “as-built” network diagram is an invaluable resource to keep with your IRP. A list of where all your logs are located, the approximate duration available for each log set and a proven tool for efficiently reviewing those logs will also prove invaluable. Test your plan at least annually, if not bi-annually, especially if you have not had the opportunity to put the plan into action for an active incident.

The IRP needs a safe and accessible home. This plan will contain detailed, proprietary corporate information along with personal contact information. It should be stored in a secured area on your network, but in case the network is not accessible, it is a good idea to give key team members an encrypted copy on a thumb drive. Have another copy stored in an undisclosed location outside the company.

Your IRP is never done! It is a living document and should be revisited and revised as needed after every incident, after significant changes to your environment, after changes in key staff, or at least once a year. Your organization changes over time, new threats emerge and team members change, and your IRP needs to be kept current to be effective and valuable.


Susan Carter offers her Industry Insights for Network Computing Architects, Inc. To learn more about creating an Incident Response Plan for your organization, contact NCA at info@ncanet.com, 1.800.604.6536 or www.ncanet.com.

Strategic Link is the NWCUA’s wholly-owned service corporation, using the power of aggregation to provide the Association’s member credit unions with exclusive high-quality, competitively-priced products and discounted services. Contact Director of Strategic Partnerships Craig Reed today to find out how Strategic Link can help your credit union save money while meeting its goals in 2013 and beyond: creed@nwcua.org.
