Cyber Incident Response Plan: Guidelines & Template
Get Prepared Now, Before a Cyber Event Occurs
An Incident Response Plan (IRP) explains the overall response process for data privacy, information security, and cybersecurity incidents. It defines each stakeholder’s roles and responsibilities, incident types, execution steps, and reporting requirements. This plan aims to prepare, identify, and respond effectively to incidents. The plan should also include determining the scope of an incident and risks presented, tactics for communicating results to stakeholders, and calculating the likelihood of an incident recurring.
Here you will find guidelines for creating an IRP, followed by a downloadable template to use as a starting point.
Incident Reponse Plan Requirements
- The draft template IRP provided here should be modified and tailored to the pertinent legal, regulatory, and operational frameworks following consultation with legal counsel.
- The Incident Response Team (IRT) must be trained on the IRP.
- IRP should be reviewed, tested, and updated frequently (at a minimum annually) to account for organisational changes, new threats, new regulatory requirements, and new technology.
- IRP should cover coordination with breach coach/outside legal counsel, technological vendors, and other strategic response partners.
- IRP should address how to respond to a data security incident or other cyber incident.
Incident Response Process
The incident response process should generally include the following six phases:
This template plan highlights the phases from a governance standpoint so that they may be applied to respond to various incident types. The Recovery phases should entail re-evaluating the preparation procedure’s effectiveness and modifying it if necessary.
Preparation
Prepare and establish a written organisational security policy, initiate a risk assessment protocol, and require that assessments occur at least annually, identify sensitive assets, define critical security incidents the response team should focus on, and build the Incident Response Team (IRT), and test the IRT’s knowledge of the IRP via tabletop exercises designed to simulate a disruption to your organisation’s daily operations.
Identification and Detection
The IT team (internal or external), in conjunction with your Security Operations Centre, if applicable, should monitor IT systems, detect abnormalities and unusual traffic from normal operations, and determine whether it indicates a security incident. When an incident is confirmed, collect and preserve evidence, establish incident type and severity, and document this process.
Containment
Once the intruder or threat is identified, containing the threat is the top priority. Steps should be implemented to ensure evidence is properly preserved and not tampered with, including restricting access to hardware and software. Depending on the type of incident, devices and systems may need to be shut down, segregated to a local VLAN, or left running to perform an investigation. The primary reason for gathering and preserving evidence during an incident is to determine the nature and scope of the incident. However, the collection and preservation of evidence may also become crucial to your organisation’s ability to validate the incident response process during future legal or regulatory proceedings. Document how all evidence is collected and preserved.
Investigation
Once your organisation has contained the threat and collected evidence, the next step should be to remove malware from the affected systems, identify the root cause of the cyberattack, if possible, and implement controls to prevent similar attacks.
Remediation
Start bringing affected systems back online in a safe environment to decrease the likelihood of further attacks. Start testing, verifying, and monitoring (through trusted EDR tools) affected systems to ensure they are functioning properly without any unusual activity. Apply any necessary patches and updates to systems found to be vulnerable. Be proactive with the recovery process, including the preparation of backups of critical systems, databases, and data, as well as images that preserve the settings of operating systems and applications.
Recovery
Recovery is the analysis step that gathers the metrics of the incident (downtime, response time, indicator of compromise, etc.). The Incident Response team should then coordinate lessons learnt under the direction of counsel. Perform a retrospective overview of the incident. Have the complete incident documented under the direction of counsel, continue to investigate the occurrence, try to understand what was done to mitigate the attack, and how the organisation can improve the incident response process in the future.