Creating an Incident Response Plan

Karen Scarfone

At most organizations, incident response plans are written…and then forgotten. The processes and technologies implemented for the plan are maintained over the years, but not the plan itself. That’s a huge missed opportunity. An incident response plan is the core of an organization’s approach to detecting, responding to, and recovering from every kind of cyber incident imaginable. If that plan isn’t regularly updated to reflect changes in technology and risk, as well as lessons learned from previous incidents, the effectiveness of incident response activities will decline. That means more damage, disruption, and cost for your organization.

It’s time to review and update your incident response plan—and if your organization doesn’t have a plan, today is the day to start working on one! Here are examples of important topics your incident response plan should address:

  • The importance of incident response to your organization
  • The steps in your incident response life cycle and the approach to be taken for implementing and performing each step
  • The relationships between your incident response program and other programs and plans, such as business continuity and disaster recovery
  • The long-term plan for improving and maturing your incident response program

For more information on incident response plan contents, check out this summary from NIST and a more detailed guide also from NIST.

Refining Your Incident Response Plan

You should avoid making your plan too detailed; it’s not the best place for defining processes and procedures, for example, because they’ll need to be updated frequently. It’s also prudent to avoid being overly specific with terminology, such as referencing a particular threat or attack technique instead of a broader class of threats or attacks. The more specific and detailed the plan is, the sooner it’s going to become outdated and need to be revised. Striking a balance is important.

Incident response risk mitigation. Like any other plan, your incident response plan needs to be maintained over time. Basic maintenance involves periodically reviewing the existing incident response plan, updating any outdated material, and adding new content if needed. Once you complete your updates and release the new plan, you’ll need to update your plan implementation accordingly. Doing such a review at least once a year is generally prudent.

It’s incredibly important to take into account lessons learned during incident responses as you review and revise your plan. What sounds great in a plan might not work as well as expected in practice, and a plan might omit one or more topics that have become important to your organization since the last plan update happened. There are two major aspects to lessons learned:

  • Do periodic reviews of the handling of recent incidents by reviewing incident reports, and hold a review shortly after any major incident, such as a large data breach or major ransomware infection.
  • Conduct exercises and tests of the incident response plan periodically. This has two purposes: to find any issues with the plan and plan implementation, and to help train staff on their incident response roles and responsibilities. NIST has a free guide on test, training, and exercise programs for incident response plans and other plans.

In addition to training your incident responders to implement your plan, you also need to train your users so they understand their roles and responsibilities, from identifying the latest attacks and reporting incidents to cooperating with incident responders.

I’ve been collaborating with the fine folks at ELC Information Security on creating such a course based on my decades of experience. For more information, click on the Role-Based Training link below. You can try a demo of the course and get more details on what it covers and how it works. ELC can also customize the course to reflect your company’s policies, procedures, and lingo so it is tailor-made for your users and a great companion to general security awareness training.