Eisenhower famously said, “Plans are worthless, but planning is everything.” This means that going through details from the beginning is a useful exercise even if the plan evolves and changes when it’s time to act.
The purpose of the incident response (IR) plan is to have some sort of playbook so that all players know their theoretical role and what steps should take place. The plan should include definitions of various incidents (such as: data breach, loss of access/DDoS, ransomware infection), team member roles and responsibilities (legal team, PR team, network team, customer service team, business owner) and steps each players would take.
NIST describes an IR plan thusly:
The instructions and procedures an organization can use to identify, respond to, and mitigate the effects of a cyber incident.
What goes in the Incident Response Plan?
Make sure your plan includes the following:
- Definitions. What is an “incident”, for example?
- Teams - define who your various team members are, and…
- Responsibilities - what do your team members need to do? There will be two categories here - ongoing responsibilties (“must check logs every day”) and acute responsibilties in the event of a breach (“shut down port 1337”)
- Instructions on how to report incidents
- Instructions on how to respond to incidents
- List of relevant regulatory requirements that you may need to meet (PCI? HIPAA? GDPR? ISO27001?)
- Relevant SOPs (“how to restore from backup”)
In the end your IR team will have to do the following things, again borrowing from NIST:
- Be prepared to handle incidents
- Be preventing incidents
- Detect incidents
- Contain, eradicate, and recover from incidents
- Post-mortem: learn lessons and use collected data
- Is it IT’s job to develop the whole plan or plans? Not exclusively! There are many stakeholders here: legal, PR, IT, customer service, physical security, marketing, etc. You will need feedback from all these groups.
- Is the plan useful if I just write it and never test or practice going through it? This is not a common question but I kinda wish it were because the answer is NO, you have to test your plan on a regular basis (let’s say annually).
- All my data is in the cloud so I don’t need an IR plan, right? Wrong. You still need a plan - your plan is just different. Sure you’re not gonna be restoring files from tape like you were fifteen years ago but you’ll
*Sample incident response plan checklist from NIST. Another good resource: SANS Incident Handler’s Handbook.
Cover photo by wagrati photo from Pexels