Every company needs a cybersecurity incident response plan. Without one, you may waste time deciding how to respond to an incident, resulting in more damage to your organization. Here’s more information on how CISOs can develop an effective incident response plan.
Some cybersecurity insurance policies require an incident response plan, but every company should have one ready so everyone immediately knows what steps to take in case of a cybersecurity incident.
Even if you outsource your cybersecurity management, it’s still essential to document your internal response plan. It should state how to reach your managed security services provider (MSSP) and outline any responsibilities for your team.
What to Include in an Incident Response Plan
Creating a comprehensive incident response plan requires a lot of detail. If you’re creating one for your organization, here is some of the most important information to include:
Incident definition
An “incident” can mean different things to different organizations. Spell out what constitutes an incident, how it will be identified, and the potential impacts. It’s also useful to define other terms that you reference in your document.
Roles and responsibilities
Identify who is part of the incident response team and who will make the call about when the incident response plan should be activated. It’s also important to note who needs to be notified of an incident. Include when and how to contact them, as well as how often to update them.
Preparation and reporting
Outline your preparation strategies, including documentation, procedures, workflows, software handling, network diagrams, and asset inventories. Also review which reports and credentials the investigation will require, so they are available before an incident occurs.
Identification and assessment
Determine how you will identify and verify an incident. This often starts with a report from an employee or an alert from a detection tool, followed by a preliminary investigation by the incident response team leader.
Containment and intelligence
Your containment strategy will depend on the type of incident, so you may need multiple plans for how to contain the threat and limit any damage.
Eradication
This phase should eliminate the threat and clean up affected systems. It includes updating software, installing patches, and changing passwords. The phase may also require wiping and reinstalling affected systems.
Recovery
Plan how you will restore systems and data so that they’re functional again. It’s often useful to work with a managed security services provider in this phase to ensure a full recovery and help prevent future attacks.
Lessons learned
Make a plan to look back on what happened before, during, and after the incident. Determine how you can protect your organization against that kind of incident occurring again.
How Cybersecurity Management Pros Craft Incident Response Plans
You can create an incident response plan internally, work together with a cybersecurity services consultant, or hire a managed security services provider to create it for your company.
However you decide to create yours, it’s important to get input from across your organization. An incident is likely to impact many departments and even critical business processes.
As an MSSP, Corsica is experienced in creating incident response plans and customizing them for each organization’s environment. We can do everything from reviewing an existing plan to developing the plan in its entirety.
Be Prepared for Cyber Incidents
If you’d like your organization to be better prepared with an incident response plan or other cybersecurity protections, schedule a security assessment with a Corsica security consultant today.