
A CISO’s Guide to Developing an Incident Response Plan


Every company needs a cybersecurity incident response plan. Without one, you may waste time deciding how to respond to an incident, resulting in more damage to your organization. Here’s more information on how CISOs can develop an effective incident response plan.

Some cybersecurity insurance policies require an incident response plan, but every company should have one ready so everyone immediately knows what steps to take in case of a cybersecurity incident.

Even if you outsource your cybersecurity management, it’s still essential to document your internal response plan. It should state how to reach your managed security services provider (MSSP) and outline any responsibilities for your team.


What to Include in an Incident Response Plan

Creating a comprehensive incident response plan requires a lot of detail. If you’re creating one for your organization, here is some of the most important information to include:

Incident definition

An “incident” can mean different things to different organizations. Spell out what constitutes an incident, how it will be identified, and the potential impacts. It’s also useful to define other terms that you reference in your document.

Roles and responsibilities

Identify who is part of the incident response team and who will make the call about when the incident response plan should be activated. It’s also important to note who needs to be notified of an incident. Include when and how to contact them, as well as how often to update them.

Preparation and reporting

Outline your preparation strategies, including documentation, procedures, workflows, software handling, network diagrams, and asset inventories. Review reports and credentials necessary for the investigation.

Identification and assessment

Determine how you will identify and verify an incident. This often involves a notification via an employee or detection tool, then a preliminary investigation by the incident response team leader.

Containment and intelligence

Your containment strategy will depend on the type of incident, so you may need multiple plans for how to contain the threat and limit any damage.

Eradication

This phase should eliminate and clean up the threat. It includes updating software, installing patches, and changing passwords. The phase may also include a full removal and re-installation of systems.

Recovery

Plan how you will restore systems and data so that they’re functional again. It’s often useful to work with a managed security services provider in this phase to ensure a full recovery and help prevent future attacks.

Lessons learned

Make a plan to look back on what happened before, during, and after the incident. Determine how you can protect your organization against that kind of incident occurring again.

How Cybersecurity Management Pros Craft Incident Response Plans

You can create an incident response plan internally, work together with a cybersecurity services consultant, or hire a managed security services provider to create it for your company.

However you decide to create yours, it’s important to get input from across your organization. An incident is likely to impact many departments and even critical business processes.

As an MSSP, Corsica is experienced in creating incident response plans and customizing them for each organization’s environment. We can do everything from reviewing an existing plan to developing the plan in its entirety.

Be Prepared for Cyber Incidents

If you’d like your organization to be better prepared with an incident response plan or other cybersecurity protections, schedule a security assessment with a Corsica security consultant today.

Ross Filipek
Ross Filipek is Corsica Technologies’ CISO. He has more than 20 years’ experience in the cybersecurity industry as both an engineer and a consultant. In addition to leading Corsica’s efforts to manage cyber risk, he provides vCISO consulting services for many of Corsica’s clients. Ross has achieved recognition as a Cisco Certified Internetwork Expert (CCIE #18994; Security track) and an ISC2 Certified Information Systems Security Professional (CISSP). He has also earned an MBA degree from the University of Notre Dame.
