No security system anywhere in the world is foolproof yet. Despite the best security measures and the best teams, breaches do occur. There is no point living in a make-believe world where deploying top-of-the-line tools and processes guarantees that the organization is 100% safe from cyber threats. Every organization must prepare for the eventuality of a breach with an Incident Response plan (IR Plan). An incident response plan helps the organization respond to an incident in an organized, coordinated manner. A well-designed plan helps to mitigate the incident quickly and minimize loss instead of creating more chaos. A good IR plan must be well documented, well tested and validated to ensure that it meets the organization’s requirements. At the very least, the five points below must be part of every incident response plan.
1. Incident Identification
The plan must include clear criteria or guidelines on when and how a security incident is declared. The trigger may be a single major event or a set of individual indicators that together point to an incident (e.g. sudden deletion of more than x records, or network throughput dropping below a defined level despite no apparent increase in genuine traffic). The IR plan should include the following:
- Standard guidelines to identify and declare occurrence of an incident
- Criteria to define major and minor incident
- Criteria to define the severity of the incident
- Response time for an incident of each severity
- A dispute resolution process, to avoid conflict at the time of an incident
Often, different teams will have a different view of the same incident. They will assign different severity and impact ratings, and hence different resolution times, to the same incident. In such cases, a dispute resolution mechanism is imperative so that the incident gets the correct attention.
2. Incident Response Roles and Responsibilities
Everyone in the organization must know what they are supposed to do and who they are supposed to contact when an incident occurs. The IR plan should have the following:
- First point of contact to inform about the incident (incident help line)
- Notification matrix which identifies the individuals who must be notified when an incident occurs
- Contact details for each area (networks, servers, individual systems, individual departments etc.) for incident management
- Steps to be carried out by each team/department/individual during the incident, along with timelines (response times)
- Interdependency and communication matrix
- Escalation matrix
- Incident closure criteria
The incident is closed only when all impacted teams confirm that their areas are working as expected. Until every team gives a green signal, the incident should stay open.
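The declaration and closure criteria from sections 1 and 2 can be made concrete in code. The following is an added example, not part of the original article: the thresholds, severity levels and response times are constructed values that an organization would set in its own IR plan, and the two indicators modelled are the ones the article mentions (mass record deletion and an unexplained network slowdown). Closure is gated on sign-off from every impacted team.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, FrozenSet, Set, Iterable

# Constructed thresholds for the two indicators named in the article.
RECORD_DELETION_THRESHOLD = 1000   # records deleted within one monitoring window
LATENCY_DEGRADATION_FACTOR = 2.0   # current p95 latency / baseline p95 latency
TRAFFIC_INCREASE_FACTOR = 1.2      # traffic growth that would explain a slowdown

# Assumed response time per severity (the plan must define these).
RESPONSE_TIME = {
    "critical": timedelta(minutes=15),
    "major": timedelta(hours=1),
    "minor": timedelta(hours=8),
}

@dataclass
class Telemetry:
    records_deleted: int
    latency_ratio: float   # current p95 / baseline p95
    traffic_ratio: float   # current requests per second / baseline

def classify(t: Telemetry) -> Optional[str]:
    """Return the severity if the telemetry meets the declaration criteria, else None."""
    mass_deletion = t.records_deleted >= RECORD_DELETION_THRESHOLD
    # A slowdown only counts when genuine traffic does not explain it.
    unexplained_slowdown = (t.latency_ratio >= LATENCY_DEGRADATION_FACTOR
                            and t.traffic_ratio < TRAFFIC_INCREASE_FACTOR)
    if mass_deletion and unexplained_slowdown:
        return "critical"
    if mass_deletion:
        return "major"
    if unexplained_slowdown:
        return "minor"
    return None

@dataclass
class Incident:
    severity: str
    declared_at: datetime
    impacted_teams: FrozenSet[str]
    cleared_by: Set[str] = field(default_factory=set)

    def response_deadline(self) -> datetime:
        return self.declared_at + RESPONSE_TIME[self.severity]

    def clear(self, team: str) -> None:
        if team not in self.impacted_teams:
            raise ValueError(f"{team} is not an impacted team for this incident")
        self.cleared_by.add(team)

    def can_close(self) -> bool:
        # Closure requires a green signal from every impacted team.
        return self.cleared_by >= self.impacted_teams

def declare(t: Telemetry, impacted_teams: Iterable[str],
            now: Optional[datetime] = None) -> Optional[Incident]:
    """Declare an incident from telemetry, or return None if criteria are not met."""
    severity = classify(t)
    if severity is None:
        return None
    return Incident(severity, now or datetime.now(), frozenset(impacted_teams))
```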
3. Incident Response Communication Plan
Although communication has already been touched upon above, a separate, detailed communication plan is imperative, containing at least the following:
- Emergency help desk contact for the incident
- Notification list
- Primary emergency contact for each area
- A secondary emergency contact for each area
- Emergency contacts at vendors whose systems connect to the organization’s network
- Communication protocol for interdepartmental communication during the incident
- Escalation protocol during the incident
- Regular incident update communication protocol and frequency
- Incident closure approval and communication protocol
- Designated communications manager during the incident
During an incident there is a high probability of chaos, so a well-defined communication protocol must be in place and followed. The communication plan must be rehearsed at regular intervals to ensure a smooth flow of information when an incident occurs.
4. Validation and Improvement of the IR Plan
Cyber threats keep changing in nature and intensity, so the incident response plan must not be static either. It must be reviewed frequently and updated to reflect the current threat landscape. The IR plan must be published, tested and validated regularly to ensure that it is executed effectively during an incident. After every incident, the actual response must be reviewed and the lessons learned incorporated into the updated plan for improved effectiveness.
5. Impact of the Incident
Organizations hold immense amounts of consumer data, and the impact of theft or loss of this data is very high for both consumers and companies. Enterprises are obliged to protect their consumers’ data by numerous regulations and the associated penalties, and also to avoid loss of credibility. Every incident response plan must identify the incidents that can occur and assess their impact on the organization. In the event of an incident, the impact analysis must be carried out as soon as possible so that the organization understands the full repercussions of the breach.
Cyber attacks and breaches are a fact of life today. It is estimated that every organization will suffer a data breach at least once. Just like a well-stocked first aid kit in the house, a good, well-tested incident response plan helps the organization respond to an incident with minimum surprises and the least loss.