An incident response plan (IRP) is a documented set of procedures a company follows when responding to a security emergency. Its purpose is to minimize damage, limit costs, and shorten recovery time. An IRP comes into play in situations such as malware outbreaks, firewall compromises and network intrusions, and denial-of-service or distributed denial-of-service (DoS/DDoS) attacks.
Many companies have incident response plans these days, but surveys show these plans do not always live up to expectations. This is usually due to poor planning and the company's failure to involve all lines of business (LOBs) during the preparation phase. In addition, many IRPs have never been exercised, which leaves them ineffective in a real emergency.
This article looks at the steps involved in coming up with an effective Incident Response Plan.
1. Involve all departments
The incident response plan generally revolves around a company's IT department, but it is important to involve every other department, especially when planning and training employees on how to act in an emergency. Any serious incident will affect all departments, so companies should gather every department's input before finalizing an IRP.
To see why this matters, imagine a breach of a banking system. The public relations department will have to explain the situation to clients. Depending on the scale of the breach, the design and development department may have to assess the affected systems and identify ways to prevent further damage. The human resources department will need to check whether employees' personal information has been exposed. These few examples show why all departments must be involved in drawing up an IRP.
An effective IRP should specify what to disclose to key department heads in the event of an emergency, and how that information reaches system administrators and the other department heads. To make the plan usable under pressure, include up-to-date contact details and a communication schedule in it.
2. Establish the origin of the event
An effective incident response plan should define the key performance indicators (KPIs) by which success is judged. Typical KPIs are the time taken to detect, triage, investigate and respond to an incident. Other useful measures are whether the incident involved malware, the number of false positives, and which security control detected the incident.
According to Steve Armstrong, an instructor at the SANS Institute, KPIs are a tool management uses for evaluation. Employees should not fear them; they should take time to understand how they work so they can communicate better with their managers. Choosing effective KPIs helps a business win better support and additional resources from various parts of the organization.
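As an added example (not code from the original article), the script below computes the KPIs just described from an incident register: mean time to detect, triage and contain, the false-positive rate, the share of incidents involving malware, and a count of detections per security control. The record layout, the control names ("edr", "siem", "user_report") and the sample incidents are all constructed for illustration; a real register would be exported from a ticketing or SIEM system.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Incident:
    """One row of the incident register (field names are an assumption)."""
    incident_id: str
    source: str                    # security control that raised the alert
    occurred: datetime             # start of malicious activity, per investigation
    detected: datetime             # when the alert fired
    triaged: datetime              # when an analyst classified the alert
    contained: Optional[datetime]  # None while open, or for false positives
    false_positive: bool
    malware: bool


def _hours(start: datetime, end: datetime) -> float:
    """Elapsed time between two timestamps, in hours."""
    return (end - start).total_seconds() / 3600


def compute_kpis(incidents: List[Incident]) -> Dict[str, object]:
    """Return the KPIs an IRP should track, computed over the register."""
    real = [i for i in incidents if not i.false_positive]
    if not incidents or not real:
        raise ValueError("need at least one confirmed incident to compute KPIs")
    contained = [i for i in real if i.contained is not None]
    by_source: Dict[str, int] = {}
    for i in incidents:
        by_source[i.source] = by_source.get(i.source, 0) + 1
    return {
        "mean_time_to_detect_h": mean(_hours(i.occurred, i.detected) for i in real),
        "mean_time_to_triage_h": mean(_hours(i.detected, i.triaged) for i in real),
        "mean_time_to_contain_h": mean(_hours(i.detected, i.contained) for i in contained),
        "false_positive_rate": sum(i.false_positive for i in incidents) / len(incidents),
        "malware_share": sum(i.malware for i in real) / len(real),
        "detections_by_source": by_source,
    }


def sla_breaches(incidents: List[Incident], max_detect_hours: float = 6.0) -> List[str]:
    """IDs of confirmed incidents whose detection time exceeded the SLA (threshold assumed)."""
    return [
        i.incident_id
        for i in incidents
        if not i.false_positive and _hours(i.occurred, i.detected) > max_detect_hours
    ]


# Constructed sample register, not real data.
SAMPLE_INCIDENTS = [
    Incident("INC-1", "edr", datetime(2024, 3, 1, 8, 0), datetime(2024, 3, 1, 8, 30),
             datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 12, 0), False, True),
    Incident("INC-2", "siem", datetime(2024, 3, 2, 22, 0), datetime(2024, 3, 3, 6, 0),
             datetime(2024, 3, 3, 6, 30), datetime(2024, 3, 3, 10, 0), False, False),
    Incident("INC-3", "siem", datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 10, 0),
             datetime(2024, 3, 4, 10, 15), None, True, False),
    Incident("INC-4", "user_report", datetime(2024, 3, 5, 9, 0), datetime(2024, 3, 5, 13, 0),
             datetime(2024, 3, 5, 13, 30), datetime(2024, 3, 5, 16, 0), False, True),
    Incident("INC-5", "edr", datetime(2024, 3, 6, 11, 0), datetime(2024, 3, 6, 11, 0),
             datetime(2024, 3, 6, 11, 10), None, True, False),
]


if __name__ == "__main__":
    for name, value in compute_kpis(SAMPLE_INCIDENTS).items():
        print(f"{name}: {value}")
    print("detection SLA breaches:", sla_breaches(SAMPLE_INCIDENTS))
```

Time to detect is measured from when the activity began (as established by the investigation) rather than from the alert, because the alert time alone hides dwell time; false positives are excluded from the timing KPIs but counted in the false-positive rate, so a noisy control cannot improve the averages by generating more alerts.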
3. Test, and test some more
Businesses should test their IRP thoroughly to be sure it works. Holding security breach drills tests staff preparedness, surfaces the company's risk factors and weak areas, and shows what actions are needed to close those gaps. As a matter of principle, companies should review the plan at least annually, with the frequency adjusted to available funds and how fast the company is growing.
Businesses should not assume the IRP will work. Exercising it confirms the plan is fit for purpose and shows whether it can detect and close the gaps it was written for. This may increase the security budget, but the benefits outweigh the cost.
Perhaps the reason many companies write IRPs but rarely test them is that testing is time consuming: a comprehensive exercise takes a full day or more. Other obstacles are commitment, coordination, and the limited time of department heads. When planning the exercise, build it into company policy so that everybody takes part.
4. Establish the nature of the incident
Not every reported problem is a security incident, but system administrators should treat each one carefully in order to rule out an attack. Technicians should check that simple signs, such as a slow computer, are not symptoms of an attempt to compromise the system. A company should train its users not to click on suspicious links; this prevents many incidents at little cost. And the IT department should investigate reported security breaches promptly.
5. Develop a centralized archive for data
Companies detect threats through many different channels. The alerts, indicators and findings from all of them should be stored in a centralized archive. This gives the response team a complete view of past attacks, so they can monitor trends, investigate faster, and develop better response strategies.
6. Be wary when handling industrial systems
Many industrial companies assume attackers will not target their operations. This explains why many of them have a thin IT department, or have delegated the security team's responsibilities to other departments. Remember that staff outside IT and security may not know how to recognize a potential breach.
7. Containing and alleviating the problem
Experts should contain and remediate the root cause rather than the symptoms. Containment can fail if the security team applies a pre-scripted remedy before understanding the incident. While many businesses act on preliminary reports, an effective incident response plan should rely on the investigating team's findings. Only then can they choose the right remedy to eradicate the problem and an effective way to prevent further attacks.
8. Set aside finances for the purpose of follow-up
One reason many companies skip the follow-up is the extra expense. Yet follow-up is what keeps security incidents from recurring, so companies should budget for it in advance. The follow-up stage is also the time to evaluate whether the KPIs are working and whether detection systems need to be changed or upgraded.
9. Carry out a follow-up procedure in all departments
Security incidents disrupt a company's operations in a big way, so companies need to invest in training on how to prevent recurrences. Such training should not be the preserve of the IT and security departments. Although those two departments carry out most of the response activities, involving everyone else spreads awareness and gives every member of staff basic detection skills.
10. Set up a communication plan
An appropriate communication plan is essential to successful incident response. Companies should define a workable procedure for notifying both internal and external experts in an emergency, and every member of staff should understand how the company's incident response plan operates.
Incident response plans are critical for every company. Although the process can be time consuming and costly, it is worth the investment because it spares the company the grave losses a security attack can cause.
This article will help companies develop effective incident response plans, and understand the importance of having all departments collaborate to make them successful.