Preparing an Effective Incident Response (IR) Plan

When an organisation is the target of a cyber attack, anything goes: data breaches, DoS attacks, zero-day exploitation. It is in these scenarios that the value of an IR plan becomes apparent. The difference between smaller and larger organisations is often made clear by whether they have adopted an IR plan to combat and mitigate these threats.

What is Incident Response?

IR is a process rather than an isolated event: it is the set of steps used to prepare for, detect, contain, and recover from a security incident such as a data breach.

Often, IR planning includes the following details:

  • How IR supports the organisation's broader mission
  • The organisation's approach to IR
  • Roles and responsibilities of team members
  • Communication between the security team and the rest of the company
  • Monitoring tools used to capture incidents, e.g. a SIEM platform or a NIDS

Why is an IR plan important?

An IR plan is a foundation of business continuity. The plan must be designed to align with the organisation's goals and priorities.

The information obtained through IR activity can be fed back into risk assessment procedures, disaster recovery plans, and the IR process itself, ultimately ensuring better handling of future incidents and an overall improved security posture.

Investing in a well-designed IR plan allows first responders to understand the steps needed to remediate threats and the tools required to do so.

What are the appropriate IR steps?

Certain prerequisites must be met before an IR plan can be prepared. These include assembling a collection of IR tools and taking an honest view of the organisation's own capabilities. The preparation phase must also establish communication protocols to be followed in the event of a targeted cyber attack.

Find out more about the appropriate steps in the CREST documentation: https://www.crest-approved.org/wp-content/uploads/2014/11/CSIR-Procurement-Guide.pdf

Best Practices for IR

The best practices to adopt for an IR plan include:

  • Assessing internal platforms (an asset inventory, network diagrams, valued resources, and support services) is crucial
  • Policy must grant team members the authority they need to fulfil their roles
  • A well-developed communication network
  • The IR process must be defined at a corporate level

Internal barriers hindering effective IR

Security is frequently viewed as a cost centre rather than a revenue source.

Consequently, security teams often lack appropriate resources when dealing with targeted cyber threats. This poses a challenge: they must be able to position their findings in terms of business risk and choose what is worth protecting, rather than attempting full protection across all company infrastructure.

An organisation's risk management and IR programs are an enterprise-wide effort, with participation expected at all levels. Get in touch with Intrix Cyber Security to sharpen your organisation's Incident Response Plan.
