Your incident response plan (IRP) includes the processes, procedures, and documentation related to how your organization detects, responds to, and recovers from a specific incident. Cyber threats, natural disasters, and unplanned outages are examples of incidents that can impact your network, systems, and devices. With a proper plan, you will be prepared to handle incidents when they happen, mitigate the threats and associated risks, and recover quickly. While this publication is written in the context of cyber incidents, its guidance can assist your organization in developing an incident response plan for various types of incidents.
On this page
- Before creating an incident response plan
- Types of incidents
- Main steps in your incident response plan
- In-house or professional services
- Learn more
Before creating an incident response plan
Before you create an IRP, identify the information and systems of value to your organization. Determine the types of incidents you might face, such as ransomware or distributed denial of service attacks, and the appropriate responses. Consider who is best qualified to be a member of your response team. You should also determine how you will inform your organization of the plan and the associated policies and procedures.
Conduct a threat and risk assessment
A threat and risk assessment (TRA) is a process that helps you identify your critical assets and how these assets can be compromised. Your TRA will assess the level of risk these threats pose to your assets so that you can develop and prioritize your response efforts. Some questions to answer during the TRA include:
- what data is valuable to your organization?
- which business areas handle sensitive data?
- what controls do you currently have in place?
- could a compromise of this data lead to a privacy breach for your organization?
For more information on TRAs, read Harmonized TRA Methodology (TRA-1).
Create your response team
The purpose of your team is to assess, document, and respond quickly to incidents. The goal is to restore your systems, recover information, and reduce the risk of the incident reoccurring.
Your team should include employees with various qualifications and have cross-functional support from other business lines.
Roles to consider for your incident response team include:
- critical path personnel
- security practitioners
- IT or cyber security specialists
- project engineers for operational technology (OT) environments
- legal
- management
Cyber incidents in particular are unpredictable and require immediate response. Ensure your response team has alternate means of contact, such as mobile phones or out-of-band email. Each member of your team should also have a backup contact in case they cannot be reached or are unavailable.
Develop your policies and procedures
Your incident response activities need to align with your organization's policy and compliance requirements.
Write an incident response policy that establishes the authorities, roles, and responsibilities for your incident response procedures and processes. This policy should be approved by your organization's senior management.
Educate your employees
Provide training to employees that explains your incident response plan, policies, and procedures. Tailor your training programs to your organization's business needs and requirements, and to your employees' roles and responsibilities.
Update your employees on current incident response planning and execution. A well-trained and informed workforce can defend against incidents.
Create your communications plan
Your communications plan should detail how, when, and with whom your team communicates. This plan should include a central point of contact for employees to report suspected or known incidents.
Your notification procedures are critical to the success of your incident response. Identify the key internal and external stakeholders who will be notified during an incident. You may have to alert third parties, such as clients and managed service providers. Depending on the incident, you may need to contact law enforcement or consider engaging a lawyer for advice. You may also need to contact your media team.
Types of incidents
Your organization can face many different incidents. Some examples include:
Ransomware
Ransomware is a type of malware that locks you out of files or systems until you pay a ransom to a threat actor. Payment does not guarantee that you will regain access to your information.
Data theft
Data theft occurs when threat actors steal information stored on servers and devices. The data is most commonly accessed using stolen user credentials. Advanced persistent threats (APTs) refer to threat actors that are highly sophisticated and skilled. APTs are able to use advanced techniques to conduct complex and protracted campaigns in pursuit of their goals. The APT designator is usually reserved for nation states or very proficient organized crime groups.
Active exploitation
Active exploitation takes advantage of unpatched software, hardware, or other vulnerabilities to gain control of your systems, networks, and devices. These attacks can go unnoticed before you have the opportunity to apply a patch or update. Your plan should provide instructions for mitigating active exploitation, such as temporarily suspending Internet access or ceasing online activity.
Main steps in your incident response plan
Your IRP should identify the objectives, stakeholders, responsibilities, communication methods, and escalation processes used throughout the incident response lifecycle. Keep the plan simple and flexible. Test, revisit, and revise your incident response plan annually to keep it effective.
Follow the incident response lifecycle steps below to structure your IRP.
Preparation
- Start with a statement of your management's commitment to the project. Perform a risk assessment to identify your organization's most valuable assets that are critical to your business operations
- Define the security incidents your organization is most likely to face and create detailed response steps for these incidents
- Lay out the objectives of your incident response strategy, as well as your related policies, standards, and procedures. Your policy should include performance measures, such as the incident data that you collect over time (for example, the number of incidents and time spent per incident)
- Define your goals to improve security, visibility, and recovery
- Develop and implement a reliable backup process to create copies of your data and systems to help you restore them during an outage
- Have a detailed strategy for updating and patching your software and hardware. Use this strategy to track and fix vulnerabilities and mitigate the occurrence and severity of incidents
- Create your response team and assign roles and responsibilities to each member
- Define your communications plan and identify how key stakeholders and management will be informed throughout the incident. You should have multiple communication mechanisms in place, as this redundancy may be valuable during an incident
- Develop exercises to test your plan and response. You can revise and improve your plan using your test results
Detection and analysis
Monitor your networks, systems, and connected devices to identify potential threats. Produce reports regularly and document events and potential incidents. Analyze these occurrences and determine whether you need to activate your IRP. Determine the frequency and intensity of your monitoring.
Although it is impossible to have a step-by-step guide for every incident, you should be prepared to handle incidents that use common attack vectors.
In the event of a breach or compromise, analyze the incident, including its type, its origin, and the extent of the damage caused. All facts about the incident should be documented. When an incident is detected, analyzed, and prioritized, your incident response team should notify the appropriate stakeholders so that everyone who needs to be involved is informed.
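The detection and analysis step above asks you to document events, decide whether the IRP is activated, prioritize, and notify the right stakeholders. The following is an added example, not code from the original guidance, that operationalizes that decision: it takes documented events, rates each against an asset criticality tier taken from the TRA, rolls them up into an incident record, and routes notifications per a communications plan. The asset inventory, severity matrix, activation threshold, stakeholder routing and sample events are all constructed assumptions standing in for values your own TRA and communications plan would supply.

```python
"""Incident triage helper: documented events -> prioritized incident record.

Added example, not part of the original guidance. Every table below is a
constructed placeholder for values an organization would take from its own
threat and risk assessment (TRA) and communications plan.
"""
import json
from dataclasses import dataclass, asdict

# Constructed asset inventory: criticality tier from the TRA (1 = most critical).
ASSET_CRITICALITY = {
    "payroll-db": 1,
    "customer-portal": 1,
    "hr-fileshare": 2,
    "dev-wiki": 3,
}

# Constructed base severity per incident category (4 = highest).
SEVERITY_BASE = {
    "ransomware": 4,
    "data_theft": 3,
    "active_exploitation": 3,
    "malware": 2,
    "policy_violation": 1,
}

ACTIVATION_THRESHOLD = 3  # constructed: severity at which the IRP is activated

# Constructed communications-plan routing: who is notified at each severity.
NOTIFY_BY_SEVERITY = {
    1: ["it-operations"],
    2: ["it-operations", "security-team"],
    3: ["it-operations", "security-team", "management", "legal"],
    4: ["it-operations", "security-team", "management", "legal", "media-team"],
}


@dataclass(frozen=True)
class Event:
    timestamp: str   # ISO 8601, as recorded by monitoring
    source: str      # sensor that produced the event (constructed names)
    asset: str
    category: str
    detail: str


def event_severity(event):
    """Base severity for the category, adjusted by the asset's TRA tier:
    tier-1 assets raise it by one, tier-3 assets lower it by one."""
    base = SEVERITY_BASE.get(event.category, 1)
    tier = ASSET_CRITICALITY.get(event.asset, 2)  # unknown assets treated as tier 2
    adjust = {1: 1, 2: 0, 3: -1}[tier]
    return max(1, min(4, base + adjust))


def triage(events):
    """Build the incident record the IRP asks for: documented facts, affected
    assets, overall severity, activation decision and notification list."""
    if not events:
        return {"activate": False, "severity": 0, "affected_assets": [],
                "categories": [], "notify": [], "events": []}
    sev = max(event_severity(e) for e in events)
    categories = {e.category for e in events}
    notify = list(NOTIFY_BY_SEVERITY[sev])
    # Constructed rule: suspected data theft also brings in the privacy officer.
    if "data_theft" in categories:
        notify.append("privacy-officer")
    return {
        "activate": sev >= ACTIVATION_THRESHOLD,
        "severity": sev,
        "affected_assets": sorted({e.asset for e in events}),
        "categories": sorted(categories),
        "notify": notify,
        # Keep every documented fact, in time order, as the incident record.
        "events": [asdict(e) for e in sorted(events, key=lambda e: e.timestamp)],
    }


# Constructed sample events, as a monitoring pipeline might have recorded them.
SAMPLE_EVENTS = [
    Event("2024-03-04T09:12:00Z", "edr", "dev-wiki", "malware", "quarantined dropper"),
    Event("2024-03-04T09:15:30Z", "dlp", "hr-fileshare", "data_theft", "bulk download to external host"),
    Event("2024-03-04T09:16:10Z", "auth", "hr-fileshare", "policy_violation", "login outside business hours"),
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

With the constructed sample, the quarantined dropper on the low-value wiki alone would not activate the plan, but the bulk download from the HR share rates severity 3, so the record activates the IRP and adds management, legal and the privacy officer to the notification list. The point is that the activation and notification decisions are written down as data rather than left to judgement under pressure.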
Containment
Containment is crucial for your organization's recovery. The primary goal is to minimize business impact.
Gain an understanding of the issue so you can contain the threat and apply effective mitigation measures.
An effective mitigation measure for an IT environment may include deactivating connectivity to your systems and devices to block the threat actor from causing further damage. It might be necessary to isolate all systems and suspend employee access temporarily to detect and stop further intrusions.
Containment strategies and procedures will depend on the type of incident, the degree of damage the incident can cause, and your operational requirements. Refer to your organization's incident containment strategies, established in the preparation phase.
When dealing with an incident, the risk assessment completed in the preparation phase should help you define your acceptable risk so that you can develop your containment strategies accordingly.
Eradication
Conduct a root cause analysis to identify and remove all elements of the incident from the affected systems and complete the following actions:
- Identify all affected systems, hosts, and services
- Remove all malicious content from affected systems
- Scan and wipe your systems and devices
- Identify and address all residual attack vectors
- Communicate with stakeholders to ensure appropriate management of the incident
- Harden, patch, and upgrade all affected systems
- Upgrade or replace legacy systems
Recovery
Restore and reintegrate the affected systems back into your operating environment.
- Ensure any malware is removed before restoring your backups
- Test, verify, monitor, and validate affected systems to ensure they are running effectively
- Revise and update policies, procedures, and training initiatives
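The preparation step calls for a reliable backup process and the recovery step asks you to verify before restoring. One concrete check a practitioner would want is to confirm that the backup set about to be restored is exactly the set recorded when the backup was taken, so a set that was modified, trimmed or added to after the fact is refused rather than restored. The following is an added example, not code from the original guidance: it records a SHA-256 manifest at backup time and verifies against it before restore. The directory layout, file contents and the tampering scenario are constructed for the demonstration; in practice the manifest is stored separately from the backup it describes.

```python
"""Backup integrity check before restore.

Added example, not from the original guidance. build_manifest() is run when
the backup is taken; verify_backup() is run before a restore and reports any
file that was modified, is missing, or was not part of the recorded set.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream the file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Map each file's path (relative to the backup root) to its digest."""
    manifest = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(backup_dir, manifest):
    """Return (ok, problems); problems lists modified, missing and unexpected files."""
    current = build_manifest(backup_dir)
    problems = []
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return (not problems, sorted(problems))


def demo():
    """Constructed scenario: take a backup and record its manifest, then alter
    one file and plant another before running the pre-restore check."""
    with tempfile.TemporaryDirectory() as backup_dir:
        os.makedirs(os.path.join(backup_dir, "etc"))
        with open(os.path.join(backup_dir, "etc", "app.conf"), "w") as f:
            f.write("listen=443\n")
        with open(os.path.join(backup_dir, "data.db"), "wb") as f:
            f.write(b"\x00" * 1024)
        manifest = build_manifest(backup_dir)          # recorded at backup time
        clean_ok, _ = verify_backup(backup_dir, manifest)

        # Tamper with the set: edit a config file and drop in an extra file.
        with open(os.path.join(backup_dir, "etc", "app.conf"), "a") as f:
            f.write("debug=true\n")
        with open(os.path.join(backup_dir, "extra.bin"), "wb") as f:
            f.write(b"constructed unexpected file")
        tampered_ok, problems = verify_backup(backup_dir, manifest)
        return clean_ok, tampered_ok, problems


if __name__ == "__main__":
    clean_ok, tampered_ok, problems = demo()
    print("untouched backup verifies:", clean_ok)
    print("tampered backup verifies:", tampered_ok)
    for p in problems:
        print("  ", p)
```

A restore procedure would call verify_backup() and stop on a non-empty problem list. The manifest itself only helps if it cannot be rewritten by whoever altered the backup, which is why it belongs on separate, write-protected storage; the check shows integrity of the set, not absence of malware within files that were already infected when backed up.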
Post-incident activities and lessons learned
Review the root cause of the incident and collaborate with the response team to determine what can be improved. Evaluate your incident response processes and highlight what went well and what areas require improvement. Create a lessons learned document that details how you will adjust and improve your plan for future incidents. The results of the lessons learned should be used to improve detection methods and prevent repeated incidents.
In-house or professional services
When developing your IRP, determine which actions and services you can conduct internally and which actions you will outsource. Professional services can be retained to assist with incident response initiatives, such as developing your plan, determining your backup processes, and monitoring and patching your systems. Outsourcing incident response for OT incidents or other specialized environments can be costly, and it is important to plan for these scenarios.
Learn more
- Ransomware: How to prevent and recover (ITSAP.00.099)
- Developing your IT recovery plan (ITSAP.40.004)
- Have you been hacked? (ITSAP.00.015)
- Preventative security tools (ITSAP.00.058)
- Tips for backing up your information (ITSAP.40.002)
- Offer tailored cyber security training to your employees (ITSAP.10.093)
- Cyber security considerations for consumers of managed services (ITSM.50.030)
- Improving cyber security resilience through emergency preparedness (ITSM.10.014)