12 Ingredients for Creating a Successful Incident Response (IR) Plan

In AT&T’s latest Cybersecurity Insights report, 62 percent of organizations acknowledged they were breached in 2015. However, only 34 percent believe they have an effective incident response plan.

When faced with a potential data breach, or any incident that may potentially harm organizations and their customers, an incident response plan, or IRP, is required to protect an organization’s data and, thereby, its reputation. If IRPs are not implemented properly, organizations may not be able to recover quickly from data loss. An IRP helps to identify the best possible data loss prevention (DLP) activities that help safeguard organizations and quickly restore normal business operations. A well-defined security IRP will help safeguard against losses in case of a DL incident, a natural disaster, an external breach of critical data or IP, or an insider threat.

According to the 2016 SANS Institute survey on the state of IR, 29 percent of respondents report a remediation time of two to seven days. A lack of skilled personnel is aggravating the problem, as 65 percent of respondents reported the lack of personnel was impeding their ability to respond to incidents.

12 Common Ingredients of Implementing IRPs
IRPs cannot be a one-size-fits-all system. Every organization has its own needs. Over the years and based on many studies, the following common ingredients have been identified:

  1. Prepare: According to CISO, the team that handles threats, dealing with the fallout from a breach requires the efforts of the entire company. This requires team effort and training. Everyone must be made aware of who to report to on the IT team in case they observe something suspicious.
  1. Get approvals: IRPs are not implemented if they are not approved by the Board of Directors. It is critical to make this group understand, and get involved in, the whole process of an IRP implementation from the initial stages so that they are aware of the severe repercussions of a data loss. Once they accept the criticality of a DLP activity, creating a successful IRP will be easy.
  1. Define the team and scope ahead of time: IRP developers need to define cross-organizational goals and allocate appropriate resources, leaders, roles, and responsibilities. Everyone must know ahead of time what should be done when. The core team may comprise of individuals from privacy, security, legal, and IT who call on other departments as the need requires. Identifying the scope of IRP will allow team members to assemble the components into an effective plan.
  1. Identify measurements and matrices: For a robust IRP, organizations need to define in advance key metrics such as time to detection, time to report an incident, time to triage and investigate, the number of false positives, and the nature of the attack indicators that will be measured in case of a breach.
  1. Hold test runs: Companies must play out the various breach scenarios – something like a mock fire drill, just to ensure things are in place. This helps in identifying weak points and risk factors, and thus leads to a crisper IRP.
  1. Check alerts that appear benign: IT professionals must be very observant when checking for signs of compromises and threats, and they must never disregard a regular user’s doubts. The PCI Security Standards Council states that one of the biggest risks to an organization’s information security is often the action or inaction by employees that can lead to security incidents.
  1. Document the IRP, and keep it updated: Documenting an IRP helps organizations consider different scenarios, their implications, and the tools needed to mitigate the damage. DL assessments are part of every IRP and must be documented to support an organization’s burden of proof. An IRP must be a “living document,” that must always be kept updated. New threats from malware, identity theft, and unencrypted mobile devices are putting protected health information (PHI) at risk. An IRP should reflect these new dangers.
  1. Dont overlook your refineries and factories: Many organizations need to run industrial systems in parallel, such as an oil refinery or a factory that manufactures drugs. Such organizations usually do not feel the need to implement an IRP, thinking hackers won’t target these locations. This, more often than not, leads to a breach resulting in losses.
  1. Contain and remediate: Once an affected system has been identified, take it offline, and use it to conduct a post-mortem as to the how and what of the breach. After the root cause is identified, control the spreading of such breaches further before it affects the entire organization. The findings and details of the breach must be noted carefully, and action must be taken so that there’s no room for similar attacks to re-occur. The focus should be on investigating the malware’s techniques and infection vector so that a robust eradication and prevention plan may be developed.
    According to Marsh & McLennan Companies, “Once an organization experiences a data breach, the response is to secure defenses to make sure that history does not repeat itself.”
  1. Plan for a follow-up budget and resources: According to Gartner, Inc., 75 percent of enterprises’ information security budgets will be allocated for rapid detection and response approaches by 2020, up from less than 10 percent in 2012.
  1. Follow up: For future containment, learning and improvement, and detection, IRPs require the cooperation of an entire organization, not just the IT and security departments. For example, a bank handling the impact of a breach will need help from its PR staff, from its Web development team, from the HR team, etc.
  1. Align and integrate the IRP with an organization’s existing business continuity plans (BCP), data loss prevention (DLP) policies, and disaster recovery plan (DRP): Prioritizing the assets to rebuild to ensure business-as-usual quickly is very critical. The prioritized inventory must be updated and amended regularly as business needs evolve.