What is an incident response plan? Reviewing common IR templates, methodologies

This article was written by an independent guest author.

In today’s threat landscape, it’s no longer if an incident will happen, it’s when. Defending your organization and having a plan for what to do if an incident occurs is more critical than ever. And frankly, the benefits of having an incident response plan are quantifiable. Ponemon’s Cost of a Data Breach Report compared organizations boasting robust security Incident Response (IR) capabilities with those that do not. Well-prepared businesses reported less breach-related costs by an average of about $2 million USD.

What is an incident response plan?

An Incident Response Plan (IRP) serves as a blueprint, outlining the steps to be followed when responding to a security incident. Think of the IRP as a set of guidelines and processes your security team can follow so threats can be identified, eliminated, and recovered from. It is an essential tool for minimizing damage caused by threats, such as data loss, loss of customer trust, or abuse of resources. With a robust IRP, your company’s team can respond quickly and more efficiently against any type of threat.

No matter what type of attack an organization faces, all cyberattacks require incident response. The best scenarios are those in which sufficient preventive measures are in place, including threat detection and intelligence integration tools.

For organizations looking to get started with an IRP, there are many templates and frameworks available. Two industry standard incident response frameworks are the National Institute of Standards and Technology (NIST) framework and the SysAdmin, Audit, Network, and Security (SANS) institute framework. We’ve compared the SANS and NIST frameworks here. 

Whichever playbook, template or framework you choose, make sure you have the right team in place and are prepared to dedicate the time and resources to this critical organizational process.

Who should carry out an incident response plan?

While a robust incident response plan is incredibly important, having the right people with the relevant skillsets to execute the plans is equally crucial. To handle a cybersecurity incident effectively, your company should have an incident response team in place. In some organizations, it’s called a Computer Security Incident Response Team (CSIRT) and others may refer to it as a Security Incident Response Team (SIRT) or Computer Incident Response Team (CIRT). The team’s mission is to execute on the incident response plan as soon as an incident is discovered.

The incident response team is divided into several groups, each playing a key role in mitigating an incident's potential damage. The team should be comprised of technical and non-technical people who can work together to identify, manage, eradicate and recover from any threat. They are responsible for collecting, analyzing and taking action based on incident data and information, and well as communicating with other stakeholders in the organization and critical third parties, including press, legal, affected customers and law enforcement.

The best-prepared CSIRTs should include the following specialized teams:

• The Security Operations Centers (SOC), the first line of cybersecurity defense working 24/7 to triage important security alerts, analyzing the data and making key decisions.
• An Incident Manager, who makes the ultimate decision on best course of action based on communication with key stakeholders.
• The CIRT team, those with specialized technical skills to provide the right advice and threat analysis.
• The Threat Intelligence team, made up of intel specialists who can assess and understand the threat landscape and advise what type of attack or threat you’re dealing with.

An example Incident response plan template for your business

PWC report, 87% of consumers will take business elsewhere if they feel their data isn’t being handled properly. Companies with effective incident response policies demonstrate a commitment to security and privacy.

The cold, hard fact is this: when a security breach isn’t handled quickly and properly, the company risks losing customer confidence. Or worse, if the data breach is publicized, the risk of losing investor and shareholder confidence increases.